This is Kaspersky Lab’s annual threat analysis report covering the
major issues faced by corporate and individual users alike as a result
of malware, potentially harmful programs, crimeware, spam, phishing and
other different types of hacker activity.
The report has been prepared by the Global Research & Analysis
Team (GReAT) in conjunction with Kaspersky Lab’s Content & Cloud
Technology Research and Anti-Malware Research divisions.
The 10 Security Stories That Shaped 2012
At the end of last year we published “The Top 10 Security Stories of 2011”,
an article that summarized 2011 in one word: “explosive”. Back then,
the biggest challenge was how to narrow down all the incidents, stories,
facts, new trends and intriguing actors into just 10 top stories.
Based on the events and the actors who defined the top security stories of 2011, we made a number of predictions regarding 2012:
- The continued rise of hacktivist groups.
- The growth of Advanced Persistent Threat (APT) incidents
- The dawn of cyber-warfare and more powerful nation states jostling for dominance through cyber-espionage campaigns.
- Attacks on software and gaming developers such as Adobe, Microsoft, Oracle and Sony.
- More aggressive actions from law enforcement agencies against traditional cybercriminals.
- An explosion of Android threats.
- Attacks on Apple’s Mac OS X platform.
How did we fare in our predictions? Let’s take a look at the top 10 security incidents that shaped 2012...
1. Flashback hits Mac OS X
Although the Mac OS X Trojan Flashback/Flashfake
appeared in late 2011, it wasn’t until April 2012 that it became really
popular. And when we say really popular, we mean really popular. Based
on our statistics, we estimate that Flashback infected over 700,000
Macs, easily the biggest known Mac OS X infection to date. How was this
possible? Two main factors: a Java vulnerability CVE-2012-0507 and the general sense of apathy among the Mac faithful when it comes to security issues.
Flashback continues to be relevant because it demolished the myth of
invulnerability surrounding the Mac and because it confirmed that
massive outbreaks can indeed affect non-Windows platforms. Back in 2011,
we predicted that we would see more Mac malware attacks. We just never
expected it would be this dramatic.
2. Flame and Gauss: nation-state cyber-espionage campaigns
In mid-April 2012, a series of cyber-attacks destroyed computer
systems at several oil platforms in the Middle East. The malware
responsible for the attacks, named “Wiper”, was never found – although
several pointers indicated a resemblance to Duqu and Stuxnet. During the
investigation, we stumbled upon a huge cyber-espionage campaign now
known as Flame.
Flame is arguably one of the most sophisticated pieces of malware
ever created. When fully deployed onto a system, it has more than 20 MB
of modules which perform a wide array of functions such as audio
interception, Bluetooth device scanning, document theft and the taking
of screenshots from the infected machine. The most impressive part was
the use of a fake Microsoft certificate to perform a man-in-the-middle
attack against Windows Updates, which allowed it to infect fully patched
Windows 7 PCs at the blink of an eye. The complexity of this operation
left no doubt that this was backed by a nation-state. In fact, Kaspersky
researchers discovered a strong connection to Stuxnet, which indicates
that the Flame developers worked together with the Stuxnet developers,
perhaps during the same operation.
Flame is important because it showed that highly complex malware can
exist undetected for many years. It is estimated that the Flame project
could be at least five years old. It also redefined the whole idea of
“zero-days”, through its “God mode” man-in-the-middle propagation
technique.
Of course, when Flame was discovered, people wondered how many other
campaigns like this were being mounted. And it wasn’t long before
others surfaced. The discovery of Gauss,
another highly sophisticated Trojan that was widely deployed in the
Middle East, added a new dimension to nation-state cyber campaigns.
Gauss is remarkable for a variety of things, some of which remain a
mystery to this day. The use of a custom font named “Palida Narrow” or
its encrypted payload which targets a computer disconnected from the
Internet are among the many unknowns. It is also the first
government-sponsored banking Trojan with the ability to hijack online
banking credentials from victims, primarily in Lebanon.
With Flame and Gauss, a new dimension was injected into the Middle
East battleground: cyber-war and cyber-warfare. It appears there is a
strong cyber component to the existing geopolitical tensions – perhaps
bigger than anyone expected.
3. The explosion of Android threats
During 2011, we witnessed an explosion in the number of malicious
threats targeting the Android platform. We predicted that the number of
threats for Android would continue to grow at an alarming rate. The
chart below clearly confirms this:
The number of samples we received continued to grow and peaked in
June 2012, when we identified almost 7,000 malicious Android programs.
Overall, in 2012, we identified more than 35,000 malicious Android
programs, which is about six times more than in 2011. That’s also about
five times more than all the malicious Android samples we’ve received
since 2005 altogether!
The huge growth in Android malware can be explained by two
factors: economic and platform-related. First of all, the Android
platform itself has become incredibly popular, becoming the most
widespread OS for new phones, with over 70% market share.
Secondly, the open nature of the operating system, the ease with which
apps can be created and the wide variety of (unofficial) application
markets have combined to shine a negative spotlight on the security
posture of the Android platform.
Looking forward, there is no doubt this trend will continue, just
like it did with Windows malware many years ago. We are therefore
expecting 2013 to be filled with targeted attacks against Android users,
zero-days and data leaks.
4. The LinkedIn, Last.fm, Dropbox and Gamigo password leaks
On 5 June 2012, LinkedIn, one of the world’s biggest social networks
for business users, was hacked by unknown assailants and the password
hashes of more than 6.4 million people leaked
onto the Internet. Through the use of fast GPU cards, security
researchers recovered an amazing 85% of the original passwords. Several
factors made this possible. First of all, LinkedIn stored the passwords
as SHA1 hashes. Although better than the very popular MD5, modern GPU
cards can crack SHA1 hashes at incredible speeds. For instance, a $400
Radeon 7970 can check close to 2 billion SHA1 password hashes per
second. This, combined with modern cryptographic attacks such as the
usage of Markov chains to optimize brute force search or mask attacks,
taught web developers some new lessons about how passwords should be
stored.
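The two weaknesses named above, a fast hash and no per-user salt, are easiest to see side by side. The following is an added example (not code from the report or from LinkedIn) that contrasts the unsalted SHA1 scheme with a salted, iterated PBKDF2-HMAC-SHA256 scheme; it uses only the Python standard library, and the sample passwords and the storage format `pbkdf2_sha256$iterations$salt$digest` are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample inputs for the demonstration; not data from any real leak.
SAMPLE_PASSWORDS = ["password123", "password123", "letmein"]


def unsalted_sha1(password: str) -> str:
    """One fast, unsalted SHA1 per password: the scheme described in the text.

    Identical passwords produce identical digests, so one precomputed digest
    matches every user who chose that password, and a GPU can test billions
    of guesses per second against the whole table at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 100_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (assumed storage format, see lead-in).

    A fresh 16-byte random salt makes every stored digest unique even for
    identical passwords, and the iteration count raises the cost of each
    guess by a factor of `iterations` compared with a single SHA1.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def identical_digest_count(passwords, hash_fn) -> int:
    """Number of stored entries that duplicate another entry's digest.

    For an unsalted scheme this equals the number of users sharing a password
    with someone else, information that can be read straight off the table.
    With per-user salts it is zero.
    """
    digests = [hash_fn(p) for p in passwords]
    return len(digests) - len(set(digests))


if __name__ == "__main__":
    print("duplicate digests, unsalted SHA1:", identical_digest_count(SAMPLE_PASSWORDS, unsalted_sha1))
    print("duplicate digests, salted PBKDF2:", identical_digest_count(SAMPLE_PASSWORDS, hash_password))
    stored = hash_password("letmein")
    print("verify correct password:", verify_password("letmein", stored))
    print("verify wrong password:  ", verify_password("letmeinn", stored))
```

The iteration count here is deliberately modest so the demonstration runs quickly; in production it should be tuned to the slowest acceptable login latency, and a memory-hard function such as scrypt (also in `hashlib`) further blunts the GPU advantage the text describes.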
When Dropbox announced that it had been hacked
and user account details were leaked, it was yet another confirmation
that hackers were targeting valuable data (especially user credentials)
at popular web services. In 2012, we saw similar attacks at Last.fm and Gamigo, where more than 8 million passwords were leaked to the public.
To get an idea of how big a problem this is, during the InfoSecSouthwest 2012 conference, Korelogic released an archive
containing about 146 million password hashes, which was put together
from multiple hacking incidents. Of these, 122 million were already cracked.
These attacks show that in the age of the ‘cloud’, when information
about millions of accounts is available in one server, over speedy
internet links, the concept of data leaks takes on new dimensions. We
explored this last year during the Sony Playstation Network hack; it
is perhaps no surprise that such huge leaks and hacks continued in 2012.
5. The Adobe certificates theft and the omnipresent APT
During 2011, we saw several high profile attacks against certificate
authorities. In June, DigiNotar, a Dutch company, was hacked out of
business, while a Comodo affiliate was tricked into issuing digital
certificates in March. The discovery of Duqu in September 2011 was also
related to a Certificate Authority hack.
On 27 September 2012, Adobe announced
the discovery of two malicious programs that were signed using a valid
Adobe code signing certificate. Adobe’s certificates were securely
stored in an HSM,
a special cryptographic device which makes attacks much more
complicated. Nevertheless, the attackers were able to compromise a
server that was able to perform code signing requests.
This discovery belongs to the same chain of extremely targeted
attacks performed by sophisticated threat actors commonly described as APT.
The fact that a high profile company like Adobe was compromised in
this way redefines the boundaries and possibilities that are becoming
available for these high-level attackers.
6. The DNSChanger shutdown
When the culprits behind the DNSChanger malware were arrested in November 2011 during the “Ghost Click” operation, the identity-theft infrastructure was taken over by the FBI.
The FBI agreed to keep the servers online until 9 July 2012, so the
victims could have time to disinfect their systems. Several doomsday
scenarios aside, the date passed without too much trouble. This would
not have been possible without the time and resources invested into the
project by the FBI, as well as other law enforcement agencies, private
companies and governments around the world. It was a large scale action
that showed that success against cybercrime can be achieved through open
cooperation and information sharing.
7. The Ma(h)di incident
During late 2011 and the first half of 2012, an ongoing campaign to
infiltrate computer systems throughout the Middle East targeted
individuals across Iran, Israel, Afghanistan and others scattered across
the globe. In partnership with Seculert, we thoroughly investigated
this operation and named it “Madi”, based on certain strings and handles used by the attackers.
Although Madi was relatively unsophisticated, it did succeed in
compromising many different victims around the globe through social
engineering and Right-To-Left-Override tactics. The Madi campaign
demonstrated yet another dimension to cyber-espionage operations in the
Middle East and one very important thing: low investment operations, as
opposed to nation-state sponsored malware with an unlimited budget, can
be quite successful.
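The Right-To-Left-Override tactic mentioned above relies on the Unicode control character U+202E, which makes a file renderer display the characters that follow it in reverse order while the operating system still reads the real extension. The following is an added detection example, not code from the report or from the Madi investigation: it flags filenames carrying bidirectional control characters and reports the extension a user would see next to the one the OS will act on. The rendering model (reverse everything after an RLO up to the next PDF or the end of the name) is a simplification of the full Unicode bidi algorithm, assumed here for illustration, and the sample names are constructed.

```python
# Unicode bidirectional control characters that can change how a filename is
# displayed without changing the bytes the operating system uses.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(name: str) -> list:
    """Return (index, control-name) pairs for every bidi control in the name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def displayed_name(name: str) -> str:
    """Approximate what a user sees (simplified model, see lead-in).

    Text following an RLO is reversed until a PDF terminates the override or
    the name ends; other control characters are invisible and dropped.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = i + 1
            while j < len(name) and name[j] != "\u202c":
                j += 1
            out.append(name[i + 1:j][::-1])
            i = j + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def true_extension(name: str) -> str:
    """The extension the OS acts on: controls removed, nothing reversed."""
    return _extension("".join(ch for ch in name if ch not in BIDI_CONTROLS))


def assess(name: str) -> dict:
    """Summarise why a filename is or is not suspicious."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    real_ext = true_extension(name)
    shown_ext = _extension(shown)
    return {
        "name": name,
        "suspicious": bool(controls),
        "controls": controls,
        "displayed": shown,
        "displayed_extension": shown_ext,
        "true_extension": real_ext,
        "extension_mismatch": bool(controls) and shown_ext != real_ext,
    }


def flag_names(names) -> list:
    """Return assessments for every name that carries a bidi control."""
    return [r for r in (assess(n) for n in names) if r["suspicious"]]


# Constructed sample names for the demonstration.
SAMPLE_NAMES = ["report.pdf", "invoice\u202efdp.scr", "photo\u202egnp.exe"]

if __name__ == "__main__":
    for r in flag_names(SAMPLE_NAMES):
        print(f"shown as {r['displayed']!r}, real extension .{r['true_extension']}, "
              f"controls at {r['controls']}")
```

A mail gateway or endpoint scanner can apply `flag_names` to attachment names; because the decision rests on the presence of control characters rather than on the rendering model, the simplified `displayed_name` only affects the explanatory output, not whether a file is flagged.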
8. The Java 0-days
In the aftermath of the previously mentioned Flashback incident,
Apple took a bold step and decided to disable Java across millions of
Mac OS X users. It might be worth pointing out that although a patch for
the vulnerability exploited by Flashback had been available since
February, Apple users were exposed for a few months because of Apple’s
tardiness in pushing the patch to Mac OS X users. The situation differed
from Windows: there the patches came directly from Oracle, whereas on
Mac OS X the patches were delivered by Apple.
If that was not enough, in August 2012, a Java zero-day vulnerability
was found to be massively used in-the-wild (CVE-2012-4681). The exploit
was implemented in the wildly popular BlackHole exploit kit and quickly
became the most effective of the whole set, responsible for millions of
infections worldwide.
During the second quarter of 2012, we performed an analysis
of vulnerable software found on users’ computers and found that more
than 30% had an old and vulnerable version of Java installed. It was
easily the most widespread vulnerable software installed.
9. Shamoon
In the middle of August, details appeared about a piece of highly
destructive malware that was used in an attack against Saudi Aramco, one
of the world’s largest oil conglomerates. According to reports, more
than 30,000 computers were completely destroyed by the malware.
We analyzed the Shamoon malware
and found that it contained a built-in switch which would activate the
destructive process on 15 August, 8:08 UTC. Later, reports emerged of
another attack of the same malware against another oil company in the
Middle East.
Shamoon is important because it brought up the idea used in the Wiper
malware, which is a destructive payload with the purpose of massively
compromising a company’s operations. As in the case of Wiper, many
details are unknown, such as how the malware infected the systems in the
first place or who was behind it.
10. The DSL modems, Huawei banning and hardware hacks
In October 2012, Kaspersky researcher Fabio Assolini published
the details of an attack which had been taking place in Brazil since
2011 using a single firmware vulnerability, two malicious scripts and 40
malicious DNS servers. This operation affected six hardware
manufacturers, resulting in millions of Brazilian internet users falling
victim to a sustained and silent mass attack on DSL modems.
In March 2012, Brazil’s CERT team confirmed that more than 4.5
million modems were compromised in the attack and were being abused by
cybercriminals for all sorts of fraudulent activity.
At the T2 conference in Finland, security researcher Felix ‘FX’ Lindner of Recurity Labs GmbH discussed
the security posture and vulnerabilities discovered in the Huawei
family of routers. This came in the wake of the U.S. government’s
decision to investigate Huawei for espionage risks
(http://www.cbsnews.com/8301-18560_162-57527441/huawei-probed-for-security-espionage-risk/).
The case of Huawei and the DSL routers in Brazil are not random
incidents. They are just indications that hardware routers can pose the
same, if not higher, security risks as older or obscure software that is
never updated. They indicate that defense has become more complex and
more difficult than ever - in some cases, even impossible.
Conclusions: From Explosive to Revealing and Eye-opening
As we turn the page to 2013, we’re all wondering what’s next. As we
can see from the top 10 stories above, we were very much on the ball
with our predictions.
Despite the arrest of LulzSec’s Xavier Monsegur and many prominent
‘Anonymous’ hackers, the hacktivists continued their activities. The
cyber-warfare/cyber-espionage campaigns grew to new dimensions with the
discovery of Flame and Gauss. APT operations continued to dominate the
news, with zero-days and clever attack methods being employed to hack
high-profile victims. Mac OS X users were dealt a blow by Flashfake, the
biggest Mac OS X epidemic to date while big companies fought against
destructive malware that wrecked tens of thousands of PCs.
The powerful actors from 2011 remained the same: hacktivist groups,
IT security companies, nation states fighting each other through
cyber-espionage, major software and gaming developers such as Adobe,
Microsoft, Oracle or Sony, law enforcement agencies and traditional
cybercriminals, Google, via the Android operating system, and Apple,
thanks to its Mac OS X platform.
We categorized 2011 as “explosive” and we believe the incidents in
2012 raised eyebrows and piqued the imagination. We came to understand
the new dimensions in existing threats while new attacks are beginning
to take shape.
Security forecast for 2013
The end of the year is traditionally a time for reflection – for
taking stock of our lives and looking to the future. So we’d like to
offer you our forecast for the year ahead, looking at the key issues
that we believe are likely to dominate the security landscape in 2013.
Of course, the future is always rooted in the present, so our security
retrospective, outlining the key trends of 2012, is a good
starting-point.
1. Targeted attacks and cyber-espionage
While the threat landscape is still dominated by random, speculative
attacks designed to steal personal information from anyone unlucky
enough to fall victim to them, targeted attacks have become an
established feature in the last two years. Such attacks are
specifically tailored to penetrate a particular organization and are
often focused on gathering sensitive data that has a monetary value in
the ‘dark market’. Targeted attacks can often be highly sophisticated.
But many attacks start by ‘hacking the human’, i.e. by tricking
employees into disclosing information that can be used to gain access to
corporate resources. The huge volume of information shared online and
the growing use of social media in business have helped to fuel such
attacks – and staff with public-facing roles (for example, those with
sales or marketing roles within a company) can be particularly
vulnerable. We can expect the growth of cyber-espionage to continue
into 2013 and beyond. It’s easy to read the headlines in the computer
press and imagine that targeted attacks are a problem only for large
organizations, particularly those that maintain ‘critical
infrastructure’ systems within a country. However, any organization can
become a victim. All organizations hold data that is of value to
cybercriminals; and they may also be used as ‘stepping-stones’ to reach
other companies.
2. The onward march of ‘hacktivism’
Stealing money – either by directly accessing bank accounts or by
stealing confidential data – is not the only motive behind attacks.
Sometimes the purpose of an attack is to make a political or social
point. There was a steady stream of such attacks this year. This
included the DDoS attacks launched by Anonymous on government websites
in Poland, following the government’s announcement that it would support
ACTA (the Anti-Counterfeiting Trade Agreement); the hacking of the
official F1 website in protest against the treatment of anti-government
protesters in Bahrain; the hacking of various oil companies in protest
against drilling in the Arctic; the attack on Saudi Aramco; and the
hacking of the French Euromillions website in a protest against
gambling. Society’s increasing reliance on the Internet makes
organizations of all kinds potentially vulnerable to attacks of this
sort, so ‘hacktivism’ looks set to continue into 2013 and beyond.
Source: www.securelist.com