Two years ago in October 2015 we published a blogpost about a popular malware that was being distributed from the Google Play Store. Over the next two years we detected several similar apps on Google Play, but in October and November 2017 we found 85 new malicious apps on Google Play that are stealing credentials for VK.com. All of them have been detected by Kaspersky Lab products as Trojan-PSW.AndroidOS.MyVk.o. We reported 72 of them to Google and they deleted these malicious apps from Google Play Store, 13 other apps were already deleted. Furthermore, we reported these apps with technical details to VK.com. One of these apps was masquerading as a game and was installed more than a million times according to Google Play Store.
There were some other popular apps among them too – seven apps had 10,000-100,000 installations from Google Play and nine apps had 1,000-10,000 installation. All other apps had fewer than 1,000 installations.
Most of these apps were uploaded to Google Play in October 2017, but several of them were uploaded in July 2017, so they were being distributed for as long as 3 months. Moreover, the most popular app was initially uploaded to the Google Play Store on March 2017, but without any malicious code—it was just a game. Cybercriminals updated this app with a malicious version only in October 2017, having waited more than 7 months to do so!
Most of these apps looked like apps for VK.com – for listening to music or for monitoring user page visits.
Sure, such apps need a user to login into an account – that’s why they didn’t look suspicious. The only apps whose functionality was not VK-related were game apps. Because VK is popular mostly in CIS countries, cybercriminals checked the device language and asked for VK credentials only from users with certain languages – Russian, Ukrainian, Kazakh, Armenian, Azerbaijani, Belarusian, Kyrgyz, Romanian, Tajik, and Uzbek.
These cybercriminals were publishing their malicious apps on Google Play Store for more than two years, so they had to modify their code to bypass detection. In these apps they used a modified VK SDK with tricky code–users logged on to the standard page, but the cybercriminals used malicious JS code to get the credentials from the login page and pass them back to the app.
Then the credentials are encrypted and uploaded to the malicious website.
The interesting thing is that although most of these malicious apps had a described functionality, a few of them were slightly different—they also used malicious JS code from the OnPageFinished method, but not only for extracting credentials but for uploading them too.
We think that cybercriminals use stolen credentials mostly for promoting groups in VK.com. They silently add users to promote various groups and increase their popularity by doing so. We have reason to think so because there were complaints from some infected users that their accounts had been silently added to such groups.
Another reason to think so is that we were able to find several other apps on Google Play that were published by the same cybercriminals responsible for Trojan-PSW.AndroidOS.MyVk.o. They were published as unofficial clients for Telegram, a popular messaging app. All of them were detected by Kaspersky Lab products as not-a-virus:HEUR:RiskTool.AndroidOS.Hcatam.a. We notified Google about these apps too and they deleted them from Google Play Store.
These apps were not only masquerading as Telegram apps, they were actually built using an open source Telegram SDK and work almost like every other such app. Except one thing – they added users to promoted groups/chats. These apps receive a list with groups/chats from their server. What’s more, they can add users to groups anytime – to do so they steal a GCM token which allows cybercriminals to send commands 24/7.
We also discovered an interesting thing about the malicious website extensionsapiversion.space. According to KSN statistics, in some cases it was used for mining cryptocurrencies by using an API from http://coinhive.com.CNC
2017 was a year of great changes in the world of cyberthreats facing financial organizations.
Firstly, in 2017 we witnessed a continuation of cyberattacks targeting systems running SWIFT — a fundamental part of the world’s financial ecosystem. Attackers were able to use malware in financial institutions to manipulate applications responsible for cross-border transactions, making it possible to withdraw money from any financial organization in the world, because SWIFT software is unified and used by almost all the major players in the financial market. Victims of these attacks included several banks in more than 10 countries around the world.
Secondly, in 2017 we saw the range of financial organizations that cybercriminals have been trying to penetrate, expand significantly. Different cybercriminal groups penetrated bank infrastructure, e-money systems, cryptocurrency exchanges, capital management funds, and even casinos. Their main goal was to withdraw very large sums of money.
To complete their cybercriminal activities, attackers rely on proven schemes of monetizing network access. In addition to their attacks on SWIFT systems, cybercriminals have been actively using ATM infections, including those on financial institution’s own networks, as well as wielding RB (remote banking) systems, PoS terminal networks, and making changes in banks’ databases to ‘play’ with card balances.
Attacks on ATMs are worth mentioning separately. This kind of robbery became so popular that 2017 saw the first ATM malware-as-a-service: with cybercriminals providing on underground forums all necessary malicious programs and video instructions to gain access to ATMs. Those who bought a subscription only needed to choose an ATM, open it following the instructions, and pay the service organizers for activating the malicious program on the ATM, after which the money withdrawal process started. Schemes like this significantly increased the number of cybercriminals, even making cybercrime accessible to non-professionals.
We saw the interception of bank customers’ electronic operations through the hijacking of bank domains. Thus, customers did not have access to their bank’s real infrastructure, but to a fake one created by intruders. For several hours, criminals were therefore able to perform phishing attacks, install malicious code and wield the operations of customers who were using online banking services at the time.
It’s worth noting that, in some countries, banks have forgotten about the most “unimportant” thing – physical security. This has made attacks on banks’ financial assets possible. In some cases, this was due to easy access to cable lines, to which small Raspberry Pi devices were then connected. For several months these devices passively collected information about bank networks and sent intercepted data over LTE connections to the servers of intruders.Predictions for 2018
- Attacks via the underlying blockchain technologies of financial systems
Almost all of the world’s large financial organizations are actively investing in systems based on blockchain technology. Any new technology has its advantages, but also a number of new risks. Financial systems based on blockchain do not exist autonomously, therefore vulnerabilities and errors in blockchain implementation can enable attackers to earn money and disrupt the work of a financial institution. For instance, in 2016-2017, a number of vulnerabilities and errors were discovered in smart contracts, on which a number of financial institution’s services have been built.
- More supply chain attacks in the financial sphere
Large financial organizations invest considerable resources in cybersecurity, thus the penetration of their infrastructure is not an easy task. However, a threat vector that is likely to be actively used by cybercriminals in the coming year is attacks on software vendors supplying financial organizations. Such vendors, for the most part, have a weak level of protection compared to the financial organizations themselves. Last year, we witnessed a number of attacks like this: including against NetSarang, CCleaner, and MeDoc. As we can see, attackers replaced or modified updates for very different types of software. In the next year, we can expect cybercriminals to perform attacks via software designed specifically for financial organizations, including software for ATMs and PoS terminals. A few months ago we registered the first attempts of this kind, when attackers embedded a malicious module into a firmware installation file, and placed it on the official website of one of the American ATM software vendors.
- Mass media (in general, including Twitter accounts, Facebook pages, Telegram, etc.) hacks and manipulation for getting financial profit through stock/crypto exchange trade
2017 will be remembered as the year of ‘fake news’. Besides the manipulation of public opinion, this phrase can also mean a dishonest way of earning money. While stock exchange trading is mostly carried out by robots manipulating source data, which is used to make certain transactions, it can also lead to enormous changes in the price of goods, financial instruments and cryptocurrencies. In fact, just one tweet from an influencer, or a wave of messages on a social network created with the help of fake accounts, can drive the markets. And this method will certainly be used by intruders. With this approach, it’s almost impossible to find out which of the beneficiaries is the customer of the attack.
- ATM malware automation
The first malware for ATMs appeared in 2009, and since then these devices have received constant attention from cyber-fraudsters. There has been a continuous evolution of this type of attack. The past year saw the emergence of ATM malware-as-a-service, and the next step will be the full automation of such attacks – a mini-computer will be connected automatically to an ATM, leading to malware installation and jackpotting or card data collection. This will significantly shorten the time needed for intruders to commit their crime.
- More attacks on crypto exchange platforms
For the past year, cryptocurrencies have attracted a huge number of investors, which in turn has led to a boom in new services for trading various coins and tokens. Traditional players in the financial market, with highly developed cybersecurity protection, haven’t rushed to enter this field.
This situation provides attackers with an ideal opportunity to target cryptocurrency exchanges. On the one hand, new companies haven’t managed to test their security systems properly. On the other hand, the entire cryptocurrency exchange business, technically speaking, is built on well-known principles and technologies. Thus, attackers know, as well as have, the necessary toolkit to penetrate the infrastructure of new sites and services working with cryptocurrencies.
- Traditional card fraud will spike due to the huge data breaches of the previous year
Big personal data leaks – including the recent Equifax case, which resulted in more than 140 million U.S. residents’ data being leaked to cybercriminals, and the Uber case, when the data of another 57 million customers was leaked – has created a situation where traditional banking security can seriously fail, because it’s based on the analysis of data about current or potential customers.
For example, detailed knowledge of a victim’s personal data can allow attackers to pose as a banking customer, and extract their victim’s money or security information, while to the bank concerned, their request looks legitimate. Therefore, the coming year may be marked by a spike in quite traditional fraud schemes, with the big data that has been collected (but not properly protected) by organizations about their customers for years, set to help attackers in the successful realization of their fraud schemes.
- More nation-state sponsored attacks against financial organizations
The infamous Lazarus group, which is likely to be North-Korean state-sponsored, has attacked a number of banks in different parts of the world in the last few years. These have included banks in countries in Latin America, Europe, Asia and Oceania. Their main purpose has been to withdraw large sums of money, amounting to hundreds of millions of dollars. In addition, the data released by the Shadow Brokers indicates that experienced state-sponsored APT-groups are targeting financial institutions in order to learn more about cash flows. It is very likely that, next year other APT groups from countries that have just joined the cyber-spy game will follow this approach – both to earn money and to obtain information about customers, the flow of funds and the internal procedures of financial organizations.
- Fintechs’ inclusion and mobile only-users: a fall in the number of traditional PC-oriented internet-banking Trojans. Novice mobile banking users will be a new prime target for criminals
Digital banks will continue revolutionizing the financial sector on a global scale, especially in emerging markets. For example, in Brazil and Mexico, these banks are gaining more and more momentum and this, of course, has attracted cybercriminal attention. We are sure that the world of cybercrime will see increasing attacks against this type of banks and their customers. Their main feature is the complete absence of branches and traditional customer service. All communication between the bank and its customers actually occur through a mobile application. This can have several consequences.
The first is a decrease in the number of Windows Trojans, aimed at stealing money through traditional internet banking. The second is that the growing number of digital financial institutions will lead to organic growth in the number of users that are easy targets for cybercriminals: people without any mobile banking experience, but with banking applications installed on their mobile devices. These people will be the main targets for both malware attacks, such as Svpeng, and schemes completely built on social engineering. Persuading a customer to transfer money through a mobile application is much easier than forcing them to go to a physical bank and make a transaction.Conclusion
During the past few years, the number and quality of attacks aimed at financial sector organizations has grown continuously. These are attacks on the infrastructure of an organization and its employees, not its customers.
The financial institutions that have not already thought about cybersecurity will soon face the consequences of hacker attacks. And these consequences will be incompatible with the continuation of these businesses: they will lead to a complete halt in operations as well as extreme losses.
To prevent situations like this from happening, it is necessary to constantly adapt security systems to new emerging threats. This is impossible without analyzing data and information about the most important and relevant cyberattacks aimed at financial organizations.
An effective approach to combating attacks will be for banks to choose the right security solutions, but also to use specialized intelligence reports on attacks as these contain information that must be implemented immediately into overall protection systems. For example, using YARA-rules and IOCs (indicators of compromise), will become vital for financial organizations in the coming months.
The end of the year is a good time to take stock of the main cyberthreat incidents that took place over the preceding 12 months or so. To reflect on the impact these events had on organizations and individuals, and consider what they could mean for the overall evolution of the threat landscape.
Looking back over 2017, what stands out most is the growing number of blurred boundaries: between different types of threat and different types of threat actor. Examples of this trend include the headline-making ExPetr attack in June. At first sight, this seemed to be yet another ransomware program, but it turned out to be a targeted, destructive data wiper. Another example is the dumping of code by the Shadow Brokers group, which placed advanced exploits allegedly developed by the NSA at the disposal of criminal groups that would otherwise not have had access to such sophisticated code. Yet another is the emergence of advanced targeted threat (APT) campaigns focused not on cyberespionage, but on theft, stealing money to finance other activities the APT group is involved in. It will be interesting to see how this trend evolves over 2018.Highlights of 2017
- The defining cyber-moments of 2017 were, without doubt, the WannaCry, ExPetr and BadRabbit ransomware attacks. The infamous Lazarus threat actor is believed to have been behind WannaCry, which spread at staggering speed and is now believed to have claimed around 700,000 victims worldwide. ExPetr was more targeted, hitting businesses including many well-known global brands through infected business software. Maersk, the world’s largest container ship and supply vessel company has declared anticipated losses of between $200 and $300 as a result of ‘significant business interruption’ caused by the attack; while FedEx/TNT has announced around $300 in lost earnings.
- Elsewhere, the world’s big cyberespionage threat actors continued to do what they do, but with new, harder-to-detect tools and approaches. We reported on a wide range of campaigns, including the historically significant Moonlight Maze, believed to be related to Turla, as well as another Turla-related APT we call WhiteBear. We also uncovered the most recent toolkit of the Lamberts, an advanced threat actor that can be compared with Duqu, Equation, Regin or ProjectSauron in terms of complexity, and more technical details about the Spring Dragon group. In October, our advanced exploit prevention systems identified a new Adobe Flash zero-day exploit used in the wild against our customers, delivered through a Microsoft Office document. We can confidently link this attack to an actor we track as BlackOasis. For a more detailed summary of APT activity during 2017, you can view our annual APT review webinar here.
- In 2017 we also observed a resurgence of targeted attacks designed to destroy data, either instead of, or as well as data theft, for example Shamoon 2.0 and StoneDrill. We also uncovered threat actors achieving success, sometimes for years, with simple and poorly executed campaigns. The EyePyramid attack in Italy was a good example of this. Microcin provided another instance of how cybercriminals can achieve their goals by using cheap tools and selecting their targets with care.
- 2017 also revealed the extent to which advanced threat actors were diversifying into common theft to fund their expensive operations. We reported on BlueNoroff a subset of the infamous Lazarus group and responsible for the generation of illegal profits. BlueNoroff targeted financial institutions, casinos, companies developing financial trade software and those in the crypto-currency business, among others. One of the most notable BlueNoroff campaigns was its attacks on financial institutions in Poland.
- Attacks on ATMs continued to rise in 2017, with attackers targeting bank infrastructure and payment systems using sophisticated fileless malware, as well as by the more rudimentary methods of taping over CCTVs and drilling holes. More recently, we discovered a new targeted attack on financial institutions – mainly banks in Russia, but also some in Malaysia and Armenia. The attackers behind this Silence Trojan used a similar approach to Carbanak.
- Supply chain attacks appear to be the new ‘watering holes’ when it comes to targeting business victims. An emerging threat in 2017, seen in ExPetr and ShadowPad, which looks set to increase further in 2018.
- A year on from the Mirai botnet in 2016, the Hajime botnet was able to compromise 300,000 connected devices – and it was just one of many campaigns focused on connected devices and systems.
- 2017 also saw a number of massive data breaches, with millions of records exposed overall – these include Avanti Markets, Election Systems & Software, Dow Jones, America’s Job Link Alliance and Equifax. The Uber data breach which took place in October 2016 and exposed the data of 57 million customers and drivers was only made public in November 2017.
- The mobile malware landscape also evolved in 2017, and Trojanized mobile apps were downloaded in their tens of thousands or more, resulting in victims being swamped with aggressive advertising, hit with ransomware or facing theft through SMS and WAP billing. Mobile malware added new tricks to avoid detection, bypass security and exploit new services. As in 2016, many such apps were readily available through reputable sources such as the Google Play Store. Trojans particularly prevalent in 2017 included the Ztorg Trojan, Svpeng, Dvmap, Asacub and Faketoken.
2017 was a year when many things turned out to be very different from what they initially seemed to be. Ransomware was a wiper; legitimate business software was a weapon; advanced threat actors made use of simple tools while attackers farther down the food chain got their hands on highly sophisticated ones. These shifting sands of the cyberthreat landscape represent a growing challenge for security defenders.
For more information on these trends and advice on staying safe, please see the full Review of the Year 2017.
In 2017, the ransomware threat suddenly and spectacularly evolved. Three unprecedented outbreaks transformed the landscape for ransomware, probably forever. The attacks targeted businesses and used worms and recently leaked exploits to self-propagate, encrypting data and demanding a ransom they didn’t really want. The perpetrators of these attacks are unlikely to be the common thieves usually lurking behind ransomware. At least one of the attacks carried flaws that suggest it may have been released too soon, another spread via compromised business software, two are related and the two biggest appear to have been designed for data destruction. The cost to victims of these three attacks is already running into hundreds of millions of dollars.
Welcome to ransomware in 2017 – the year global enterprises and industrial systems were added to the ever-growing list of victims, and targeted attackers started taking a serious interest in the threat. It was also a year of consistently high attack numbers, but limited innovation.
This short paper highlights some of the key moments.The massive outbreaks that were not all they seemed WannaCry
It all started on May 12, when the security community observed something it hadn’t seen for almost a decade: a cyberattack with a worm that spread uncontrollably. On this occasion the worm was designed to install the WannaCry crypto-ransomware on infected machines.
The WannaCry epidemic affected hundreds of thousands of computers around the globe. To propagate, the worm used an exploit dubbed EternalBlue and a backdoor DoublePulsar, both of which had been made public by the Shadow Brokers group a month prior to the outbreak. The worm automatically targeted all computers sharing the same local subnet as the infected machine, as well as random IP ranges outside the local network – spreading it rapidly across the world.
To infect a machine, WannaCry exploited a vulnerability in the Windows implementation of the SMB protocol. Microsoft had released an update to fix this vulnerability back in March 2017, but the number of unpatched machines remained so high that this hardly hindered the propagation of WannaCry.
After infecting a machine and executing a routine to spread further, WannaCry encrypted some valuable files belonging to the victim and displayed a ransom note. Full decryption of the affected files was impossible without paying the ransom – although our analysts discovered several flaws in WannaCry’s code that could allow some victims to restore some of their data without paying the ransom.Impact of WannaCry
The attack was industry-agnostic, and victims were mainly organizations with networked systems. The ransomware also hit embedded systems. These often run on legacy OS and are therefore particularly vulnerable. Victims received a ransom demand to be paid in bitcoins. Reports suggests the ultimate number of victims could be as high as three-quarters of a million.
Car maker Renault had to close its largest factory in France and hospitals in the UK had to turn away patients. German transport giant Deutsche Bahn, Spain’s Telefónica, the West Bengal power distribution company, FedEx, Hitachi and the Russian Interior Ministry were all hit, too. A month after the initial outbreak had been contained, WannaCry was still claiming victims, including Honda, which was forced to shut down one of its production facilities, and 55 speed cameras in Victoria, Australia.The unanswered questions about WannaCry
As a devastating high profile attack targeting businesses, WannaCry was extremely successful. As a ransomware plot to make lots of money, it was a failure. Spreading via a worm is not advisable for a threat that is most lucrative when silently stalking the shadows. Estimates suggest it only made around $55,000 in bitcoin, hampered by its high visibility. The code was poor in places, and there are suggestions that it escaped into the wild before it was fully ready. There are also a number of indicators, including early code similarities that suggest the group behind WannaCry is the infamous Korean-speaking threat actor Lazarus.
The true purpose of the WannaCry attack may never be known – was it ransomware gone wrong or a deliberate destructive attack disguised as ransomware?ExPetr
The second big attack came just six weeks later, on June 27. This was spread predominantly through a supply chain infection and targeted machines mainly in Ukraine, Russia and western Europe. The company’s telemetry indicates that there were more than 5,000 attacked users. Victims received a ‘ransom demand’ of around $300, to be paid in bitcoins – although it turned out that even then they couldn’t get their files back.
ExPetr was a complex attack, involving several vectors of compromise. These included modified EternalBlue (also used by WannaCry) and EternalRomance exploits and the DoublePulsar backdoor for propagation within the corporate network; compromised MeDoc accounting software, which distributed the malware through software updates; and a compromised news website for Ukraine’s Bakhmut region that was used as a watering hole by the attackers.
What’s more, ExPetr was capable of spreading even to properly patched machines in the same local network as the initially infected computer. To do that, it harvested credentials from the infected system by means of a Mimikatz-like tool and proceeded with its lateral movement by means of the PsExec or WMIC instruments.
The encrypting component of ExPetr operated on two levels: encrypting the victim’s files with the AES-128 algorithm and then installing a modified bootloader taken from another malicious program – GoldenEye (the successor of the original Petya). This malicious bootloader encrypted the MFT, a critical data structure of the NTFS file system, and prevented further boot processes, asking for a ransom.Impact of ExPetr
Victims of ExPetr included major organizations such as shipping ports, supermarkets, ad agencies and law firms: for example, Maersk, FedEx (TNT) and WPP. A month after the attack, TNT’s deliveries were still affected, with SMB customers suffering most. Another victim, consumer goods giant Reckitt Benckiser, lost access to 15,000 laptops, 2,000 servers and 500 computer systems in the space of just 45 minutes when the attack hit – and expects the cost to the business to be over $130 million. Maersk announced a revenue loss of around $300 million due to the attack.The unanswered questions about ExPetr
Kaspersky Lab experts have found similarities between ExPetr and early variants of BlackEnergy’s KillDisk code – but the true motivation and purpose behind ExPetr also remain unknown.BadRabbit
Then, in late October, another crypto-worm, BadRabbit, appeared. The initial infection started as a drive-by download served from a number of compromised websites and mimicking an update for Adobe Flash Player. When launched on a victim’s computer, BadRabbit’s worm component attempted to self-propagate using the EternalRomance exploit and to employ a lateral movement technique similar to the one utilized by ExPetr. Most of BadRabbit’s targets were located in Russia, Ukraine, Turkey and Germany.
The ransomware component of BadRabbit encrypted the victim’s files, followed by the whole disk partitions using modules of legitimate utility DiskCryptor. The analysis of the code of BadRabbit samples and techniques suggests there is a notable similarity between this malware and ExPetr. However, unlike ExPetr, BadRabbit does not appear to be a wiper, as its cryptographic scheme technically allows the threat actors to decrypt the victim’s computer.Leaked exploits powered many new waves of attacks
The criminals behind the aforementioned ransomware outbreaks were not the only ones to use the code of exploits leaked by the Shadow Brokers to wreak havoc.
We have discovered some other not-so-notorious ransomware families that at some point used the same exploits. Among them are AES-NI (Trojan-Ransom.Win32.AecHu) and Uiwix (a variant of Trojan-Ransom.Win32.Cryptoff). These malware families are ‘pure’ ransomware in the sense that they do not contain any worm capabilities, i.e. cannot self-replicate, which is why they did not spread nearly as widely as WannaCry, for instance. However, the threat actors behind these malware families exploited the same vulnerabilities on victims’ computers during the initial infections.Master keys released for several ransomware families
Apart from the large-scale epidemics that shook the world, in Q2 2017 an interesting trend emerged: several criminal groups behind different ransomware cryptors concluded their activities and published the secret keys needed to decrypt victims’ files.
Below is the list of families for which keys became public in Q2:
- Crysis (Trojan-Ransom.Win32.Crusis);
- AES-NI (Trojan-Ransom.Win32.AecHu);
- xdata (Trojan-Ransom.Win32.AecHu);
- Petya/Mischa/GoldenEye (Trojan-Ransom.Win32.Petr).
The Petya/Mischa/GoldenEye master key was released shortly after the outbreak of ExPetr and might have been an attempt by the original Petya authors to show that they were not the ones behind ExPetr.The reappearance of Crysis
Despite the fact that the Crysis ransomware appeared to die in May 2017 following the release of all the master keys, it didn’t stay dead for long. In August, we started discovering numerous new samples of this ransomware and they turned out to be almost identical copies of the previously distributed samples, with only a few differences: they had new master public keys, new email addresses that victims were supposed to use to contact the criminals, and new extensions for the encrypted files. Everything else remained unchanged – even the timestamps in the PE headers. After thorough analysis of the old and new samples, our analysts concluded that most likely the new samples were created by binary patching the old ones using a hex editor. One reason for this might be that the criminals behind the new samples didn’t possess the source code and simply reverse-engineered the ransomware to raise it from the dead and use it for their own ends.RDP infections continue to grow
In 2016, we noticed a new emerging trend among the most widespread ransomware. Instead of trying to trick the victim into launching a malicious executable or using exploit kits, the criminals turned to another infection vector. They were brute-forcing the RDP logins and passwords on machines that had RDP turned on and that were available for access from the Internet.
In 2017, this approach became one of the main propagation methods for several widespread families, such as Crysis, Purgen/GlobeImposter and Cryakl. This means that when securing a network, InfoSec specialists should keep this vector in mind and block RDP access from outside the corporate network.Ransomware: a year in numbers
It is important not to read too much into the absolute numbers as they reflect changes in detection methodology as much as they do evolution of the landscape. Having said that, a few top line trends are worth noting:
- The level of innovation appears to be declining – in 2017, 38 new strains of encryption ransomware were deemed interesting and different enough to be designated as new ‘families’, compared to 62 in 2016. This could be due to the fact that the crypto-ransomware model is fairly limited and it is becoming progressively more difficult for malware developers to invent something new.
- There were many more modifications of new and existing ransomware detected in 2017: over 96,000 compared to 54,000 in 2016. The rise in modifications may reflect attempts by attackers to obfuscate their ransomware as security solutions get better at detecting them.
- The number of attacks as defined by hits against Kaspersky Lab customers remained fairly constant. In fact, the big spikes of 2016 have been replaced with a more consistent monthly spread. Overall, just under 950,000 unique users were attacked in 2017, compared to around 1.5 million in 2016. However, this data includes both encryptors and their downloaders; if you look at the numbers for encryptors only, the attack data for 2017 is similar to 2016. This makes sense if you consider that many attackers are starting to distribute their ransomware through other means, such as brute-forcing passwords and manual launching. These numbers do not include the many computers around the world unprotected by our solutions that fell victim to WannaCry – this number has been estimated at around 727,000 unique IP addresses.
- WannaCry, ExPetr and BadRabbit notwithstanding, the number of attacks targeting corporates increased only slightly: 26.2% in 2017 compared to 22.6% in 2016. Just over 4% of those targeted in 2017 were SMBs.
Further details on these trends, including the most affected countries and top ransomware families, can be found in the Kaspersky Security Bulletin 2017 Statistics Report.
According to Kaspersky Lab’s annual IT security survey
- 65% of businesses that were hit by ransomware in 2017 said they lost access to a significant amount or even all their data; while 29% said that although they were able to decrypt their data, a significant number of files were lost forever. These figures are largely consistent with those for 2016.
- 34% of those affected took a week if not more to restore full access, up from 29% in 2016.
- 36% paid the ransom – but 17% of them never recovered their data (32 and 19% in 2016).
In 2017, we saw ransomware apparently being used by advanced threat actors to mount attacks for data destruction rather than for pure financial gain. The number of attacks on consumers, SMBs and enterprises remained high, but they mainly involved existing or modified code from known or generic families.
Is the ransomware business model starting to crack? Is there a more lucrative alternative for cybercriminals motivated by financial gain? One possibility could be cryptocurrency mining. Kaspersky Lab’s threat predictions for cryptocurrencies in 2018 suggest a rise in targeted attacks for the purpose of installing miners. While ransomware provides a potentially large but one-off income, miners can result in lower but longer earnings, and this could be a tempting prospect for many attackers in ransomware’s current turbulent landscape. But one thing’s for sure, ransomware won’t just disappear – neither as a direct threat, nor as a disguise for deeper attacks.The fight against ransomware continues
- Through collaboration: On July 25, 2016, the No More Ransom initiative was launched by Kaspersky Lab, the Dutch National Police, Europol, and McAfee. It is a unique example of the power of joint public-private collaboration to both fight cybercriminals and help their victims with expertise, tips and decryption tools. One year on, the project has 109 partners and is available in 26 languages. The online portal carries 54 decryption tools, which between them cover 104 families of ransomware. To date, more than 28,000 devices have been decrypted, depriving cybercriminals of an estimated US$9.5 million in ransom.
- Through intelligence: Kaspersky Lab has monitored the ransomware threat from the start, and was one of the first to provide regular threat intelligence updates on extortion malware in order to boost industry awareness. The company publishes regular overviews of the evolving ransomware landscape, for instance, here and here.
- Through technology: Kaspersky Lab offers multi-layered protection against this widespread and increasing threat, including a free anti-ransomware tool that anyone can download and use, regardless of the security solution they use. The company’s products include a further layer of technology: System Watcher that can block and roll back malicious changes made on a device, such as the encryption of files or blocked access to the monitor.
Black Friday and Cyber Monday are great for shopping. Vendors flood the market with all kinds of goods, including lots of exciting connected devices that promise to make our life easier, happier and more comfortable. Being enthusiastic shoppers just like many other people around the world, at Kaspersky Lab we are, however paranoid enough to look at any Internet of Things (IoT)-device with some concern, even when the price is favorable. All because there is little fun in buying a coffeemaker that would give up your home or corporate Wi-Fi password to an anonymous hacker, or a baby-monitor that could livestream your family moments to someone you most definitely don’t want it livestreamed to.
It is no secret that the current state of security of the IoT is far from perfect, and in buying one of those devices you are potentially buying a digital backdoor to your house. So, while preparing for IoT-shopping this year, we asked ourselves: what are our chances of buying a perfectly secure connected device? To find the answer, we conducted a small experiment: we randomly took several different connected devices and reviewed their security set up. It would be an exaggeration to say that we conducted a deep investigation. This exercise was more about what you’d be able to see at first glance if you had a clue about how these things should and shouldn’t work. As a result we found some rather worrying security issues and a few, less serious, but unnecessary ones.
We looked at the following devices: a smart battery charger, an app-controlled toy car, an app-controlled smart set of scales, a smart vacuum cleaner, a smart iron, an IP camera, a smart watch, and a smart home hub.Smart Charger
The first device we checked was the smart charger that attracted us with its built-in Wi-Fi connectivity. You may ask yourself: who would need a remotely controlled battery charger, especially when you need to manually set the battery to charge? Nevertheless, it exists and it allows you not only to charge the battery, but to manage the way you charge it. Like a boss.
The device we tested charges and restores most types of batteries with a nominal voltage from 3 to 12 volts. It has a Wi-Fi module, which allows the device owner to connect remotely to control the charging process, to change the charging settings and to check how much electricity the battery is storing at any time.
Once turned on, the device switches by default to ‘access point’ mode. The user should then connect to the device and open the management interface web page. The connection between the charger and the device you use to access the management panel uses the outdated and vulnerable WEP algorithm instead of WPA2. However it is password protected. Having said that, the predefined password is ‘11111’ and it is actually written in the official documentation that comes with the device and is searchable online. However, you can change the password to a more secure one. Having said that, the length of the password is limited, for some reason, to five symbols. Based on the information available here, it would take four minutes to crack such a password. In addition to that the web interface of the device itself has no password protection at all. It is available as is, once it is connected to your home Wi-Fi network.
Who would attack a smart charger anyway, you may well ask, and you would probably be right as there are likely few black hat hackers in the world who would want to do that. Especially when it requires the attacker to be within range of the Wi-Fi signal or have access to your Wi-Fi router (which, by the way, is a much bigger problem). On the other hand, the ability to interfere with how the battery is charging, or randomly switching the parameters could be considered as worth a try by a wicked person. The probability of real damage, like setting fire to the battery or just ruining it is heavily dependent on the type of battery, however the attack can be performed just for lulz. Just because they can.
To sum up: most likely when using this device, you won’t be in constant danger of a devastating remote cyberattack. However, if your battery eventually catches fire while charging, it could be a sign that you have a hacker in your neighborhood, and you have to change the password for the device. Or it could be the work of a remote hacker, which probably means that your Wi-Fi router needs a firmware update or a password change.Smart App-Controlled Wireless Spy Vehicle
While some people are looking for useful IoT features, other seek entertainment and fun. After all, who didn’t dream of their own spying toolset when they were young? Well, a Smart App-Controlled Wireless Spy Vehicle would have seemed a dream come true.
This smart device is actually a spy camera on wheels, connected via Wi-Fi and managed via an application. The spy vehicle, sold in toy stores, has Wi-Fi as the only connection interface. For management there are two official applications, for iOS and Android. We assumed that there could be a weakness in the Wi-Fi connections – and we turned out to be right.
The device is able to execute the following commands:
- Move across the area (with multiple riding modes, it is possible to control speed and direction)
- View an image from the navigation camera during movement, for ease of navigation
- View an image from the main camera, which can also be rotated in different directions (there is even a night vision mode)
- Record photos and videos that are stored in the phone’s memory
- Play audio remotely via a built-in speaker
Once connected to a phone, it becomes a Wi-Fi access point without password requirements. In other words, any person connected to it can send remote commands to the vehicle – you’d just need to know which commands to send. And if you – being a bit concerned about the lack of password protection in a child’s toy that has spying capabilities – decided to set one up, you’d find there was no opportunity to do so. And if you have basic network sniffing software on your laptop, and decided you’d like to see what the vehicle was currently filming, you’d be able to intercept the traffic between the vehicle and the controlling device.
That said, a remote attack is not possible with this device, and an offensive third-party would have to be within the range of the toy’s Wi-Fi signal which should be enabled. But on the other hand, nothing prevents an attacker from listening to your traffic in a passive mode and catching the moment when the device is used. So if you have seen someone with a Wi-Fi antenna near your house recently, chances are they’re curious about your private life, and have the means to look into it.Smart Robo Vacuum Cleaner. With camera
Speaking of other devices with cameras that are around you, we spent some time trying to figure out why a smart vacuum cleaner would need to have a web-cam – is it for the macro filming of dust? Or to explore the exciting under-bed world? Joking aside, this function was made specifically for the cleaning enthusiast: if you find it exciting to control the vacuum cleaner manually while checking exactly what it’s doing, this is the gadget for you. Just keep in mind that it is not quite secure.
The device is managed via a specific application – you can control the cleaner’s movement, get video live-streaming while it’s cleaning, take pictures, etc. The video will disappear after streaming, while photos are stored in the application.
There are two ways to connect to the device via Wi-Fi:
- With the cleaner as access point. If you don’t have a Wi-Fi network in your home, the device will provide the connection itself. You simply connect to the cleaner via the mobile application – and off you go!
- The cleaner can also work as a Wi-Fi adapter, connected to an existing access point. After connecting to the cleaner-as-access-point you can then connect the device to your home Wi-Fi network for better connection and operation radius.
As the device is managed via a mobile phone application, the user should first go through some kind of authorization. Interestingly enough, for this they only need to enter a weak default password – and that’s it. Thus, an attacker just needs to connect to cleaner’s access point, type in the default password to authorize themselves in the application for pairing the mobile phone and the cleaner. After the pairing is completed, they can control the device. Also, after connection to a local network, the robot vacuum cleaner will be visible in the local network and available via a telnet protocol to anyone who is also connected to this network. Yes, the connection is password protected, which can be changed by the owner of the device (but really, who does that?!), and no, there is no brute force protection in place.
Also the traffic between the app and the device is encrypted, but the key is hard-coded into the app. We are still examining the device, and the following statement should be taken with a big grain of salt, but potentially a third-party could download the app from Google Play, find the key and use it in a Man-in-the-Middle attack against the protocol.
And, of course, like any other Android-app controlled connected device, the robot vacuum cleaner is a subject to attack via rooting malware: upon gaining super user rights, it can access the information coming from the cleaner’s camera and its controls. During the research, we also noticed that the device itself runs on a very old version of Linux OS, which potentially makes it subject to a range of other attacks through unpatched vulnerabilities. This, however, is the subject of ongoing research.Smart Camera
IP cameras are the devices targeted most often by IoT-hackers. History shows that, besides the obvious unauthorized surveillance, this kind of device can be used for devastating DDoS-attacks. Not surprisingly, today almost any vendor producing such cameras is in the cross-hairs of hackers.
In 2015, our attempt to evaluate the state of security of consumer IoT took a look at baby monitor; this year we’ve focused on a rather different kind of camera: the ones used for outside surveillance – for example the ones you’ve put up in your yard to make sure neighbors don’t steal apples from your trees.
Originally, the device and its relatives from the same vendor were insecure due to a lack of vendor attention to the problem. But the issue of camera protection changed dramatically around 2016 after reports of unauthorized access to cameras became publicly known through a number of publications like here or here.
Previously, all the cameras sold by this vendor were supplied with a factory default account and default password ‘12345’. Of course, users tended not to change the password. In 2016, the picture changed radically when the vendor became an industry pioneer in security issues, and started to supply cameras in ‘not activated’ mode. Thus, there was no access to the camera before activation. Activation required the creation of a password and some network settings. Moreover, the password was validated in terms of basic complexity requirements (length, variety of characters, numbers and special characters). Activation of the camera could be performed from any PC with access to the camera over the local network.
Since this reform, updating the firmware on a camera with a default password leads to the camera demanding a password change and warning the user about security issues every time they connect. The password requirements are quite solid:
Additionally, protection from password brute forcing has been implemented:
Moreover, the vendor added a new security feature to the firmware in 2016. This involves protection against brute forcing, by automatically blocking access for an IP address after five to seven attempts to enter the wrong password. The lock is automatically removed after 30 minutes. The feature, which is enabled by default, significantly increases the level of security.
Nevertheless, not everything is perfect in the camera. For instance, the exchange of data with the cloud is performed via HTTP, with the camera’s serial number as its ID. This obviously makes Man-in-the-Middle attacks more realistic.
In addition to a standard WEB interface for such devices, there is a specialized tool for camera configuration, which can search for cameras on the network, display data on the cameras, and perform basic settings including activation, password changes, and the implementation of password resets for network settings. When triggering the device search the PC sends a single Ethernet frame.
The camera’s response is not encrypted, and contains model information such as the firmware, date reset and network settings. Since this data is transmitted in a non-encrypted way and the request does not have authorization, this one Ethernet package can detect all cameras on the network and obtain detailed information about them. The algorithm has one more weakness: when forming a response, time delays are not considered. As a consequence, it is easy to organize a DDoS attack in the network, sending such requests to all cameras within the presented Ethernet network .
Apart from the described specific protocol, cameras support a standard SSDP protocol for sending notifications, and this allows any software or hardware to automatically detect the cameras. This SSDP data also contains information about the model and serial number of the camera.
One more attack vector lies in the remote password reset, which is supported by a technical support service. Anyone with access to the camera’s network can select a camera through the specialized tool for camera configuration and request the reset procedure. As a result, a small file containing the serial number of the camera is created. The file is sent to the technical support service, which then either refuses the request or sends a special code to enter a new password. Interestingly enough, the service doesn’t even try to check whether the user is the owner of the camera – outdoor surveillance assumes that the camera is located out of reach, and it is almost impossible to identify remotely the author of the request. In this scenario, an insider cybercriminal attack is the most probable vector.
To sum up: luckily this is not the worst camera we’ve ever seen when it comes to cybersecurity; however, some unnecessary issues are still there to be exploited by an offensive user.Smart Bathroom Scales
Remember that picture from the internet, where hacked smart scales threaten to post their owner’s weight online if they don’t pay a ransom? Well, joking aside we’ve proved this may be possible!
This is a smart device, interacting with a smartphone app via Bluetooth, but it is also equipped with a Wi-Fi module. This connectivity provides the owner with a number of additional features, from weight monitoring on a private website secured by a password to body analysis and integration with various healthcare apps. Interestingly enough, the only Wi-Fi-enabled feature is the receiving of weather updates.
We decided to test the possibility of arbitrary updates\software installation on the specified device in LAN using ARP spoofing and the implementation of Man-in-the-Middle attacks. Here’s what we found.
The mobile phone interacts with the main server via HTTPS, in a series of queries. The scales themselves are connected to the mobile phone via Bluetooth. The process of pairing is simple: you request connection via the application, and then turn the scales’ Bluetooth connection on. Given the very limited time for this stage, it is very unlikely that someone will be able to pair the devices without the user’s knowledge.
Among other things, the device transmits via Bluetooth various user data – mail, indication of weight, etc. The device receives updates via the application. The latter sends the current version of updates and a number of other parameters to the server – the server, in turn, passes to the application a link to the downloaded file and its checksum.
However the updates are provided as is, on the HTTP channel, without encryption, and the updates themselves are also not encrypted. Thus, if you are able to listen to the network to which the device is connected you would be able to spoof the server response or the update itself.
This enabled us to, firstly, ‘roll back’ the version of the updates, and then install a modified version that does not match the one retrieved from the server. In this scenario, the further development of attacks is possible, like installing arbitrary software on the device.
The good news is that this device has no camera, so even if any other severe vulnerabilities are found, you are safe. Besides that, who would want to spend time on hacking smart scales? Well, the concern is a valid one. First of all, see the picture at the beginning of this text, and secondly: as we already mentioned above, sometimes hackers do things just because they can, because certain things are just fun to crack.Smart Iron
Fun to crack – that is something you can definitely say about a smart iron. The very existence of such a device made us very curious. The list of things you could potentially do should a severe vulnerability be found and exploited looked promising. However, the reality turned out to be rather less amusing. Spoiler: based on our research it is impossible to set fire to the house by hacking the iron. However, there are some other rather interesting issues with this device.
The iron has a Bluetooth connection that enables a number of remote management options through a mobile app. We assumed that communication with the server would be insecure, allowing someone to take control of the device and its sensitive data, as manufacturers would not be paying enough attention to the protection of this channel, believing that a smart iron would be of little value to an attacker.
Once it is connected to the user’s mobile phone, the iron is managed via the application, which exists in versions for both iOS and Android. The app allows you to:
- View the orientation of the iron (whether it is lying flat, standing, or hanging by its cable)
- Disable (but – sadly – not enable) the iron
- Activate ‘safe mode’ (in which iron does not react to a mechanical switch on. To turn the iron on when it is in that mode you need to turn off safe mode in the app).
In terms of on/off safety the iron automatically switches off if it is stationary for five seconds in a ‘lying’ position, or for eight minutes in a ‘standing’ position.
The iron can also be controlled via the internet. For this, it is necessary to have a gateway near the device, like a separate smartphone or tablet with internet access and a special app.
Given all that, we decided to take a closer look at the applications for the device. There are three of them – one for iOS and two for Android. The first Android app is for when you manage the device via Bluetooth and are standing nearby, and the other one is for the gateway, which serves as an online door to your iron when you are not at home. The iOS app is for Bluetooth management. Speaking about the security of all applications, it is worth mentioning that the vendor’s code is not obfuscated at all.
When viewing online traffic, we found out that the Android Bluetooth application uses HTTPS, which is a sensible solution. The corresponding app for iOS does not and neither does the gateway app for Android. We decided to test the traffic for the iOS application.
Once it is enabled, the application offers the user the chance to register, and then sends the data without encryption via HTTP. This gives us a very simple attack vector based on the interception of traffic between the mobile application and the vendor’s server within the local network.
As already mentioned, the phone also communicates with the iron using BLE. The BLE traffic is also not encrypted. After deeper investigation of the applications, we were able to control the iron by creating specific commands just from looking into what is transmitted between the devices.
So, if you were a hacker, what could you do with all this knowledge? First of all if you would be able to capture the user’s credentials, to pass the authorization stage in an official application and to switch off the iron or set it to ‘safe mode’. It is important to note here that these applications are used for all of the vendor’s smart devices, and there are quite a few. This significantly enlarges the attack surface.
No need to worry if you miss the chance to intercept the authentication data. Given that the data exchange between the app and the device is not encrypted, you would be able to intercept a token transmitted from the server to the application and then create your own commands to the iron.
As a result, within the local network an attacker can perform:
- Identity theft (steal personal email address, username, password)
- Extortion (take advantage of the ignorance of the user to enable ‘safe mode’ so that the user could not mechanically turn on the iron, and to demand money for disabling ‘safe mode’)
Of course both these vectors are highly unlikely to be extensively performed in the wild, but they are still possible. Just imagine how embarrassing it would be if your private information was compromised, not as a result of an attack by a sophisticated hackers, but because of the poor security of your smart iron.Smart home hub
The biggest problem with the vast majority of connected devices currently available is that most of them work with your smartphone as a separate, independent device, and are not integrated into a larger smart ecosystem. The problem is partly solved by so called smart hubs – nodes that unite in one place the data exchange between multiple separate smart devices. Although prior art in finding a secure smart hub, conducted by multiple other researchers, leaves little room for hope, we tried anyway and took a fancy smart hub with a touch screen and the ability to work with different IoT-protocols. It is universally compatible, works with ZigBee и ZWave home automation standards, and very easy to handle: according to the manufacturer, it can be set up within three minutes, using the touchscreen.
In addition the hub serves as a wireless Wi-Fi router.
Given all the features this multi-purpose device has, being a router, range extender, access point or wireless bridge, we decided to check one of the most common and most dangerous risks related to unauthorized external access to the router. Because, if successful, it would possibly lead to full control of a user’s smart home, including all connected devices.
And, no surprise, our research has shown there is such a possibility.
To check our assumption we created a local network, by connecting a PC, the device and one more router to each other. All network devices received their IP addresses, and we successfully scanned available ports. Our initial research has shown that, by default, there are two opened ports over WAN. The first one, port 80, is one of the most commonly used and assigned to protocol HTTP. It is the port from which a computer sends and receives web client-based communication and messages from a web server, and which is used to send and receive HTML pages or data. If opened, it means that any user can connect to port 80 and thus have access to the user’s device via the HTTP protocol.
The second one, port 22 for contacting SSH (Secure Shell) servers is used for remote control of the device. Attackers can gain access to a device if they obtain or successfully brute force a root password. Usually it’s not an easy task to do. However, in our research we explored another interesting risky thing with the smart hub that makes this much easier.
While analyzing the router, we discovered it might have problems with a very common threat risk – weak password generation. In the router system we found ELF (Executable and Linkable Format) file ‘rname’ with a list of names. By looking at this list and the password displayed on the screen, it became clear that device’s password is generated based on the names from this file and, thus, it doesn’t take long for brute force cracking.
After a hard reset, the source line for passwords remained, with slightly changed symbols. However, the main password base remained the same, and that still leaves a chance to generate a password.
In addition, we found that for device access a root account is constantly used. Thus, offensive users will know the login and a base part of the password, which will significantly facilitate a hacker attack.
In case the device has a public IP address and the ports described above are opened, the router can be available for external access from the internet. Or, in other case, if a provider or an ISP (Internet Service Provider) improperly configures the visibility of neighboring hosts of the local network, these devices will be available to the entire local network within the same ISP.
In all, we weren’t surprised; just like most any other smart hubs on the market, this one provides a really vast attack surface for an intruder. And this surface covers not only the device itself, but the network it works on. And here are the conclusions which the results of our experiment have brought us to.Conclusions
Based on what we’ve seen while doing this exercise, the vendors of many IoT-devices developing their products assume that:
- They won’t be attacked due to limited device functionality and a lack of serious consequences in the case of a successful attack.
- The appropriate level of security for an IoT-device is when there is no easy way to communicate with the wider internet and the attacker needs to have access to the local network the device is connected to.
We have to say that these assumptions are reasonable, but only until the moment when a vulnerable router or multifunctional smart hub, like the one described above, appears in the network to which all other devices are connected. From that moment, all the other devices, no matter how severe or trivial their security issues, are exposed to interference. It is easy to imagine a house, apartment or office populated with all these devices simultaneously, and also easy to imagine what a nightmare it would be if someone tried each of described threat vectors.
So in answer to the question we asked ourselves at the beginning of this experiment, we can say that, based on our results at least, it is still hard to find a perfectly secure IoT-device.
On the other hand, no matter which device you purchase, most likely it won’t carry really severe security issues, but again, only until you connect them to a vulnerable router or smart hub.
Keeping that and the ongoing high sales holiday season in mind we’d like to share the following advice on how to choose IoT devices:
- When choosing what part of your life you’re going to make a little bit smarter, consider the security risks. Think twice if you really need a camera-equipped robo vacuum cleaner or a smart iron, which can potentially spill some of your personal data to an unknown third-party.
- Before buying an IoT device, search the internet for news of any vulnerability. The Internet of Things is a very hot topic now, and a lot of researchers are doing a great job of finding security issues in products of this kind: from baby monitors to app controlled rifles. It is likely that the device you are going to purchase has already been examined by security researchers and it is possible to find out whether the issues found in the device have been patched.
- It is not always a great idea to buy the most recent products released on the market. Along with the standard bugs you get in new products, recently-launched devices might contain security issues that haven’t yet been discovered by security researchers. The best choice is to buy products that have already experienced several software updates.
- To overcome challenges of smart devices’ cybersecurity, Kaspersky Lab has released a beta version of its solution for the ‘smart’ home and the Internet of Things – the Kaspersky IoT Scanner. This free application for the Android platform scans the home Wi-Fi network, informing the user about devices connected to it and their level of security.
When it comes to the vendors of IoT-devices, the advice is simple: collaborate with the security vendors and community when developing new devices and improving old ones.P.S. 1 out of 8
There was one random device in our research, which showed strong enough security for us at least not to be worried about private data leakage or any other devastating consequences. It was a smart watch. Like most other similar devices, these watches require an app to pair them with the smartphone and use. From that moment, most of data exchange between the device and the smartphone, the app and the vendors’ cloud service are reliably encrypted and, without a really deep dive into encryption protocol features or the vendor’s cloud services it is really hard to do anything malicious with the device.
For the pairing the owner should use the pin code displayed on the clock for successful authorization. The pin is randomly generated and is not transmitted from the clock. After entering the pin code in the app, the phone and clock create the key for encryption, and all subsequent communication is encrypted. Thus, in the case of BLE traffic interception an attacker will have to decrypt it as well. For this, an attacker will need to intercept traffic at the stage of generating the encryption key.
It is apparently impossible to get user data (steps, heart rate etc.) directly from the device. Data synchronization from the clock on the phone is encrypted and, in the same form is sent to the server. Thus, data on the phone is not decrypted, so the encryption algorithm and the key are unknown.
From our perspective this is an example of a really responsible approach to the product, because, by default the vendor of this device could also easily limit their security efforts to assuming that no one will try to hack their watches, as, even if successful, nothing serious happens. This is probably true: it is hard to imagine a hacker who would pursue an opportunity to steal information about how many steps you made or how fast your heart beats at any given moment of the day. Nevertheless, the vendor did their best to eliminate even that small possibility. And this is good, because cybersecurity is not all those boring and costly procedures which you have to implement because some hackers found some errors in your products, we think cybersecurity is an important and valuable feature of an IoT-product, just like its usability, design and list of useful functions. We are sure that as soon as IoT-vendors understand this fact clearly, the whole connected ecosystem will become much more secure than it is now.
There’s certainly no shortage of commercial spying apps for Android, with most positioned as parental control tools. In reality, however, these apps barely differ from spyware, with the exception perhaps of the installation method. There’s no need to even resort to Tor Browser or other darknet activity either – all you need to do is type something like “android spy app” into Google.
They are called ‘commercial’ because anyone can buy an app like this for just a few dollars.
Kaspersky Lab mobile products detect this sort of commercial Android spyware as not-a-virus:Monitor.AndroidOS.*. According to our telemetry, the popularity of these apps has been growing in recent years:
That’s why we decided to take a closer look at this controversial type of mobile software.Features
Almost all commercial spyware apps are installed by manually accessing the target’s phone, and this is the only big difference between these apps and classic malicious spyware like DroidJack or Adwind. Customers have to download the app, install it and enter credentials that are received after purchasing. After that, the spying app becomes invisible on the phone. Installation usually only takes a couple of minutes.
Some of these tools use device admin features to gain persistence and self-protection on the target’s phone.
So what does the customer get? Features may vary, but some of them are present in almost all these kinds of apps:
- Stealing SMSs
- Stealing calls (logs/recordings)
- GPS tracking
- Stealing browser data (history/bookmarks)
- Stealing stored photos/videos
- Stealing address books (with emails and even photos sometimes)
And if you’re still not impressed, then check out the actual feature lists (in addition to the above) of some popular commercial spyware for Android. We have added the infamous Pegasus APT and Droidjack spyware to our comparison table below to show the difference in features between them and monitoring apps. Pegasus is an advanced persistent threat, created by NSO Group. Droidjack is an RAT that was sold some time ago for a $210 lifetime license. This tool is more akin to TrojWare, because of features such as remote installation and customization of your own C&C server. However, even after several users in European countries were arrested, malware author Sanjeevi claimed that Droidjack is “very useful for users who use it legally”. He stated that “Droidjack is a parental tool for remote Android administration. It is strictly meant for that and no other reasons”. Anyone who breaks these rules, adds Sanjeevi, will have their license revoked.Stealing emails Stealing surrounding voice Stealing scheduled tasks/ calendar/ notes Stealing social media/IM data Backdoor behavior (e.g., remote control) Photo/ video/ screenshot capture Keylogging Stealing clipboard Pegasus + + + + + + + – DroidJack – + – + + + – – TiSpy + + + + – + + + Exaspy + + + + + + – – iKeyMonitor + + – + – + + + Mobistealth + + + + – + + – mSpy + – + + + – + – iSpyoo + + + + + – – – SpyHuman – + – + + + – – TheftSpy – + – + + + – – TheTruthSpy – + – + + – + – OneSpy + + – + – + – – Highster Mobile + – – + – – – – Spymaster Pro – – – + – + – – DroidWatcher – – – + – + – –
This comparison table shows that the difference between known sophisticated spyware and some commercial monitor apps is not that great and, in some cases, monitor applications can even grab more private user information.
Exaspy is an especially interesting case. This is a classic monitor application with a regular manual-access installation method (you have to enter license credentials after installation to start spying):
However, after news about a high-profile victim – a senior executive at a company – this monitor app is considered illegal for now. Note that there are a lot of similar apps that can result in cases like this.
Some special features (spying on social media apps, for example) only work on a rooted device, but the list is still impressive. The ‘Stealing social media/IM data’ feature is particularly important. It means that the spyware is able to attack other social media or messenger apps (depending on the specific product), for example, Facebook, Viber, Skype, WhatsApp, etc. As a result, an attacker can observe messenger conversations, feeds and other personal data from the victim’s social media profile.
These products use the same techniques as standard malicious spyware to steal data, and sometimes on a bigger scale. For example, here is a fragment of code from a commercial application called OneSpy with a list of external attacked applications:
As you can see, the commercial app is interested in all popular social media apps and messengers.It’s ‘legal’
Above we mentioned that some commercial Android spyware apps like Exaspy were recognized as illegal after investigations. But many commercial spyware applications are still considered legitimate because, according to their sites, they were created “for everyone who needs a helping hand in protection of their loved-ones, their children, family and employees”.
Some of them claim that their products are ‘100% undetectable’. This may be true for the naked eye, but definitely not for our products.
But why do we think commercial spyware poses a danger and why do we detect it? There are several reasons:
- Almost all commercial spyware is distributed from its own site and landing pages. This results in vendors prompting users to enable the “Allow install of non-market applications” setting. This setting is very important for device safety because enabling it makes an Android device vulnerable to malware installation. For security reasons this method of distribution is contrary to Google policy.
- Because some spying features only work on a rooted device, many vendors recommend rooting the targeted device. This opens the door for potential malware infection, and moreover, device rooting is contrary to Google policy.
- Not every vendor can guarantee the safety of personal data, and that applies not only to hacker attacks but also to simple methods of product security.
The last point is very important and our concerns aren’t baseless. I analyzed one commercial spyware app, investigating the vendor’s main site and C&C server. I soon found lots of files that had been uploaded to the server and that turned out to be users’ personal data collected by the app. Private files were stored on the server without any protection and could be accessed by anyone.
Many users of spyware apps who want to monitor the private lives of their relatives simply don’t understand that they may not be the only ones who will have access to such information.
To sum up, installing such apps, even on your child’s device, is a risky step that could lead to malware infection, data leaks or other unpleasant consequences. In our products we use a special technology for Android OS that helps detect dangerous apps capable of violating a customer’s data privacy. There is one simple and very important tip for everyone – always protect your phone with a password, PIN or fingerprint, so an attacker won’t be able to manually access your device.
The average home now has around three connected computers and four smart mobile devices. Hardly surprising, considering that 86 per cent of us check the Internet several times a day or more, and that’s outside of work. Chatting, shopping, banking, playing games, listening to music, booking travel and managing our increasingly connected homes. The risk of cyberattack can be the furthest thing from our mind.
Every year, Kaspersky Lab’s experts look at the main cyberthreats facing connected businesses over the coming 12 months, based on the trends seen during the year. For 2018, we decided to extract some top predictions that also have big implications for everyday connected life.
So what could the hackers be after in 2018?
Security gaps in your connected car. Earlier this year, researchers showed how a hack could shut down all safety features in a car, including airbags. Such attacks will become easier as connected cars contain more and more components that could be accessed digitally. For example: mobile phones can be paired with a vehicle’s head unit via Bluetooth; and Bluetooth was recently found to have more than 8 serious software A hacker only has to use one and they will have an access to car systems to conduct further attacks. Some cars have cellular or Wi-Fi connectivity and almost any modern car has a USB-port – all of these can be used in order to deliver infected code to the car’s systems.
The data exchange between the internal systems of a car has been proven to be vulnerable to external interference, both by external researchers and Kaspersky Lab own findings. Given the fact that car industry is planning the development and production cycles years ahead, it is unlikely that all reported issues will be fixed in new connected cars coming on the market in 2018. Most of these cars were designed before cybersecurity became an issue for the automotive industry. That said, we expect that cars coming off the production line after that will have the most critical cybersecurity features implemented and will therefore be safer.
- Vulnerable car apps. Most leading car manufacturers now offer apps to make life easier for drivers – they can locate, lock/unlock your car, check tire pressure, request assistance, schedule maintenance and more. Researchers have already shown how many such apps can be hacked to partly take over a car. 2018 could see the first appearance of an infected app that can manage a car or spy on its owner by tracking their location, or collecting authentication data. This data could then be sold on the underground market. Kaspersky Lab researchers have seen signs that authentication data to access connected car apps is already in demand on underground markets. As the number of connected cars increases, this trend will become a bigger problem.
- Security gaps in wearable medical devices/implants, for data theft or sabotage. In 2018, there will be an estimated 19 million connected medical wearables, such as insulin pumps, pacemakers, monitors etc. in use, up from 12.8 million today. Companies are already issuing warnings about security gaps, knowing that, in an extreme case hackers could tamper with devices, set them to administer a fatal dose or to otherwise malfunction. This threat will rise in 2018 and probably keep on rising.
- Still everywhere. The global pandemic that is ransomware shows no signs of abating. Our data shows that just under a million of our users were attacked with ransomware in 2017, only slightly less than in 2016 – but the actual number of those attacked in 2017 will be much higher. For example, the WannaCry ransomware victim count may exceed 700,000 thousand. With malware and distribution tools freely available on the web, attackers have discovered that locking or encrypting people’s data and devices – and those belonging to big companies, hospitals and smart city networks – is an easy and effective way of making money. In 2018 expect more of the same.
- Malware, ditto – particularly that targeting Android mobile devices. We live in an increasingly mobile-driven world and hackers have upped their game. In 2017, we saw Android malware poisoning hotel booking, taxi service and ride-sharing apps, targeting mobile payments (SMS- and WAP billing), and using new techniques to bypass OS security. In 2018 we expect to see even more innovation.
- Getting you to mine for cryptocurrency coins or stealing your coins. Cryptocurrencies are becoming more popular, so experts predict hackers will tap into people wanting to get a share of the action. In 2018, this could see more people going over to mining cryptocurrencies on their work-computers. We’ll certainly see more attacks designed to steal crypto coins from users, or install hidden mining tools on machines, particularly mobiles. Kaspersky Lab research shows that the number of people hit by such attacks have already exceeded two million in 2017. On the other hand, if handled properly and with the user’s consent, some forms of cryptocurrency mining may become a legal way of monetization for websites and/or apps.
- Taking control of the world’s connected stuff for large scale disruption. Speaking of smart city technology such as CCTV cameras, what would happen if there was an attack on a city’s light control systems, causing not just blackouts but stroboscopic effects? Over the next year, smart city technologies such as traffic control, lighting, speed cameras, public transport and power supplies, as well as air traffic control infrastructure and more, will be a growing target for hackers. It’s estimated that by 2020 there will be 9.6 billion connected things used in smart cities around the world. Many of them just as buggy and vulnerable as your home router. Disruption to and disabling of these vast connected systems could do untold damage.
Taking control of your connected stuff to create big botnets. Your home routers, connected webcams and smart thermostats are all great, but they’re likely full of software bugs and if you don’t set a proper password, hackers can pull them into a huge zombie botnet. The infamous ‘Mirai’ botnet that nearly broke the Internet in 2016 was largely made up of CCTV cameras and connected printers – and in 2017 researchers found attackers improving Mirai’s tools. Proven as reliable and effective denial-of-service tools, new botnets built out of insecure devices may emerge in 2018.
So there’s some scary stuff and a few not very nice people out there. That shouldn’t stop you from making the most of what connected devices and systems have to offer over the next year and beyond. Fortunately, there are a lot of simple things that you can to stay safe. Here’s a few examples:
- Make use of the security features that come with your devices: set a decent password and keep the software updated. Not just phones and computers, but everything that is connected.
- Be selective when choosing a smart device. Ask yourself: Does this really need an internet connection? If the answer is yes, then take the time to understand the device options before buying. If you discover that it has hard-coded passwords, choose a different model.
- Consider cryptocurrencies as another way of saving and treat them accordingly. Just like you treat your ‘regular’ money.
- Only install apps from reputable stores like Google Play, created by reputable developers.
- Last but not least, consider supplementing the OS/device security with some additional software – particularly to keep your family and finances safe. A free version of Kaspersky Lab’s security software is available here.
For more information and advice on staying safe online please see the Kaspersky Daily blog.
The festive holiday shopping season, which covers Thanksgiving, Black Friday and Cyber Monday in late November as well as Christmas in December, now accounts for a significant share of annual sales for retailers, particularly in the U.S., Europe and APAC.
Those selling clothing, jewellery, consumer electronics, sports, hobbies and books can make around a quarter of their sales during the holiday period. In 2017, holiday sales in the U.S. alone are expected to be up by 3.6 to 4.0 per cent on the same time in 2016.
For brands looking to make the most of this annual spending spree, the desire to sell as much as possible at a time of intense competition is leading to ever more aggressive marketing campaigns – particularly online.
Promotional emails, banner ads, social media posts and more bombard consumers over the holiday months; generating a great deal of noise. Tactics such as one-click buying are designed to making the purchase process ever easier and faster. Further, up to three quarters of emails received on Black Friday and Cyber Monday are now opened on a mobile device. People are becoming used to making instant decisions – and that has significant security implications. They may miss vital signs that things are not what they seem and their data could be at risk.
All this makes this time of year an ideal hunting ground for hackers, phishers and malware spreaders; disguising their attacks as offers too good to refuse, a concerned security message from your bank requiring urgent attention, a special rate discount from your credit card service, and more. All you have to do is enter your personal details, card numbers or bank account credentials.
Not surprisingly, messages or links designed to look as if they come from well-known, trusted brands, payment cards and banks account for many of the malicious communications detected by Kaspersky Lab’s systems in the last few years.Methodology and Key Findings
The overview is based on information gathered by Kaspersky Lab’s heuristic anti-phishing component that activates every time a user tries to open a phishing link that has not yet been added to Kaspersky Lab’s database. Data is presented either as the number of attacks or the number of attacked users. It updates the 2016 Black Friday overview report with data covering the fourth quarter of 2016 through to 18 October, 2017.Key Findings:
- Following a decline in 2015, financial phishing abusing online payment systems, banks and retailers increased again in 2016.
- Financial phishing now accounts for half (49.77 per cent) of all phishing attacks, up from 34.33 per cent in 2015.
- Mobile-first consumers are likely to be a key driver behind the rise in financial phishing: the use of smartphones for online banking, payment and shopping has doubled in a year, and mobile users will have less time to think and check each action, particularly if they are out and about.
- Attack levels are now fairly consistent throughout the year; and Q4 data shows they are also more evenly spread in terms of the brand names the phishers make use of.
- Data for both 2015 and 2016 shows a clear attack peak on Black Friday, followed by a fall. In 2016 the number of attacks fell by up to 33 per cent between Friday and Saturday, despite Saturday being the second biggest shopping day over the holiday weekend in the U.S.
- Financial phishers are exploiting the Black Friday name in their attacks, as well as consumer awareness of, and concerns about online security – disguising their attack messages as security alerts, implications that the user has been hacked, or adding reassuring-sounding security messages.
As earlier editions of the Black Friday overview have shown, phishing is one of the most popular ways of stealing personal information, including payment card details and credentials to online banking accounts. The schemes are fairly easy to set up, requiring limited investment and skills – and are mainly reliant on encouraging people to voluntarily part with their personal and financial information.
Originally spread mainly through emails – phishing attacks are now also carried out through website banners and pop-ups, links, instant messaging, SMS, forums, blogs and social media.
Phishing has a global reach. Kaspersky Lab data on attempted attacks shows that in 2017, China, Australia, Brazil were particularly vulnerable – with up to a quarter or more (28 per cent) of users targeted. Followed by North America., large parts of Western Europe, the Russian federation, Latin America, India and elsewhere – where up to one in six (17 per cent) were affected.A new pool for phishers
During the holiday period, consumers can become more exposed online. An onslaught of promotional emails, offers and ads, the pressure to buy gifts, and a growing tendency to use their smartphone for everything, can mean that people are browsing and buying through a relatively small screen and often while out and about surrounded by distractions. Taken together, the can make them easier to mislead and manipulate through social engineering and high quality spoofed web interfaces.
The 2017 Kaspersky Cybersecurity Index shows how important smartphones have become for online banking, payment and retail transactions.
Between the first six months of 2016 and the same period in 2017, online shopping on smartphones increased from 24 per cent to 43 per cent; online banking from 22 per cent to 35 per cent; and the use of online payment systems from 14 per cent to 29 per cent. Further, the use of smartphones to send and receive emails grew from 44 per cent to 59 per cent over the same period.
The Kaspersky Lab phishing data used in this report focuses on the attack rather than the device the messages/links are received or opened on, but the trend towards mobile-first behavior among consumers is creating new opportunities for cybercriminals that they will not hesitate to capitalize on.Financial phishing on the rise
As more people adopt online payment and shopping, the theft of financial information or credentials to online bank accounts is a growing target. The proportion of phishing attacks focused on financial data has risen steadily over the last few years and now accounts for half of all phishing attacks.
This popularity means that attack levels now remain fairly consistent throughout the year. The gap that previously existed between the number of attacks experienced during the high spending holiday period, and those registered in the rest of the year, seemed to close in 2016.
However, when you dig deeper into the data it becomes clear that the holiday season continues to represent a time of significant and greater risk of falling victim to financial phishing – mainly because of clear localized attack peaks, but probably also because of the increased vulnerability of distracted mobile shoppers and the surge of marketing noise.Types of financial phishing
We define three categories of financial phishing, depending on what is being exploited: online banking, online payment or online shopping. Each type has evolved at a different, and not always consistent rate over the last few years.2013 Full year Q4 Financial phishing total 31.45% 32.02% Online shop 6.51% 7.80% Online banks 22.20% 18.76% Online payments 2.74% 5.46% 2014 Full year Q4 Financial phishing total 28.73% 38.49% Online shop 7.32% 12.63% Online banks 16.27% 17.94% Online payments 5.14% 7.92% 2015 Full year Q4 Financial phishing total 34.33% 43.38% Online shop 9.08% 12.29% Online banks 17.45% 18.90% Online payments 7.08% 12.19% 2016 Full year Q4 Financial phishing total 47.48% 48.14% Online shop 10.41% 10.17% Online banks 25.76% 26.35% Online payments 11.55% 11.37% 2017 Q1-Q3 Financial phishing total 49.77% Online shop 9.98% Online banks 24.47% Online payments 15.31%
The change in the share of different types of financial phishing in 2013-2017Attackers follow consumer adoption trends
Data for the first three quarters of 2017 shows a slight drop in all financial phishing categories with the exception of online payment systems.
Looking at the dynamics of Q4 attacks using the names of leading payment systems it is clear that cybercriminals are adapting to reflect the growing use of online payment methods such as PayPal. But overall, there seems to be a disappearance of extremes, with attacks spread more evenly across the different brand names.Multi-brand retailers remain a top choice for financial phishing
In terms of retail brand, the leading names used by attackers over the last few years have barely changed – but the number of attacks in Q4 using each brand have also become more evenly spread. This could reflect growing consumer adoption of online shopping. Most of the top names supply multiple brands (Amazon, Alibaba, Taobao, eBay).
In short, financial phishing is no longer focused on one or two brands to the exclusion of all others, the attackers are widening their net – and this has far-reaching security implications. No brand can be assumed to be safe, or even safer.
Further, looking at the daily spread of attacks during the week leading up to Black Friday it can be seen that there are some major red flag days when consumers are more vulnerable than ever.Black Friday attacks
The following chart shows how the number of financial phishing attacks peak on Black Friday (November 25 in 2016, and November 27 in 2015), followed by a decline – particularly in 2016 when attacks detected fell by 33 per cent within a day (from around 770,000 to 510,000 detections). Weekends generally see lower levels of attacks and fewer people online, but in the U.S. the day after Black Friday is the second biggest shopping day of the year.Conclusion and advice
The main purpose of the report is to raise awareness of a threat that consumers, retailers, financial services and payments systems may encounter over the holiday season. Cybercriminals out for financial information and account details – and ultimately money – are increasingly adept at hiding in the noise, targeting their attacks and exploiting human emotions, such as fear and desire. For further information and advice, please see the full overview.
In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were true, we decided to conduct an internal investigation to attempt to answer a few questions we had related to the article and some others that followed it:
- Was our software used outside of its intended functionality to pull classified information from a person’s computer?
- When did this incident occur?
- Who was this person?
- Was there actually classified information found on the system inadvertently?
- If classified information was pulled back, what happened to said data after? Was it handled appropriately?
- Why was the data pulled back in the first place? Is the evidence this information was passed on to “Russian Hackers” or Russian intelligence?
- What types of files were gathered from the supposed system?
- Do we have any indication the user was subsequently “hacked” by Russian hackers and data exfiltrated?
- Could Kaspersky Lab products be secretly used to intentionally siphon sensitive data unrelated to malware from customers’ computers?
- Assuming cyberspies were able to see the screens of our analysts, what could they find on it and how could that be interpreted?
Answering these questions with factual information would allow us to provide reasonable materials to the media, as well as show hard evidence on what exactly did or did not occur, which may serve as a food for thought to everyone else. To further support the objectivity of the internal investigation we ran our investigation using multiple analysts of non-Russian origin and working outside of Russia to avoid even potential accusations of influence.The Wall Street Journal Article
The article published in October laid out some specifics that need to be documented and fact checked. Important bullet points from the article include:
- The information “stolen” provides details on how the U.S. penetrates foreign computer networks and defends against cyberattacks.
- A National Security Agency contractor removed the highly classified material and put it on his home computer.
- The data ended up in the hands of so called “Russian hackers” after the files were detected using Kaspersky Lab software.
- The incident occurred in 2015 but wasn’t discovered until spring of last year .
- The Kaspersky Lab linked incident predates the arrest last year of another NSA contractor, Harold Martin.
- “Hackers” homed in on the machine and stole a large amount of data after seeing what files were detected using Kaspersky data.
Having all of the data above, the first step in trying to answer these questions was to attempt to identify the supposed incident. Since events such as what is outlined above only occur very rarely, and we diligently keep the history of all operations, it should be possible to find them in our telemetry archive given the right search parameters.
The first assumption we made during the search is that whatever data was allegedly taken, most likely had to do with the so-called Equation Group, since this was the major research in active stage during the time of alleged incident as well as many existing links between Equation Group and NSA highlighted by the media and some security researchers. Our Equation signatures are clearly identifiable based on the malware family names, which contain words including “Equestre”, “Equation”, “Grayfish”, “Fanny”, “DoubleFantasy” given to different tools inside the intrusion set. Taking this into account, we began running searches in our databases dating back to June 2014 (6 months prior to the year the incident allegedly happened) for all alerts triggered containing wildcards such as “HEUR:Trojan.Win32.Equestre.*”. Results showed quickly: we had a few test (silent) signatures in place that produced a LARGE amount of false positives. This is not something unusual in the process of creating quality signatures for a rare piece of malware. To alleviate this, we sorted results by count of unique hits and quickly were able to zoom in on some activity that happened in September 2014. It should be noted that this date is technically not within the year that the incident supposedly happened, but we wanted to be sure to cover all bases, as journalists and sources sometimes don’t have all the details.
Below is a list of all hits in September for an “Equestre” signature, sorted by least amount to most. You can quickly identify the problem signature(s) mentioned above.Detection name (silent) Count HEUR:Trojan.Win32.Equestre.u 1 HEUR:Trojan.Win32.Equestre.gen.422674 3 HEUR:Trojan.Win32.Equestre.gen.422683 3 HEUR:Trojan.Win32.Equestre.gen.427692 3 HEUR:Trojan.Win32.Equestre.gen.427696 4 HEUR:Trojan.Win32.Equestre.gen.446160 6 HEUR:Trojan.Win32.Equestre.gen.446979 7 HEUR:Trojan.Win32.Equestre.g 8 HEUR:Trojan.Win32.Equestre.ab 9 HEUR:Trojan.Win32.Equestre.y 9 HEUR:Trojan.Win32.Equestre.l 9 HEUR:Trojan.Win32.Equestre.ad 9 HEUR:Trojan.Win32.Equestre.t 9 HEUR:Trojan.Win32.Equestre.e 10 HEUR:Trojan.Win32.Equestre.v 14 HEUR:Trojan.Win32.Equestre.gen.427697 18 HEUR:Trojan.Win32.Equestre.gen.424814 18 HEUR:Trojan.Win32.Equestre.s 19 HEUR:Trojan.Win32.Equestre.x 20 HEUR:Trojan.Win32.Equestre.i 24 HEUR:Trojan.Win32.Equestre.p 24 HEUR:Trojan.Win32.Equestre.q 24 HEUR:Trojan.Win32.Equestre.gen.446142 34 HEUR:Trojan.Win32.Equestre.d 39 HEUR:Trojan.Win32.Equestre.j 40 HEUR:Trojan.Win32.Equestre.gen.427734 53 HEUR:Trojan.Win32.Equestre.gen.446149 66 HEUR:Trojan.Win32.Equestre.ag 142 HEUR:Trojan.Win32.Equestre.b 145 HEUR:Trojan.Win32.Equestre.h 310 HEUR:Trojan.Win32.Equestre.gen.422682 737 HEUR:Trojan.Win32.Equestre.z 1389 HEUR:Trojan.Win32.Equestre.af 2733 HEUR:Trojan.Win32.Equestre.c 3792 HEUR:Trojan.Win32.Equestre.m 4061 HEUR:Trojan.Win32.Equestre.k 6720 HEUR:Trojan.Win32.Equestre.exvf.1 6726 HEUR:Trojan.Win32.Equestre.w 6742 HEUR:Trojan.Win32.Equestre.f 9494 HEUR:Trojan.Win32.Equestre.gen.446131 26329 HEUR:Trojan.Win32.Equestre.aa 87527 HEUR:Trojan.Win32.Equestre.gen.447002 547349 HEUR:Trojan.Win32.Equestre.gen.447013 1472919
Taking this list of alerts, we started at the top and worked our way down, investigating each hit as we went trying to see if there were any indications it may be related to the incident. Most hits were what you would think: victims of Equation or false positives. Eventually we arrived at a signature that fired a large number of times in a short time span on one system, specifically the signature “HEUR:Trojan.Win32.Equestre.m” and a 7zip archive (referred below as “[undisclosed].7z”). Given limited understanding of Equation at the time of research it could have told our analysts that an archive file firing on these signatures was an anomaly, so we decided to dig further into the alerts on this system to see what might be going on. After analyzing the alerts, it was quickly realized that this system contained not only this archive, but many files both common and unknown that indicated this was probably a person related to the malware development. Below is a list of Equation specific signatures that fired on this system over a period of approximately three months:
In total we detected 37 unique files and 218 detected objects, including executables and archives containing malware associated with the Equation Group. Looking at this metadata during current investigation we were tempted to include the full list of detected files and file paths into current report, however, according to our ethical standards, as well as internal policies, we cannot violate our users’ privacy. This was a hard decision, but should we make an exception once, even for the sake of protecting our own company’s reputation, that would be a step on the route of giving up privacy and freedom of all people who rely on our products. Unless we receive a legitimate request originating from the owner of that system or a higher legal authority, we cannot release such information.
The file paths observed from these detections indicated that a developer of Equation had plugged in one or more removable drives, AV signatures fired on some of executables as well as archives containing them, and any files detected (including archives they were contained within) were automatically pulled back. At this point in time, we felt confident we had found the source of the story fed to Wall Street Journal and others. Since this type of event clearly does not happen often, we believe some dates were mixed up or not clear from the original source of the leak to the media.
Our next task was to try and answer what may have happened to the data that was pulled back. Clearly an archive does not contain only those files that triggered, and more than likely contained a possible treasure trove of data pertaining to the intrusion set. It was soon discovered that the actual archive files themselves appear to have been removed from our storage of samples, while the individual files that triggered the alerts remained.
Upon further inquiring about this event and missing files, it was later discovered that at the direction of the CEO, the archive file, named “[undisclosed].7z” was removed from storage. Based on description from the analyst working on that archive, it contained a collection of executable modules, four documents bearing classification markings, and other files related to the same project. The reason we deleted those files and will delete similar ones in the future is two-fold; We don’t need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials. Assuming that the markings were real, such information cannot and will not consumed even to produce detection signatures based on descriptions.
This concern was later translated into a policy for all malware analysts which are required to delete any potential classified materials that have been accidentally collected during anti-malware research or received from a third party. Again to restate: to the best of our knowledge, it appears the archive files and documents were removed from our storage, and only individual executable files (malware) that were already detected by our signatures were left in storage. Also, it is very apparent that no documents were actively “detected on” during this process. In other words, the only files that fired on specific Equation signatures were binaries, contained within an archive or outside of it. The documents were inadvertently pulled back because they were contained within the larger archive file that alerted on many Equation signatures. According to security software industry standards, requesting a copy of an archive containing malware is a legitimate request, which often helps security companies locate data containers used by malware droppers (i.e. they can be self-extracting archives or even infected ISO files).An Interesting Twist
During the investigation, we also discovered a very interesting twist to the story that has not been discussed publicly to our knowledge. Since we were attempting to be as thorough as possible, we analyzed EVERY alert ever triggered for the specific system in question and came to a very interesting conclusion. It appears the system was actually compromised by a malicious actor on October 4, 2014 at 23:38 local time, specifically by a piece of malware hidden inside a malicious MS Office ISO, specifically the “setup.exe” file (md5: a82c0575f214bdc7c8ef5a06116cd2a4 – for detection coverage, see this VirusTotal link) .
Looking at the sequence of events and detections on this system, we quickly noticed that the user in question ran the above file with a folder name of “Office-2013-PPVL-x64-en-US-Oct2013.iso”. What is interesting is that this ISO file is malicious and was mounted and subsequently installed on the system along with files such as “kms.exe” (a name of a popular pirated software activation tool), and “kms.activator.for.microsoft.windows.8.server.2012.and.office.2013.all.editions”. Kaspersky Lab products detected the malware with the verdict Backdoor.Win32.Mokes.hvl.
At a later time after installation of the supposed MS Office 2013, the antivirus began blocking connections out on a regular basis to the URL “http://xvidmovies[.]in/dir/index.php”. Looking into this domain, we can quickly find other malicious files that beacon to the same URL. It’s important to note that the reason we know the system was beaconing to this URL is because we were actively blocking it as it was a known bad site. This does however indicate the user actively downloaded / installed malware on the same system around the same time frame as our detections on the Equation files.
To install and run this malware, the user must have disabled Kaspersky Lab products on his machine. Our telemetry does not allow us to say when the antivirus was disabled, however, the fact that the malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the malware was run. Executing the malware would not have been possible with the antivirus enabled.
Additionally, there also may have been other malware from different downloads that we were unaware of during this time frame. Below is a complete list of the 121 non-Equation specific alerts seen on this system over the two month time span:
At this point, we had the answers to the questions we felt could be answered. To summarize, we will address each one below:
Q1 – Was our software used outside of its intended functionality to pull classified information from a person’s computer?
A1 – The software performed as expected and notified our analysts of alerts on signatures written to detect on Equation group malware that was actively under investigation. In no way was the software used outside of this scope to either pull back additional files that did not fire on a malware signature or were not part of the archive that fired on these signatures.
Q2 – When did this incident occur?
A2 – In our professional opinion, the incident spanned between September 11, 2014 and November 17, 2014.
Q3 – Who was this person?
A3 – Because our software anonymizes certain aspects of users’ information, we are unable to pinpoint specifically who the user was. Even if we could, disclosing such information is against our policies and ethical standards. What we can determine is that the user was originating from an IP address that is supposedly assigned to a Verizon FiOS address pool for the Baltimore, MD and surrounding area.
Q4 – Was there actually classified information found on the system inadvertently?
A4 – What is believed to be potentially classified information was pulled back because it was contained within an archive that fired on an Equation specific malware signatures. Besides malware, the archive also contained what appeared to be source code for Equation malware and four Word documents bearing classification markings.
Q5 – If classified information was pulled back, what happened to said data after? Was it handled appropriately?
A5 – After discovering the suspected Equation malware source code and classified documents, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all of our systems. With the archive that contained the classified information being subsequently removed from our storage locations, only traces of its detection remain in our system (i.e. – statistics and some metadata). We cannot assess whether the data was “handled appropriately” (according to US Government norms) since our analysts have not been trained on handling US classified information, nor are they under any legal obligation to do so.
Q6 – Why was the data pulled back in the first place? Is the evidence this information was passed on to “Russian Hackers” or Russian intelligence?
A6 – The information was pulled back because the archive fired on multiple Equation malware signatures. We also found no indication the information ever left our corporate networks. Transfer of a malware file is done with appropriate encryption level relying on RSA+AES with an acceptable key length, which should exclude attempts to intercept such data anywhere on the network between our security software and the analyst receiving the file.
Q7 – What types of files were gathered from the supposed system?
A7 – Based on statistics, the files that were submitted to Kaspersky Lab were mostly malware samples and suspected malicious files, either stand-alone, or inside a 7zip archive. The only files stored to date still in our sample collection from this incident are malicious binaries.
Q8 – Do we have any indication the user was subsequently “hacked” by Russian actors and data exfiltrated?
A8 – Based on the detections and alerts found in the investigation, the system was most likely compromised during this time frame by unknown threat actors. We asses this from the fact that the user installed a backdoored MS Office 2013 illegal activation tool, detected by our products as Backdoor.Win32.Mokes.hvl. To run this malware, the user must have disabled the AV protection, since running it with the antivirus enabled would not have been possible. This malicious software is a Trojan (later identified as “Smoke Bot” or “Smoke Loader”) allegedly created by a Russian hacker in 2011 and made available on Russian underground forums for purchase. During the period of September 2014-November 2014, the command and control servers of this malware were registered to presumably a Chinese entity going by the name “Zhou Lou”, from Hunan, using the e-mail address “firstname.lastname@example.org”. We are still working on this and further details on this malware might be made available later as a separate research paper.
Of course, the possibility exists that there may have been other malware on the system which our engines did not detect at the time of research. Given that system owner’s potential clearance level, the user could have been a prime target of nation states. Adding the user’s apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands. What we are certain about is that any non-malware data that we received based on passive consent of the user was deleted from our storage.
Q9 – Could Kaspersky Lab products be secretly used to intentionally siphon sensitive data unrelated to malware from customers’ computers?
A9 – Kaspersky Lab security software, like all other similar solutions from our competitors, has privileged access to computer systems to be able to resist serious malware infections and return control of the infected system back to the user. This level of access allows our software to see any file on the systems that we protect. With great access comes great responsibility and that is why a procedure to create a signature that would request a file from a user’s computer has to be carefully handled. Kaspersky malware analysts have rights to create signatures. Once created, these signatures are reviewed and committed by another group within Kaspersky Lab to ensure proper checks and balances. If there were an external attempt to create a signature, that creation would be visible not only in internal databases and historical records, but also via external monitoring of all our released signatures by third parties. Considering that our signatures are regularly reversed by other researchers, competitors, and offensive research companies, if any morally questionable signatures ever existed it would have already been discovered. Our internal analysis and searching revealed no such signatures as well.
In relation to Equation research specifically, our checks verified that during 2014-2016, none of the researchers working on Equation possessed the rights to commit signatures directly without having an experienced signature developer verifying those. If there was a doubtful intention in signatures during the hunt for Equation samples, this would have been questioned and reported by a lead signature developer.
Q10 – Assuming cyberspies were able to see screens of our analysts, what could they find on it and how could that be interpreted?
A10 – We have done a thorough search for keywords and classification markings in our signature databases. The result was negative: we never created any signatures on known classification markings. However, during this sweep we discovered something interesting in relation to TeamSpy research that we published earlier (for more details we recommend to check the original research at https://securelist.com/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/35520/). TeamSpy malware was designed to automatically collect certain files that fell into the interest of the attackers. They defined a list of file extensions, such as office documents (*.doc, *.rtf, *.xls, *.mdb), pdf files (*.pdf) and more. In addition, they used wildcard string pattern based on keywords in the file names, such as *pass*, *secret*, *saidumlo* (meaning “secret” in Georgian) and others. These patterns were hardcoded into the malware that we discovered earlier, and could be used to detect similar malware samples. We did discover a signature created by a malware analyst in 2015 that was looking for the following patterns:
These strings had to be located in the body of the malware dump from a sandbox processed sample. In addition, the malware analyst included another indicator to avoid false positives; A path where the malware dropper stored dropped files: ProgramData\Adobe\AdobeARM.
One could theorize about an intelligence operator monitoring a malware analyst’s work in the process of entering these strings during the creation of a signature. We cannot say for sure, but it is a possibility that an attacker looking for anything that can expose our company from a negative side, observations like this may work as a trigger for a biased mind. Despite the intentions of the malware analyst, they could have been interpreted wrongly and used to create false allegations against us, supported by screenshots displaying these or similar strings.
Many people including security researchers, governments, and even our direct competitors from the private sector have approached us to express support. It is appalling to see that accusations against our company continue to appear without any proof or factual information being presented. Rumors, anonymous sources, and lack of hard evidence spreads only fear, uncertainty and doubt. We hope that this report sheds some long-overdue light to the public and allows people to draw their own conclusions based on the facts presented above. We are also open and willing to do more, should that be required.
Today, cryptocurrency is no longer only for computer geeks and IT pros. It’s starting to affect people’s daily life more than they realize. At the same time, it is fast becoming an attractive target for cybercriminals. Some cyberthreats have been inherited from e-payments, such as changing the address of the destination wallet address during transactions and stealing an electronic wallet, among other things. However, cryptocurrencies have opened up new and unprecedented ways to monetize malicious activity.
In 2017, the main global threat to users was ransomware: and in order to recover files and data encrypted by attackers, victims were required to pay a ransom in cryptocurrency. In the first eight months of 2017, Kaspersky Lab products protected 1.65 million users from malicious cryptocurrency miners, and by the end of the year we expect this number to exceed two million. In addition, in 2017, we saw the return of Bitcoin stealers after a few years in the shadows.What can we expect in 2018?
With the ongoing rise in the number, adoption and market value of cryptocurrencies, they will not only remain an appealing target for cybercriminals, but will lead to the use of more advanced techniques and tools in order to create more. Cybercriminals will quickly turn their attention to the most profitable money-making schemes. Therefore, 2018 is likely to be the year of malicious web-miners.
- Ransomware attacks will force users to buy cryptocurrency. Cybercriminals will continue to demand ransoms in cryptocurrency, because of the unregulated and almost anonymous cryptocurrency market: there is no need to share any data with anyone, no one will block the address, no one will catch you, and there is little chance of being tracked. At the same time, further simplification of the monetization process will lead to the wider dissemination of encryptors.
- Targeted attacks with miners. We expect the development of targeted attacks on companies for the purpose of installing miners. While ransomware provides a potentially large but one-off income, miners will result in lower but longer Next year we will see what tips the scales.
- Rise of miners will continue and involve new actors. Next year mining will continue to spread across the globe, attracting more people. The involvement of new miners will depend on their ability to get access to a free and stable source of electricity. Thus, we will see the rise of ‘insider miners’: more employees of government organizations will start mining on publicly owned computers, and more employees of manufacturing companies will start using company-owned facilities.
- Web-mining. Web-mining is a cryptocurrency mining technique used directly in browser with a special script installed on a web-page. Attackers have already proved it is easy to upload such a script to a compromised website and engage visitors’ computers in mining and, as a result add more coins to the criminals’ wallets. Next year web-mining will dramatically affect the nature of the Internet, leading to new ways of website monetization. One of these will replace advertising: websites will offer to permanently remove a mining script if the user subscribes to paid content. Alternatively, different kinds of entertainment, such as movies, will be offered for free in exchange for your mining. Another method is based on a website security check system – Captcha verification to distinguish humans from bots will be replaced with web mining modes, and it will be no longer matter whether a visitor is bot or human since they will ‘pay’ with mining.
- Fall of ICO (Initial Coin Offering). ICO means crowdfunding via cryptocurrencies. 2017 saw tremendous growth of this approach; with more than $3 billion collected by different projects, most related in some way to blockchain. Next year we should expect ICO-hysteria to decline, with a series of failures (inability to create the ICO-funded product), and more careful selection of investment projects. A number of unsuccessful ICO projects may negatively affect the exchange rate of cryptocurrencies (Bitcoin, Ethereum etc.), which in 2017 experienced unprecedented growth. Thus we will see a decrease in the absolute number of phishing and hacking attacks targeting ICO, smart contracts and wallets.
In 2017 we’ve seen fraud attacks in financial services become increasingly account-centric. Customer data is a key enabler for large-scale fraud attacks and the frequency of data breaches among other successful attack types has provided cybercriminals with valuable sources of personal information to use in account takeover or false identity attacks. These account-centric attacks can result in many other losses, including that of further customer data and trust, so mitigation is as important as ever for businesses and financial services customers alike.What can we expect in 2018?
2018 will be a year of innovation in financial services as the pace of change in this space continues to accelerate. As more channels and new financial service offerings emerge, threats will diversify. Financial services will need to focus on omni-channel fraud prevention to successfully identify more fraud crossing from online accounts to newer channels. Newer successful payment types will see more attack attempts as their profitability for attack increases.
- Real-time payment challenges. Increasing demand from consumers for real-time and cross-border financial transactions results in pressure to analyse risk more quickly. Consumer expectations for friction-free payments make this task even more challenging. Financial services will need to rethink and make ‘Know Your Customer’ processes more effective. Machine learning and eventually AI-based solutions will also be key in meeting the need for quicker fraud and risk detection.
- Social engineering attacks. Financial services will need to stay focused on tried and tested attack techniques. In spite of more sophisticated emergent threats, social engineering and phishing continue to be some of the simplest and most profitable attacks – exploiting the human element as the weakest link. Customer and employee education should continue to improve awareness of the latest attacks and scams.
- Mobile threats. According to the latest Kaspersky Cybersecurity Index, ever more online activity now takes place on mobile. For example, 35 per cent of people now use their smartphone for online banking and 29 per cent for online payment systems (up from 22 per cent and 19 per cent respectively in the previous year). These mobile-first consumers will increasingly be prime targets for fraud. Cybercriminals will use previously-successful and new malware families to steal user banking credentials in creative ways. In 2017 we saw the modification of malware family Svpeng. In 2018, other families of mobile malware will re-surface to target banking credentials with new features. Identification and the removal of mobile malware is essential to financial services institutions to stop these attacks early.
- Data breaches. Data breaches will continue to make the headlines in 2018 and the secondary impact on financial institutions will be felt through fake account set ups and account take-over attacks. Data breaches, although harder to commit than individual fraud attacks against customers, are hugely profitable to criminals thanks to the high volume of customer data exposed in one hit. Financial services should regularly test their defences and use solutions to detect any suspicious access at the earliest stages.
- Cryptocurrency targets. More financial institutions will explore the application of cryptocurrencies, making attacks on these currencies a key target for cybercriminals. We already saw the occurrence of mining malware increasing in 2017 and more attempts to exploit these currencies will be seen in 2018. Solutions capable of detecting the latest malware families should be used as well as combining the latest threat intelligence into prevention strategies. [See Threat Predictions for Cryptocurrencies for further information on this threat.]
- Account takeover. More secure physical payments through chip technology and other Point of Sale improvements, have shifted fraud online in the past decade. Now, as online payment security improves through tokenisation, biometric technology and more, fraudsters are shifting to account takeover attacks. Industry estimates suggest fraud of this type will run into billions of dollars as fraudsters pursue this highly profitable attack vector. Financial services will need to rethink digital identities and use innovative solutions to be sure that customers are who they say they are, every time.
- Pressure to innovate. More and more businesses will venture into payment solutions and open banking offerings in 2018. Innovation will be key to incumbent financial service firms seeking a competitive advantage over an increasing number of competitors. But understanding the regulatory complications can be challenging enough, never mind evaluating the potential for attack on new channels. These new offerings will be targets for fraudsters upon release and any new solution not designed with security at the core will find itself an easy target for cybercriminals.
- Fraud-as-a-Service. International underground communication amongst cybercriminals means that knowledge is shared quickly and attacks can spread globally even faster. Fraud services are offered on the dark web, from bots and phishing translation services to remote access tools. Less experienced cybercriminals purchase and use these tools, meaning more attempted attacks for financial services to block. Sharing knowledge across departments as well as looking to threat intelligence services will be key in mitigation.
ATM attacks. ATMs will continue to attract the attention of many cybercriminals. In 2017, Kaspersky Lab researchers uncovered, among other things, attacks on ATM systems that involved new malware, remote and fileless operations, and an ATM-targeting malware called ‘Cutlet Maker’ that was being sold openly on the DarkNet market for a few thousand dollars with a step-by-step user guide. Kaspersky Lab has published a report on future ATM attack scenarios targeting ATM authentication systems.
In 2017, Kaspersky Lab research revealed the extent to which medical information and patient data stored within the connected healthcare infrastructure is left unprotected and accessible online for any motivated cybercriminal to discover. For example, we found open access to around 1,500 devices used to process patient images. In addition, we found that a significant amount of connected medical software and web applications contains vulnerabilities for which published exploits exist.
This risk is heightened because cyber-villains increasingly understand the value of health information, its ready availability, and the willingness of medical facilities to pay to get it back.What can we expect in 2018?
The threats to healthcare will increase as ever more connected devices and vulnerable web applications are deployed by healthcare facilities. Connected healthcare is driven by a number of factors, including a need for resource and cost efficiency; a growing requirement for remote, home-based care for chronic conditions like diabetes and ageing populations; consumer desire for a healthy lifestyle; and a recognition that data-sharing and patient monitoring between organizations can significantly enhance the quality and effectiveness of medical care.
The threats facing these trends over the coming 12 months include the following:
- Attacks targeting medical equipment with the aim of extortion, malicious disruption or worse, will rise. The volume of specialist medical equipment connected to computer networks is increasing. Many such networks are private, but one external Internet connection can be enough for attackers to breach and spread their malware through the ‘closed’ network. Targeting equipment can disrupt care and prove fatal – so the likelihood of the medical facility paying up is very high.
- There will also be a rise in the number of targeted attacks focused on stealing data. The amount of medical information and patient data held and processed by connected healthcare systems grows daily. Such data is immensely valuable on the black market and can also be used for blackmail and extortion. It’s not just other criminals who could be interested: the victim’s employer or insurance company might want to know as it could impact premiums or even job security.
- There will be more incidents related to ransomware attacks against healthcare facilities. These will involve data encryption as well as device blocking: connected medical equipment is often expensive and sometimes life-critical, which makes them a prime target for attack and extortion.
- The concept of a clearly-defined corporate perimeter will continue to ‘erode’ in medical institutions, as ever more workstations, servers, mobile devices and equipment go online. This will give criminals more opportunities to gain access to medical information and networks. Keeping defenses and endpoints secure will be a growing challenge for healthcare security teams as every new device will open up a new entry point into the corporate infrastructure.
- Sensitive and confidential data transmitted between connected ‘wearables’, including implants, and healthcare professionals will be a growing target for attack as the use of such devices in medical diagnosis, treatment and preventative care continues to increase. Pacemakers and insulin pumps are prime examples.
- National and regional healthcare information systems that share unencrypted or otherwise insecure patient data between local practitioners, hospitals, clinics and other facilities will be a growing target for attackers looking to intercept data beyond the protection of corporate firewalls. The same applies to data shared between medical facilities and health insurance companies.
- The growing use by consumers of connected health and fitness gadgets will offer attackers access to a vast volume of personal data that is generally minimally protected. The popularity of health-conscious, connected lifestyles means that fitness bracelets, trackers, smart watches, etc. will carry and transmit ever larger quantities of personal data with only basic security – and cybercriminals won’t hesitate to exploit this.
- Disruptive attacks – whether in the form of denial of service attacks or through ‘ransomware’ that simply destroys data (such as WannaCry) – are a growing threat to increasingly digital health care facilities. The ever increasing number of work stations, electronic records management and digital business processes that underpin any modern organization broadens the attack surface for cybercriminals. In healthcare, they take on an extra urgency, as any disruption can in real terms become a matter of life or death.
Last, but not least, emerging technologies such as connected artificial limbs, implants for smart physiological enhancements, embedded augmented reality etc. designed both to address disabilities and create better, stronger, fitter human beings – will offer innovative attackers new opportunities for malicious action and harm unless they have security integrated from the very first moment of design.
Modern cars are no longer just electro-mechanical vehicles. With each generation, they become more connected and incorporate more intelligent technologies to make them smarter, more efficient, comfortable and safe. The connected-car market is growing at a five-year compound annual growth rate of 45% — 10 times faster than the car market overall.
In some regions (e.g. the EU or Russia) two-way connected systems (eCall, ERA-GLONASS) are extensively implemented for safety and monitoring purposes; and all major auto manufacturers now offer services that allow users to interact remotely with their car via a web interface or a mobile app.
Remote fault diagnostics, telematics and connected infotainment significantly enhance driver safety and enjoyment, but they also present new challenges for the automotive sector as they turn vehicles into prime targets for cyberattack. The growing risk of a vehicle’s systems being infiltrated or having its safety, privacy and financial elements violated, requires manufacturers to understand and apply IT security. Recent years have seen a number (here, here, and here) of examples highlighting the vulnerability of connected cars.What can we expect in 2018?
Gartner estimates that there will be a quarter of a billion connected cars on the roads by 2020. Others suggest that by then around 98% of cars will be connected to the Internet. The threats we face now, and those we expect to face over the coming year should not be seen in isolation – they are part of this continuum – the more vehicles are connected, in more ways, the greater the surface and opportunities for attack.
The threats facing the automotive sector over the coming 12 months include the following:
- Vulnerabilities introduced through lack of manufacturer attention or expertise, combined with competitive pressures. The range of connected mobility services being launched will continue to rise, as will the number of suppliers developing and delivering them. This ever-growing supply (and the likelihood of products/suppliers being of variable quality), coupled with a fiercely competitive marketplace could lead to security short cuts or gaps that provide an easy way in for attackers.
- Vulnerabilities introduced through growing product and service complexity. Manufacturers serving the automotive sector are increasingly focused on delivering multiple interconnected services to customers. Every link is a potential point of weakness that attackers will be quick to seize on. An attacker only needs to find one insecure opening, whether that is peripheral such as a phone Bluetooth or a music download system, for example, and from there they may be able to take control of safety-critical electrical components like the brakes or engine, and wreak havoc.
- No software code is 100% bug free – and where there are bugs there can be exploits. Vehicles already carry more than 100 million lines of code. This in in itself represents a massive attack surface for cybercriminals. And as more connected elements are installed into vehicles, the volume of code will soar, increasing the risk of bugs. Some automotive manufacturers, including Tesla have introduced specific bug bounty programs to address this.
- Further, with software being written by different developers, installed by different suppliers, and often reporting back to different management platforms, no one player will have visibility of, let alone control over, all of a vehicle’s source code. This could make it easier for attackers to bypass detection.
- Apps mean happiness for cybercriminals. There are a growing number of smartphone apps, many introduced by car manufacturers, which owners can download to remotely unlock their cars, check the engine status or find its location. Researchers have already demonstrated proof of concepts of how such apps can be compromised. It will not be long before Trojanized apps appear that inject malware direct into the heart of an unsuspecting victim’s vehicle.
- With connected components increasingly introduced by companies more familiar with hardware than software, there is a growing risk that the need for constant updates could be overlooked. This could make it harder, if not impossible for known issues to be patched remotely. Vehicle recalls take time and cost money and in the meantime many drivers will be left exposed.
- Connected vehicles will generate and process ever more data – about the vehicle, but also about journeys and even personal data on the occupants – this will be of growing appeal to attackers looking to sell the data on the black market or to use it for extortion and blackmail. Car manufacturers are already under pressure from marketing companies eager to get legitimate access to passenger and journey data for real time location-based advertising.
- Fortunately, growing awareness and understanding of security threats will result in the first cyber secure devices for remote diagnostic and telematics data appearing on the marke
- Further, lawmakers will come up with requirements and recommendations for making cybersecurity a mandatory part of all connected vehicles.
- Last but not least, alongside existing safety certification there will be new organizations set up that are responsible for cybersecurity certification. They will use clearly defined standards to assess connected vehicles in terms of their resistance to cyberattacks.
Addressing these risks involves integrating security as standard, by design, focused on different parts of the connected car ecosystem. Defensive software solutions could be installed locally on individual electrical components— for instance, the brakes — to reinforce them against attacks. Next, software can protect the vehicle’s internal network as a whole by examining all network communications, flagging any changes in standard in-vehicle network behaviour and stopping attacks from advancing in the network. Overarching this, a solution needs to protect all components that are connected externally, to the Internet. Cloud security services can detect and correct threats before they reach the vehicle. They also can send the vehicle over-the-air updates and intelligence in real time. All of this should be supported with rigorous and consistent industry standards.
As hard as it is to believe, it’s once again time for our APT Predictions. Looking back at a year like 2017 brings the internal conflict of being a security researcher into full view: on the one hand, each new event is an exciting new research avenue for us, as what were once theoretical problems find palpable expression in reality. This allows us to understand the actual attack surface and attacker tactics and to further hone our hunting and detection to address new attacks. On the other hand, as people with a heightened concern for the security posture of users at large, each event is a bigger catastrophe. Rather than consider each new breach as yet another example of the same, we see the compounding cumulative insecurity facing users, e-commerce, financial, and governmental institutions alike.
As we stated last year, rather than thinly-veiled vendor pitching, our predictions are an attempt to bring to bear our research throughout the year in the form of trends likely to peak in the coming year.Our record – did we get it right?
As a snapshot scorecard of our performance last year, these are some of our 2017 predictions and some examples where relevant:
Espionage and APTs:
- Passive implants showing almost no signs of infection come into fashion
Yes – https://securelist.com/unraveling-the-lamberts-toolkit/77990/
- Ephemeral infections / memory malware
Yes – https://securelist.com/fileless-attacks-against-enterprise-networks/77403/
- Espionage goes mobile
Yes – https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html
- The future of financial attacks
Yes – https://securelist.com/lazarus-under-the-hood/77908/
- Dirty, lying ransomware
Yes – https://securelist.com/schroedingers-petya/78870/
- The ICS Armageddon didn’t come yet (and we are happy to be wrong on that), however, we’ve seen ICS come under attack from Industoyer – https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
- A brick by any other name
Yes! BrickerBot – https://arstechnica.com/information-technology/2017/04/brickerbot-the-permanent-denial-of-service-botnet-is-back-with-a-vengeance/
- Yes, multiple examples – https://citizenlab.ca/2017/05/tainted-leaks-disinformation-phish/
- More supply chain attacks. Kaspersky Lab’s Global Research and Analysis Team tracks over 100 APT (advanced persistent threat) groups and operations. Some of these are incredibly sophisticated and possess wide arsenals that include zero-day exploits, fileless attack tools, and combine traditional hacking attacks with handovers to more sophisticated teams that handle the exfiltration part. We have often seen cases in which advanced threat actors have attempted to breach a certain target over a long period of time and kept failing at it. This was either due to the fact that the target was using strong internet security suites, had educated their employees not to fall victim to social engineering, or consciously followed the Australian DSD TOP35 mitigation strategies for APT attacks. In general, an actor that is considered both advanced and persistent won’t give up that easily, they’ll continue poking the defenses until they find a way in.
When everything else fails, they are likely to take a step back and re-evaluate the situation. During such a re-evaluation, threat actors can decide a supply chain attack can be more effective than trying to break into their target directly. Even a target whose networks employ the world’s best defenses is likely using software from a third-party. The third party might be an easier target and can be leveraged to attack the better protected original target enterprise.
During 2017, we have seen several such cases, including but not limited to:
These attacks can be extremely difficult to identify or mitigate. For instance, in the case of Shadowpad, the attackers succeeded in Trojanizing a number of packages from Netsarang that were widely used around world, in banks, large enterprises, and other industry verticals. The difference between the clean and Trojanized packages can be dauntingly difficult to notice –in many cases it’s the command and control (C&C) traffic that gives them away.
For CCleaner, it was estimated that over 2 million computers received the infected update, making it one of the biggest attacks of 2017. Analysis of the malicious CCleaner code allowed us to correlate it with a couple of other backdoors that are known to have been used in the past by APT groups from the ‘Axiom umbrella’, such as APT17 also known as Aurora. This proves the now extended lengths to which APT groups are willing to go in order to accomplish their objectives.
Our assessment is that the amount of supply chain attacks at the moment is probably much higher than we realize but these have yet to be noticed or exposed. During 2018, we expect to see more supply chain attacks, both from the point of discovery and as well as actual attacks. Trojanizing specialized software used in specific regions and verticals will become a move akin to waterholing strategically chosen sites in order to reach specific swaths of victims and will thus prove irresistible to certain types of attackers.
- More high-end mobile malware. In August 2016, CitizenLab and Lookout published their analysis of the discovery of a sophisticated mobile espionage platform named Pegasus. Pegasus, a so-called ‘lawful interception’ software suite, is sold to governments and other entities by an Israeli company called NSO Group. When combined with zero-days capable of remotely bypassing a modern mobile operating systems’ security defenses, such as iOS, this is a highly potent system against which there is little defense. In April 2017, Google published its analysis of the Android version of the Pegasus spyware which it called Chrysaor. In addition to ‘lawful surveillance’ spyware such as Pegasus and Chrysaor, many other APT groups have developed their own mobile malware implants.
Due to the fact that iOS is an operating system locked down from introspection, there is very little that a user can do to check if their phone is infected. Somehow, despite the greater state of vulnerability of Android, the situation is better on Android where products such as Kaspersky AntiVirus for Android are available to ascertain the integrity of a device.
Our assessment is that the total number of mobile malware existing in the wild is likely higher than currently reported, due to shortcomings in telemetry that makes these more difficult to spot and eradicate. We estimate that in 2018 more high-end APT malware for mobile will be discovered, as a result of both an increase in the attacks and improvement in security technologies designed to catch them.
- More BeEF-like compromises with web profiling. Due to a combination of increased interest and better security and mitigation technologies being deployed by default in operating systems, the prices of zero-day exploits have skyrocketed through 2016 and 2017. For instance, the latest Zerodium payout chart lists up to $1,500,000 for a complete iPhone (iOS) Remote jailbreak with persistence attack, which is another way of saying ‘a remote infection without any interaction from the user’.
The incredible prices that some government customers have most certainly chosen to pay for these exploits mean there is increasing attention paid towards protecting these exploits from accidental disclosure. This translates into the implementation of a more solid reconnaissance phase before delivering the actual attack components. The reconnaissance phase can, for instance emphasize the identification of the exact versions of the browser used by the target, their operating system, plugins and other third-party software. Armed with this knowledge, the threat actor can fine tune their exploit delivery to a less sensitive ‘1-day’ or ‘N-day’ exploit, instead of using the crown jewels.
These profiling techniques have been fairly consistent with APT groups like Turla and Sofacy, as well as Newsbeef (a.k.a. Newscaster, Ajax hacking team, or ‘Charming Kitten’), but also other APT groups known for their custom profiling frameworks, such as the prolific Scanbox. Taking the prevalence of these frameworks into account in combination with a surging need to protect expensive tools, we estimate the usage of profiling toolkits such as ‘BeEF‘ will increase in 2018 with more groups adopting either public frameworks or developing their own.
- Sophisticated UEFI and BIOS attacks. The Unified Extensible Firmware Interface (UEFI) is a software interface which serves as the intermediary between the firmware and the operating system on modern PCs. Established in 2005 by an alliance of leading software and hardware developers, Intel most notable amongst them, it’s now quickly superseding the legacy BIOS standard. This was achieved thanks to a number of advanced features that BIOS lacks: for example, the ability to install and run executables, networking and Internet capabilities, cryptography, CPU-independent architecture and drivers, etc. The very advanced capabilities that make UEFI such an attractive platform also open the way to new vulnerabilities that didn’t exist in the age of the more rigid BIOS. For example, the ability to run custom executable modules makes it possible to create malware that would be launched by UEFI directly before any anti-malware solution – or, indeed, the OS itself – had a chance to start.
The fact that commercial-grade UEFI malware exists has been known since 2015, when the Hacking team UEFI modules were discovered. With that in mind, it is perhaps surprising that no significant UEFI malware has been found, a fact that we attribute to the difficulty in detecting these in a reliable way. We estimate that in 2018 we will see the discovery of more UEFI-based malware.
- Destructive attacks continue. Beginning in November 2016, Kaspersky Lab observed a new wave of wiper attacks directed at multiple targets in the Middle East. The malware used in the new attacks was a variant of the infamous Shamoon worm that targeted Saudi Aramco and Rasgas back in 2012. Dormant for four years, one of the most mysterious wipers in history has returned. Also known as Disttrack, Shamoon is a highly destructive malware family that effectively wipes the victim machine. A group known as the ‘Cutting Sword of Justice’ took credit for the Saudi Aramco attack by posting a Pastebin message on the day of the attack (back in 2012), and justified the attack as a measure against the Saudi monarchy.
The Shamoon 2.0 attacks seen in November 2016 targeted organizations in various critical and economic sectors in Saudi Arabia. Just like the previous variant, the Shamoon 2.0 wiper aims for the mass destruction of systems inside compromised organizations. While investigating the Shamoon 2.0 attacks, Kaspersky Lab also discovered a previously unknown wiper malware that appears to be targeting organizations in Saudi Arabia. We’ve called this new wiper StoneDrill and have been able to link it with a high degree of confidence to the Newsbeef APT group.
In addition to Shamoon and Stonedrill, 2017 has been a tough year in terms of destructive attacks. The ExPetr/NotPetya attack, which was initially considered to be ransomware, turned out to be a cleverly camouflaged wiper as well. ExPetr was followed by other waves of ‘ransomware’ attacks, in which there is little chance for the victims to recover their data; all cleverly masked ‘wipers as ransomware’. One of the lesser known facts about ‘wipers as ransomware’ is perhaps that a wave of such attacks was observed in 2016 from the CloudAtlas APT, which leveraged what appeared to be ‘wipers as ransomware’ against financial institutions in Russia.
In 2018, we estimate that destructive attacks will continue to rise, leveraging its status as the most visible type of cyberwarfare.
- More subversion of cryptography. In March 2017, IoT encryption scheme proposals developed by the NSA came into question with Simon and Speck variant ISO approvals being both withdrawn and delayed a second time.
In August 2016, Juniper Networks announced the discovery of two mysterious backdoors in their NetScreen firewalls. Perhaps the most interesting of the two was an extremely subtle change of the constants used for the Dual_EC random number generator, which would allow a knowledgeable attacker to decrypt VPN traffic from NetScreen devices. The original Dual_EC algorithm was designed by the NSA and pushed through NIST. Back in 2013, a Reuters report suggested that NSA paid RSA $10 million to put the vulnerable algorithm in their products as a means of subverting encryption. Even if the theoretical possibility of a backdoor was identified as early as 2007, several companies (including Juniper) continued to use it with a different set of constants, which would make it theoretically secure. It appears that this different set of constants made some APT actor unhappy enough to merit hacking into Juniper and changing the constants to a set that they could control and leverage to decrypt VPN connections.
These attempts haven’t gone unnoticed. In September 2017, an international group of cryptography experts have forced the NSA to back down on two new encryption algorithms, which the organization was hoping to standardize.
In October 2017, news broke about a flaw in a cryptographic library used by Infineon in their hardware chips for generation of RSA primes. While the flaw appears to have been unintentional, it does leave the question open in regards to how secure are the underlying encryption technologies used in our everyday life, from smart cards, wireless networks or encrypted web traffic. In 2018, we predict that more severe cryptographic vulnerabilities will be found and (hopefully) patched, be they in the standards themselves or the specific implementations.
- Identity in e-commerce comes into crisis. The past few years have been punctuated by increasingly catastrophic large-scale breaches of personally identifiable information (PII). Latest among these is the Equifax breach reportedly affecting 145.5 million Americans. While many have grown desensitized to the weight of these breaches, it’s important to understand that the release of PII at scale endangers a fundamental pillar of e-commerce and the bureaucratic convenience of adopting the Internet for important paperwork. Sure, fraud and identity theft have been problems for a long time, but what happens when the fundamental identifying information is so widely proliferated that it’s simply not reliable at all? Commerce and governmental institutions (particularly in the United States) will be faced with a choice between scaling back the modern comforts of adopting the Internet for operations or doubling down on the adoption of other multi-factor solutions. Perhaps thus far resilient alternatives like ApplePay will come into vogue as de facto means of insuring identity and transactions, but in the meantime we may see a slowdown in the critical role of the Internet for modernizing tedious bureaucratic processes and cutting operational costs.
- More router and modem hacks. Another known area of vulnerability that has gone vastly ignored is that of routers and modems. Be they home or enterprise, these pieces of hardware are everywhere, they’re critically important to daily operations, and tend to run proprietary pieces of software that go unpatched and unwatched. At the end of the day, these little computers are Internet-facing by design and thereby sitting at a critical juncture for an attacker intent on gaining persistent and stealthy access to a network. Moreover, as some very cool recent research has shown, in some cases attackers might even be able to impersonate different Internet users, making it possible to throw off the trail of an attacker entirely to a different connecting address. At a time of increased interest in misdirection and false flags, this is no small feat. Greater scrutiny of these devices will inevitably yield some interesting findings.
- A medium for social chaos. Beyond the leaks and political drama of the past year’s newfound love for information warfare, social media itself has taken a politicized role beyond our wildest dreams. Whether it’s at the hand of political pundits or confusing comedic jabs at Facebook’s CEO by South Park’s writers, eyes have turned against the different social media giants demanding some level of fact-checking and identification of fake users and bots attempting to exert disproportionate levels of social influence. Sadly, it’s becoming obvious that these networks (which base their success on quantified metrics like ‘daily active users’) have little incentive to truly purge their user base of bots. Even when these bots are serving an obvious agenda or can be tracked and traced by independent researchers. We expect that as the obvious abuse continues and large bot networks become accessible to wider swaths of politically unsavory characters, that the greater backlash will be directed at the use of social media itself, with disgusted users eagerly looking for alternatives to the household giants that revel in the benefits of the abuse for profits and clicks.
In 2017 we pronounced the death of Indicators of Compromise. In 2018, we expect to see advanced threat actors playing to their new strengths, honing their new tools and the terrifying angles described above. Each year’s themes and trends shouldn’t be taken in isolation – they build on each other to enrich an ever-growing landscape of threats facing users of all types, be it individuals, enterprise, or government. The only consistent reprieve from this onslaught is the sharing and knowledgeable application of high-fidelity threat intelligence.
While these predictions cover trends for advanced targeted threats, individual industry sectors will face their own distinct challenges. In 2018, we wanted to shine the spotlight on some of those as well – and have prepared predictions for the connected healthcare, automotive, financial services, and industrial security sectors, as well as cryptocurrencies. You can find them all here!
Threat Predictions for Automotive in 2018
Threat Predictions for Connected Health in 2018
Threat Predictions for Financial Services and Fraud in 2018
Threat Predictions for Industrial Security in 2018
Threat Predictions for Cryptocurrencies in 2018
2017 was one of the most intense in terms of incidents affecting the information security of industrial systems. Security researchers discovered and reported hundreds of new vulnerabilities, warned of new threat vectors in ICS and technological processes, provided data on accidental infections of industrial systems and detected targeted attacks (for example, Shamoon 2.0/StoneDrill). And, for the first time since Stuxnet, discovered a malicious toolset some call a ‘cyber-weapon’ targeting physical systems: CrashOverride/Industroyer.
However, the most significant threat to industrial systems in 2017 was encryption ransomware attacks. According to a Kaspersky Lab ICS CERT report, in the first half of the year experts discovered encryption ransomware belonging to 33 different families. Numerous attacks were blocked, in 63 countries across the world. The WannaCry and ExPetr destructive ransomware attacks appear to have changed forever the attitude of industrial enterprises to the problem of protecting essential production systems.What can we expect in 2018?
- A rise in general and accidental malware infections. With few exceptions, cybercriminal groups have not yet discovered simple and reliable schemes for monetizing attacks on industrial information systems. Accidental infections and incidents in industrial networks caused by ‘normal’ (general) malicious code aimed at a more traditional cybercriminal target such as the corporate networks, will continue in 2018. At the same time, we are likely to see such situations result in more severe consequences for industrial environments. The problem of regularly updating software in industrial systems in line with the corporate network remains unresolved, despite repeated warnings from the security community.
- Increased risk of targeted ransomware attacks. The WannaCry and ExPetr attacks taught both security experts and cybercriminals that operational technology (OT) systems are more vulnerable to attack than IT systems, and are often exposed to access through the Internet. Moreover, the damage caused by malware can exceed that in the corresponding corporate network, and ‘firefighting’ in the case of OT is much more difficult. Industrial companies have demonstrated how inefficient their organization and staff can be when it comes to cyberattacks on their OT infrastructure. All of these factors make industrial systems a desirable target for ransomware attacks.
- More incidents of industrial cyberespionage. The growing threat of organized ransomware attacks against industrial companies could trigger development of another, related area of cybercrime: the theft of industrial information systems data to be used afterwards for the preparation and implementation of targeted (including ransomware) attacks.
- New underground market activity focused on attack services and hacking tools. In recent years, we have seen growing demand on the black market for zero day exploits targeting ICS. This tells us that criminals are working on targeted attack campaigns. We expect to see this interest increase in 2018, stimulating the growth of the black markets and the appearance of new segments focused on ICS configuration data and ICS credentials stolen from industrial companies and, possibly, botnets with ‘industrial’ nodes offerings. Design and implementation of advanced cyberattacks targeting physical objects and systems requires an expert knowledge of ICS and relevant industries. Demand is expected to drive growth in areas such as ‘malware-as-a-service’, ‘attack-vector-design-as-a-service’, ‘attack-campaign-as-a-service’ and more.
- New types of malware and malicious tools. We will probably see new malware being used to target industrial networks and assets, with features including stealth and the ability to remain inactive in the IT network to avoid detection, only activating in less secure OT infrastructure. Another possibility is the appearance of ransomware targeting lower-level ICS devices and physical assets (pumps, power switches, etc.).
- Criminals will take advantage of ICS threat analyses published by security vendors. Researchers have done a good job finding and making public various attack vectors on industrial assets and infrastructures and analyzing the malicious toolsets found. However, this could also provide criminals with new opportunities. For example, the CrashOverride/Industroyer toolset disclosure could inspire hacktivists to run denial-of-service attacks on power and energy utilities; or criminals may targeted ransomware and may even invent monetizing schemes for blackouts. The PLC (programmable logic controller) worm concept could inspire criminals to create real world malicious worms; while others could try to implement malware using one of standard languages for programming PLCs. Criminals also could recreate the concept of infecting the PLC itself. Both these types of malware could remain undetected by existing security solutions.
- Changes in national regulation. In 2018, a number of different cybersecurity regulations for industrial systems will need to be implemented. For example, those with critical infrastructures and industrial assets facilities will be compelled to do more security assessments. This will definitely increase protection and awareness. Thanks to that, we will probably see some new vulnerabilities found and threats disclosed.
- Growing availability of, and investment in industrial cyber insurance. Industrial cyber-risk insurance is becoming an integral part of risk management for industrial enterprises. Previously, the risk of a cybersecurity incident was excluded from insurance contracts – just like the risk of a terrorist attack. But the situation is changing, with new initiatives introduced by both cybersecurity and insurance companies. In 2018, this will increase the number of audits/assessments and incident responses undertaken, raising cybersecurity awareness among the industrial facility’s leaders and operators.
Beginning in the second quarter of 2017, Kaspersky’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports in an effort to make the public aware of what research we have been conducting. This report serves as the next installment, focusing on important reports produced during Q3 of 2017.
As stated last quarter, these reports will serve as a representative snapshot of what has been offered in greater detail in our private reports in order to highlight significant events and findings we feel most should be aware of. For brevity’s sake, we are choosing not to publish indicators associated with the reports highlighted. However, if you would like to learn more about our intelligence reports or request more information for a specific report, readers are encouraged to contact: email@example.com.Chinese-Speaking Actors
The third quarter demonstrated to us that Chinese-speaking actors have not “disappeared” and are still very much active, conducting espionage against a wide range of countries and industry verticals. In total, 10 of the 24 reports produced centered around activity attributed to multiple actors in this region.
The most interesting of these reports focused on two specific supply chain attacks; Netsarang / ShadowPad and CCleaner. In July 2017, we discovered a previously unknown malware framework (ShadowPad) embedded inside the installation packages hosted on the Netsarang distribution site. Netsarang is a popular server management software used throughout the world. The ShadowPad framework contained a remotely activated backdoor which could be triggered by the threat actor through a specific value in a DNS TXT record. Others in the research community have loosely attributed this attack to the threat actor Microsoft refers to as BARIUM. Following up on this supply chain attack, another was reported initially by Cisco Talos in September involving CCleaner, a popular cleaner / optimization tool for PCs. The actors responsible signed the malicious installation packages with a legitimate Piriform code signing certificate and pushed the malware between August and September.
Q3 also showed China is very interested in policies and negotiations involving Russia with other countries. We reported on two separate campaigns demonstrating this interest. To date, we have observed three separate incidents where Russia and another country hold talks and are targeted shortly thereafter, IndigoZebra being the first. IronHusky was a campaign we first discovered in July targeting Russian and Mongolian government, aviation companies, and research institutes. Earlier in April, both conducted talks related to modernizing the Mongolian air defenses with Russia’s help. Shortly after these talks, the two countries were targeted with a Poison Ivy variant from a Chinese-speaking threat actor. In June, India and Russia signed a much awaited agreement to expand a nuclear power plant in India, as well as further define the defense cooperation between the two countries. Very soon after, both countries energy sector were targeted with a new piece of malware we refer to as “H2ODecomposition”. In some case this malware was masquerading as a popular Indian antivirus solution (QuickHeal). The name of the malware was derived from an initial RC5 string used in the encryption process (2H2O=2H2+O2) which describes a chemical reaction used in hydrogen fuel cells.
Other reports published in the third quarter under chinese-speaking actors were mainly updates to TTPs by known adversaries such as Spring Dragon, Ocean Lotus, Blue Termite, and Bald Knight. The Spring Dragon report summarized the evolution of their malware to date. Ocean Lotus was observed conducting watering hole attacks on the ASEAN website (as done previously) but with a new toolkit. A new testing version of Emdivi was discovered in use by Blue Termite as well as their testing of CVE-2017-0199 for use. Finally, Bald Knight (AKA – Tick) was seen using their popular XXMM malware family to target Japan and South Korea.
Below is a summary of report titles produced for the Chinese region. As stated above, if you would like to learn more about our threat intelligence products or request more information on a specific report, please direct inquiries to firstname.lastname@example.org.
- Analysis and evolution of Spring Dragon tools
- EnergyMobster – Campaign targeting Russian-Indian energy project
- IronHusky – Intelligence of Russian-Mongolian military negotiations
- The Bald Knight Rises
- Massive watering holes campaign targeting Asia-Pacific
- Massive Watering Holes Campaign Targeting AsiaPacific – The Toolset
- NetSarang software backdoored in supply chain attack – early warning
- ShadowPad – popular server management software hit in supply chain attack
- New BlueTermite samples and potential new wave of attacks
- CCleaner backdoored – more supply chain attacks
The third quarter was a bit slower with respect to Russian speaking threat actors. We produced four total reports, two of which focused on ATM malware, one on financial targeting in Ukraine and Russia, and finally a sort of wrap-up of Sofacy activity over the summer.
The ATM related reports centered around Russian speaking actors using two previously unknown pieces of malware designed specifically for certain models. “Cutlet Maker” and “ATMProxy” both ultimately allowed the users to dispense cash at will from a chosen cartridge within the ATMs. ATMProxy was interesting since it would sit dormant on an ATM until a card with a specific hard coded number was inserted, at which point it would dispense more cash than what was requested.
Another report discussed a new technique utilizing highly targeted watering holes to target financial entities in Ukraine and Russia with Buhtrap. Buhtrap has been around since at least 2014, but this new wave of attacks was leveraging search engine optimization (SEO) to float malicious watering hole sites to the top of search results, thus providing more of a chance for valid targets to visit the malicious sites.
Finally, we produced a summary report on Sofacy’s summertime activity. Nothing here was groundbreaking, but rather showed the group remained active with their payloads of choice; SPLM, GAMEFISH, and XTUNNEL. Targeting also remained the same, focusing on European defense entities, Turkey, and former republics.
Below is a list of report titles for reference:
- ATMProxy – A new way to rob ATMs
- Cutlet maker – Newly identified ATM malware families sold on Darknet
- Summertime Sofacy – July 2017
- Buhtrap – New wave of attacks on financial targets
The last quarter also had us reporting on yet another member of the Lamberts family. Red Lambert was discovered during our previous analysis of Grey Lambert and utilized hard coded SSL certificates in its command and control communications. What was most interesting about the Red Lambert is that we discovered a possible operational security (OPSEC) failure on the actor’s part, leading us to a specific company who may have been responsible, in whole or in part, for the development of this Lambert malware.
- The Red Lambert
We were also able to produce two reports on Korean speaking actors, specifically involving Scarcruft and Bluenoroff. Scarcruft was seen targeting high profile, political entities in South Korea using both destructive malware as well as malware designed more for espionage. Bluenoroff, the financially motivated arm of Lazarus, targeted a Costa Rican casino using Manuscrypt. Interestingly enough, this casino was compromised by Bluenoroff six months prior as well, indicating they potentially lost access and were attempting to get back in.
Report titles focusing on Korean-speaking actors:
- Scent of ScarCruft
- Bluenoroff hit Casino with Manuscrypt
Finally, we also wrote seven other reports on “uncategorized” actors in the third quarter. Without going into detail on each of these reports, we will focus on two. The first being a report on the Shadowbrokers’ June 2017 malware dump. An anonymous “customer” who paid to get access to the dump of files posted the hashes of the files for the month, mainly due to their displeasure in what was provided for the money. We were only able to verify one of nine file hashes, which ended up being an already known version of Triple Fantasy.
The other report we’d like to highlight (“Pisco Gone Sour”) is one involving an unknown actor targeting Chilean critical institutions with Veil , Meterpreter, and Powershell Empire. We are constantly searching for new adversaries in our daily routine and this appears to be just that. The use of publicly available tools makes it difficult to attribute this activity to a specific group, but our current assessment based on targeting is that the actor may be based somewhere in South America.
- Dark Cyrene – politically motivated campaign in the Middle East
- Pisco Gone Sour – Cyber Espionage Campaign Targeting Chile
- Crystal Finance Millennium website used to launch a new wave of attacks in Ukraine
- New Machete activity – August 2017
- Shadowbroker June 2017 Pack
- The Silence – new trojan attacking financial organizations
Normally we would end this report with some predictions for the next quarter, but as it will be the end of the year soon, we will be doing a separate predictions report for 2018. Instead, we would like to point out one alarming trend we’ve observed over the last two quarters which is an increase in supply chain attacks. Since Q2, there have been at least five incidents where actors have targeted the supply chain to accomplish their goals instead of going directly after the end target; MeDoc, Netsarang, CCleaner, Crystal Finance, and Elmedia. While these incidents were not the result of just one group, it does show how the attention of many of the actors out there may be shifting in a direction that could be much more dangerous. Successfully compromising the supply chain provides easy access to a much wider target base than available through traditional means such as spear phishing. As an added benefit, these attacks can remain undetected for months, if not longer. It remains to be seen if this trend will continue into 2018, but given the successes from the five mentioned above, we feel we haven’t seen the last of this type of attack in the near future.
According to KSN data, Kaspersky Lab solutions detected and repelled 277,646,376 malicious attacks from online resources located in 185 countries all over the world.
72,012,219 unique URLs were recognized as malicious by web antivirus components.
Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 204,388 user computers.
Crypto ransomware attacks were blocked on 186283 computers of unique users.
Kaspersky Lab’s file antivirus detected a total of 198,228,428 unique malicious and potentially unwanted objects.
Kaspersky Lab mobile security products detected:
- 1,598,196 malicious installation packages;
- 19,748 mobile banking Trojans (installation packages);
- 108,073 mobile ransomware Trojans (installation packages).
In the third quarter, we continued to monitor the activity of the mobile banking Trojan Trojan-Banker.AndroidOS.Asacub that actively spread via SMS spam. Q3 saw cybercriminals carry out a major campaign to distribute the Trojan, resulting in a tripling of the number of users attacked. Asacub activity peaked in July, after which there was a decline in the number of attacks: in September we registered almost three times fewer attacked users than in July.New capabilities of mobile banking Trojans
Q3 2017 saw two significant events in the world of mobile banking Trojans.
Firstly, the family of mobile banking Trojans Svpeng has acquired the new modification Trojan-Banker.AndroidOS.Svpeng.ae capable of granting all the necessary rights to itself and stealing data from other applications. To do this, it just needs to persuade the user to allow the Trojan to utilize special functions designed for people with disabilities. As a result, the Trojan can intercept text that a user is entering, steal text messages and even prevent itself from being removed.
Interestingly, in August we discovered yet another modification of Svpeng that uses special features. Only, this time the Trojan was not banking related – instead of stealing data, it encrypts all the files on a device and demands a ransom in bitcoins.
Secondly, the FakeToken family of mobile banking Trojans has expanded the list of apps it attacks. If previously representatives of this family mostly overlaid banking and some Google apps (e.g. Google Play Store) with a phishing window, it is now also overlaying apps used to book taxis, air tickets and hotels. The aim of the Trojan is to harvest data from bank cards.The growth of WAP billing subscriptions
In the third quarter of 2017, we continued to monitor the increased activity of Trojans designed to steal users’ money via subscriptions. To recap, these are Trojans capable of visiting sites that allow users to pay for services by deducting money from their mobile phone accounts. These Trojans can usually click buttons on such sites using special JS files, and thus make payments without the user’s knowledge.
Our Top 20 most popular Trojan programs in Q3 2017 included three malware samples that attack WAP subscriptions. They are Trojan-Dropper.AndroidOS.Agent.hb and Trojan.AndroidOS.Loapi.b in fourth and fifth, and Trojan-Clicker.AndroidOS.Ubsod.b in seventh place.Mobile threat statistics
In the third quarter of 2017, Kaspersky Lab detected 1,598,196 malicious installation packages, which is 1.2 times more than in the previous quarter.Distribution of mobile malware by type
RiskTool (53.44%) demonstrated the highest growth in Q3 2017, with its share increasing by 12.93 percentage points (p.p.). The majority of all installation packages discovered belonged to the RiskTool.AndroidOS.Skymobi family.
Trojan-Dropper malware (10.97%) came second in terms of growth rate: its contribution increased by 6.29 p.p. Most of the installation packages are detected as Trojan-Dropper.AndroidOS.Agent.hb.
The share of Trojan-Ransom programs, which was first in terms of the growth rate in the first quarter of 2017, continued to fall and accounted for 6.69% in Q3, which is 8.4 p.p. less than the previous quarter. The percentage of Trojan-SMS malware also fell considerably to 2.62% – almost 4 p.p. less than in Q2.
In Q3, Trojan-Clicker malware broke into this rating after its contribution increased from 0.29% to 1.41% in the space of three months.TOP 20 mobile malware programs
Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.Verdict % of attacked users* 1 DangerousObject.Multi.Generic 67.14 2 Trojan.AndroidOS.Boogr.gsh 7.52 3 Trojan.AndroidOS.Hiddad.ax 4.56 4 Trojan-Dropper.AndroidOS.Agent.hb 2.96 5 Trojan.AndroidOS.Loapi.b 2.91 6 Trojan-Dropper.AndroidOS.Hqwar.i 2.59 7 Trojan-Clicker.AndroidOS.Ubsod.b 2.20 8 Backdoor.AndroidOS.Ztorg.c 2.09 9 Trojan.AndroidOS.Agent.gp 2.05 10 Trojan.AndroidOS.Sivu.c 1.98 11 Trojan.AndroidOS.Hiddapp.u 1.87 12 Backdoor.AndroidOS.Ztorg.a 1.68 13 Trojan.AndroidOS.Agent.ou 1.63 14 Trojan.AndroidOS.Triada.dl 1.57 15 Trojan-Ransom.AndroidOS.Zebt.a 1.57 16 Trojan-Dropper.AndroidOS.Hqwar.gen 1.53 17 Trojan.AndroidOS.Hiddad.an 1.48 18 Trojan.AndroidOS.Hiddad.ci 1.47 19 Trojan-Banker.AndroidOS.Asacub.ar 1.41 20 Trojan.AndroidOS.Agent.eb 1.29
* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.
First place was occupied by DangerousObject.Multi.Generic (67.14%), the verdict used for malicious programs detected using cloud technologies. This is basically how the very latest malware is detected.
As in the previous quarter, Trojan.AndroidOS.Boogr.gsh (7.52%) came second. This verdict is issued for files recognized as malicious by our system based on machine learning.
Trojan.AndroidOS.Hiddad.an (4.56%) was third. The main purpose of this Trojan is to open and click advertising links received from the C&C. The Trojan requests administrator rights to prevent its removal.
Trojan-Dropper.AndroidOS.Agent.hb (2.96%) climbed from sixth in Q2 to fourth this quarter. This Trojan decrypts and runs another Trojan – a representative of the Loaipi family. One of them –Trojan.AndroidOS.Loapi.b – came fifth in this quarter’s Top 20. This is a complex modular Trojan whose main malicious component needs to be downloaded from the cybercriminals’ server. We can assume that Trojan.AndroidOS.Loapi.b is designed to steal money via paid subscriptions.
Trojan-Dropper.AndroidOS.Hqwar.i (3.59%), the verdict used for Trojans protected by a certain packer/obfuscator, fell from fourth to sixth. In most cases, this name indicates representatives of the FakeToken and Svpeng mobile banking families.
In seventh was Trojan-Clicker.AndroidOS.Ubsod.b, a small basic Trojan that receives links from a C&C and opens them. We wrote about this family in more detail in our review of Trojans that steal money using WAP subscriptions.
Trojan Backdoor.AndroidOS.Ztorg.c came eighth. This is one of the most active advertising Trojans that uses superuser rights. In the third quarter of 2017, our Top 20 included eight Trojans that try to obtain or use root rights and which make use of advertising as their main means of monetization. Their goal is to deliver ads to the user more aggressively, applying (among other methods) hidden installation of new advertising programs. At the same time, superuser privileges help them ‘hide’ in the system folder, making it very difficult to remove them. It’s worth noting that the quantity of this type of malware in the Top 20 has been decreasing (in Q1 2017, there were 14 of these Trojans in the rating, while in Q2 the number was 11).
Trojan.AndroidOS.Agent.gp (2.05%), which steals money from users making calls to premium numbers, rose from fifteenth to ninth. Due to its use of administrator rights, it resists attempts to remove it from an infected device.
Occupying fifteenth this quarter was Trojan-Ransom.AndroidOS.Zebt.a, the first ransom Trojan in this Top 20 rating in 2017. This is a fairly simple Trojan whose main goal is to block the device with its window and demand a ransom. Zebt.a tends to attack users in Europe and Mexico.
Trojan.AndroidOS.Hiddad.an (1.48%) fell to sixteenth after occupying second and third in the previous two quarters. This piece of malware imitates various popular games or programs. Interestingly, once run, it downloads and installs the application it imitated. In this case, the Trojan requests administrator rights to withstand removal. The main purpose of Trojan.AndroidOS.Hiddad.an is the aggressive display of adverts. Its main ‘audience’ is in Russia.The geography of mobile threats
Top 10 countries attacked by mobile malware (ranked by percentage of users attacked):Country* % of attacked users** 1 Iran 35.12 2 Bangladesh 28.30 3 China 27.38 4 Côte d’Ivoire 26.22 5 Algeria 24.78 6 Nigeria 23.76 7 Indonesia 22.29 8 India 21.91 9 Nepal 20.78 10 Kenya 20.43
* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.
For the third quarter in a row Iran was the country with the highest percentage of users attacked by mobile malware – 35.12%. Bangladesh came second, with 28.3% of users there encountering a mobile threat at least once during Q3. China (27.38%) followed in third.
Russia (8.68%) came 35th this quarter (vs 26th place in Q2), France (4.9%) was 59th, the US (3.8%) 67th, Italy (5.3%) 56th, Germany (2.9%) 79th, and the UK (3.4%) 72nd.
The safest countries were Georgia (2.2%), Denmark (1.9%), and Japan (0.8%).Mobile banking Trojans
Over the reporting period we detected 19,748 installation packages for mobile banking Trojans, which is 1.4 times less than in Q2 2017.
Banker.AndroidOS.Asacub.ar became the most popular mobile banking Trojan in Q3, replacing the long-term leader Trojan-Banker.AndroidOS.Svpeng.q. These mobile banking Trojans use phishing windows to steal credit card data and logins and passwords for online banking accounts. In addition, they steal money via SMS services, including mobile banking.
Top 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked):Country* % of attacked users** 1 Russia 1.20 2 Uzbekistan 0.40 3 Kazakhstan 0.36 4 Tajikistan 0.35 5 Turkey 0.34 6 Moldova 0.31 7 Ukraine 0.29 8 Kyrgyzstan 0.27 9 Belarus 0.26 10 Latvia 0.23
* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.
In Q3 2017, the Top 10 countries attacked by mobile banker Trojans saw little change: Russia (1.2%) topped the ranking again. In second and third places were Uzbekistan (0.4%) and Kazakhstan (0.36%), which came fifth and tenth respectively in the previous quarter. In these countries the Faketoken.z, Tiny.b and Svpeng.y families were the most widespread threats.
Of particular interest is the fact that Australia, a long-term resident at the top end of this rating, didn’t make it into our Top 10 this quarter. This was due to a decrease in activity by the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher mobile banking families.Mobile ransomware
In Q3 2017, we detected 108,073 mobile Trojan-Ransomware installation packages, which is almost half as much as in the previous quarter.
In our report for Q2, we wrote that in the first half of 2017, we had discovered more mobile ransomware installation packages than in any other period. The reason was the Trojan-Ransom.AndroidOS.Congur family. However, in the third quarter of this year we observed a decline in this family’s activity.
Trojan-Ransom.AndroidOS.Zebt.a became the most popular mobile Trojan-Ransomware in Q3, accounting for more than a third of users attacked by mobile ransomware. Second came Trojan-Ransom.AndroidOS.Svpeng.ab. Meanwhile, Trojan-Ransom.AndroidOS.Fusob.h, which topped the rating for several quarters in a row, was only third in Q3 2017.
Top 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked):1 US 1.03% 2 Mexico 0.91% 3 Belgium 0.85% 4 Kazakhstan 0.79% 5 Romania 0.70% 6 Italy 0.50% 7 China 0.49% 8 Poland 0.49% 9 Austria 0.45% 10 Spain 0.33%
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.
The US (1.03%) again topped the rating of countries attacked most by mobile Trojan-Ransomware; the most widespread family in the country was Trojan-Ransom.AndroidOS.Svpeng. These Trojans appeared in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng mobile banking family. They demand a ransom of about $500 from victims to unblock their devices.
In Mexico (0.91%), which came second in Q3 2017, most mobile ransomware attacks involved Trojan-Ransom.AndroidOS.Zebt.a. Belgium (0.85%) came third, with Zebt.a the main threat to users there too.Vulnerable apps exploited by cybercriminals
Q3 2017 saw continued growth in the number of attacks launched against users involving malicious Microsoft Office documents. We noted the emergence of a large number of combined documents containing an exploit as well as a phishing message – in case the embedded exploit fails.
Although two new Microsoft Office vulnerabilities, CVE-2017-8570 and CVE-2017-8759, have emerged, cybercriminals have continued to exploit CVE-2017-0199, a logical vulnerability in processing HTA objects that was discovered in March 2017. Kaspersky Lab statistics show that attacks against 65% users in Q3 exploited CVE-2017-0199, and less than 1% exploited CVE-2017-8570 or CVE-2017-8759. The overall share of exploits for Microsoft Office was 27.8%.
There were no large network attacks (such as WannaCry or ExPetr) launched in Q3 using vulnerabilities patched by the MS17-010 update. However, according to KSN data, there was major growth throughout the quarter in the number of attempted exploitations of these vulnerabilities that were blocked by our Intrusion Detection System component. Unsurprisingly, the most popular exploits have been EternalBlue and its modifications, which use an SMB protocol vulnerability; however, KL statistics show that EternalRomance, EternalChampion and an exploit for the CVE-2017-7269 vulnerability in IIS web servers have also been actively used by cybercriminals. EternalBlue, however, accounts for millions of blocked attempted attacks per month, while the numbers for other exploits are much lower.
The distribution of exploits by the type of attacked application this quarter was practically the same as in Q2. First place is still occupied by exploits targeting browsers and browser components with a share of 35.0% (a decline of 4 p.p. compared to Q2.) The proportion of exploits targeting Android vulnerabilities (22.7%) was almost identical to that in Q2, placing this type of attacked application once again in third behind Office vulnerabilities.Online threats (Web-based attacks)
These statistics are based on detection verdicts returned by the web antivirus module that protects users at the moment when malicious objects are downloaded from a malicious/infected web page. Malicious sites are specifically created by cybercriminals; infected web resources include those whose content is created by users (e.g. forums), as well as legitimate resources.Online threats in the banking sector
These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data. Beginning from the first quarter of 2017 these statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats.
In Q3 2017, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs capable of stealing money via online banking on 204,388 computers.Geography of attacks
To evaluate and compare the risk of being infected by banking Trojans and ATM and POS-malware worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.
TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)Country* % of users attacked** 1 Togo 2.30 2 China 1.91 3 Taiwan 1.65 4 Indonesia 1.58 5 South Korea 1.56 6 Germany 1.53 7 United Arab Emirates 1.52 8 Lebanon 1.48 9 Libya 1.43 10 Jordan 1.33
These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by banking Trojan malware attacks as a percentage of all unique users of Kaspersky Lab products in the country.
The table below shows the Top 10 malware families used in Q3 2017 to attack online banking users (in terms of percentage of users attacked):Name* % of attacked users** 1 Trojan-Spy.Win32.Zbot 27.9 2 Trojan.Win32.Nymaim 20.4 3 Trojan.Win32.Neurevt 10.0 4 Trickster 9.5 5 SpyEye 7.5 6 Caphaw 6.3 7 Trojan-Banker.Win32.Gozi 2.0 8 Shiz 1.8 9 ZAccess 1.6 10 NeutrinoPOS 1.6
* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.
The malware families Dridex and Tinba lost their places in this quarter’s Top 10. One of their former positions was occupied by the Trickster bot (accounting for 9.5% of attacked users), also known as TrickBot, a descendant of the now defunct Dyre banker. There was a small change in the leading three malicious families. First and second places are still occupied by Trojan-Spy.Win32.Zbot (27.9%) and Trojan.Win32.Nymaim (20.4%) respectively, while third place is now occupied by Trojan.Win32.Neurevt (10%) whose share grew by nearly 4 p.p.Cryptoware programs Q3 highlights Crysis rises from the dead
In our Q2 report we wrote that the cybercriminals behind the Crysis ransomware cryptor halted distribution of the malware and published the secret keys needed to decrypt files. This took place in May 2017, and all propagation of the ransomware was stopped completely at that time.
However, nearly three months later, in mid-August, we discovered that this Trojan had come back from the dead and had set out on a new campaign of active propagation. The email addresses used by the blackmailers were different from those used in earlier samples of Crysis. A detailed analysis revealed that the new samples of the Trojan were completely identical to the old ones apart from just one thing – the public master keys were new. Everything else was the same, including the compilation timestamp in the PE header and, more interestingly, the labels that the Trojan leaves in the service area at the end of each encrypted file. Closer scrutiny of the samples suggests that the new distributors of the malware didn’t have the source code, so they just took its old body and used a HEX editor to change the key and the contact email.
The above suggests that this piece of ‘zombie’ malware is being spread by a different group of malicious actors rather than its original developer who disclosed all the private keys in May.Surge in Cryrar attacks
The Cryrar cryptor (aka ACCDFISA) is a veteran among the ransomware Trojans that are currently being spread. It emerged way back in 2012 and has been active ever since. The cryptor is written in PureBasic and uses a legitimate executable RAR archiver file to place the victim’s files in password-encrypted RAR-sfx archives.
In the first week of September 2017 we recorded a dramatic rise in the number of attempted infections with Cryrar – a surge never seen before or since. The malicious actors used the following approach: they crack the password to RDP by brute force, get authentication on the victim’s system using the remote access protocol and manually launch the Trojan’s installation file. The latter, in turn, installs the cryptor’s body and the components it requires (including the renamed RAR.EXE file), and then automatically launches the cryptor.
According to KSN data, this wave of attacks primarily targeted Vietnam, China, the Philippines and Brazil.Master key to original versions of Petya/Mischa/GoldenEye published
In July 2017, the authors of the Petya Trojan published their master key, which can be used to decrypt the Salsa keys required to decrypt MFT and unblock access to systems affected by Petya/Mischa or GoldenEye.
This happened shortly after the ExPetr epidemic which used part of the GoldenEye code. This suggests that the authors of Petya/Mischa/GoldenEye did so in an attempt to distance themselves from the ExPetr attack and the outcry that it caused.
Unfortunately, this master key won’t help those affected by ExPetr, as its creators didn’t include the option of restoring a Salsa key to decrypt MFT.The number of new modifications
In Q3 2017, we identified five new ransomware families in this classification. It’s worth noting here that this number doesn’t include all the Trojans that weren’t assigned their own ‘personal’ verdict. Each quarter, dozens of these malicious programs emerge, though they either have so few distinctive characteristics or occur so rarely that they and the hundreds of others like them remain nameless, and are detected with generic verdicts.
The number of new cryptor modifications continues to decline compared to previous quarters. This could be a temporary trend, or could indicate that cybercriminals are gradually losing their interest in cryptors as a means of making money, and are switching over to other types of malware.The number of users attacked by ransomware
July was the month with the lowest ransomware activity. From July to September, the number of ransomware attacks rose, though it remained lower than May and June when two massive epidemics (WannaCry and ExPetr) struck.The geography of attacks
* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 50,000)
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.
Most of the countries in this Top 10 are from Asia, including Myanmar (0.95%), a newcomer to the Top 10 that swept into first place in Q3. Vietnam (0.92%) came second, moving up two places from Q2, while China (0.58%) rose one place to fifth.
Brazil, Italy and Japan were the leaders in Q2, but in Q3 they failed to make it into the Top 10. Europe is represented by Germany (0.62%) and Austria (0.49%).
Russia, in tenth the previous quarter, ended Q3 in sixth place.Top 10 most widespread cryptor families Name Verdict* % of attacked users** 1 WannaCry Trojan-Ransom.Win32.Wanna 16.78% 2 Crypton Trojan-Ransom.Win32.Cryptoff 14.41% 3 Purgen/GlobeImposter Trojan-Ransom.Win32.Purgen 6.90% 4 Locky Trojan-Ransom.Win32.Locky 6.78% 5 Cerber Trojan-Ransom.Win32.Zerber 4.30% 6 Cryrar/ACCDFISA Trojan-Ransom.Win32.Cryrar 3.99% 7 Shade Trojan-Ransom.Win32.Shade 2.69% 8 Spora Trojan-Ransom.Win32.Spora 1.87% 9 (generic verdict) Trojan-Ransom.Win32.Gen 1.77% 10 (generic verdict) Trojan-Ransom.Win32.CryFile 1.27%
* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.
Wannacry (16.78%) tops the rating for Q3, and the odds are that it’s set to remain there: the worm has been propagating uncontrollably, and there are still huge numbers of computers across the globe with the unpatched vulnerability that Wannacry exploits.
Crypton (14.41%) came second. This cryptor emerged in spring 2016 and has undergone many modifications since. It has also been given multiple names: CryptON, JuicyLemon, PizzaCrypts, Nemesis, x3m, Cry9, Cry128, Cry36.
The cryptor Purgen (6.90%) rounds off the top three after rising from ninth. The rest of the rating is populated by ‘old timers’ – the Trojans Locky, Cerber, Cryrar, Shade, and Spora.
The Jaff cryptor appeared in the spring of 2017, going straight into fourth place in the Q2 rating, and then stopped spreading just as suddenly.Top 10 countries where online resources are seeded with malware
The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
In the third quarter of 2017, Kaspersky Lab solutions blocked 277,646,376 attacks launched from web resources located in 185 countries around the world. 72,012,219 unique URLs were recognized as malicious by web antivirus components.
In Q3 2017, the US (3.86%) was home to most sources of web attacks. The Netherlands (25.22%) remained in second place, while Germany moved up from fifth to third. Finland and Singapore dropped out of the top five and were replaced by Ireland (1.36%) and Ukraine (1.36%).
Countries where users faced the greatest risk of online infection
In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.
This rating only includes attacks by malicious programs that fall under the Malware class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.Country* % of users attacked** 1 Belarus 27.35 2 Algeria 24.23 3 Russia 23.91 4 Armenia 23.74 5 Moldova 23.61 6 Greece 21.48 7 Azerbaijan 21.14 8 Kyrgyzstan 20.83 9 Uzbekistan 20.24 10 Albania 20.10 11 Ukraine 19.82 12 Kazakhstan 19.55 13 France 18.94 14 Venezuela 18.68 15 Brazil 18.01 16 Portugal 17.93 17 Vietnam 17.81 18 Tajikistan 17.63 19 Georgia 17.50 20 India 17.43
These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** Unique users whose computers have been targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.
On average, 16.61% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.
The countries with the safest online surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%) and Cuba (4.44%).Local threats
Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).
Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.
In Q3 2017, Kaspersky Lab’s file antivirus detected 198,228,428 unique malicious and potentially unwanted objects.
Countries where users faced the highest risk of local infection
For each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.
The rating of malicious programs only includes Malware-class attacks. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.Country* % of users attacked** 1 Yemen 56.89 2 Vietnam 54.32 3 Afghanistan 53.25 4 Uzbekistan 53.02 5 Laos 52.72 6 Tajikistan 49.72 7 Ethiopia 48.90 8 Syria 47.71 9 Myanmar 46.82 10 Cambodia 46.69 11 Iraq 45.79 12 Turkmenistan 45.47 13 Libya 45.00 14 Bangladesh 44.54 15 China 44.40 16 Sudan 44.27 17 Mongolia 44.18 18 Mozambique 43.84 19 Rwanda 43.22 20 Belarus 42.53
These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** The percentage of unique users in the country with computers that blocked Malware-class local threats as a percentage of all unique users of Kaspersky Lab products.
This Top 20 of countries has not changed much since Q2, with the exception of China (44.40%), Syria (47.71%) and Libya (45.00%) all making an appearance. The proportion of users attacked in Russia amounted to 29.09%.
On average, 23.39% of computers globally faced at least one Malware-class local threat during the third quarter.
The safest countries in terms of local infection risks included Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czechia (7.89%), Ireland (6.86%) and Japan (5.79%).
All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.
In July, we reported on the recent activities of a targeted attack group called ‘Spring Dragon’ (also known as LotusBlossom), whose activities data back to 2012. Spring Dragon makes extensive use of spear-phishing and watering-hole attacks. The group’s targets include high-profile government agencies, political parties, educational institutions and telecommunication around the South China Sea – including Taiwan, Indonesia, Vietnam, the Philippines, Hong Kong, Malaysia and Thailand.
Most of the malicious tools implemented by Spring Dragon over the years are backdoors designed to steal data, execute additional malware components and run system commands on victim’s computers. These give the attackers the ability to undertake a variety of different malicious activities on their victims’ computers. The group maintains a large C2 infrastructure, comprising more than 200 unique IP addresses and C2 domains.
The large number of samples that we have collected have customized configuration data, different sets of C2 addresses with new hardcoded campaign IDs, as well as customized configuration data for creating a service for malware on a victim’s system – all of which makes detection more difficult.
We think it is likely that Spring Dragon, like many other targeted attack campaigns, is likely to re-surface in this region, so it is important for organisations to make effective use of good detection mechanisms such as YARA rules and IDS signatures.
You can read our report on Spring Dragon here.Stepping-stones
One of the most striking aspects of the ExPetr attacks earlier this year was its primary attack vector: the attackers specifically targeted a company supplying accounting software to Ukrainian companies. Most of the victims of this wiper were located in Ukraine. However, it recently became clear that the attack has had a significant impact on some companies that operate worldwide. Among them are Maersk, the world’s largest container ship and supply vessel company. The company indicated in its earnings report that it expected losses of between $200 and $300 as a result of ‘significant business interruption’ caused by the ExPetr attack. Another was FedEx, which revealed that the operations of its TNT Express unit in Europe were ‘significantly affected’ by the attack, costing the company around $300 in lost earnings.
In recent months, we have seen further cases of attackers compromising software supply chain providers and using this as a stepping-stone into their chosen targets.
In July, we discovered suspicious DNS requests on the network of a customer working in the financial services industry: we found the requests on systems used to process transactions. The source of the DNS queries was a package for popular server management software developed by NetSarang. Customers of NetSarang, which has headquarters in South Korea and the United States, include companies working in financial services, energy, retail, technology and media. The attackers had modified one of the updates to include a backdoor.
NetSarang quickly removed the compromised update, but not before it had been activated at least once (we were able to confirm an activation on a computer in Hong Kong).
The attackers hide their malicious intent in several layers of encrypted code. The tiered architecture means that the business logic of the backdoor is not activated until a special packet has been received from the first tier C2 (Command and Control) server. Until then, it transfers basic information every eight hours: this includes computer, domain and user names. The payload is only activated through a crafted ‘dns.txt’ record for a specific domain. This allows the attackers to glean system information and send a decryption key to unlock the next stage of the attack, activating the backdoor itself.
This backdoor, called ShadowPad, is a modular platform that lets the attackers download and execute arbitrary code, create processes and maintain a virtual file system in the registry, all of which are encrypted and stored in locations unique to each victim.
You can read more about ShadowPad here.
Another supply-chain attack occurred in September, when attackers compromised an update to the Windows clean-up utility CCleaner, published by Avast. Researchers at Cisco Systems Talos Group discovered that attackers had modified the installer for CCleaner 5.3 to drop their malware on the computers of anyone who downloaded the utility. The malware, which was signed with a valid certificate, was active for a month and infected around 700,000 computers. The attackers used a two-stage infection process. The first delivered a profile of the victim to the attackers C2 servers, while the second was reserved for specific targets. You can find details of the analysis here.
It is sometimes tempting for companies to imagine that no one would want to target them – perhaps because they are not a large company, or because they do not believe that they have anything of significance to an attacker. However, even quite apart from their intellectual property, or personal information belonging to customers, they can be valuable as a stepping-stone into another organisation.The bear facts
In August, we provided an update on an interesting APT that we call ‘WhiteBear’, related to the Turla group. Like Turla, WhiteBear uses compromised web sites and hijacked satellite connections for its C2 infrastructure. The project also overlaps with other Turla campaigns such as ‘Skipper Turla’ (or ‘WhiteAtlas’) and ‘Kopiluwak’ (both of which we detailed for subscribers to Kaspersky APT intelligence reports). In addition, we have found WhiteBear components on a subset of systems that were previously targeted by WhiteAtlas, with the same file-paths and identical filenames. Nevertheless, we have been unable to firmly tie the delivery of WhiteBear to any specific WhiteAtlas components, and we believe that WhiteBear is the product of a separate development effort and has a distinct focus.
For much of 2016, WhiteBear activity was narrowly focused on embassies and consulates around the world – all related to diplomatic and foreign affairs organisations. This shifted in mid-2017 to include defence-related organizations.
Although we’re not sure of the delivery vector for WhiteBear components, we strongly suspect that the group sends spear-phishing e-mails to its targets containing malicious PDF files.
The encryption implemented in the main module, the WhiteBear orchestrator, is particularly interesting. The attackers encrypt/decrypt, and pack/decompress the resource section with RSA+3DES+BZIP2. This implementation is unique and includes the format of the private key as stored in the resource section. 3DES is also present in Sofacy and Duqu 2.0 components, but they are missing in this Microsoft-centric RSA encryption technique. The private key format used in this schema and the RSA crypto combination with 3DES is (currently) unique to this group.
Most WhiteBear samples are signed with a valid code-signing certificate issued for ‘Solid Loop Ltd’, a once-registered British organization. This is probably a front organization or a defunct organization; and the attackers have assumed its identity to abuse the name and trust, in order to create deceptive digital certificates.
You can find full technical details of WhiteBear here.(Un)documented Word feature abused by hackers
If a targeted attack is to be successful, the attackers must first gather intelligence on their prospective victims. In particular, they need details about the operating system and key applications, so that they can deliver the appropriate exploit.
During an investigation of a targeted attack, we found some spear-phishing e-mails with interesting Word documents attached to them. At first sight, they seemed unremarkable: they contained no macros, exploits or other active content.
However, on closer inspection, we found that they contained several links to PHP scripts located on third-party web resources. When we attempted to open these files in Microsoft Word, we found that the application addressed one of the links and, as a result, provided the attackers with information about software installed on the target computer. The documents were in OLE 2 (Object Linking and Embedding) format. OLE allows authors to embed objects and link to multiple objects or resources in a single Word document. For example, an author can created a field in a document that points to a graphic file, rather than simply embedding the graphic file.
We found a field in the document called ‘INCLUDEPICTURE’. The link to the image in this field should be in ASCII, but in this case, it was in Unicode. Microsoft documentation provides virtually no information about this field. However, the attackers manipulated the Unicode framework to trigger a GET request to malicious and obfuscated URLs contained in the underlying code of the Word document. These links then point to PHP scripts located on third-party web sites, enabling the attackers to gather information about the software installed on the computer.
This feature is not only present in Word for Windows, but also in Microsoft Office for iOS and in Microsoft Office for Android.
You can read further details about our investigation here.Information security incidents and how to respond to them
Our growing dependence on technology, connectivity and data means that businesses present a bigger attack surface than ever. Targeted attackers have become more adept at exploiting their victims’ vulnerabilities to penetrate corporate defences while ‘flying under the radar’. Unfortunately, corporate information security services are often unprepared. Their employees underestimate the speed, secrecy and efficiency of modern cyber-attacks and businesses often fail to recognize how ineffective the old approaches to security are. Even where companies supplement traditional prevention tools such as anti-malware products, IDS/IPS and security scanners with detection solutions such as SIEM and anti-APT, they may not be used to their full potential.
You can’t manage what you can’t measure. One of the key factors in responding effectively to a targeted attack is to understand the nature of the incident.
In August, our incident response team used the example of a bank attack to present the key stages of a targeted attack (known as the kill chain) and the steps required for an effective incident response process. You can read the report here, but the following is a summary of the key elements.
The basic principles of a successful targeted attack include thorough preparation and a step-by-step strategy. The stages of the kill chain are:
- RECONNAISSANCE (learning about the target)
- WEOPANISATION (choosing the method of attack)
- DELIVERY (deciding on the attack vector)
- EXPLOITATION (exploiting a vulnerability to gain an initial foothold)
- INSTALLATION (installing the malware)
- COMMAND-AND-CONTROL (connecting to the attackers’ server for further instructions)
- ACTIONS ON OBJECTIVE (achieving the attackers’ goals)
The basic principles behind the work of information security staff are the same as the attackers – careful preparation and a step-by-step strategy. The objectives, of course, are fundamentally different: to prevent incidents and, if one occurs, to restore the initial state of the system as soon as possible.
There are two main stages involved in responding to a specific incident: investigation and system restoration. The investigation must determine
- The initial attack vector
- The malware, exploits and other tools use by the attackers
- The target of the attack (affected networks, systems and data)
- The extent of the damage (including reputational damage) to the organisation
- The stage of the attack (whether or not it was completed and the attackers’ goals were achieved)
- Timeframes (when the attack started and ended, when it was detected and the response time of the information security service)
Once the investigation has been completed, it is necessary to use the information learned to create a system recovery plan or, if one exists, to assess how it can be improved.
The overall strategy includes the following steps.
- PREPARATION (develop the tools, policies and processes needed to defend the organisation)
- IDENTIFICATION (decide if an incident has occurred by identifying pre-defined triggers)
- CONTAINMENT (limit the scope of the incident and maintain business continuity)
- ERADICATION (restore the system to its pre-incident state)
- RECOVERY (re-connect the affected systems to the wider network)
- LESSONS LEARNED (how well did the information security team deal with the incident and what changes need to be made to the strategy)
In the event of the information security team having to respond to multiple incidents simultaneously, it’s important to correctly set priorities and focus on the main threats. The key factors involved in determining the severity of an incident include:
- The network segment where the compromised computer is located
- The value of the data stored on that computer
- The type and number of incidents that affect the same computer
- The reliability of the IoCs (Indicators of Compromise) for this incident
The choice of computer, server or network segment to deal with first will depend on the specific nature of the organisation.Malware stories The hidden advertising threat
As well as banking Trojans, ransomware and other threats that can clearly be defined as malware, people also face numerous borderline programs – including advertising bots and modules, and partnership programs – which are typically referred to as ‘potentially unwanted programs’. They are borderline because there is sometimes a fine line between classifying something as an outright Trojan or adware. One such program is Magala, a Trojan-Clicker.
Such programs imitate a user click on a particular web page, thus boosting advertisement click counts. Magala doesn’t actually affect the person whose computer it is installed on, other than consuming some of their computer’s resources. The victims are those who pay for the advertising – typically small business owners doing business with unscrupulous advertisers.
The first stage of the infection involves the Trojan checking which version of Internet Explorer is installed and locating it in the system. The Trojan doesn’t run if it’s version 8 or earlier. Otherwise, it initialises a virtual desktop, used to perform all subsequent activities. Then it runs a sequence of utility operations (typical for this type of malware): it sets up autorun, sends a report to a hardcoded URL, and installs the required adware. To interact with the content of an open page, Magala uses IHTMLDocument2, the standard Windows interface that makes it easy to use DOM tree. The Trojan uses it to load the MapsGalaxy Toolbar, installs this on the system and adds the site ‘hxxp://hp.myway.com’ to the system registry, associating it with MapsGalaxy so that it becomes the browser’s home page.
The Trojan then contacts the remote server and requests a list of search queries for the click counts that it needs to boost. The server returns this list in plain text. Magala uses the list to send the requested search queries and clicks on each of the first 10 links in the search results, with an interval of 10 seconds between each click.
The average cost per click in a campaign of this sort is $0.07. So a botnet consisting of 1,000 infected computers clicking 10 web site addresses from each search result, performing 500 search requests with no overlaps in the search results, could earn the cybercriminals up to $350 from each infected computer. However, this is just an estimate as the costs can vary greatly in each situation.
Statistics from March to early June 2017 indicate that most Magala infections occur in the United States and Germany.
This class of program typically doesn’t present as much of a threat to consumers as, for example, banking Trojans or ransomware. However, two things make it tricky to deal with. First, such programs straddle the borderline between legitimate and malicious software and it’s vital to determine whether a specific program is part of a secure and legal advertising campaign or if it’s illegitimate software making use of similar functions. Second, the sheer quantity of such programs means that we need to use a fundamentally different approach to analysis.
You can read more about Magala here.It started with a link
Cybercriminals are constantly on the lookout for ways of luring unsuspecting victims into doing things that compromise their security and capture personal data. In August, David Jacoby from Kaspersky Lab and Frans Rosen from Detectify teamed up to expose one such campaign that used Facebook Messenger to infect people.
It started with a link to a YouTube video. The cybercriminals behind the scam used social engineering to trick their victims into clicking on it: the message contained the recipient’s first name, plus the word ‘Video’ – for example ‘David Video’ – and then a bit.ly link.
This link pointed to Google Drive, where the victim would see what looks like a playable movie, with a picture of them in the background and what seems to be a ‘Play’ button.
If the victim tried to play the video in the Chrome browser, they were redirected to what looked like a YouTube video and were prompted to install a Chrome extension –in fact, this was the malware. The malware waited for the victim to sign in to their Facebook account and stole their login credentials. It also captured information about their Facebook contacts and sent malicious links to their friends – so spreading the infection further.
Anyone using a different extension was nagged into updating their Adobe Flash Player instead – but the file they downloaded was adware, earning money for the cybercriminals through advertising.
This attack relied heavily on realistic social interactions, dynamic user content and legitimate domains as middle steps. The core infection point of the spreading mechanism was the installation of a Chrome Extension. It’s really important to be careful about allowing extensions to control your browser interactions and also to make sure that you know exactly what extensions you are running in your browser. In Chrome, you can type ‘chrome://extensions/’ into the address field of your browser to get a list of enabled extensions. On top of this, of course, be wary about clicking on links. If you’re in any doubt about whether it’s legitimate or not, contact the sender to check if it was really them who sent it.Undermining your security
We have seen a substantial growth in crypto-currency miners this year. In 2013, our products blocked attempts to install miners on the computers of 205,000 people protected by Kaspersky Lab products. In 2014, this increased to 701,000. In the first eight months of 2017, this increased to 1.65 million.
Crypto-currency mining is not illegal. However, there are groups of people who trick unwitting people into installing mining software on their computers, or exploit software vulnerabilities to do so. The criminals obtain crypto-currency, while the computers of their victims slow down. We have recently detected several large botnets designed to profit from concealed crypto mining. We have also seen growing numbers of attempts to install miners on servers owned by organizations. When these attempts are successful, the business processes of the target organisations suffer because data processing speeds fall substantially.
The main method used to install miners is adware installers spread using social engineering. There are also more sophisticated propagation methods – one is using the EternalBlue exploit published in April 2017 by the Shadow Brokers group. In this case, the cybercriminals tend to target servers – these provide them with a more powerful asset.
We recently detected a network made up of an estimated 5,000 plus computers on which Minergate, a legal console miner, had been installed without the knowledge or consent of the victims. The victims had downloaded the installer from a file-hosting service, under the guise of a freeware program or keys to activate licensed products. This installer downloader the miner’s dropper file to their computer. This installed the Minergate software to the computer, ensuring that it is loaded each time the computer boots and re-installing it if it is deleted.
Often, crypto-miners come with extra services to maintain their presence in the system, launch automatically every time the computer boots and conceal their operation. Such services could, for example try to turn off security software, monitor system activities or ensure that the mining software is always present by restoring it if the files are deleted.
Concealed miners are very difficult to detect because of their specific nature and operating principles. Anyone can choose to install this kind of software and legally use it to mine a crypto-currency.
Monero (XMR) and Zcash are the two currencies most often used in concealed mining. They both ensure the anonymity of transactions – this is clearly very useful for cybercriminals. Even according to conservative estimates, a mining network can generate up to $30,000 per month for its owners.
The above image shows a wallet coded into the miner’s configuration data. At the time of writing, 2,289 XMR had been transferred from this wallet, which at the current exchange rate is equivalent to $208,299.
You can read more here.Connected hospitals
Technology now reaches into more parts of society than ever before. As a result, organisations that previously didn’t need to think about cyber-security now face cyber-attacks. One example of this is the healthcare industry. Medical information that has traditionally existed in paper form is now to be found in databases, portals and medical equipment.
Data security in medicine is more serious than it seems at first glance. The obvious issue might be the theft and resale of medical data on the black market. However, the possibility of diagnostic data being modified by attackers is even more alarming. Regardless of the goals of the attackers (extortion or attacks targeted at specific patients), there’s a serious risk to patients: after receiving incorrect data, doctors may prescribe the wrong course of treatment. Even if the attempt to substitute data is detected in time, the normal operation of the medical facility may be disrupted, prompting the need to verify all of the information stored on compromised equipment. According to a report by the Centre for Disease Control and Prevention (CDC), the third leading cause of death in the United States comes from medical errors. Establishing a correct diagnosis depends not only on the knowledge and skill of a doctor, but on the correctness of data received from medical devices and stored on medical servers. This makes the resources for connected medicine a more attractive target for attackers. Unfortunately, in some cases, the security of the network infrastructure of healthcare facilities is neglected, and resources that process medical information are accessible from outside sources.
This term ‘connected medicine’ refers to a large number of workstations, servers, and dedicated medical equipment that are connected to the network of a medical institution (a simplified model is shown in the figure below).
Diagnostic devices can be connected to the LAN of an organization or to workstations- for example, through a USB connection. Medical equipment quite often processes data (for example, a patient’s photographs) in DICOM format, an industry standard for images and documents. In order to store them and provide access to them from outside, PACS (Picture Archiving and Communication Systems) are used, which can also be of interest to cybercriminals.
We have put together some recommendations for securing medical facilities. You can find the details here, but the following is a summary of the key points:
- Prevent public access to all nodes that process medical data
- Assign counter-intuitive names to resources
- Periodically update installed software and remove unwanted applications
- Don’t connect expensive equipment to the main LAN
- Ensure timely detection of malicious activity on the LAN
The authors of malware use various techniques to circumvent defensive mechanisms and conceal harmful activity. One of them is the practice of hiding malicious code in the context of a trusted process. Typically, malware that uses concealment techniques injects its code into a system process, e.g. explorer.exe. But some samples employ other interesting methods. We’re going to discuss one such type of malware.
Our eye was caught by various samples for .NET that use the trusted application InstallUtil.exe from the Microsoft .NET Framework (information from Microsoft’s website: “The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies. This tool works in conjunction with classes in the System.Configuration.Install namespace”).
The technique was described by information security researcher Casey Smith aka subTee (Proof of Concept). Briefly, the console utility InstallUtil.exe runs a malicious .NET assembly, bypassing the entry point of the assembly; all malicious activity is then hidden in the context of the trusted process.
The spreading of malicious samples follows a standard pattern: they basically reach the user in a password-protected archive, and the executable file icons in most cases are chosen specially so that the victim perceives the file as a normal document or photo. We also encountered executable files masquerading as a key generator for common software. To begin with, the malicious content of the generator got inside the %TEMP% folder, where it was run later in the described manner.Analysis
All the malicious files we encountered were heavily obfuscated, which complicated their manual analysis. We took the sample 263dc85de7ec717e8940b1ccdd6ee119 and deobfuscated its strings, classes, methods, and fields. Here’s how the file looked before deobfuscation:
InstallUtil.exe allows file execution to start not from the .NET assembly entry point: execution begins from a class inherited from System.Configuration.Install.Installer. To facilitate manual analysis, this class was renamed InstallUtilEntryClass in the sample under investigation. The code in static class constructors is known to execute first when the assembly is loaded into memory, a feature utilized by the authors of this piece of malware.
Let’s examine the behavior of the malicious file in the order of methods execution. First up is FirstMainClass, since its constructor is marked with the keyword “static” and assembly execution begins with it:
The constructor does the following:
- CheckSandboxieEnvironment() determines whether the file is running in Sandboxie by attempting to load the SbieDll.dll library. If the library can be loaded, the malicious process terminates;
- CheckVirtualBoxEnvironment() searches for the vboxmrxnp.dll library, which belongs to VitrualBox. If the library can be found, the malicious process likewise terminates;
- AddResourceResolver() adds a method for handling the resource load event. This method unpacks the assembly, which is packed by the Deflate algorithm, from a specific resource and loads the assembly into memory;
- The UnpackAllAssemblies() method of the AssemblyResourceLoader class iterates through all the assembly resources and, if the resource name contains the string “+||”, unpacks the assemblies from these resources. The assemblies unpacked by this method are required by the malicious file to operate, and are legitimate libraries: Interop.MSScript.Control, Interop.TaskScheduler, SevenZipSharp;
- RemoveZoneIdentifier() deletes the NTFS alternate stream Zone.Identifier through the command line to prevent a warning at startup if the file was downloaded from the Internet. The authors made a slight mistake in the command line (“cmd.exe /c (echo. > file path:Zone.Identifier) 2 > Null”) by leaving a space between the characters 2 and >, which produces an error in the console:
- The ElevatePrivilegesProxy() method is the wrapper for the ElevatePrivileges() method, which in turn uses the known UAC bypass technique described by Matt Nelson aka enigma0x3.
Control then passes to the traditional entry point—the Main() method, which is located in the Form5 class:
We see that a WMI object is retrieved after a 30-second pause. Next, the ScriptControlClassInstance object is customized, which the language (Visual Basic script) and the body of the script are transferred to:
The AddCode() method adds and executes a VB script that runs the current assembly using InstallUtil.exe. After that, the current process is closed by calling Environment.Exit(0).
At the next stage, the malicious object is run using the InstallUtil tool and once more executes the static constructor of the FirstMainClass class examined above; control passes to the static constructor of the InstallUtilEntryClass class, which, as mentioned, is inherited from System.Configuration.Install.Installer:
The functions of this class include:
- Copying the malicious file to %APPDATA%\program\msexcel.EXE, setting the Hidden+System attributes for the “program” folder, running msexcel.EXE, and terminating the current process;
- Adding the copied file to autorun (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run);
- Creating a task called “filesqmaepq0d.tnk” that runs msexcel.EXE every minute to ensure survival on the victim’s computer;
- Checking if the malicious process is already running. An event with the name “78759961M” is created, and if such an event already exists in the system, the new process terminates;
- Creating the Form5 class and calling its destructor.
Let’s sum up the interim results: all the actions described above (entrenchment in the system, elevation of privileges, startup from a trusted application) are essentially laying the foundation for the main task. Let’s move on to analyzing the next stage of the preparatory actions, which will take us closer to the heart of the malicious activity.
The malicious assembly contains, inter alia, five classes inherited from System.Windows.Forms.Form. Inheritance from the Form class is not accidental: in its inheritance hierarchy it implements several interfaces, one of which is IDisposable, which allows to override the Dispose() method for its own purposes. Dispose() methods are called by the garbage collector in order to free up unmanaged resources used by the class when closing or unloading the assembly. Now let’s look at the source code of the Dispose() method of the Form5 class:
As we can see, various methods are executed at each iteration of the cycle, and the results are saved. Let’s take a closer look:
- At the first iteration, the full path to the RegAsm.exe utility from .NET Framework is retrieved;
- A chain of nested methods is called with a view to decoding strings from Base64 that are stored in another class and unpacking the resulting array using the SevenZipExtractor library. As a result, we get an array that is the remote administration tool NanoCore Client;
- The PERun.dll library is loaded from the assembly that was previously unpacked from the resource into memory;
- A class with the name “RunPE” and the Run method of this class are sought in this library;
- At the final iteration, the parameters are transferred and the Run method is called.
Knowing that the legalProgramPath variable contains the full path to the legitimate utility RegAsm.exe, PEFileByteArray contains the executable file in the form of a byte array, while the class name is RunPE; it is not hard to figure out that the Run() method employs the technique of hiding malicious code in the address space of the trusted process RunPE. This technique is widely known and described here, for instance.
Deep inside the Run() method, a legitimate utility process is created in CREATE_SUSPENDED state (the sixth parameter is 4u):
Eventually, the RegAsm.exe process is loaded in the address space and starts to execute the payload: the remote administration tool NanoCore Client. Only trusted processes remain in the list of running processes, and even an experienced user might not realize that the system is compromised:
RegAsm.exe was chosen as the “carrier” because (a) it is a legitimate utility from Microsoft, (b) it is located in the same directory as InstallUtil.exe, and (c) a utility from .NET Framework calling another utility from the same framework is less suspicious than calling, say, notepad.exe. In fact, the use of RegAsm.exe is not critical: the “carrier” could be any program that does not arouse the suspicion of security software and users. It is also important that all actions involving a malicious module are executed in memory, which allows file scanners to be bypassed.
As we’ve mentioned, this sample contains NanoCore Client, which can be used to control the victim’s computer, take screenshots, record keystrokes, download files, and much more. It should be noted that the payload here can be anything: from “fashionable” encrypters and miners to advanced Trojans.Conclusion
Malware writers employ various tricks to conceal malicious activity, and the above technique allowing the execution of malicious code in the context of two legitimate programs is an obvious example. Detecting this kind of concealment method requires a behavioral analysis of the program. Kaspersky Lab’s security solutions detect this behavior as PDM: Trojan.Win32.Generic and PDM: Exploit.Win32.Generic.IOC (MD5)
263DC85DE7EC717E8940B1CCDD6EE119 payload: EF8AF3D457DBE875FF4E3982B34F1DE9
3E4825AA1C09E27C2E6A1309BE8D6382 payload: 82709B139634D74DED404A516B7952F0
7E3863F827C1696835A49B8FD7C02D96 payload: D1A9879FFCB14DF70A430E59BFF5EF0B
8CB8F81ECF1D4CE46E5E96C866939197 payload: D8652841C19D619D2E3B5D7F78827B6E
FDF4086A806826503D5D332077D47187 payload: BF4A3F4B31E68B3DE4FB1F046253F2D0
In the third quarter of 2017, the trends of the preceding quarters continued to develop further. The number of DDoS attacks in China, the United States, South Korea and Russia increased, which were reflected in the statistics we gathered for botnets. A sharp surge in the number (more than 450 daily) and power (up to 15.8 million packets per second) of attacks was registered in the ‘Australian sector’. The cost of protection increased accordingly: for example, in early September, six IB vendors entered into a $50 million contract with the Singapore government (the previous three-year contract cost the state half that amount).
The biggest success in combating DDoS attacks was the taking down of the huge (hundreds of thousands of devices in more than a hundred countries) WireX botnet. The botnet had been secretly working on Android devices and proliferating via legitimate Google Play applications. The joint actions of Google, Samsung and several large IT security vendors were required to take down the botnet. Given the deplorable state of security on the Internet of things and in micro-applications, such findings are now likely to occur on a fairly regular basis.
Cybercriminals are using their brains as well as their brawn. In mid-August, Imperva described Pulse Wave technology capable of increasing the power of a DDoS attack thanks to a vulnerability in hybrid and cloud technologies. The analysts at Imperva believe that most DDoS attacks will soon follow a similar pattern: short but powerful sudden “punctuated” attacks that last for several hours or several days.
The targets within the scope of the cybercriminals’ interest remain the same. In the political arena, the increase in the number of attacks has even triggered a process of qualitative change: some are voicing the belief that DDoS attacks are a legitimate form of democratic protest. However, the effectiveness of this method is still questionable: the two most notable political acts of the third quarter (an attack on the DreamHost hosting provider and on a libertarian site) achieved nothing apart from greater publicity for the attacked resources.
Cases of blackmail involving DDoS attacks – or rather, attempts that aren’t always very well executed –have become more frequent. While in the previous quarter companies preferred to pay off the attackers, mass mailings with threats are now often perceived as just another wave of spam.
As a means of applying pressure, DDoS attacks are still more beneficial in industries where downtime and communication failures lead to lost profits and reputation. The gaming industry is becoming even more attractive for cybercriminals: the profits here are estimated in the hundreds of billions of dollars, while security is still far from perfect, with hybrid gaming platforms vulnerable to attacks via the links between resources and applications.
In Q3, there were three high-profile incidents involving gaming platforms (not including the DDoS attack on Final Fantasy’s servers, which, according to Square Enix, began in June and lasted till the end of July).
Firstly, in mid-August, Blizzard Entertainment reported a flood of junk traffic that caused problems for players of Overwatch and World of Warcraft.
Secondly, at the beginning of September, the Americas Cardroom online poker site began to experience difficulties. The attack (not the first to target the resource) followed the notorious pattern “demonstrate force, demand a ransom”. The site’s management refused to pay, but was forced to cancel – or more precisely, to delay – a poker championship that was already under way.
At the end of the quarter, on 30 September, the site of the UK National Lottery was seriously affected: for 90 minutes players were unable to place their stakes online or via applications, which caused the service serious losses.
It appears that constant DDoS attacks on the entertainment industry is becoming the new normal: the largest companies will either have to seriously reconsider their approach to security or put customer loyalty at risk. Some of them have started eliminating possible vectors on their own. For example, Netflix (yet another entertainment platform that could lose customers due to a loss of communication) found a serious vulnerability in API and developed two tools to deal with the infected applications.
Probably the most curious attack of the quarter was also related to the entertainment and gaming industry: the cybercriminals hacked a US casino via a smart fish tank. It had nothing to do with DDoS attacks, but it’s interesting that criminals managed to break through to the mainframe and steal 100 GB of confidential data from the organization, although the fish tank was installed on its own VPN. It is highly likely that in the near future the entertainment and gaming sector will be on a par with the financial sector when it comes to the scope and ingenuity of large-scale attacks.Quarter Trends
In term of trends, there was a fairly new vector of attacks related to the now notorious crypto- currencies. More and more attacks are targeting Initial Coin Offering (ICO) platforms – a type of crowdfunding. Since blockchain technology allows transactions to be conducted safely, ICOs are quickly gaining in popularity. But there are risks as well: with the rapid growth and the increasing turnover of crypto-currencies, such platforms are subjected to cyberattacks, including DDoS attacks. The broad availability of the platform guarantees reliable and secure transactions, while DDoS attacks are aimed at breaking the operability of the service and thus discrediting it or, even worse, creating a smokescreen for more sophisticated types of attacks.
Another detail of this quarter is the increase in the proportion of mixed, multi-component (SYN + TCP Connect + HTTP-flood + UDP flood) attacks. As forecasted earlier, they are gradually gaining in popularity. There is nothing fundamentally new in these attacks, but in the right hands they can be quite effective.Statistics for botnet-assisted DDoS attacks Methodology
Kaspersky Lab has extensive experience of combating cyber threats, including DDoS attacks of various complexity types and ranges. The experts of the company have been tracking the actions of botnets by using the DDoS Intelligence system.
Being part of the Kaspersky DDoS Prevention solution, the DDoS Intelligence system is intended to intercept and analyze commands sent to bots from command-and-control servers and requires neither infecting any user devices nor the actual execution of cybercriminals’ commands.
This report contains DDoS Intelligence statistics for the third quarter of 2017.
In the context of this report, it is assumed that an incident is a separate (single) DDoS-attack if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this incident is considered as two attacks. Also, bot requests originating from different botnets but directed at one resource count as separate attacks.
The geographical locations of DDoS-attack victims and C&C servers that were used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.
It is important to note that DDoS Intelligence statistics are limited only to those botnets that have been detected and analyzed by Kaspersky Lab. It should also be noted that botnets are just one of the tools for performing DDoS attacks; thus, the data presented in this report do not cover every single DDoS attack occurred during the indicated period.Q3 summary
- Resources in 98 countries were attacked in Q3 2017 vs. 86 in Q2 2017.
- As in Q2, around half of all attacks (51.56%) originated in China.
- China, the US, and South Korea remained leaders in terms of both number of attacks and number of targets. According to the number of reported C&C servers, the same countries are make up the TOP 3, though South Korea calimed first place this time.
- The longest DDoS attack was 215 hours, a decrease of 28% compared to Q2. At the same time, the share of attacks that lasted less than 50 hours remained practically unchanged (99.6% in Q3 vs. 99.7% in Q2).
- As in the previous quarter, there was a considerable drop in the proportion of attacks over TCP (down to 11.2% from 28.2%) and ICPM (down to 7.1% from 9.42%). This caused a rise in the percentage of SYN floods and HTTP attacks.
- The proportion of Linux botnets continued to grow. Such botnets were responsible for 69.62% of attacks in Q3 compared to 51.23% in Q2.
DDoS attacks were registered in 98 countries in Q3, where the largest number of the attacks were aimed at China (63.30% of all attacks), which is 5.3 p.p. higher than the previous quarter. South Korea’s share fell from 14.17% to 8.70%, moving it to third place. The US came second despite the percentage of attacks originating from this country falling from 14.03% to 12.98%.
The top 10 accounted for 93.56% of all attacks. Germany (1.24%) re-entered the top 10, replacing Italy out of the rating. Hong Kong (1.31%) dropped from 4th to 7th, having lost 1.07 p.p. Russia (1.58%) gained 0.35 p.p. and was once again in fourth place. The UK remained fifth while the Netherlands saw its share go up from 0.84% to 1.31%, moving it to sixth.
91.27% of all attacks were aimed at targets in the countries of the top 10 in Q3 2017.
China remained in first place: 51.56% of all targets were located in the territory of the country, an increase of 4.14 p.p. compared to Q2. At the same time, the US and South Korea remained second and third respectively, although the proportion of targets in the territories of both countries fell considerably: from 18.63% to 17.33% in the US, and from 16.35% to 11.11% in South Korea.
The share of targets located in the territory of Russia grew from 1.33% in Q2 to 2.24% in Q3, which saw Russia move up from seventh to fourth place. Australia and Italy left the top 10 and were replaced by France (1.43%) and Germany (1.65%).Dynamics of the number of DDoS attacks
The number of attacks per day ranged from 296 (24 July) to 1508 (26 September) in Q3 2017. The peak numbers were registered on 27 July (1399) and 24 September (1497). A relative downturn was registered on 28 July (300), 31 May (240), and 25 September (297).
In Q3 2017, Monday remained the quietest day for DDoS attacks (10.39% vs 11.78% in the previous quarter), while Thursday became the busiest day (17.54%). Last quarter’s leader, Saturday, came second (15.59%) followed by Sunday (14.89%) and Tuesday (14.79%).Types and duration of DDoS attacks
As in the previous quarter, the number of SYN DDoS attacks continued to grow, rising from 53.26% to 60.43% in Q3 2017. At the same time, the percentage of TCP DDoS attacks plummeted from 18.18% to 11.19%, which did not affect second position in the rating for this type of attack. Both UDP and ICMP attacks became quite rare: their share dropped from 11.91% to 10.15% and from 9.38% to 7.08% respectively. Meanwhile, the popularity of HTTP attacks increased from 7.27% to 11.6%, which placed them in third.
The number of long-term attacks remained almost unchanged from the previous quarter: 0.02% of attacks lasted more than 150 hours (vs 0.01%). The longest attack lasted for 215 hours, 62 hours shorter than the record in Q2. At the same time, the share of attacks that lasted 4 hours or less dropped from 85.93% in Q2 to 76.09% in Q3. Thus, the percentage of attacks lasting from 5 to 49 and from 50 to 99 hours increased, accounting for 23.55% and 0.3% of all attacks respectively.C&C servers and botnet types
The top 3 countries with the greatest number of detected C&C servers remained unchanged from Q2: South Korea, whose share grew from 49.11% to 50.16%, remained top. The US retained second place (16.94% vs 16.07% in Q2). China remained third although its share dropped from 7.74% to 5.86%. The top 3 countries accounted for 72.96% of C&C servers in total, which is only slightly more than in the previous quarter.
The top 10 included Italy (1.63%) and the UK (0.98%), which ousted Canada and Germany in Q3. Compared to Q2 2017, there was a significant increase in the shares of France (up to 2.93% from 1.79%) and Russia (up to 3.58% from 2.68%).
In Q3, Linux-based botnets continued to win back positions from Windows: the share of detected Linux-based botnets comprised 69.62%, while the percentage of Windows-based botnets dropped to 30.38%.Conclusion
In the third quarter of 2017, we registered a considerable increase in the number of both DDoS attacks and their targets. Traditionally, China is the country with the largest number of attack sources and targets. It was followed by the United States and South Korea. The popularity of Windows OS as a basis for creating a botnet has fallen noticeably, while the share of Linux-based botnets increased proportionally.
Among this quarter’s trends were increased attacks on ICO platforms: in Q3, crypto-currency was widely discussed both on the Internet and in the mass media, and cybercriminals did not ignore its popularity. Yet another detail of this quarter is the growth in the proportion of multi-component attacks, consisting of various combinations of SYN, TCP Connect, HTTP flood and UDP flood techniques.