Can Security Survive in an Increasingly Insecure World?
2013 was not a good year in terms of cyber security. Despite companies spending an increasingly significant percent of revenue on security technology – systems designed to thwart, detect and prevent hackers from gaining access to their networks and sensitive data – attacks continue to succeed.
Recently, the trend has shifted to attacking point of sale (POS) systems. While Target is the largest example, similar attacks have occurred in industries ranging from department stores to hospitals to hotel chains. Basically anywhere large scale financial transactions take place. The focus on POS systems doesn’t come as a surprise. Cybercriminals have always been after money. What is surprising, however, is how long it takes for the attacked to realize they’ve been compromised – and that’s what I’ll discuss in this blog.
I’ve chosen to use Target as an example for two reasons. First, the size and sophistication of the compromise is interesting and ideal for analysis, and the second being that Target’s example is very common to other similar attacks in the scope of realizing an attack has occurred.
So let’s start by reviewing a few facts we now know about the Target breach. While the attack began collecting credit card transaction data on November 27th, precisely timed with Black Friday to capture as much data as possible, it wasn’t discovered until December 15th – and it wasn’t Target who made the discovery, rather US law enforcement connected the dots and Target was informed. This is very concerning and, unfortunately, is very much the norm for most compromises. The 2013 Verizon Risk report found that in 62% of breaches, the attack went unnoticed for months or years!
Looking again at Target, we know when the collection of data began, but the initial compromise of their network happened nearly two weeks prior on November 15th. Apparently, an employee for a HVAC service company fell for a phishing attack which ultimately infected his computer with a password stealing trojan. Target eventually used this company to assess their power and AC consumption and had provided a few employees with credentials to access their network. Once the employee with the infected PC connected to Target’s network, his credentials were stolen and later used in the attack. The big lesson here is that you are only as secure as those you trust with access to your network. In this case, a few clicks by an unsuspecting HVAC employee led to one of the largest credit card data breaches on record.
So how could all this have happened, especially to the #2 US retailer? Why was Target unable to detect the initial compromise of their network, and then unable to identify the attack once it was underway?
To answers to these questions, we first need to understand the Data Security Standards (DSS) which are provided by the Payment Card Industry (PCI) Security Standards Council or more commonly known as PCI DSS 3.0. These standards, of which Target was certified as compliant (though details of the attack show they were clearly not followed), detail 12 specific requirements to protect cardholder data, build and maintain secure networks and systems, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks and provide an information security policy. The document is very comprehensive, and PCI DSS 3.0 does a good job of providing a framework to protect against compromise – but compromises still occur.
Some might say that PCI DSS 3.0 is to blame, and that their recommendations are not sufficient to defend against today’s sophisticated attacks – and they might be right – but I think the problem goes beyond that. While I cannot say which specific vendor security solutions were in use at Target, I know they were in place because it is required to be PCI DSS 3.0 compliant. PCI DSS 3.0 does not tell you which vendors to use, just that you must use software to protect systems from malware, or similarly, a firewall to protect your network. Here in lies the real issue – not all vendor security solutions provide the same capability or level of functionality. When considering the fact that most attacks go unnoticed for months if not longer, it seems the focus should be on technology and processes designed to frequently confirm the integrity of all involved systems. This is actually spelled out in PCI DSS 3.0 under sections 10 and 11 but the trouble is that the burden of awareness falls back to the security solution in place. And unfortunately, many endpoint solutions today are not capable of reacting to a missed infection.
So back to my original questions – how could this have happened and why did it take so long to detect?
The answer is twofold. First, Target failed to strictly follow PCI DSS 3.0 standards, especially with respect to tracking and monitoring all access to network resources and systems – and they are not alone. This is one of the more challenging standards to follow, especially for larger retailers with hundreds if not thousands of locations. But the blame isn’t solely on PCI DSS 3.0 or retailers who attempt apply their standards. The second factor is the underlying technology which is trusted and relied upon by retailers. This is a more complex issue. Retailers lack information about the metrics which matter in defending against complex and targeted attacks. Upfront detection rates are meaningless as malware for these attacks is always custom built and specific to the targeted environment. With this fact in mind, what becomes much more important is understanding a solutions ability to react to a missed threat – to understand the reaction time from first observation to identification and notification.
The attack on Target, and analysis from hundreds of other compromises, exposes there is a real weakness with awareness. Companies spend millions on security technology, trusting their investment will prevent a compromise, but the majority of today’s solutions are unable to provided what is needed – the ability to react to something new – something never encountered before.
Webroot is a pioneer in this space and the SecureAnywhere line of products were designed around improving awareness and being able to rapidly identify and instantly protect against emerging and targeted threats. This is accomplished within the Webroot Intelligence Network by focusing on what our users encounter. This approach ensures we have the necessary visibility to identify even the most targeted of attacks and applies to our endpoint, mobile and Web solutions. For more information, feel free to shoot me an email at gmilbourne@webroot.com or visit our website at http://www.webroot.com/.
Spamvertised ‘You received a new message from Skype voicemail service’ themed emails lead to Angler exploit kit
We’ve just intercepted a currently circulating malicious spam campaign that’s attempting to trick potential botnet victims into thinking that they’ve received a legitimate Voice Message Notification from Skype. In reality though, once socially engineered users click on the malicious link found in the bogus emails, they’re automatically exposed to the client-side exploits served by the Angler exploit kit.
More details:
Spamvertised ‘Image has been sent’ Evernote themed campaign serves client-side exploits
Cybercriminals continue to populate their botnets, with new infected hosts, through the persistent and systematic spamvertising of tens of thousands of fake emails which impersonate popular and well known brands – all in an attempt to socially engineer prospective victims into interacting with the scam.
We’ve recently intercepted a currently circulating malicious spam campaign, impersonating Evernote, serving client-side exploits to prospective victims who click on the links found in the fake emails.
More details:
DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure
Today, at 2014-02-12 12:16:20 (CET), we became aware of a possible evasive/beneath the radar malvertising based g01pack exploit kit attack, taking place through the DoubleClick ad network using an advertisement featured at About.com. Investigating further, we were able to identify the actual domains/IPs involved in the campaign, and perhaps most interestingly, managed to establish a rather interesting connection between the name servers of one of the domains involved in the attacks, and what appears to be a fully operational and running Ukrainian-based ad platform, Epom in this particular case.
‘Hacking for hire’ teams occupy multiple underground market segments, monetize their malicious ‘know how’
In a series of blog posts published throughout 2012, we’ve been highlighting the existence of a vibrant underground market segment, namely, that of ‘hacking for hire’ services, email hacking in particular. Commercially available as a service for years, the practice’s growth was once largely fueled by the release of DIY Web-based popular email provider hacking tools, which once acquired by prospective cybercriminals, quickly became the foundation for a successful business model. How have things changed nowadays, in terms of tactics, techniques and procedures? Profoundly.
Case in point, we’ve been tracking two such ‘hacking for hire’ services, both of which offer a diversified portfolio of malicious services to prospective customers, such as email hacking, Web site hacking, DDoS for hire, DDoS protection, and grade modification. What type of tactics, tools and procedures do they rely on? Let’s find out.
Malicious campaign relies on rogue WordPress sites, leads to client-side exploits through the Magnitude exploit kit
In a cybercrime ecosystem populated by commercially available WordPress brute-forcing and mass vulnerable WordPress installation scanning tools, cybercriminals continue actively capitalizing on the platform’s leading market share within the Content Management System’s market segment. Successfully exploiting tens of thousands of installations on a daily basis, for the purpose of utilizing the legitimate infrastructure to achieve their fraudulent/malicious campaign objectives, the tactic is also largely driven by the over-supply of compromised/accounting data, usually embedded within sophisticated Web-based attack platforms like the ones we’ve profiled in the past.
We’ve recently intercepted a malicious campaign exclusively relying on rogue WordPress sites, ultimately serving client-side exploits to users through the Magnitude Web malware exploitation kit. Despite its relatively low profile in terms of proliferation — we believe the campaign is in its early stages — it exposes a pseudo-randomly generated sub-domains based fraudulent infrastructure that is worth keeping an eye on.
ThreatVlog Episode 13: Unwanted Applications, Audio Ads, and Microsoft
In the first ThreatVlog of 2014, Marcus Moreno discusses the increase in Potentially Unwanted Applications/Programs and their impact on machines, productivity, and the user experience. Also in the video is a talk on the wonderful audio ads that have been infecting machines and annoying computer users, discussing how they get into the machine and where to find them. Finally, he talks about Microsoft’s call for all security companies to come together to help end malicious malware families.
http://youtu.be/LzaC-XIKaCA
Managed TeamViewer based anti-forensics capable virtual machines offered as a service
Operational Security (OPSEC) has always been an inseparable part of the cybercrime ecosystem, especially in the context of preventing law enforcement agencies from tracking down the activities of fraudulent and malicious adversaries online. Throughout the years, the industry has witnessed active utilization of malware-infected hosts (Socks4/Socks5) as anonymization ‘stepping stones’ and the use of cybercrime-friendly VPN providers, bypassing internationally accepted data retention regulations, as some of the primary anonymization tactics used by cybercriminals. Nowadays, this set of tactics has evolved into a diversified mix of legitimate and purely malicious infrastructure that provides value-added services such as APIs supporting Socks4/Socks5 services, DIY real-time Socks4/Socks5 syndicating tools, and the development of hybrid based type of anonymous ‘solutions’. These services empower cybercriminals with the necessary ‘know-how’ to conceal their activities online, and there is a as clear attempt to standardize this ‘know-how’ through the distribution of commercial OPSEC training manuals.
Market leading ‘standardized cybercrime-friendly E-shop’ service brings 2500+ boutique E-shops online
The rise of boutique cybercrime-friendly E-shops, which we’ve extensively profiled in our “A Peek Inside a Boutique Cybercrime-Friendly E-Shop” series, continues further expanding as a market segment within the underground marketplace. Driven by the proliferation of public/commercially obtainable DIY (do it yourself) type of malware/botnet generating tools along side the ongoing standardization of the monetization process offered by opportunistic cybercriminals acting as intermediaries between those possessing the fraudulently obtained assets and their prospective customers, the market segment is prone to expand.
Having already profiled a managed hosting service, empowering novice cybercriminals possessing compromised/hacked accounting information with efficient ways to monetize the stolen data, we continue finding factual evidence that further confirms an ongoing standardization of the monetization process. In this post, I’ll discuss a market leading managed hosting service that is currently hosting 2500+ boutique E-shops offering access to a vast amount of compromised/hacked accounting data, with hosting services, through a convenient Web-based E-shop management interface.
Keeping your digital life safe at the Sochi Olympics
Digital security is not the first thing that comes to mind when thinking about during the Sochi Olympics, but should be something that is on your mind when travelling to popular areas. Just as scams are popular in tourist areas around the world, hacking is on the rise where media professionals, security, and large groups of travelers will be gathering. In the past, malicious attacks through the digital infrastructure have occurred at the Olympics and other such events, and the Sochi Olympics will not be any different. So, as you get ready to hit the Russian mountains, here are some tips to keep you and your digital work safe.
Before you head into Olympic Village
- Ask yourself if you really do need that laptop with you. If not, leave it at home.
- Ensure all your programs are updated to their latest versions including browsers, e-mail, and antivirus. Double check your drivers as well.
- Backup your full computer onto an external device that is staying home.
- Clear your cache and temporary internet files, and remove all remembered passwords from the browsers.
- Encryption is your friend. There are many solutions out there that can provide full disk encryption, or even just encryption of vital folders.
- Setup cloud based backup solutions that maintain strong security around login procedure (Webroot/Dropbox/Box). Backup and save all the files you will be working on while travelling to the cloud server and revert back upon return from the games.
While at the Olympics
- Your Wi-Fi and Bluetooth connections are the fastest and easiest to exploit. If you do not need to be using these connections, keep them turned off. This tip goes for phones, tablets, and computers.
- Do not plug any USBs into your computer that you find on the ground or are given to you by people you do not trust. The largest breach in US National Security occurred from a rogue USB drive, and while your data might not have the same impact, the method of breach is still one of the more common.
- If you can connect to the internet through a wired connection in your room, do so. This helps keep you off rogue Wi-Fi signals that could gather your data.
- Avoid logging into private websites, banking websites, and any other website where your private information could be compromised.
- If connecting for work, use your VPN to connect and stay secured.
Remember, digital security should not be forgotten when traveling, and hackers are getting increasingly more innovative with each digital advance. The best security you can provide for your digital work is to leave your laptop at home, but if you insist on bringing it, ensure you remember you are the first line of defense in protecting yourself.
Cybercriminals release Socks4/Socks5 based Alexa PageRank boosting application
Since its inception in 1996, Alexa has positioned itself as primary Web metrics data portal, empowering Web masters, potential investors, and marketers with access to free analytics based on data gathered from toolbars installed on millions of PCs across the world. Successfully establishing itself as the most popular, publicly accessible Web site performance benchmarking tool, throughout the years, the Alexa PageRank has acted as a key indicator for the measurement of a Web site’s popularity, growth and overall performance, often used in presentations, competitive intelligence campaigns, and comparative reviews measuring the performance/popularity of particular Web sites.
Operating in a world dominated by millions of malware-infected hosts, converted to Socks4/Socks5 for, both, integration within automatic account registration tools, DoS tools, in between acting as anonymization ‘stepping-stones’, cybercriminals continue utilizing this legitimate, clean IPs-based infrastructure for purely malicious and fraudulent purposes. Their latest target? Utilizing the never-ending supply of malware-infected hosts to influence Alexa’s PageRank system. A newly released, commercially available, DIY tool is pitching itself as being capable of boosting a given domain/list of domains on Alexa’s PageRank, relying on the syndication of Socks4/Socks5 malware-infected/compromised hosts through a popular Russian service.
Cybercriminals release new Web based keylogging system, rely on penetration pricing to gain market share
In need of a fresh example of penetration pricing, within the cybercrime ecosystem, used by a cybercrime-friendly vendor in an attempt to quickly gain as much market share as possible in the over-supplied market segment for keylogging-specific systems? We’re about to give you a very fresh one.
A newly released, commercially available PHP/MySQL based, keylogging-specific malware/botnet generating system, with full Unicode support, is currently being offered for $5o, with the binary re-build priced at $20, in a clear attempt by the vendor to initiate basic competitive pricing strategies to undermine the market relevance of competing propositions. Just like the Web based DDoS/passwords-stealing tool that we profiled yesterday, this most recently released keylogging system is once again acting as a very decent example of a “me too” type of underground market release, whose overall success in the short term would mostly rely on basic branding, and whose long term success relies on the systematic introduction of new features.
To get a better view of the tool’s core functions, let’s take a peek at its administration panel.