Finding Threats in Linux® Memory: The Value of Memory Integrity Verification


WHITE PAPER
Finding Threats in Linux® Memory: The Value of Memory Integrity Verification

Linux powers critical web and cloud infrastructure for organizations around the world. Not surprisingly, it has become a major target for cybercrime and cyber espionage. In the past year, financially motivated attackers have launched large-scale, Linux-targeted attack campaigns against critical infrastructure, retail, healthcare, and financial and brokerage organizations. This white paper explores the magnitude of threats against Linux systems, and why organizations are looking at memory integrity as a superior approach for detecting threats on Linux systems. Memory integrity verification ensures that systems are running exactly the software they are supposed to be running, and flags anything that should not be there.

www.Raytheon.com/cyberproducts

Contents
1. Linux® Systems: A Major Target (p. 4)
2. Threat Attacks on the Upswing (p. 4)
3. Threats Spare No Industry (p. 5)
   Critical Infrastructure (p. 5)
   Retail (p. 5)
   Healthcare (p. 5)
   Financial and Brokerage Services (p. 5)
4. How SureView® Memory Integrity Works (p. 6)
   SureView Memory Integrity Graphical User Interface (p. 7)
   Integration with SIEMs (p. 7)
5. Conclusion (p. 8)
6. About Raytheon|Websense (p. 8)

1. Linux Systems: A Major Target

Linux is an open source operating system beloved by enthusiasts because the price is right and the license provides the freedom to tinker. From its earliest days, Linux has powered numerous web servers and other Internet infrastructure worldwide.

Over the past decade, Linux has increasingly been adopted for commercial use. Today, Linux is widely used in corporate data centers and is a formidable presence in nearly all realms of computing. What is even more surprising is that only 58% of IT professionals indicated they run antivirus on both Windows and Linux servers.[1]

2. Threat Attacks on the Upswing

In early 2014, Syngress published the Malware Forensics Field Guide for Linux Systems, which stated that: “Trends in malware incidents targeting Linux systems – combined with the ability of modern Linux malware to avoid common security measures – make malware incident response and forensics a critical component of any risk management strategy in any organization that utilizes Linux systems.”[2]

Those words were prophetic. It turns out that 2014 was the biggest year to date for cyber-attacks, and there is no indication that things are about to slow down. Given the incredible number of attacks reported in 2014, and the fact that Linux systems are a growing target, this paper assumes that a major percentage of past and future attacks have targeted and will target Linux systems.

Nearly every large organization has business-critical systems based on Linux—including critical infrastructure providers, utilities and energy companies, banks and other financial services, health care companies, media and entertainment firms, and high-tech companies. As it has moved from niche player to a core technology underpinning global enterprises, Linux has become a major target for cybercrime and cyber espionage.

In 2014, Linux fell victim to several large-scale threat campaigns run by financially motivated attackers. Operation Windigo infected more than 500,000 computers and 25,000 dedicated servers.[3] The Linux botnet Mayhem, which spread through ShellShock exploits, affected 1,400 servers.[4] Unfortunately, Operation Windigo and Mayhem are still active, using the ShellShock Bash vulnerability and other means to spread to new victims.

Throughout 2014, Linux continued to be hounded by longstanding, widespread, and easily exploited vulnerabilities, such as the aforementioned ShellShock, a.k.a. Bashdoor. ShellShock enables the processing of requests that an attacker can use to gain unauthorized access to assets. One report noted that it was unclear how many systems ShellShock affected, but it was likely in the millions.[5]

Then there were the targeted cyber-espionage operations, attributed to government-resourced attackers such as Evanescent Bat and Turla, that used custom threats built for Linux systems. The Turla campaign, also known as Epic Turla, spread into 45 countries in an infection spree aimed at government operations and pharmaceutical companies.

Figure: Linux Attacks Were On The Move in 2014. March: Windigo infects 500,000 computers. July: Mayhem infects 1,400 servers. September: ShellShock continues to infect millions. December: Turla affects 45 countries.

3. Threats Spare No Industry

Threats are not limited to specific industries. Hackers follow the money and attack the critical infrastructure, retail, healthcare, and financial sectors. One key component of successful attacks, regardless of industry, is that overburdened IT and security teams fail to notice the incursions until it is too late. With threats spanning industries and use of Linux systems on the rise, it is likely that Linux is a target in every organization.

Critical Infrastructure

According to the Department of Homeland Security (DHS), an unnamed U.S. public utility was attacked in 2014.[6] The hack sought access to the utility’s control system network. The report notes that, “hackers may have launched the latest attack through an Internet portal that enabled workers to access the utility’s control systems.” This brute force attack was not the only one launched on critical infrastructure. DHS also reported that an attacker gained access to a utility’s “mechanical device” and maintained access over a period of time. Although the number of Linux systems affected was not specifically reported, it can be assumed that some number of them were Linux based.

Retail

The retail business is littered with attacks. Target™ is the most high-profile example, and that was a damaging incursion that will take years for the company to recover from. However, there were others in retail that suffered from attacks, including Neiman Marcus, Michaels, eBay® and Home Depot®. The breach of Target cost the company $148 million.[7] To date, Home Depot has chalked up $48 million for its data breach.[8]

Healthcare

With millions of records that contain personally identifiable information, healthcare is especially vulnerable to attack. In one healthcare-related attack, an operator of more than 200 hospitals in the U.S. had 4.5 million patient records stolen. The records included names, Social Security numbers, physical addresses, birthdays and telephone numbers. In August 2014, the Washington Post reported that healthcare breaches had hit 30 million patients. The report notes that, “since federal reporting requirements kicked in, the U.S. Department of Health and Human Services’ database of major breach reports (those affecting 500 people or more) has tracked 944 incidents affecting personal information from about 30.1 million people. A majority of those records are tied to theft (17.4 million people), followed by data loss (7.2 million people), hacking (3.6 million) and unauthorized access accounts (1.9 million people).”[9]

Financial and Brokerage Services

In February 2015, the Carbanak hacking group stole $1 billion from banks around the globe. The operation struck banks in about 30 countries, according to a ZDNet report on Kaspersky’s findings.[10] In its report, Kaspersky notes that the use of a Secure Shell (SSH) backdoor “to communicate with the C2 server in 190.97.165.126 (operatemesscont.net)… indicates that the attackers did not limit themselves to Microsoft Windows environments.”[11]

Sidebar: THE COST OF A BREACH. What is Your Reputation Worth?

The infamous Target data breach cost the retailer more than just financial loss, but the dollars and cents were staggering. Forbes reported the retailer’s profit fell nearly 50% in the last quarter of 2013 and more than a third for all of 2013. The magazine also reported the hard loss from the data breach came in at $148 million. However, there were other costs as well. The CEO lost his job, and the company suffered a loss of reputation that is incalculable. Maybe your business is not as high profile as Target. So how does a major breach affect you? Ponemon Institute’s Cost of a Data Breach study shows that the average cost of a data breach is about $3.5 million. The average cost for a compromised record is more than $194.

4. How SureView® Memory Integrity Works

Threat detection, based on memory integrity verification, […] backdoors, injected code, unauthorized processes, and other signs of intrusions.

Sources
[1] Sophos Research Report, “You might be surprised by how few businesses protect their Linux servers with antivirus.” John Zorabedian, May 26, 2015. https://blogs.sophos.com/2015/05/26/you-might-be-surprised-by-how-few-businesses-protect-their-linux-servers-with-antivirus/
[2] Cameron H. Malin, Eoghan Casey, James M. Aquilina, Malware Forensics Field Guide for Linux Systems (Syngress, 2014), 42.
[3] http://www.symantec.com/connect/blogs/25000-linux-and-unix-servers-compromised-operation-windigo and http://thehackernews.com/2014/03/operation-windigo-linux-malware.html
[4] http://www.itnews.com.au/News/390053,new-mayhem-malware-targets-linux-unix-servers.aspx
[5] http://www.technologyreview.com/view/531286/why-the-shellshock-bug-is-worse-than-heartbleed/
[6] http://www.reuters.com/article/2014/05/21/us-usa-cybercrime-infrastructure-idUSBREA4J10D20140521
[7] http://www.nytimes.com/2014/08/06/business/target-puts-data-breach-costs-at-148-million.html
[8] https://threatpost.com/home-depot-breach-cost-company-43-million-in-third-quarter/109629
[9] http://www.washingtonpost.com/blogs/wonkblog/wp/2014/08/19/health-care-data-breaches-have-hit-30m-patients-and-counting/
[10] http://www.zdnet.com/article/carbanak-hacking-group-steal-1-billion-from-banks-worldwide/
[11] https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf