Fujitsu Security Operations Centre 2014 Annual Review & 2015 Predictions Secure Thinking

Contents

1. Foreword

2. 2014 Annual Review

2.1 Significant threats during 2014

2.1.1 DDoS attacks

2.1.2 Crypto Ransomware infections

2.1.3 Phishing campaigns

2.1.4 Multi-platform threats and the rise of malware

2.1.5 The Branded Security Vulnerability

2.1.6 Threat to Retail – Point of Sale malware

2.1.7 Significant compromises

2.1.8 The insider threat

3. Predictions 2015

3.1 Threat intelligence

3.2 DDoS attacks

3.3 State sponsored cyber espionage and cyber war

3.4 Increasingly complex spam campaigns

3.5 Virtual desktop image security

3.6 Mobile platform threat

3.7 DDoS / Crimeware as a service

3.8 Banking Trojans

3.9 ATM Jackpotting

3.10 Agility and the risk of frequent security updates

1. Foreword

Security will always have one foot in the past and one in the future. It’s about analysing the last threat and anticipating the next one. As a result, this report straddles 2014 and 2015 – what happened last year and what we think will happen this year. The goal of both perspectives is to help protect your business.

A brief word on 2014

In 2014, we saw an unprecedented rise in reports of high-profile security threats, such as Poodle and . It was also the year that government-sponsored attacks came to the fore. In this report, you’ll gain insight into those threats and a lot more. For example, we also look at how:

■ Organised gangs are responsible for 50% of security attacks
■ State-sponsored attacks are changing
■ Identity and access management systems are reducing internal attacks.

What to expect in 2015

In addition to our reflections on 2014, we’ve also made some predictions for 2015. The broad message is that attacks will increase again – in both number and sophistication. Of course, in light of recent high-profile attacks, businesses are more aware of the impact of attacks. However, this visibility counts for nothing if you don’t deploy countermeasures.

Preparing for 2015

At Fujitsu, we have one of the largest dedicated security practices in the UK and Ireland. Our aim is to keep our customers one step ahead of the bad guys. That could be through our 24/7 Security Operations Centre or our security consultants. Either way, we’re ready to help businesses navigate these difficult times. With that in mind, here are a few simple tips to start you off:

■ Increase the level of basic knowledge about computer security breaches in your organisation
■ Get people doing the simple things, like only opening emails from trusted sources
■ Ensure your company has applied the latest software patches
■ Prepare for a breach (it’s inevitable – even if you have firewalls, intrusion detection or prevention technology, and antivirus software)
■ Think about how quickly you can detect and respond to a breach.

I hope you find this report of what our security teams have seen in 2014 and what they see in 2015 useful in protecting your business. Once you’ve read it, feel free to get in touch with one of our experts.

Rob Norris
Director, Enterprise & Cyber Security


2. 2014 Annual Review

Last year saw a shift in the perception of security: it made mainstream news on multiple occasions, and our Security Operations Centre has had to evolve significantly to respond to this ever-changing threat landscape. We emphasise that Cyber Security should no longer be seen as an IT Department issue but one that extends from the end user to the boardroom. Everyone has a responsibility for Cyber Security, whether that is understanding the potential threat to their computer from opening an unknown attachment or understanding the threat to a business through potential damage to reputation and/or loss of data. This document aims to outline what we have observed in the SOC and what we foresee.

During the last 12 months, sectors from Government to Retail to Banking have been the subject of cyber-attacks, with the year ending with the most noteworthy attack in recent times, on Sony Pictures. This was attributed by the US Government to the Democratic People’s Republic of Korea; 2014 was also the year in which the US Government charged five Chinese military personnel with cyber espionage. There were a total of 695 Critical vulnerabilities with a CVSS score of 9 or 10, and we also saw numerous ‘branded’ vulnerabilities last year such as Heartbleed, Shellshock and Poodle; these all hit the mainstream media and were front page headlines. The UK National Crime Agency, partnering with the FBI, announced ‘Cybergeddon’ to the media in April in relation to a two-week campaign targeting cyber criminals hosting the GameOver Zeus botnets. There has also been a major change in the DDoS attack vector, utilising various UDP protocols such as DNS and NTP. In December, the Network Time Protocol daemon (NTPd) was found to have a major vulnerability allowing remote command execution, which led to Apple releasing its first ever automatic patch deployment.

There have been countless issues in cryptography, with vulnerabilities affecting OpenSSL, Schannel, SSLv3 and SHA-1, the latter significant enough to result in major browser vendors winding down official support for the encryption hash algorithm. The threat of malware also increased significantly in 2014. There was further state sponsored malware such as , new variants of W97 macro viruses and multiple variants such as BlackPOS targeting retailers and Point of Sale systems. The increase in phishing campaigns in particular had an impact on the SOC, with several each week to investigate, analyse and respond to across our customer and vendor base. Adobe, Oracle and have all had significant vulnerabilities. Many have been Critical zero-day exploits that would allow remote command execution. Microsoft finally ended support for Windows XP in April and will follow through with End of Life for the Windows Server 2003 operating system in 2015. We have also seen new threats against other operating systems such as iOS and OS X, and malware variants specifically targeting Linux platforms. The trend of mobile malware is also growing significantly, including the introduction of botnets for the Android platform.


2.1 Significant threats during 2014

2.1.1 DDoS attacks

In our February Threat Intelligence Report, the SOC highlighted that there had been an increase in DDoS amplification attacks. New attacks using NTP had been spotted by Symantec over Christmas 2013, following on from previous attacks seen using DNS amplification. Attackers were able to use botnets to spoof IP addresses and send large UDP requests to targets supporting NTP. Cloudflare reported an attack in May that peaked at nearly 400Gbps. The SOC worked with various business units to identify public-facing NTP servers and ensure any running the monlist command were updated. The SOC has also seen attacks against some customers using port 80 over UDP. Further information can be read in the UK Government Advisory on DoS.

During December, the SOC attended the latest Botnet Conference, a three-day event attended by , Cloudflare and the NCA amongst others. The NCA presented on , which was a collaboration with the FBI to take down the GameOver Zeus botnet. This botnet was responsible for the delivery of the Cryptolocker malware family and was successful because it automatically and dynamically generated new domains, making it difficult for network defenders to protect against them. The enforcement agencies were able to crack the Domain Generation Algorithm and so were able to purchase, in advance, the following two weeks of domains to be generated, achieving 100% sinkholing and leaving the threat redundant. The two-week window brought about a media campaign led by the NCA dubbed ‘Cybergeddon’, in which they pleaded with businesses and end users on TV and through the national media to ensure they had the latest patches and antivirus definitions. The botnet was reported to have stolen more than $100 million from businesses and consumers; however, we were told at the conference that this is conservative and the figure is estimated to be more like $500m.

Incapsula reported that 29% of traffic monitored over a 90-day period related to ‘bad’ botnets with the intention of taking services down, website hijacking and data theft. Spamhaus also detail in their annual report that they “detected 7,182 distinct IP addresses that hosted a botnet controller (Command & Control server - C&C). That is an increase of 525 (or 7.88%) botnet controllers over the number we detected in 2013. Those C&Cs were hosted on 1,183 different networks”.


2.1.2 Crypto Ransomware infections

Cryptolocker first appeared in late 2013, infecting end user machines and encrypting local files and files stored on mounted network shares. The malware authors then retained the decryption key until payment was made via a pre-paid voucher or Bitcoin. Fox-IT estimated the total amount paid to be $3 million, with approximately 50,000 endpoints a month infected. In collaboration with FireEye, they released a site in August which allowed users to decrypt any infected files. Cryptowall and Torrentlocker followed suit in 2014, using the same ransomware principle of infecting users and encrypting files before asking for the ‘decryption ransom’. Torrentlocker, a new variant of ransomware using the same components as Cryptolocker and Cryptowall, seemed to target Turkish and Australian users via spam. Phishing campaigns and advertisement pages were used as a mechanism to spread the malware. Cryptowall is estimated to have infected 625,000 hosts globally and encrypted 5.25 billion files, with 40,000 UK machines impacted. The malware authors made $1.1 million over a six-month period. There was one instance of a user / company paying $10k in ransom. The Cryptowall authors made less than the authors of Cryptolocker due to the reliance on Bitcoin payment.

2.1.3 Phishing campaigns

A significant change in 2014 was the month-on-month increase in the number of phishing campaigns seen across our customer accounts. The spam authors continually changed their methods to bypass email security rules and also targeted specific vendors with campaigns they knew would go undetected; in many cases it has been an arms race, with network defenders such as ourselves working with the security vendors against the malware authors. The campaigns were typically ‘Invoice’ and ‘Fax’ style campaigns utilising a new variant of the W97M.Downloader virus as the initial attack vector. The infection mechanism was triggered when users opened a Word document and enabled macros, allowing malicious content to be delivered. The resulting malware was typically part of the Cridex and family. This malware can sit dormant on a user’s machine until they visit an online banking site, when it will attempt to redirect them to a fake site, allowing the attackers to steal banking credentials and make fraudulent transactions. The SOC has been tracking this activity across multiple customers and blocking the Command and Control infrastructure found during analysis; this will undoubtedly continue during 2015 as new variants are released. The APWG Phishing Trends report for Q2 reported that from April through June 2014 they saw the second highest number of phishing sites ever observed in a quarter, with 128,378 phishing sites observed.


2.1.4 Multi-platform threats and the rise of malware

It was reported last year that nearly one fifth of all malware was created in 2013, and records have been broken again with a drastic increase in 2014. PandaLabs reported in their Q3 report that 20 million new strains of malware were created in the third quarter of the year alone, roughly equating to 228,000 new pieces of malware every single day. The study reports that 78% of all of those samples were Trojans delivering backdoors, ransomware, rootkits, spyware and downloaders. The highest infection rate was in China, accounting for nearly 50% of all infections. The SOC analysed multiple malware samples this year in our lab and several of those had successfully bypassed traditional antivirus signatures. One of those samples analysed had been ported across to Windows, having previously been seen as Chinese DDoS malware affecting Linux platforms, and this threat has continued throughout the year with further malware samples found targeting Linux platforms, particularly where vulnerable versions of Bash were present.

Mobile malware has also been on the rise this year, with botnets observed targeting mobile devices. The Android platform is present on approximately 85% of mobile devices and accounts for 98% of mobile malware overall. A new variant of the NotCompatible botnet, detailed by Lookout and reported to be the most advanced botnet to date, using encryption for peer-to-peer connections, is capable of compromising enterprise handsets and, in addition to stealing data and sending premium SMS, using them for malicious activity such as spam campaigns, fraudulent and bulk ticket purchasing and password brute force. In addition to the iCloud vulnerability, Apple has also not been safe this year, with the creation of the Wirelurker malware which affected their iOS and OS X platforms. The malware authors trojanised 467 applications in a third-party Chinese app store for Macs. Mobile devices were infected when the iOS device was connected to an infected OS X device ‘over the wire’. The malware could then be used on the mobile device to steal data or wait for commands from Command and Control servers. Kaspersky reported that “6.2 billion malicious attacks on user computers and mobile devices were blocked by Kaspersky Lab antivirus products in 2014, one billion more than in 2013”.

2.1.5 The Branded Security Vulnerability

The branding / naming of vulnerabilities is a useful mechanism to help create an understanding of, and an ongoing reference point for tracking and monitoring, a threat, and it is relatively new. AV vendors have long given viruses names, with Code Red being one of the most memorable from previous years. This year, however, it has certainly intensified, with Heartbleed in particular being released with its own bleeding heart logo and domain name – heartbleed.com. Heartbleed was a bug affecting the TLS heartbeat extension of the OpenSSL library. It was found independently by Google and Finnish security researchers at Codenomicon. The bug allowed attackers to anonymously request information held in memory from servers running the vulnerable version of OpenSSL, and that could include content such as passwords and private keys. Half a million websites were reported to be affected and several were exploited, including the Canadian Revenue Agency, with arrests following soon after. Mobile devices and even smart meters were impacted by the vulnerability.
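The Heartbleed bug described above came down to one missing bounds check: the server trusted the payload length declared inside a heartbeat request and copied that many bytes back, even when the request that actually arrived was far shorter. The following added example (written for this review; it is not Fujitsu's or OpenSSL's code) simulates both behaviours on a toy in-memory buffer so the effect of the check is visible. The message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520; the TLS record framing is omitted, and the "process memory" buffer and the secret placed next to the request are constructed for the demonstration.

```python
import struct

HB_REQUEST = 1
HB_RESPONSE = 2
HEADER_LEN = 3          # 1-byte type + 2-byte payload_length
MIN_PADDING = 16        # RFC 6520 requires at least 16 bytes of random padding


def parse_heartbeat(record: bytes):
    """Parse a HeartbeatMessage, rejecting any whose declared payload_length
    does not fit inside the record that actually arrived. This is the check
    that the vulnerable OpenSSL versions lacked."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        raise ValueError("record too short to be a heartbeat message")
    hb_type = record[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        raise ValueError("unknown heartbeat type %d" % hb_type)
    (payload_len,) = struct.unpack("!H", record[1:3])
    if HEADER_LEN + payload_len + MIN_PADDING > len(record):
        raise ValueError("payload_length %d exceeds record length %d"
                         % (payload_len, len(record)))
    payload = record[HEADER_LEN:HEADER_LEN + payload_len]
    return hb_type, payload


def build_response(payload: bytes) -> bytes:
    """Encode a HeartbeatResponse echoing `payload`."""
    return (bytes([HB_RESPONSE]) + struct.pack("!H", len(payload))
            + payload + b"\x00" * MIN_PADDING)


def respond_unchecked(memory: bytes, offset: int) -> bytes:
    """Simulation of the pre-fix logic: the declared payload_length is
    trusted and that many bytes are copied from wherever the record sits
    in memory, so whatever follows the record is echoed back too."""
    (payload_len,) = struct.unpack("!H", memory[offset + 1:offset + 3])
    start = offset + HEADER_LEN
    return build_response(memory[start:start + payload_len])


def respond_checked(memory: bytes, offset: int, record_len: int) -> bytes:
    """Post-fix logic: only the bytes that actually arrived are considered,
    and the message is dropped if the length field disagrees with them."""
    record = memory[offset:offset + record_len]
    hb_type, payload = parse_heartbeat(record)
    if hb_type != HB_REQUEST:
        raise ValueError("only requests are answered")
    return build_response(payload)


# Constructed demonstration data: a request declaring a 40-byte payload but
# carrying only the 4 bytes b"ping" (plus padding), placed in a simulated
# process buffer directly before some secret material.
SECRET = b"SECRET-KEY-MATERIAL"
MALFORMED_RECORD = (bytes([HB_REQUEST]) + struct.pack("!H", 40)
                    + b"ping" + b"\x00" * MIN_PADDING)
RECORD_OFFSET = 4
MEMORY = b"\x00" * RECORD_OFFSET + MALFORMED_RECORD + SECRET + b"\x00" * 40


def leaks_secret() -> bool:
    """True if the unchecked responder echoes bytes that were never sent."""
    return SECRET in respond_unchecked(MEMORY, RECORD_OFFSET)


def rejects_malformed() -> bool:
    """True if the checked responder refuses the same malformed record."""
    try:
        respond_checked(MEMORY, RECORD_OFFSET, len(MALFORMED_RECORD))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unchecked responder leaks adjacent memory:", leaks_secret())
    print("checked responder rejects the request:", rejects_malformed())
```

The point for defenders is that the fix is not exotic: a length field supplied by the peer must be validated against the bytes actually received before it drives a copy, and a well-formed request (declared length matching the data) still passes the checked path unchanged.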


Shellshock followed in September, relating to a vulnerability in the very widely used ‘Bash’ shell on Unix-based platforms. Bash is a program used to execute command lines and command scripts. The vulnerability was assigned the highest CVSS score of 10 for all three ratings: base, impact and exploitability. The vulnerability affected half a billion servers and devices worldwide and, when exploited, allowed arbitrary code execution on a server without authentication. Exploits were available for the vulnerability almost immediately, and Akamai and the US Department of Defence were the target of a DDoS attack by a botnet dubbed ‘Wopbot’. Malware dubbed Elf_Bashlite was also created, allowing the execution of multiple commands, and it also has the capability to carry out brute force logins. Further reported attack vectors include HTTP, SSH, DHCP, FTP, SIP, SMTP and VPNs.

Poodle, an acronym for ‘Padding Oracle On Downgraded Legacy Encryption’, followed shortly after in October and was reported by security researchers at Google, detailing a ‘Man in the Middle’ padding attack against CBC ciphers in SSLv3. If exploited, the attacker could extract secrets from the intercepted session, such as the session cookies, to take over the active session. SSLv3 is 15 years old and nearly obsolete, and as such the major browser vendors, , Google and Microsoft all moved to disable SSLv3 in their browsers by default.

The same browser vendors also announced the retirement of support for SHA-1 as an encryption hash algorithm. SHA-1 was first published in 1995; however, since the malware proved a collision attack was possible in MD5, and with the increase in computing power, there is significant concern that collisions would also be possible in SHA-1. Users will experience warnings in their browsers, including coloured padlock changes during HTTPS sessions, until 2017 when support will finally be removed.
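Because HTTP was the most common Shellshock attack vector, a web server's access log is the first place a SOC would look for attempts against it: the trigger is a bash function definition (`() {`) placed in a header such as User-Agent or Referer, or in the request line. The added example below (written for this review, not part of the Fujitsu report) parses constructed lines in the Apache/nginx "combined" log format and flags any request carrying that signature, checking the URL-decoded form as well so that percent-encoded variants are not missed. The log lines, IP addresses and paths are all constructed sample data.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A Shellshock trigger starts with an exported bash function definition.
# Allow whitespace variations between the parentheses and the brace.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def is_shellshock_like(value: str) -> bool:
    """True if the raw or URL-decoded value contains a function definition."""
    return bool(SHELLSHOCK_RE.search(value) or SHELLSHOCK_RE.search(unquote(value)))


def scan_log(lines):
    """Return (client_ip, field, value) for every request whose request
    line, referer or user-agent carries a Shellshock-style signature.
    Lines that do not match the combined format are skipped, not raised."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line.strip())
        if not m:
            continue
        for field in ("request", "referer", "agent"):
            value = m.group(field)
            if is_shellshock_like(value):
                hits.append((m.group("ip"), field, value))
    return hits


# Constructed sample log: two probes via User-Agent and Referer, one
# percent-encoded probe in the query string, one benign request and one
# unparseable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:14:01 +0100] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; echo vulnerable"',
    '198.51.100.23 - - [25/Sep/2014:10:14:05 +0100] "GET /index.html HTTP/1.1" '
    '200 2048 "http://example.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:15:30 +0100] '
    '"GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20test HTTP/1.1" '
    '404 220 "-" "curl/7.30"',
    '198.51.100.42 - - [25/Sep/2014:10:16:00 +0100] "GET /news HTTP/1.1" '
    '200 900 "() { :; }; echo test" "Mozilla/5.0"',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    for ip, field, value in scan_log(SAMPLE_LOG):
        print("%-15s %-8s %s" % (ip, field, value))
```

Note that the third sample line returned a 404, which is exactly why status codes are a poor filter here: a probe against a CGI path that does not exist still tells you which source is scanning for the bug, and a successful exploit against an existing script may well return 200.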

2.1.6 Threat to Retail – Point of Sale malware

Target made the headline news late in 2013 with one of the largest recorded cyber security breaches in history, with 70 million personal and 40 million credit card details stolen. The store was breached using third-party credentials belonging to its supply chain, a refrigeration company, and the attackers were able to install the ‘BlackPOS’ malware on Target’s Point of Sale terminals, allowing them to steal credit and debit card data. The fallout this year was substantial: class-action lawsuits followed, senior executives lost their positions at the company, 8 stores were closed, the company had to offer free credit card monitoring to customers and it suffered a significant loss of revenue. The company has since invested $5 million in a Cyber Security coalition. Neiman Marcus followed Target with an announcement that they had also been breached, in an attack that stole 350,000 credit and debit card details. 9,200 of those cards were used fraudulently. The company also faced lawsuits and reported that the data breach has cost it $4.1 million so far in legal fees, investigations, customer communications and credit monitoring subscriptions.


US-CERT issued an announcement in July detailing a new Point of Sale malware variant dubbed ‘Backoff’ by Trustwave, who initially identified the threat. US-CERT then followed up with a further announcement in August that they were “aware of Backoff malware compromising a significant number of major enterprise networks as well as small and medium businesses”. Security researchers at Trustwave estimate 600 businesses were impacted by the malware, including Staples, Michaels, K-Mart and UPS. In September, Home Depot were the victim of a massive data breach which drew parallels with Target, with 53 million email addresses and personal details stolen and the initial attack vector stemming from third-party vendor credentials. The attackers then targeted Point of Sale terminals specifically named ‘selfcheckout’ and stole details of 56 million credit and debit cards used between April and September. Forbes reported the cost of the breach was estimated so far at $62 million.

2.1.7 Significant compromises

JP Morgan Chase, America’s largest bank, was the subject of a huge compromise of the account information of 83 million households and small businesses. The compromise potentially started as early as April, after a Corporate Challenge website being run by a third-party company, Simmco Data, was hacked, with attackers stealing usernames and passwords of employees which were then used to target the bank’s systems. The investigation into the breach found the same IP addresses in their logs and tracked the breach to 90 servers within the bank’s network. Apple were also in the spotlight again in August for the ‘Celebgate’ hack on iCloud, which compromised hundreds of accounts, leaking nude images of celebrities on the bulletin board ‘4chan’. The method of attack was reported to be brute force password guessing, due to a flaw in Apple’s ‘Find My iPhone’ feature which allowed 20,000 attempts at guessing the password and, if successful, allowed access to other iCloud features such as photos. Attackers used the opportunity to set up websites hosting the images which were known to deliver malware. eBay were in the news in May when they issued a press release recommending users change their passwords. The company announced there had been a breach of a database containing encrypted passwords and personal data including user names, email addresses, physical addresses, phone numbers and dates of birth, information that is in some ways as valuable to as a compromised credit card, which can have a short shelf life after it is stolen. Although eBay did not believe any of the credentials had been used fraudulently, they recommended users change their passwords as good practice.
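The ‘Celebgate’ weakness above was an authentication endpoint that would accept an unbounded number of password guesses. The standard control is to count failures in a sliding window, keyed both by the account being attacked and by the source making the attempts, and to refuse further attempts for a lockout period once a threshold is reached, before the password is even evaluated. The following added example (written for this review; it is not Apple's or Fujitsu's code) implements that throttle with an injectable clock so it can be exercised deterministically; the account names, addresses and thresholds are constructed.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counter with lockout, keyed per account and
    per source address. Once max_failures failures land inside
    window_seconds, the key is refused for lockout_seconds."""

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                      # injectable for testing
        self._failures = defaultdict(deque)     # key -> recent failure timestamps
        self._locked_until = {}                 # key -> time the lock expires

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, key) -> bool:
        now = self.clock()
        until = self._locked_until.get(key)
        if until is not None and now < until:
            return True
        self._locked_until.pop(key, None)       # expired lock is cleared
        return False

    def allow_attempt(self, account, source) -> bool:
        """Call before checking the credential; False means refuse the
        request without evaluating the password at all."""
        return not (self.is_locked(("acct", account)) or
                    self.is_locked(("src", source)))

    def record_failure(self, account, source):
        now = self.clock()
        for key in (("acct", account), ("src", source)):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                self._failures[key].clear()

    def record_success(self, account, source):
        for key in (("acct", account), ("src", source)):
            self._failures.pop(key, None)


class FakeClock:
    """Constructed clock so behaviour over time can be tested offline."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_guessing(attempts=20):
    """Constructed scenario: one source makes `attempts` bad guesses, one
    second apart, against one account. Returns how many guesses were
    actually evaluated before the lock engaged, and whether the account
    is usable again once the lockout has elapsed."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=5, window_seconds=300,
                             lockout_seconds=900, clock=clock)
    evaluated = 0
    for _ in range(attempts):
        if throttle.allow_attempt("alice", "203.0.113.7"):
            evaluated += 1
            throttle.record_failure("alice", "203.0.113.7")
        clock.advance(1)
    clock.advance(900)
    return evaluated, throttle.allow_attempt("alice", "203.0.113.7")


if __name__ == "__main__":
    print("guesses evaluated, usable after lockout:", simulate_guessing())
```

Keying on the source as well as the account matters because an attacker who rotates through many accounts from one address never trips a per-account counter alone; keying on the account as well catches the reverse, a distributed guess against one victim.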


The compromise of Sony Pictures was without doubt the big story of 2014. The breach and data leak was so vast that Sony had to take their entire network offline for several days. Sony employees began receiving a message on their screens telling them they had been hacked by #GOP – Guardians of Peace and giving them a deadline of 11pm before company data would be leaked. The FBI and US Government attributed the attack to the North Korean Government (DPRK), who were allegedly motivated by retribution for a film Sony were due to release called ‘The Interview’, about the assassination of the country’s leader Kim Jong-Un. The DPRK quickly denied any involvement but supported the action. The film release was subsequently postponed due to cinema safety concerns over threats from the attackers; however, the film was shown in some cinemas on Christmas Day and released online.

Substantial data leaks, including personal data of Sony employees such as Social Security Numbers, emails and passwords, were released over the following weeks. The attackers also leaked unreleased Sony Pictures movies online and even used compromised Sony servers to upload and seed the data via torrents. IP addresses, multiple passwords, FTP passwords, passwords for access to media websites, YouTube credentials, SSL certificates and credit card information were also leaked in a relentless publishing of Sony’s most valuable information. A further leak included bank statements, financial forecasts, financial year reports, and budget and overhead reports. Other leaks included offline copies of discussions between the Sony President and Co-Chairman about Sony’s anti-piracy efforts, and further email spools from the Senior Executive Vice President and Chairman. Sony issued cease and desist letters to security researchers and journalists who had downloaded the data, which sparked online debate.

The method and length of the Sony intrusion is still under debate; however, the FBI flash warning released shortly after the compromise was announced is thought to be related. The FBI warned recipients about ‘wiper’ malware which overwrites data on all hard drives and then deletes the master boot record so the computer cannot restart. The malware was researched by Kaspersky as Destover and analysed by the SOC.

2.1.8 The insider threat

Edward Snowden and Bradley (now Chelsea) Manning are now names synonymous with the leaking of restricted and, in their case, national security information. In both cases, they underlined that the insider threat is still very much a real one. Morgan Stanley were the latest name in the media in 2014 to fall foul of a huge data leak courtesy of one of their employees. It is alleged that a financial advisor was able to gain access to a database and steal information on approximately 10% of its ‘wealth management’ client base. The staff member then posted a sample of 900 clients on Pastebin, offering the opportunity to buy the data.


3. Predictions 2015

3.1 Threat intelligence

There are a lot of marketing words covering this topic at the moment, such as ‘Actionable Intelligence’ and ‘Advanced Analytics’, and further blurred lines with Advanced Persistent Threat, but the reality is that threat intelligence is very much a requirement in the modern threat landscape. There is so much data and noise that it is critical to be able to analyse and correlate across multiple security technologies, using threat intelligence feeds, vendor and open source tools and, most importantly, good SOC personnel and process to obtain the factual detail. The ability to provide real-time contextual awareness and carry out action based on multiple intelligence feeds and the collation of multiple sources will become important for customers seeking to understand whether they were targeted. Was the malware specific to the customer? Was it a target against their sector? What was the payload? Who did it try to communicate with? What are the associated source IPs and domains? Can they be blocked on the network?

3.2 DDoS attacks

We have already seen crippling attacks in 2014 against Cloudflare and Spamhaus and expect to see this trend continue in 2015. US-CERT published a list of potential attack vectors for UDP amplification attacks, and attacks were seen on many of those protocols, using the vulnerable services to echo back large packets of data from small data requests, effectively causing a flood towards the target. SNMP hasn’t made headline news yet, and we do expect it to be a targeted protocol at some point, with a major DDoS attack affecting upstream providers and enterprise customers. The 400Gbps attack early in 2014 may seem small in comparison to potential future attacks of 600-800Gbps.
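Both the NTP amplification attacks in section 2.1.1 and the UDP amplification vectors above share one signature on the victim's side of the network: large responses from amplifier service ports (NTP, DNS, SNMP, SSDP, CharGEN) arriving from many reflectors that the victim never queried. The added example below (written for this review, not part of the Fujitsu report) reads constructed flow records, discounts responses that match a genuine outbound request, and flags destinations receiving high bytes-per-packet traffic from several such sources. The amplifier port list is taken from the public US-CERT amplification advisory as an assumption, and the 440-byte response size, addresses and thresholds are constructed sample values.

```python
from collections import defaultdict

# UDP services commonly abused for amplification (assumption, based on the
# public US-CERT advisory on UDP amplification; not a list from this report).
AMPLIFIER_PORTS = {19: "CharGEN", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}


def parse_flows(lines):
    """Parse constructed CSV flow records of the form
    src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
    skipping blank lines and '#' comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, pkts, byts = line.split(",")
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto.upper(),
                      "packets": int(pkts), "bytes": int(byts)})
    return flows


def find_amplification_victims(flows, min_sources=3, min_bytes_per_packet=300):
    """Group UDP traffic whose *source* port is an amplifier service by
    destination, ignoring responses for which a matching outbound request
    from that destination exists. A destination receiving large responses
    from many reflectors it never queried is a likely victim of
    spoofed-source amplification."""
    outbound = {(f["src"], f["dst"], f["dport"]) for f in flows if f["proto"] == "UDP"}
    per_dst = defaultdict(lambda: {"sources": set(), "packets": 0,
                                   "bytes": 0, "services": set()})
    for f in flows:
        if f["proto"] != "UDP" or f["sport"] not in AMPLIFIER_PORTS:
            continue
        if (f["dst"], f["src"], f["sport"]) in outbound:
            continue                      # the destination really asked this server
        s = per_dst[f["dst"]]
        s["sources"].add(f["src"])
        s["packets"] += f["packets"]
        s["bytes"] += f["bytes"]
        s["services"].add(AMPLIFIER_PORTS[f["sport"]])

    victims = {}
    for dst, s in per_dst.items():
        bpp = s["bytes"] / s["packets"]
        if len(s["sources"]) >= min_sources and bpp >= min_bytes_per_packet:
            victims[dst] = {"sources": len(s["sources"]),
                            "bytes_per_packet": round(bpp),
                            "services": sorted(s["services"])}
    return victims


# Constructed sample: four NTP reflectors flooding 192.0.2.10 on UDP/80 with
# ~440-byte packets, a legitimate NTP exchange by 192.0.2.20, a single DNS
# reply to 192.0.2.30 and unrelated TCP traffic.
SAMPLE_FLOWS = """
# src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
198.51.100.11,123,192.0.2.10,80,UDP,1200,528000
198.51.100.12,123,192.0.2.10,80,UDP,900,396000
203.0.113.40,123,192.0.2.10,80,UDP,1500,660000
203.0.113.41,123,192.0.2.10,80,UDP,800,352000
192.0.2.20,51234,198.51.100.5,123,UDP,1,76
198.51.100.5,123,192.0.2.20,51234,UDP,1,76
198.51.100.53,53,192.0.2.30,40000,UDP,10,5000
192.0.2.10,443,203.0.113.9,55000,TCP,50,60000
"""


def demo():
    return find_amplification_victims(parse_flows(SAMPLE_FLOWS.splitlines()))


if __name__ == "__main__":
    for dst, info in demo().items():
        print(dst, info)
```

The same grouping, run on the amplifier's own side (many small requests from one spoofed source address to a service such as monlist), is how an operator discovers that their server is being used as a reflector, which is the check the SOC's NTP audit in section 2.1.1 was addressing.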

3.3 State sponsored cyber espionage and cyber war

The APT1 report from Mandiant was the first detailed report that attributed a state sponsored group attacking another country. Following on from the Snowden leaks, we have seen similar reports this year, such as Regin allegedly being used by the NSA and GCHQ to target Belgacom to gain access to the Belgian telecom infrastructure, the US Government bringing charges against Chinese military personnel and, more recently, Sony Pictures, where the attack was attributed by the US Government to the Democratic Republic of North Korea. The term ‘Cyber War’ was a hot topic, particularly during the Sony attack, with active discussion as to whether this was indeed a digital act of war. We expect this fifth domain to be debated further in 2015 as more details of state sponsored cyber espionage emerge and targeted attacks increase.


3.4 Increasingly complex spam campaigns

Attackers are not only using sophisticated methods to bypass email security rules, they are also crafting mails that are convincing and appear very genuine, making fewer mistakes such as bad spelling. We have seen examples this year for PayPal, Amazon and Lloyds Bank which could all be taken as genuine at first glance, and we predict this continuing in 2015. We expect to see further campaigns targeted towards specific email security vendors for higher success rates, and the attack vector shifting from macro documents to malicious links leading to landing pages for malicious downloads. Attackers will also continue to look for new ways to evade detection by email security platforms, continuing to use more complex polymorphic Domain Generation Algorithms (DGAs) that make it very difficult to maintain tracking and blocking.
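Domain Generation Algorithms appear twice in this report: the GameOver Zeus takedown in section 2.1.1 worked because the agencies could reproduce the algorithm and sinkhole its output in advance, and the prediction above is that attackers will lean on DGAs precisely because static blocklists cannot keep up. A SOC therefore needs both: matching DNS queries against the domains it already knows, and a heuristic that catches algorithmically generated names it has never seen. The added example below (written for this review; it is not Fujitsu's code and does not reproduce any real DGA) scans constructed BIND-style query log lines, applies a constructed blocklist, and scores the registrable label by length, character entropy and vowel ratio. The log format, the blocklist entry, the tiny public-suffix stand-in and the thresholds are all assumptions made for the example.

```python
import math
import re

# Constructed blocklist standing in for sinkholed or known-bad domains; the
# entry is a placeholder, not a real command and control domain.
BLOCKLIST = frozenset({"known-bad.example.net"})

# Tiny stand-in for the Public Suffix List so that the registrable label is
# chosen correctly under multi-label suffixes such as co.uk (assumption).
TWO_LEVEL_SUFFIXES = frozenset({"co.uk", "org.uk", "ac.uk", "com.au"})
VOWELS = frozenset("aeiou")

# Constructed BIND-style query log line, assumed for this example:
# "<date> <time> client <ip>#<port>: query: <qname> IN <qtype> ..."
DNS_LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def registrable_label(domain: str) -> str:
    """The label an attacker actually registers: 'foo' in www.foo.co.uk."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the string's own symbol frequencies."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain, min_len=12, min_entropy=3.5, max_vowel_ratio=0.3):
    """Heuristic: long, high-entropy, vowel-poor labels read like DGA output,
    while long dictionary words keep a normal vowel ratio and lower entropy."""
    label = registrable_label(domain)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio


def in_blocklist(qname: str, blocklist) -> bool:
    """True if the name or any parent domain is listed."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def scan_dns_log(lines, blocklist=BLOCKLIST):
    """Return (client, qname, reason) for each query that hits the blocklist
    or scores as algorithmically generated."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if in_blocklist(qname, blocklist):
            hits.append((m.group("client"), qname, "blocklisted"))
        elif looks_generated(qname):
            hits.append((m.group("client"), qname, "dga-like"))
    return hits


# Constructed sample log: ordinary names, two random-looking labels, one
# long legitimate word under co.uk and one query under the blocklisted zone.
SAMPLE_DNS_LOG = [
    "20-Jan-2015 09:12:03.101 client 192.0.2.15#51234: query: www.example.com IN A + (192.0.2.1)",
    "20-Jan-2015 09:12:04.220 client 192.0.2.15#51235: query: xk3j9qz0vbw2pl7m.net IN A + (192.0.2.1)",
    "20-Jan-2015 09:12:05.330 client 192.0.2.16#40001: query: securethinking.co.uk IN A + (192.0.2.1)",
    "20-Jan-2015 09:12:06.440 client 192.0.2.17#40002: query: fjsdhquiwoplzmvbncx.com IN A + (192.0.2.1)",
    "20-Jan-2015 09:12:07.550 client 192.0.2.18#40003: query: update.known-bad.example.net IN A + (192.0.2.1)",
    "20-Jan-2015 09:12:08.660 client 192.0.2.19#40004: query: mail.google.com IN MX + (192.0.2.1)",
]


if __name__ == "__main__":
    for client, qname, reason in scan_dns_log(SAMPLE_DNS_LOG):
        print("%-12s %-32s %s" % (client, qname, reason))
```

The heuristic is deliberately conservative (a 14-character dictionary word such as the one under co.uk is not flagged), so in practice it is a triage signal to be correlated with other indicators (a burst of NXDOMAIN answers from one client, for instance) rather than a blocking rule on its own.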

3.5 Virtual desktop image security

“AV is dead” was the headline in 2014, based on comments from a Symantec senior executive. Antivirus (AV) solutions are capturing just 45% of all malware and finding it increasingly difficult to keep up with the malware authors. Of course, the reality is that AV isn’t dead and still has value in an enterprise environment. Applications running in physical, virtual and cloud-based environments are all exposed to the same risks and still require protection. Although traditional security can be used in VDI environments, it isn’t optimised for VDI. Using traditional AV solutions can result in specific challenges in a VDI environment, such as low VM consolidation ratios, boot latency, AV storms, outdated AV on virtual machines not in use and administrative bottlenecks. The benefits of a VDI-based environment from a security perspective are a trade-off in a number of areas, such as management, performance and ‘follow me’ desktops; our view is that the perception of VDI security will change in 2015.

3.6 Mobile platform threat

Tablets and smartphones are now standard not only for consumers but are also ubiquitous across businesses with the introduction of BYOD and reducing handset costs. This year, we have already seen multiple threats against mobile devices and, in particular, Android platforms. Android has 84% of the mobile device market across a reported 1.9 billion devices, so the attack surface is huge. Malware has been written specifically for Android that has been used to manipulate devices to mine Bitcoins and Litecoins, force the device to be part of a botnet, steal data and send premium rate SMS messages. One malware example is the Xsser mobile remote access Trojan, which previously only targeted Android devices but now has an iOS variant. We expect to see a lot more of this, and tailored mobile banking Trojans, in 2015.


3.7 DDoS / Crimeware as a service

Sony and Microsoft gaming networks took a massive hit on Christmas Day 2014, with a group causing a DDoS to their infrastructure and preventing thousands of people from playing online games. The attack stopped when the founder of Mega Upload offered the group $300,000 in vouchers to stop the denial of service. The group, Lizard Squad, were offering the same service on the internet as DDoS for hire; however, this isn’t unique to this particular group, and whilst the majority of ‘crimeware as a service’ options are available via darknets, there are still sites searchable on Google offering these services. We expect sites similar to Silk Road to re-appear with more cyber-crime services on offer.

3.8 Banking Trojans

We have seen numerous phishing campaigns this year leading to banking Trojans, but the activity certainly ramped up in the second half of 2014. Dyre / Dyreza, Cridex and Dridex, and Emotet were all banking malware linked with stealing banking information. The attacks were so persistent and varied that they led to agencies issuing announcements. The SOC has been tracking the Cridex and Dridex family of malware for several months. The campaign, still active today, uses an old W97 Word macro Trojan, so when users opened the Word document and enabled the macros, this downloaded the payload of the malicious software. We expect malware authors to produce new variants and also tailored malware for specific operating systems and countries.

3.9 ATM Jackpotting

The concept of ATM jackpotting was first presented at Black Hat in 2010 by the late Barnaby Jack, who demonstrated compromising two cash machines to pay out like a winning jackpot machine. There have been several reports of copycat compromises over the last year using a USB drive to tell the ATM to pay out money, and there was a report of two men allegedly stealing $400,000 over a period of months using nothing more than special sequences on a keypad and some insider knowledge. In October, Kaspersky reported on the Tyupkin malware, which allowed attackers to reboot cash machines on a Sunday and Monday using a bootable CD and steal 40 notes at a time, resulting in a theft of millions of dollars. Many of these machines still use Embedded or Windows XP and as such are vulnerable to attack. We expect to see the rise of ATM hacking continue until vendors are able to roll out more secure platforms.


3.10 Agility and the risk of frequent security updates

With vulnerabilities on the rise, hotfixes released every other day and vendor development teams moving to ‘agile’ teams, we are seeing the lifetime of a patch cycle decrease. Vendors now expect to release firmware patches ‘at least’ quarterly, and this in itself will present business risk. It is a security ‘catch-22’: in many cases a patch will be required in order to fix a persistent and potentially dangerous issue; however, with the window of patch release being shorter, that presents its own risk in terms of the introduction of new bugs, shorter testing periods, change management, server reboots and compatibility checks with other applications. It will be interesting to see how this develops over the next 12 months and how businesses adapt to a more ‘agile’ approach.

The monthly Threat Intelligence report produced by the SOC will report the prevalence of these predictions on the supported technologies across our customer base throughout the year. The SOC will continue to work collaboratively with external bodies to ensure the use of available intelligence is maximised to protect our customers. The threat landscape will only continue to grow and gain profile, particularly as new attack vectors emerge, and it is important that this message is understood and shared with customers.

Contact us on:

Tel: +44 (0) 843 365 5160
Email: [email protected]
Web: uk.fujitsu.com/securethinking

Copyright © Fujitsu Services Ltd 2015. All rights reserved. No part of this document may be reproduced, stored or transmitted in any form without prior written permission of Fujitsu Services Ltd. Fujitsu Services Ltd endeavours to ensure that the information in this document is correct and fairly stated, but does not accept liability for any errors or omissions. Whilst care has been taken to ensure that the information contained in this report is correct, no warranty (express or implied) has been made by Fujitsu with regards to its accuracy or completeness and Fujitsu accepts no liability for any loss (howsoever caused) sustained as a result of any error or omission in the same.