MONTHLY UAE SECURITY REPORT, JULY 2015

Monthly UAE report on technology, trends and other information security subjects.

Disclaimer: Information gathered is from aeCERT constituents. Incidents covered are those detected/reported. Does not reflect all UAE "uncovered" sectors.

Monthly Report July

Advisory, Education and Awareness

SECURITY AWARENESS PROGRAMS - DEMOGRAPHICS

aeCERT conducts a number of workshops under the advisory, education and awareness services. These workshops emphasize aeCERT's role in spreading information security awareness at the corporate level and the role of employees in protecting their organization.

ATTENDEES: 55. SESSIONS: 1 (2015).

[Map: attendees by emirate (Umm Al Quwain, Ras Al Khaimah, Ajman, Fujairah, Al Ain, Sharjah, Abu Dhabi, Dubai); per-emirate values not recoverable, only the Abu Dhabi label is legible.]

INDUSTRY VERTICAL

aeCERT conducts workshops at various industry verticals. A breakdown of the top three is shown below. [Chart: a single vertical accounts for 100%; label not recoverable.]

Social media reach: 434 friends, 1777 followers; 82 followers, 1710 views, 459 connections.

CONSTITUENTS

The constituents are the targeted beneficiaries of the awareness campaign.

AUDIENCE

Here is a breakdown of the audience from the various industry sectors where workshops were conducted. [Chart not recoverable; legible label: Constituents.]

SESSIONS BREAKDOWN

The workshops under the information security awareness campaign cover a wide range of topics. The graph below displays the number of sessions conducted for each topic. [Chart: sessions per topic, axis 0 to 3.5; topics: CIA, Physical Security, Wireless Security, Social Networking, Confidential Data, Browser Security, Security Policy, Mobile Security, Password Security, Email Security, Protecting your Computer, Hacking your Mind, You're the Target, General Topic; only a value of 1 is legible.]

Incident Response

aeCERT provides incident handling to support selected constituents. This service includes information and evidence gathering to internationally acceptable evidentiary standards.

ATTACK VECTORS

Following is a breakdown of incidents grouped by type that the aeCERT team handled and responded to across the constituent sectors.

GOVERNMENT: the Government sector experienced 4 Phishing attacks, 1 Web Defacement, 17 Inappropriate Content and 1 Unauthorized Access incident.

PRIVATE: the Private sector experienced 3 Web Defacement incidents.

BANKING: the Banking sector experienced 3 Phishing and 2 Denial of Service incidents.

Incident types are defined as follows:

PHISHING is the act of attempting to acquire information such as usernames, passwords, and financial data by masquerading as a trustworthy entity.

WEBSITE DEFACEMENT is an attack on a website that changes the visual appearance of the site or a webpage. These are typically the work of attackers who break into a web server and replace the hosted website with one of their own.

MALICIOUS CODE is used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

DENIAL OF SERVICE is an attempt to make a machine or network resource unavailable to its intended users.

SCAN is an attack on a server or host to identify open ports.

UNAUTHORIZED ACCESS occurs when an attacker attempts to access an area of a system they should not be accessing.

INAPPROPRIATE CONTENT is prohibited information. This includes, but is not limited to, child abuse, pornography, illegal activities, and terrorist-related material.


IMPACT OF INCIDENTS

Following is a breakdown of incidents grouped by impact that the aeCERT team handled and responded to across the constituent sectors.

GOVERNMENT: the Government sector experienced the largest number of serious incidents, with 2 Medium impact (11%) and 17 Low impact (89%) incidents.

SEMI-GOVERNMENT: the Semi-Government sector experienced 1 Medium impact incident this month (100%).

PRIVATE: the Private sector experienced 0 incidents.

BANKING: the Banking sector experienced 4 Medium (67%) and 2 High (33%) impact incidents this month.

ENERGY: the Energy sector experienced 0 incidents this month.

Impact levels (Informational, Low, Medium, High, Critical) are defined as follows:

CRITICAL denotes an incident through which an intruder gained control at the administrator level of any affected host. This class of incidents poses the highest risk for a system-wide compromise of the network.

HIGH denotes an incident through which an intruder could gain access to the host at the administrator level or could possibly access sensitive information stored on the host. While this class of incident is extremely serious, the risk of a breach or compromise is not as urgent as with a critical incident.

MEDIUM denotes an incident that may have allowed an intruder to gain access to specific information stored on the host, including security settings. While not immediately associated with a compromise of an affected host, these incidents allow intruders to gain access to information that may be used to compromise the host in the future.

LOW denotes that intruders may have collected sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to it.

INFORMATIONAL denotes incidents that do not pose an immediate threat to the host or the network.


TOP INCIDENTS

aeCERT provides support and advice during remediation and recovery from security incidents. Following is a breakdown of incidents grouped by category that the aeCERT team handled and responded to.

PHISHING / FRAUD: 22%. Insufficient authentication occurs when an application permits an attacker to access sensitive content or functionality without having to properly authenticate.

WEB DEFACEMENT: 16%. An application weakness where an application reveals sensitive data, such as technical details of the web application, environment, or user-specific data.

DENIAL OF SERVICE: 06%. Results when an application does not perform adequate authorization checks to ensure that the user is performing a function or accessing data in a manner consistent with the security policy.

MALICIOUS CODE: 00%. One of the most common weaknesses identified across applications today. Poorly handled input is a leading cause behind critical vulnerabilities that exist in systems and applications.

UNAUTHORIZED ACCESS: 03%. These attacks exploit configuration weaknesses found in OS and servers. Many servers come with unnecessary default and sample files, including applications, configuration files, scripts and web pages.

INAPPROPRIATE CONTENT: 53%. An application weakness where an application reveals sensitive data, such as technical details of the web application, environment, or user-specific data.

OTHER: 00%. These attacks exploit configuration weaknesses found in applications. Many applications come with unnecessary and unsafe features, such as debug and QA features, enabled by default.

SPAM: 00%. Due to lack of security awareness and the failure of staff to follow security rules and policies.

Analysis

TOP COUNTRIES WITH COMMAND AND CONTROL (C&C)

"Command and Control" (C&C) servers are centralized machines that are able to send commands to, and receive output from, the machines that are part of a botnet. At any time, attackers who wish to launch an attack can send special commands to their botnet's C&C servers with instructions to attack a particular target, and any infected machines communicating with that C&C server will comply by launching a coordinated attack.

Botnet C&C servers by hosting country:

US: 18257
Philippines: 12746
Netherlands: 2235
Germany: 2164
Canada: 1254

The above figures highlight the countries hosting the largest number of botnet C&C (Command & Control) servers. The US tops the list, followed by the Philippines, the Netherlands and Germany, while Canada has the fewest servers.

The use of HTTP as a botnet C&C mechanism has increased in recent years as authors have moved beyond the first generation of malicious bots, although HTTP bots are still responsible for fewer infections than IRC bots. HTTP has the advantage of being the primary protocol for web browsing, which means that botnet traffic may be more difficult to detect and block. HTTP may be used to facilitate control either by having the bot sign in to a site that the bot controller operates, or by having the bot connect to a website on which the bot controller has placed information that the bot knows how to interpret as commands. This latter technique has an advantage in that the controller doesn’t need to have an affiliation with the website. Some even use blogs or social networking accounts for C&C.

The HTTP protocol is also commonly used by bots to download updates and other malware, regardless of which C&C mechanism the bots use. Many bots include their own HTTP servers for hosting phishing websites or illegal content such as child pornography, or to provide an HTTP proxy that enables bot-herders to hide the location of their main (and usually illegal) websites.
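The two paragraphs above make the defender's problem concrete: HTTP C&C traffic hides among ordinary browsing, so it cannot be blocked by protocol alone. One heuristic that does separate an implant from a person is timing, because a bot polling its controller tends to do so on a fixed schedule. The following is an added example, not code from the aeCERT report or from any product it mentions; it scores each (client, host) pair in a small web-proxy log by how regular the gaps between requests are. The log lines, client addresses and host names are all constructed sample data, and the thresholds (at least five requests, coefficient of variation of 0.1 or lower) are assumptions chosen for illustration.

```python
"""Beacon detection over constructed web-proxy log lines.

Added example (not from the aeCERT report). HTTP-based C&C blends in with
normal browsing, so a defender-side heuristic is to flag a client that
contacts the same host at near-constant intervals. All log lines below are
constructed sample data; the host names and addresses are placeholders.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log, one request per line:
# "<ISO timestamp> <client_ip> <destination host> <HTTP status>"
# 10.0.0.5 browses irregularly; 10.0.0.7 polls one host about every 300 s.
SAMPLE_LOG = """\
2015-07-01T10:00:00 10.0.0.5 news.example.com 200
2015-07-01T10:00:00 10.0.0.7 cc-placeholder.example.net 200
2015-07-01T10:00:41 10.0.0.5 cdn.example.com 200
2015-07-01T10:05:00 10.0.0.7 cc-placeholder.example.net 200
2015-07-01T10:07:13 10.0.0.5 news.example.com 200
2015-07-01T10:10:00 10.0.0.7 cc-placeholder.example.net 200
2015-07-01T10:15:01 10.0.0.7 cc-placeholder.example.net 200
2015-07-01T10:19:58 10.0.0.5 mail.example.com 200
2015-07-01T10:20:00 10.0.0.7 cc-placeholder.example.net 200
2015-07-01T10:25:00 10.0.0.7 cc-placeholder.example.net 200
2015-07-01T10:33:20 10.0.0.5 news.example.com 200
2015-07-01T10:58:09 10.0.0.5 cdn.example.com 200
"""


def parse_log(text):
    """Group request timestamps by (client, host); blank lines are skipped."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _status = line.split()
        series[(client, host)].append(datetime.fromisoformat(ts))
    return series


def beacon_score(timestamps, min_requests=5):
    """Return (mean gap in seconds, coefficient of variation), or None.

    The coefficient of variation is the standard deviation of the gaps
    between consecutive requests divided by their mean. A value near 0 means
    the client contacts the host on a near-fixed schedule, which is typical
    of a polling implant and atypical of a human. Pairs with fewer than
    min_requests requests are not scored, since a handful of requests cannot
    establish a rhythm.
    """
    if len(timestamps) < min_requests:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None  # all requests in the same second: a burst, not a beacon
    return avg, pstdev(gaps) / avg


def find_beacons(text, max_cv=0.1, min_requests=5):
    """Return [(client, host, rounded mean interval)] for periodic pairs."""
    hits = []
    for (client, host), stamps in parse_log(text).items():
        score = beacon_score(stamps, min_requests)
        if score is None:
            continue
        interval, cv = score
        if cv <= max_cv:
            hits.append((client, host, round(interval)))
    return hits


if __name__ == "__main__":
    for client, host, interval in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: periodic, roughly every {interval}s")
```

On the sample data only the 10.0.0.7 pair is reported, at a 300 second interval; the browsing client's per-host request counts never reach the threshold, and its gaps would be too irregular even if they did. In production the same logic would read the proxy or DNS logs directly, and implants that add random jitter to their sleep raise the coefficient of variation, so the threshold is a tuning knob rather than a fixed rule.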

Malware Analysis

TOP MALWARE INFECTIONS

Following is a breakdown of the top malware infections in the UAE's internet space captured through various threat intelligence sources.

Virut is a polymorphic parasitic virus. It infects PE and HTML files on the system and downloads other malware.

Ramnit is a worm that spreads through removable drives. The worm also functions as a back door, allowing a remote attacker to access the compromised computer.

gameover-zeus-peer (Category: Botnet): Enhanced form of ZeuS that communicates with a hidden command and control server using a peer-to-peer network topology.

gameover-zeus-DGA (Category: Botnet): Enhanced form of ZeuS that communicates with a hidden command and control server using domain generation algorithms (DGAs).

ZeroAccess, also known as Max++ and/or Sirefef, is Trojan horse malware that affects Microsoft Windows operating systems. It is used to download other malware onto an infected machine from a botnet mostly involved in Bitcoin mining and click fraud, while remaining hidden on the system using rootkit techniques.

Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo. It affects computers running Microsoft Windows.

Zeus (Category: Trojan): Trojan designed specifically to steal information such as banking details, system information and online credentials.

Share of infections by family:

virut: 29.59%
bitdefender-ramnit: 19.87%
gameover-zeus-peer: 13.81%
zeroaccess: 13.34%
gameover-zeus-proxy: 7.26%
cutwail: 6.52%
gameover-zeus-dga: 6.16%
zeus: 3.45%

Advisories

Recommendation on Off-site E-mail Hosting Threats

Summary:

It has been brought to our attention that some government entities are hosting their email servers or services outside the United Arab Emirates for numerous reasons. This is a huge threat to the entity itself, as different countries have different regulations and privacy laws, and email servers hosted outside the country do not fall under UAE rules and regulations. According to the UAE's Federal Policy (Law Number 21 for Year 2013, Article Number 4), all federal entities are strictly forbidden from hosting their e-mail servers outside the country by using third party e-mail service providers such as Gmail, Hotmail, Yahoo, etc., as this could lead to several privacy issues and the disclosure of confidential government information. This can create chaos for the entity if their servers and/or services are compromised and confidential information is exposed to the public. This is further explained in the "Threat Details" section below.

Threat Details:

Email is still an important means of communication between the entities. Recently an increasing number of government entities have been noticed outsourcing their email services to third party e-mail service providers located outside the country, like Google, Yahoo, etc., for numerous reasons such as saving operating cost, shortage of staff and so on.

Windows OpenType Font Driver Vulnerability

Summary:

aeCERT has noticed that there is a new critical vulnerability associated with the latest Adobe Type Manager Library. A buffer overflow in a file called "atmfd.dll" in the mentioned library can allow remote code execution, which can lead to complete control of the affected system. The attacker is able to install programs; view, change and delete data; or even create new user accounts with full user rights. The attacker is able to infect systems by making a user open a specially crafted web page which embeds malicious OpenType fonts.

Threat Details:

Microsoft released an update to the Adobe Type Manager Library. A buffer overflow in the file mentioned in the summary (atmfd.dll) can allow an attacker to remotely execute arbitrary commands and take full control of the affected system. Attackers are able to obtain full administrator rights on the affected system. The way the attacker executes this attack is by creating a specially crafted web page which embeds malicious OpenType fonts, then persuading the user to open the web page; once it is open, a buffer overflow attack takes place, making the attacker able to remotely execute arbitrary commands. At the moment this advisory was written, Windows had unfortunately not released a hotfix/patch for this vulnerability, and a few workaround methods will be mentioned in the solution section to help mitigate this vulnerability.

About aeCERT

The United Arab Emirates Computer Emergency Response Team (aeCERT) is a cyber-security coordination center established under the supervision of the Telecommunications Regulatory Authority (TRA). The aim of aeCERT is to improve the UAE's overall cyber security condition by coordinating cyber information sharing and proactively coping with the cyber risks associated with the UAE. aeCERT also focuses on providing advice to the UAE government and educational sectors regarding information security. Computer Emergency Response Teams (CERTs) around the globe play a vital role in preventing cyber security incidents, as they are recognized as trusted and authoritative organizations devoted to improving the overall security of computer systems and networks. aeCERT coordinates the response to internet security incidents with other CERTs and uses a proactive approach to secure systems. aeCERT collaborates with different sectors of the government, law enforcement and education to design policies and methodologies to counter cyber threats. aeCERT coordinates with other CERTs around the globe and shares its findings. This provides collaboration opportunities to researchers, which eventually improves the posture of information security.

Contact Us

aeCERT
P.O. Box: 116688, Dubai, United Arab Emirates
Tel: +971 4 2300003
Fax: +971 4 2300100
E-mail: [email protected]
Web: www.aecert.ae

Social media: ae CERT, Salim (aeCERT), @aeCERT, @salim_aecert, salim_aecert, aecert