Understanding the Cyber Threat Landscape

Richard Hummel, ASERT Threat Intelligence Manager Agenda

• DDoS

• IoT Threats/

• Advanced Persistent Threat

DDoS Trends & Attack Vector Analysis NETSCOUT’s 4th biannual Threat Report

• Lucky Seven for Attackers • Mew Methods Pump Up Attacks, Bypass Traditional Defenses • ISPs and Satellite Telecom Pay the Price • Mobile Networks, Devices in Attacker Crosshairs • IoT = Intensification of Threats

https://netscout.com/threatreport NETSCOUT Cyber Threat Horizon

• Cyber Threat Horizon™, is a free threat intelligence portal that offers network and security operators greater visibility into DDoS attacks in real-time and historically • Backed by the NETSCOUT’s Active Threat Level Analysis System (ATLAS), Horizon provides one the situational awareness / context needed to understand the threat of DDoS attacks https://www.netscout.com/horizon Remember, Remember 8.4 Million 8,400,000 = 23,000/day & 16/minute – the number of DDOS attack in 2019

NETSCOUT identified 7 new, or increasingly used DDoS Attack Vectors in 2019

A projected 20.4 Billion IoT devices will connect to the internet in 2020

The number of variants and samples in the wild increased 57% from 2018 to 2019, putting those 20.4 Billion IoT devices in greater risk. Top Four Targeted Verticals Hot Attack Targets DDoS Attackers Innovate & Adapt

• Advanced Reconnaissance • Attackers understand target environments allowing them to easily adapt and overcome obstacles. • Changing Tactics on the Fly • Attackers monitor the efficacy of attacks and pivot accordingly until finding a vector and technique to penetrate defenses. • Adding New Techniques • Attacks add new techniques like TCP Reflection + Carpet Bombing to overwhelm networks. DDoS Attack Vectors

• Seven new or increasingly used vectors in 2019 • COAP (version 1 & 2), ARMS, HTML5, IPMI/RMCP, OpenVPN, WS_DD, and Ubiquiti • Observed amplification factors vary wildly • Low: 1.1:1 – IPMI/RMCP • High: 51,200:1 - Memcached • Availability of vulnerable devices are alarming • Low: 6,372 – Memcached • High: 8,712,042 - SIP DDoS Vector Research – A Life & Death Story

One of the many things NETSCOUT evaluates is the viability of using known vulnerable devices or protocols to launch DDoS Attacks. During our research we asked the following questions: • How long does it take to clean up a vector? • Does a vector decay or grow? • Which vectors post the greatest risk?

Cannot predict now. DDoS Vector Research – Part 2 DDoS Vector Research – Part 3 The research into Attack Vectors further yields interesting insights such as: • The majority of DDoS attacks leverage less than 5% of the available reflectors/amplifiers • CLDAP is a significant outlier using more than 85% of the available reflectors/amplifiers (approximately 10,000 available as of Dec. 31, 2019) • Large attacks only need a tiny population of servers to launch devastating attacks • COAPv2 leveraged less than .5% of available servers while NETSCOUT observed COAPv2 attacks in the 300Gbps+ range. Internet of Things (IoT) Threats & Malware IoT Malware

20.4 Billion devices forecast to connect in 2020

57% Increase in 57% Mirai-based variants from 2018

51% Increase in brute- 51% forcing attempts against our IoT Honeypots

87% Increase in exploitation attempts 87% against our IoT Honeypots

16+ Different architectures targeted by Mirai operators (right) Brute Force vs. Exploitation…FIGHT!

Telnet Brute-force & Exploitation attempts against our IoT Honeypots

Top Ten usernames and password in 2019 Brute Force vs. Exploitation…ROUND 2! • Both brute-forcing and exploitation of IoT devices continues to increase in number and complexity. • Malware such as ECHOBOT, leverages more than 70 exploits in a single malware family. • Small concessions are being made to ensure IoT security such as: • OWASP IoT Project • ETSI Specification TSS 103 645 • California’s Senate Bill 327 – bans the use of hard-coded default passwords in consumer IoT devices starting in 2020. Advanced Persistent Threat

Weaponizing Mobility Invasion • Tracking Dissent • APT adversaries of use mobile malware to monitor and track dissidents and protestors in their own country just as often as they use it to monitor internationals of interest. • There’s an app for that! • Many times APT actors lack the expertise in building their own apps so they turn to commercial services to build mobile malware solutions for them. • Breathtaking Vulnerability • Shockingly, only about 50% of mobile devices users take any steps to protect against mobile malware, making it a bountiful target for APT actors. APT Mobile Operations

Vietnam has a long When an organization lacks history of using mobile expertise and manpower, malware to surveil they outsource. APT groups journalists, activists, and are no different, seeking non-profits both outside help with mobile malware and inside their borders from organizations like (below) HackingTeam or FinFisher to fulfil their needs

China’s FIVE POISONS Iran leverages tools like uses mobile malware like GolfSpy or MobonoGram POISONCARP, CallerSpy, 2019 to spy on the Iranian and other fake apps to population and expatriates, monitor and thwart especially during internal dissidents and protestors unrest. Apps like these even (above) found their way to a legitimate app store. Crimeware

Deep Dive: Crimeware – A financial empire Estimated revenue for ? Approximately 1 billion annually • Defend at the Source • Threats abound everywhere and it is increasingly harder to defend against every possible threat in the world, which is why defending at the source is so important. • More Samples = More Victims (right) • Black Hats Never Rest • Innovate, innovate, innovate! Such is the motto of many would be businesses and startups, and also emulated by crimeware groups like the Emotet malware authors. Their constant innovation and change make it an ever-evolving threat that only gets more complex with time. Target the Source

• Both Emotet (left) and Trickbot (right) - a common secondary payload of Emotet - saw massive increases in samples. • Nearly equal in the number of samples, both Emotet (left) and Trickbot (right), remain dominant in both downloader and banking malware for cyber criminals • During the same second half of 2019 when we observed massive increases in samples, we also noticed a rather large disparity in victims. • 300k notifications for victims of Emotet malware • Only 50k Trickbot alerts. • Though Trickbot has other distribution mechanisms, we believe one of the reasons for less victims is that we stop Trickbot from being installed by blocking Emotet. Thank You.

If you have any questions, please contact Richard Hummel, [email protected]

netscout.com