DOCSLIB.ORG

Milware: Identification and Implications of State Authored Malicious Software

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Milware: Identification and Implications of State Authored Malicious Software Trey Herr, Eric Armbrust The George Washington University Abstract and non-state authored code but its primary contribution is to highlight five major implications of milware: The difference between state and non-state authored code Public disclosure is not as effective. States have little is typically described in vague terms of sophistication, to fear from public disclosure of their activities and so the contributing to the inaccurate confirmation bias of many traditional paradigm of revealing tactics and techniques in the policy community that states simply ’do it bet- to dissuade attackers and aid defenders is less effective. ter’. Leveraging the results of reverse engineering sev- States may be doing R&D for all malicious actors. eral malware samples, including Sandworm and Tinba, States have far more resources to develop new techniques this paper is an interdisciplinary effort to distinguish be- and exploits than non-state actors. The eventual prolifer- tween state authored code, milware, and that produced ation of this code by individuals and criminals means the by non-state actors, malware. Working through this ini- state of the art will continue to advance, funded by gov- tial set of samples, the paper describes a new analytic ernments. framework for differentiating state authored code from Even where they do not build the capabilities, states other samples. This MAlicious Software Sophistication may be distorting the market. State’s financial re- or MASS index relies on a set of characteristics which sources may price defenders out of the market for ex- describe the behavior and construction of malicious soft- ploits and even bring new sellers into play. ware: propagation to and within a target network, ex- Existing legal tools presume the targets of prose- ploit severity, and payload customization. Highlighting cution are non-state actors. Law enforcement targets these distinctions then serves to support a larger analy- individuals and non-state groups but states are operating sis of the policy implications these separate categories of under this same legal regime, allowing them to act with malicious code have. By identifying a systematic differ- relative impunity. ence between non-state authored code and that created Milware privileges access over effects. States have by states, this pilot project is an effort to generate a new taken advantage of the current emphasis on defensive and analytic asset for the technical community and highlight information assurance standards over software developer attendant policy implications. liability. Before understanding the implications of this dis- 1 Introduction tinct category of code, our first task is to recognize its existence. Previous work presented has attempted to Pervasive development and use of milware constitutes move beyond the simple sophisticated/unsophisticated not only a direct technical challenge of decomposing and dichotomy and succeeded in developing a metric that analyzing well obfuscated code but also threatens a set measured social engineering tactics. [1] We advance this of key assumptions underpinning the current information scholarship by focusing on the functional characteristics security research and defense paradigm. States operate in malicious code and comparing the work of state and non- a different legal regime than criminal groups and individ- state actors to better understand what is common to ma- uals, inverting the power relationship between attacker licious software and what depends on the unique opera- and defender and altering what is possible in the defense tional demands of state versus non-state actors. against and prosecution of sources of information assur- Starting with a description of the samples analyzed ance threats. This paper develops the MASS index as a and our selection process, this paper explains the char- rudimentary tool for analysts to distinguish between state acteristics we developed to delineate between milware and malware. Walking through an example reversing work [2] has a distinct purpose and works in combination process, the paper describes the key features in the sam- with the others to constitute a malicious package. ple, highlighting where they tend to differ between the Differentiating between sophisticated and unsophisti- categories. Milware has a higher frequency of 0day cated samples is not a new area of work in the infor- use and generally employs vulnerabilities with a more mation security community; static and dynamic analy- severe CVE classification. While the targets of mal- sis techniques have been in use and evolving for several ware, and milware overlap, their movement within target decades. [4, 5, 6, 7, 8] The origin of samples has come networks differs; milware propagates to particular high to the foreground more in the past decade as efforts have value nodes in a deliberate, often human directed, fash- shifted to understand the nature of threats and their ac- ion while malware reflects an automated, scattershot ap- tivities beyond the network perimeter. As part of this proach. change, the motivations of attackers and their political status has become a factor of interest. [1, 9] Analytically, 2 Background the next step is understanding the relationship between the complexity and capability of a piece of malicious Malicious software analysis has long been focused on in- code and the nature of its authors. We do this by focusing dividually functional components in code, using infor- on the discrete components outlined above, the propaga- mation gleaned from particular modules to describe the tion method, exploits, and payload, an approach which function of an entire sample in a sound but somewhat has seen some use. [10] limiting bottom up approach. Our approach attempts to work top down, establishing three broad components 3 Data Collection of all malicious samples; propagation methods, exploits, and payloads. [2] We selected a set of malware and milware samples for Propagation is the means of transporting malicious both accessibility and their chronological proximity. Our code from origin to target; this could be as simple as a ability to work directly with the milware samples was mass email for spear phishing attacks or as complex as a limited by agreement and so relies in part on open source crafted dropper module. Exploits act to enable the prop- documentation. Malware selection was driven by three agation method and payloads operation. The payload is key factors: scope of impact, availability of samples, code written to achieve some desired malicious end. and knowledge of lineage. Using malware samples with The three components work in concert but each have a long history of use allowed us to consider crossover substantially different roles; the propagation method between samples and select more complete instances of moves the entire software package from origin to tar- code. get while the payload is written to manipulate system To achieve the clearest possible distinction be- resources and create some effect on a computer system. tween milware and malware, we selected two sam- Exploits are not themselves malicious, but rather act to ples from each category. Malware samples included support the propagation method and payload. Achiev- Game Over Zeus (GOZ) and Tinybanker (Tinba) while ing root access on a machine does not create an effect by Sandworm and code used in the Sony Attacks were se- itself; rather it makes such an operation possible, creden- lected as our milware samples. Each code has had wordl- tials theft for example. This terminology is at odds with wide impact of one type or another and propagates using some usage, which combines the payload’s function into a different method. the exploit and uses the combination as a verb, to ’ex- ploit’ a system. [3] This approach however limits our ability to categorize 4 Methods and understand malicious code; the two are logically dis- tinct both in sequence and form as exploits are written to To gain a fuller understanding of our samples, we un- a particular vulnerability present in some piece of soft- dertook to reverse engineer each in a controlled lab en- ware while payloads are written to achieve a particular vironment using both static and dynamic analysis. This effect. This distinction, between writing to the target and process leveraged existing and widely used tools, includ- writing to the effect, make for divergent practices in de- ing IDA Pro [11], BOCHS [12], WinDBG [13], Immu- veloping, selling, and integrating exploits and payloads. nity [14], and SysAnalyzer [15], in a live running envi- Without one or several exploits, a payload would almost ronment. These tools helped document the changes our never be able to execute on a target computer - these ex- samples made to the testing system and parsed each bi- ploits serve to manipulate the target system into giving naries, enabling us to work with readable machine code. malicious code access and user privileges necessary to This analysis also considered how samples interacted function. Each of the three components of this frame- with their surrounding network so we included TCP- 2 DUMP [16] and WireShark [17] to gather and analyze hole Exploit Kit demonstrates a common feature of mal- outbound traffic. ware; reliance on pre-existing third-party exploit pack- ages. This is directly at odds with Sandworm’s use of 4.1 Milware a more particularly selected and applied exploit to gain access to target systems.
Recommended publications
  • Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018

    Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018

    Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018 By Kathleen Kuczma 2019-0319 This analysis focuses on an exploit kit, phishing attack, or remote access trojan co-occurrence with a vulnerability from January 1, 2018 to December 31, 2018. We analyzed thousands of sources, including code repositories, deep web forum postings, and dark web sites. This is a follow-up to our 2017 report, and the intended audience includes information security practitioners, especially those supporting vulnerability risk assessments. Executive Summary Many vulnerability management practitioners face the daunting task of prioritizing vulnerabilities without adequate insight into which vulnerabilities are actively exploited by cybercriminals. Here, we’ll attempt to shed light on this by determining the top 10 vulnerabilities from 2018. It is imperative that security professionals have insight into those vulnerabilities that impact a company’s technology stack and are included in exploit kits, used to distribute a remote access trojan (RAT), or are currently being used in phishing attacks. In 2018, we observed more exploits targeting Microsoft products than Adobe ones. Eight out of 10 vulnerabilities exploited via phishing attacks, exploit kits, or RATs targeted Microsoft products, and only one Adobe Flash vulnerability made the top 10, likely due to a combination of better patching and Flash Player’s impending demise in 2020. Like in past years, the development of new exploit kits has continued to drop amid the shift to more targeted attacks and less availability of zero-day vulnerabilities. Exploit kits in previous years took advantage of Adobe product vulnerabilities, which have continued to dwindle. Key Judgments • For the second year in a row, Microsoft was consistently targeted the most, with eight of the top 10 vulnerabilities impacting its products.
  • What Is Exploit Kit and How Does It Work? [1]Ade Kurniawan, [2]Ahmadfitriansyah [1][2]Department of Informatics Engineering, Universal University,Batam, Indonesia

    What Is Exploit Kit and How Does It Work? [1]Ade Kurniawan, [2]Ahmadfitriansyah [1][2]Department of Informatics Engineering, Universal University,Batam, Indonesia

    International Journal of Pure and Applied Mathematics Volume 118 No. 20 2018, 509-516 ISSN: 1314-3395 (on-line version) url: http://www.ijpam.eu Special Issue ijpam.eu What is Exploit Kit and How Does it Work? [1]Ade Kurniawan, [2]AhmadFitriansyah [1][2]Department of Informatics Engineering, Universal University,Batam, Indonesia Abstract— In the Year 2016 to mid-2017, the analysts have claimed those years as the years of Malware especially Ransomware. The number, spread, infection and impact of malware have caused many users, businesses, governments, and organizations to be anxious, one of the tools to spread it by using exploit kits. A popular method of mass distribution used the perpetrators of cyber criminals is using the exploit kit. Exploit kit has become more effective, cheaper and sophisticated tools to spread malware to their victims. Therefore, in this paper, we provide this research using the Network Forensic Method. The results which are done will explain the chain of events about what the exploit kit is and how the exploit kit works, including actors, campaigns, payload, and terminology involved in the spreading of malware Index Terms—Exploit Kit, Payload, Malware, Ransomware, and Chain of events. I. INTRODUCTION In our digital era, everything is connected and Network Forensics Method. Network forensics is a everyone is vulnerable. The development, part of Digital Forensic conducted with scientific dependability, and complexity of computer software methods to identify, analyse and reconstruct events have brought immediate implications for global based on digital evidence/logs from the network safety and security, especially physical objects such [14][15][16].
  • Threat Landscape Report Q4 2017 Table of Contents

    Threat Landscape Report Q4 2017 Table of Contents

    THREAT LANDSCAPE REPORT Q4 2017 TABLE OF CONTENTS TABLE OF CONTENTS Introduction and Key Findings . 3 Sources and Measures . 4 Infrastructure Trends . 6 Threat Landscape Trends . 9 Exploit Trends . 10 Mini Focus: Exploit Kits . 13 Malware Trends . 14 Mini Focus: Cryptomining Malware . 17 Botnet Trends . 18 Mini Focus: Zero-Day Research . 21 Exploratory Analysis . 22 Conclusions and Recommendations . 25 2 Q4 2017 HIGHLIGHTS AND KEY FINDINGS Q4 2017 INTRODUCTION AND KEY FINDINGS In many ways, the fourth quarter of 2017 was a montage of what played out before our Q4 2017 BY THE NUMBERS: eyes throughout the year. No one theme or threat stole the show such that everything Exploits else disappears into the background with time § 5,988 unique detections (+0.3%) Reaper breathed new life into threats targeting the Internet of Things (IoT). Key § 274 detections per firm (+82%) Reinstallation Attacks (KRACK) against WPA2 protocol pushed the word “nonce” out § 2% saw severe exploits (-7%) of the cryptographer’s lexicon and into the mainstream. Ransomware added some Malware sinister-sounding monikers like “Asasin” and “Bad Rabbit.” Cryptocurrencies surged § 17,671 unique variants (+19%) then crashed in value, and cryptomining attacks surged and crashed systems. The § 3,317 different families (+27%) Andromeda takedown warmed our hearts, but FALLCHILL reversed that feeling. § 22% detected ransomware (0%) Botnets Thank you for joining us once again as we process the past quarter together so we’re all better prepared for those ahead. As always, we begin with some highlights and then § 259 unique botnets detected (+2%) dive into the details as seen by our global array of sensors.
  • What You Should Know About Kaspersky

    What You Should Know About Kaspersky

    What you should know Proven. Transparent. about Kaspersky Lab Independent. Fighting for your digital freedom Your data and privacy are under attack by cybercriminals and spy agencies, so you need a partner who is not afraid of standing beside you to protect what matters to you most. For over 20 years, Kaspersky Lab has been catching all kinds of cyberthreats. No matter whether they come from script kiddies, cybercriminals or governments, or from the north, south, east or west. We believe the online world should be free from attack and state-sponsored espionage, and will continue fighting for a truly free and safe digital world. Proven Transparent Independent Kaspersky Lab routinely scores the highest We are totally transparent and are making As a private company, we are independent marks in independent ratings and surveys. it even easier to understand what we do: from short term business considerations and institutional influence. • Measured alongside more than 100 other • Independent review of the company’s well-known vendors in the industry source code, software updates and We share our expertise, knowledge • 72 first places in 86 tests in 2017 threat detection rules and technical findings with the world’s • Top 3 ranking* in 91% of all product tests • Independent review of internal security community, IT security vendors, • In 2017, Kaspersky Lab received processes international organizations, and law Platinum Status for Gartner’s Peer • Three transparency centers by 2020 enforcement agencies. Insight** Customer Choice Award 2017, • Increased bug bounty rewards with up in the Endpoint Protection Platforms to $100K per discovered vulnerability Our research team is spread across the market world and includes some of the most renowned security experts in the world.
  • NAVIGATING the CYBERSECURITY STORM

    NAVIGATING the CYBERSECURITY STORM

    NAVIGATING the CYBERSECURITY STORM A Guide for Directors and Officers BY PAUL A. FERRILLO EDITED BY BILL BROWN published by sponsored by sponsored by 1 © 2015 by Paul A. Ferrillo. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any other information storage or retrieval system without prior written permission. To use the information contained in this book for a greater purpose or application, contact Paul A. Ferrillo via [email protected] 2 Is your company protected from the Internet of RiskSM? With CyberEdge® cyber insurance solutions you can enjoy the Business Opportunity of Things. 20 billion objects are connected to the Internet, what everyone is calling the Internet of Things. This hyperconnectivity opens the door both to the future of things, and to greater network vulnerabilities. CyberEdge end-to-end cyber risk management solutions are designed to protect your company from this new level of risk. So that you can turn the Internet of Things into the next big business opportunity. To learn more and download the free CyberEdge Mobile App, visit www.AIG.com/CyberEdge Insurance, products and services are written or provided by subsidiaries or affiliates of American International Group, Inc. Insurance and services may not be available in all jurisdictions, and coverage is subject to actual policy language. For additional information, please visit our website at www.AIG.com. ABOUT PAUL A. FERRILLO Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations.
  • What You Should Know About Kaspersky 3 About Kaspersky

    What You Should Know About Kaspersky 3 About Kaspersky

    What You Should Know Proven. Transparent. About Kaspersky Independent. Fighting for Your Digital Freedom Your data and privacy are under attack by cybercriminals and spy agencies, so you need a partner who is not afraid of standing beside you to protect what matters to you most. For over 20 years, Kaspersky has been catching all kinds of cyberthreats. No matter whether they come from script kiddies, cybercriminals or governments, or from the north, south, east or west. We believe the online world should be free from attack and state-sponsored espionage, and will continue fighting for a truly free and safe digital world. Proven Transparent We share our expertise, knowledge and technical findings with the world’s Kaspersky routinely scores the highest We are totally transparent and are making security community, IT security vendors, marks in independent ratings and surveys. it even easier to understand what we do: international organizations and law • Measured alongside more than 100 other • Independent review of the company’s enforcement agencies. well-known vendors in the industry source code, software updates and threat Our research team is spread across the • 73 first places in 88 tests in 2018 detection rules world and includes some of the most • Independent review of internal processes • Top 3 ranking* in 91% of all product tests renowned security experts in the world. • In 2017 and 2018, Kaspersky received • Three transparency centers by 2020 We detect and neutralize all forms of Platinum Status for Gartner’s Peer • Increased bug bounty rewards with up to advanced APTs, regardless of their origin Insight** Customer Choice Award 2017, in $100K per discovered vulnerability or purpose.
  • Exploit Kit Traffic Analysis

    Exploit Kit Traffic Analysis

    UNIVERSITY OF PIRAEUS School of Information & Communication Technologies Postgraduate Studies DIGITAL SYSTEMS SECURITY THESIS Exploit Kit Traffic Analysis Postgraduate Student: KAPIRIS STAMATIS Student ID number: MTE14040 Supervisor Professor: CHRISTOFOROS DADOYAN DEPARTMENT OF DIGITAL SYSTEMS Piraeus, June 2017 Keywords: Exploit Kit, PCAP Network Traffic Analysis, Malware Analysis, Ransomware, Cyber Threat, Angler EK, RIG EK, Security Onion, Python TABLE OF CONTENTS Table of Contents .........................................................................................................................................................1 Prologue ..........................................................................................................................................................................3 CHAPTER 1 : Introduction .......................................................................................................................................4 Related Work .......................................................................................................................................................5 Motivation .............................................................................................................................................................6 CHAPTER 2 - Characteristics of Exploit Kits ....................................................................................................7 What is an exploit kit? .....................................................................................................................................7
  • Symantec Corporate Template

    Symantec Corporate Template

    Security Threat Intelligence & Response Deepak Maheshwari Head – Government Affairs, India Region Combo, Sri Lanka March 26, 2015 Council of Europe – International Conference on Assessing the Threat of Cybercrime 1 Symantec Security Response – Major Investigations ESPIONAGE: TURLA (2014) ESPIONAGE: REGIN (2014) A campaign which has A complex and stealthy systematically targeted the spying tool used for mass governments and surveillance and embassies of former intelligence gathering by Eastern nation states. Bloc countries MASS SURVEILLENCE, TARGETS GOVERNMENT EMBASSIES TARGETS COMMUNICATIONS METHODS SPEAR PHISHING, SOCIAL ENGINEERING, WATER HOLE METHODS WATER HOLE SABOTAGE: STUXNET (2010) FINANCIAL FRAUD: PLOUTUS (2013) The first computer Criminals compromising software threat that was ATMs with customer used as a cyber-weapon. Trojan and mobile Targeted nuclear facility in phone. Can command Iran. Used multiple zero- day exploits. ATM to issue cash using SMS. TARGETS NUCLEAR FACILITY TARGETS BANKS ZERO-DAY EXPLOITS, PHYSICAL ACCESS METHODS SUPPLY CHAIN METHODS Council of Europe – International Conference on Assessing the Threat of Cybercrime 2 Symantec Security Response – Leaders in Protection & Intelligence GLOBAL REACH WEB REQUESTS THREAT INTELLIGENCE ROUND THE CLOCK 24 x 7 x 365 100s OF 7 SITES, 13 BILLION DAILY INVESTIGATIONS MALWARE DETECTION IPS PROTECTION EMAIL PROTECTION > 31M SIGNATURES > 2M BLOCKED DAILY > 1.7B BLOCKED DAILY SOME OF LANDMARK INVESTIGATIONS STUXNET REGIN DRAGONFLY TURLA HIDDEN LYNX RAMNIT NITRO PLOUTUS ATM 3
  • Regin Platform Nation-State Ownage of Gsm Networks

    Regin Platform Nation-State Ownage of Gsm Networks

    THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS Kaspersky Lab Report Version 1.0 24 November 2014 2 Contents Introduction, history ..................................................................................................................................................... 3 Initial compromise and lateral movement .................................................................................................................. 3 The Regin platform ....................................................................................................................................................... 4 Stage 1 – 32/64 bit ............................................................................................................................................... 4 Stage 2 – loader – 32-bit ...................................................................................................................................... 7 Stage 2 – loader – 64-bit ...................................................................................................................................... 8 Stage 3 – 32-bit – kernel mode manager “VMEM.sys” ....................................................................................... 8 Stage 3 – 64-bit ...................................................................................................................................................... 9 Stage 4 (32-bit) / 3 (64-bit) – dispatcher module, ‘disp.dll’ ...............................................................................
  • Threatpost | the First Stop for Security News

    Threatpost | the First Stop for Security News

    Threatpost | The first stop for security news Categories Category List Apple Cloud Security Compliance Critical Infrastructure Cryptography Government Category List Hacks Malware Microsoft Mobile Security Privacy Category List SAS SMB Security Social Engineering Virtualization Vulnerabilities Web Security Authors Dennis Fisher Michael Mimoso Christopher Brook Brian Donohue Anne Saita Additional Categories Slideshows The Kaspersky Lab News Service Featured Authors Dennis Fisher Michael Mimoso Christopher Brook Brian Donohue Anne Saita Guest Posts The Kaspersky Lab News Service Featured Posts All New BIOS Implant, Vulnerability Discovery Tool… Breach at Premera Blue Cross Affects… Apple Patches WebKit Vulnerabilities in Safari Podcasts Latest Podcasts All Threatpost News Wrap, March 13, 2015 Threatpost News Wrap, March 6, 2015 Patrick Gray on the State of… Threatpost News Wrap, February 27, 2015 Mike Mimoso on SAS 2015 Costin Raiu on the Equation Group… Recommended Robert Hansen on Aviator, Search Revenue and the $250,000 Security Guarantee Threatpost News Wrap, February 21, 2014 How I Got Here: Jeremiah Grossman Chris Soghoian on the NSA Surveillance and Government Hacking The Kaspersky Lab Security News Service Videos Latest Videos All Kris McConkey on Hacker OpSec Failures Trey Ford on Mapping the Internet… Christofer Hoff on Mixed Martial Arts,… Twitter Security and Privacy Settings You… The Biggest Security Stories of 2013 Jeff Forristal on the Android Master-Key… Recommended Twitter Security and Privacy Settings You Need to Know Lock
  • 2015 Internet Security Threat Report, Volume 20

    2015 Internet Security Threat Report, Volume 20

    APRIL 2015 VOLUME 20 INTERNET SECURITY THREAT REPORT 2 2015 Internet Security Threat Report MOBILE & IOT WEB THREATS SOCIAL MEDIA & SCAMS TARGETED ATTACKS DATA BREACHES & PRIVACY E-CRIME & MALWARE APPENDIX 4 Introduction 5 Executive Summary 9 2014 IN NUMBERS 60 TARGETED ATTACKS 61 Cyberespionage 18 MOBILE DEVICES 62 Industrial Cybersecurity & THE INTERNET OF THINGS 63 Securing Industrial Control Systems 19 Mobile Malware 65 Reconnaissance Attacks 23 SMS and the Interconnected Threat to Mobile Devices 66 Watering Hole Attacks 25 Mobile Apps and Privacy 69 Shifting Targets and Techniques 26 Internet of Things 70 Threat Intelligence 26 Wearable Devices 70 Techniques Used In Targeted Attacks 27 Internet-Connected Everything 27 Automotive Security 77 DATA BREACHES & PRIVACY 28 The Network As the Target 29 Medical Devices – Safety First, Security Second 83 Retailers Under Attack 84 Privacy and the Importance of Data Security 31 WEB THREATS 85 Data Breaches in the Healthcare Industry 32 Vulnerabilities 32 Heartbleed 87 E-CRIME & MALWARE 32 ShellShock and Poodle 88 The Underground Economy 33 High-Profile Vulnerabilities and Time to Patch 90 Malware 34 The Vulnerability Rises 93 Ransomware 35 SSL and TLS Certificates Are Still Vital to Security 93 Crypto-Ransomware 35 Vulnerabilities as a Whole 95 Digital Extortion: A Short History of Ransomware 41 Compromised Sites 97 Bots and Botnets 42 Web Attack Toolkits 98 OSX as a Target 43 Malvertising 100 Malware on Virtualized Systems 43 Malvertising at Large 101 APPENDIX 44 Denial of Service 102 Looking
  • The Evolving Cyber Threat Landscape & Data Protection

    The Evolving Cyber Threat Landscape & Data Protection

    CERT - MU Computer Emergency Response Team of Mauritius The Evolving Cyber Threat Landscape & Data P r o t e c t i o n Data Threats Phishing Ransomware Identity Theft Malware (backdoor trojans) Social Engineering Insider Threat African Statistics on Threat Mauritius ranked 5th and is among the top ten countries in the African region that has an Internet Threat profile Mauritius ranked 4th and is one among the top ten countries that has spam zombies in the African region Source: Symantec Corporation - Internet Security3 Threat Report: Volume 18 South Africa – Current Snapshot, February 28, 2013 4 Some of the Recent Incidents The US government notifies 3,000 companies that they were attacked and charges nation-backed hackers with economic espionage Compromises of retailers culminate in a recent breach of 56 million credit cards Heartbleed bug results in the loss of 4.5 million healthcare records 5 Some of the Recent Incidents Shellshock bug has compromised millions of devices and cause damage to web servers around the world Powerful malware infects hundreds of energy companies worldwide More than half of global securities exchanges are hacked Regin spy malware has been detected by Symantec which is extremely complex and dangerous 6 Some of the Recent Incidents.. Data Threats Phishing Ransomware Identity Theft Malware (backdoor trojans) Social Engineering Insider Threat Data Threats Phishing Ransomware Identity Theft Malware (backdoor trojans) Social Engineering Insider Threat Phishing Phishing Malware Backdoor