ENISA Threat Landscape


Responding to the Evolving Threat Environment
[Deliverable – 2012-09-28]

Contributors to this report

This report was produced by ENISA using publicly available information on incidents and threats. The authors of this report, in alphabetical order, are Louis Marinos, European Network and Information Security Agency, and Andreas Sfakianakis, European Network and Information Security Agency.

The authors would like to thank all ENISA colleagues and external experts who provided information on existing threat resources and have contributed through discussions on the subject matter.

About ENISA

The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe's citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe's critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu.

Contact details

For contacting ENISA for general enquiries on this report, please use the following details:
E-mail: [email protected]
Internet: http://www.enisa.europa.eu

Legal notice

Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the ENISA Regulation (EC) No 460/2004 as lastly amended by Regulation (EU) No 580/2011. This publication does not necessarily represent the state of the art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources, including external websites referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Reproduction is authorised provided the source is acknowledged.

© European Network and Information Security Agency (ENISA), 2012

Contents

1 Executive Summary ........ 2
2 Introduction ........ 4
3 Scope and Definitions ........ 6
  3.1 Scope ........ 6
    3.1.1 What is threat landscape? ........ 6
    3.1.2 What are the factors leading to a change of threat landscape? ........ 6
    3.1.3 How many kinds of threat landscapes exist? ........ 7
    3.1.4 Threat landscape vs. risk landscape ........ 7
    3.1.5 Objectives of this work ........ 8
    3.1.6 What is beyond the scope of this report? ........ 9
    3.1.7 Processed material ........ 10
  3.2 Definitions ........ 10
4 Top Threats: The Current Threat Landscape ........ 13
    4.1.1 Drive-by Exploits ........ 13
    4.1.2 Worms/Trojans ........ 14
    4.1.3 Code Injection Attacks ........ 14
    4.1.4 Exploit Kits ........ 15
    4.1.5 Botnets ........ 16
    4.1.6 Denial of service ........ 17
    4.1.7 Phishing ........ 17
    4.1.8 Compromising confidential information ........ 18
    4.1.9 Rogueware/Scareware ........ 18
    4.1.10 Spam ........ 19
    4.1.11 Targeted Attacks ........ 20
    4.1.12 Physical Theft/Loss/Damage ........ 21
    4.1.13 Identity Theft ........ 21
    4.1.14 Abuse of Information Leakage ........ 22
    4.1.15 Search Engine Poisoning ........ 23
    4.1.16 Rogue certificates ........ 23
5 Overview of Threat Agents ........ 24
6 Threat Trends: The Emerging Threat Landscape ........ 27
  6.1 Threat Trends in Mobile Computing ........ 28
  6.2 Threat Trends in Social Technology ........ 29
  6.3 Threat Trends in Critical Infrastructures ........ 32
  6.4 Threat Trends in Trust Infrastructure ........ 33
  6.5 Threat Trends in Cloud Computing ........ 35
  6.6 Threat Trends in Big Data ........ 38
7 Concluding remarks ........ 41
Annex ........ 43
  Drive-by Exploits ........ 43
  Worms/Trojans ........ 46
  Code Injection Attacks ........ 50
  Exploit Kits ........ 55
  Botnets ........ 57
  Denial of service ........ 62
  Phishing ........ 64
  Compromising confidential information ........ 68
  Rogueware/Scareware ........ 71
  Spam ........ 72
  Targeted Attacks ........ 76
  Physical Theft/Loss/Damage ........ 81
  Identity theft ........ 82
  Abuse of information leakage ........