
Fujitsu Security Operations Centre
2014 Annual Review & 2015 Predictions
Secure Thinking

Contents
1. Foreword
2. 2014 Annual Review
2.1 Significant threats during 2014
2.1.1 DDoS attacks
2.1.2 Crypto Ransomware infections
2.1.3 Phishing campaigns
2.1.4 Multi-platform threats and the rise of malware
2.1.5 The Branded Security Vulnerability
2.1.6 Threat to Retail – Point of Sale malware
2.1.7 Significant compromises
2.1.8 The insider threat
3. Predictions 2015
3.1 Threat intelligence
3.2 DDoS attacks
3.3 State sponsored cyber espionage and cyber war
3.4 Increasingly complex spam campaigns
3.5 Virtual desktop image security
3.6 Mobile platform threat
3.7 DDoS / Crimeware as a service
3.8 Banking Trojans
3.9 ATM Jackpotting
3.10 Agility and the risk of frequent security updates

1. Foreword

Security will always have one foot in the past and one in the future. It’s about analysing the last threat and anticipating the next one. As a result, this report straddles 2014 and 2015 – what happened last year and what we think will happen this year. The goal of both perspectives is to help protect your business.

A brief word on 2014

In 2014, we saw an unprecedented rise in reports of high-profile security threats, such as Poodle and Heartbleed. It was also the year that government-sponsored attacks came to the fore. In this report, you’ll gain insight into those threats and a lot more. For example, we also look at how:
■ Organised gangs are responsible for 50% of security attacks
■ State-sponsored attacks are changing
■ Identity and access management systems are reducing internal attacks.

What to expect in 2015

In addition to our reflections on 2014, we’ve also made some predictions for 2015. The broad message is that attacks will increase again – in both number and sophistication. Of course, in light of recent high-profile attacks, businesses are more aware of the impact of attacks.
However, this visibility counts for nothing if you don’t deploy countermeasures.

Preparing for 2015

At Fujitsu, we have one of the largest dedicated security practices in the UK and Ireland. Our aim is to keep our customers one step ahead of the bad guys. That could be through our 24/7 Security Operations Centre or our security consultants. Either way, we’re ready to help businesses navigate these difficult times. With that in mind, here are a few simple tips to start you off:
■ Increase the level of basic knowledge about computer security breaches in your organisation
■ Get people doing the simple things, like only opening emails from trusted sources
■ Ensure your company’s applied the latest software patches
■ Prepare for a breach (it’s inevitable – even if you have firewalls, intrusion detection or prevention technology, and antivirus software)
■ Think about how quickly you can detect and respond to a breach.

I hope you find this report of what our security teams have seen in 2014 and what they see in 2015 useful in protecting your business. Once you’ve read it, feel free to get in touch with one of our experts.

Rob Norris
Director Enterprise & Cyber Security

2. 2014 Annual Review

Last year saw a shift in the perception of security: it made mainstream news on multiple occasions, and our Security Operations Centre has had to evolve significantly to respond to this ever-changing threat landscape. We emphasise that cyber security should no longer be seen as an IT department issue but one that extends from the end user to the boardroom. Everyone has a responsibility for cyber security, whether that is understanding the potential threat to their computer from opening an unknown attachment or understanding the threat to a business through potential damage to reputation and/or loss of data. This document aims to outline what we have observed in the SOC and what we foresee.
During the last 12 months, sectors from Government to Retail to Banking have been the subject of cyber-attacks, with the year ending with the most noteworthy attack in recent times, on Sony Pictures. This was attributed by the US Government to the Democratic People’s Republic of Korea; 2014 was also the year in which the US Government charged 5 Chinese military personnel with cyber espionage. There were a total of 695 Critical vulnerabilities with a CVSS score of 9 or 10, and we also saw numerous ‘branded’ vulnerabilities last year such as Heartbleed, Shellshock and Poodle; these all hit the mainstream media and were front page headlines. The UK National Crime Agency, partnering with the FBI, announced ‘Cybergeddon’ to the media in April in relation to a two week campaign targeting cyber criminals hosting the GameOver Zeus botnets. There has also been a major change in the DDoS attack vector, utilising various UDP protocols such as DNS and NTP. In December, the Network Time Protocol daemon (NTPd) was found to have a major vulnerability allowing remote command execution, which led to Apple releasing its first ever automatic patch deployment. There have been countless issues in cryptography, with vulnerabilities affecting OpenSSL, Schannel, SSLv3 and SHA-1, the latter significant enough to result in major browser vendors winding down official support for the hash algorithm. The threat of malware also increased significantly in 2014. There was further state sponsored malware such as Regin, new variants of W97 macro viruses and multiple variants such as BlackPOS targeting retailers and Point of Sale systems. The increase in phishing campaigns in particular had an impact on the SOC, with several each week to investigate, analyse and respond to across our customer and vendor base. Adobe, Oracle and Microsoft have all had significant vulnerabilities. Many have been Critical zero day exploits that would allow remote command execution.
Microsoft finally ended support of Windows XP in April and will follow through with End of Life for the Windows 2003 Server operating system in 2015. We have also seen new threats against other operating systems such as iOS and OS X, and malware variants specifically targeting Linux platforms. The trend of mobile malware is also growing significantly, including the introduction of botnets for the Android platform.

2.1 Significant threats during 2014

2.1.1 DDoS attacks

In our February Threat Intelligence Report, the SOC highlighted that there had been an increase in DDoS amplification attacks. New attacks using NTP had been spotted by Symantec over Christmas 2013, following on from previous attacks seen using DNS amplification. Attackers were able to use botnets to spoof IP addresses and send large UDP requests to targets supporting NTP. Cloudflare reported an attack in May that peaked at nearly 400Gbps. The SOC worked with various business units to identify public facing NTP servers and ensure any running the monlist command were updated. The SOC have also seen attacks against some customers using port 80 over UDP. Further information can be read in the UK Government Advisory on DoS.

During December, the SOC attended the latest Botnet Conference, a 3 day event attended by Google, Cloudflare and the NCA amongst others. The NCA presented on Operation Tovar, which was a collaboration with the FBI to take down the GameOver Zeus botnet. This botnet was responsible for the delivery of the Cryptolocker malware family and was successful because it automatically and dynamically generated new domains, making it difficult for network defenders to protect against the new domains. The enforcement agencies were able to crack the Domain Generation Algorithm and as such were able to purchase, in advance, the following two weeks of new domains to be generated, achieving 100% sinkholing and leaving the threat redundant.
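The NTP amplification described above leaves a simple trace on the server side of the network: a handful of small queries on UDP/123 answered by a burst of large replies to the same (spoofed) address. The script below is an added illustration, not code from the report or from Fujitsu's SOC; it runs a bytes-out to bytes-in ratio check over constructed NetFlow-style records to pick out the public NTP servers that still answer monlist-style queries and need the restrict/monitor settings fixed.

```python
"""Spot NTP amplification from flow records by bytes-out / bytes-in ratio."""
from collections import defaultdict

# Constructed NetFlow-style records (not from the report):
# (src_ip, src_port, dst_ip, dst_port, bytes, packets)
SAMPLE_FLOWS = [
    # a spoofed "request" bearing the victim's address, then a monlist-sized reply burst
    ("203.0.113.9", 41234, "198.51.100.20", 123, 234, 1),
    ("198.51.100.20", 123, "203.0.113.9", 41234, 48200, 100),
    # an ordinary client/server time sync: symmetric 48-byte packets
    ("192.0.2.7", 123, "198.51.100.21", 123, 96, 2),
    ("198.51.100.21", 123, "192.0.2.7", 123, 96, 2),
    # replies with no matching request in the capture: also worth a look
    ("198.51.100.22", 123, "203.0.113.9", 51000, 9600, 20),
]


def ntp_amplification_report(flows, our_servers, ntp_port=123, min_ratio=10.0):
    """Return {(server, peer): (bytes_in, bytes_out, ratio)} for suspicious pairs.

    bytes_in  = bytes a peer sent to one of our servers on ntp_port
    bytes_out = bytes that server sent back to the peer from ntp_port
    A ratio far above 1 (or replies with no request at all) is the amplification
    signature: a few mode-7 queries answered with kilobytes of monlist data.
    Normal time sync is symmetric, so it stays well under min_ratio.
    """
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for src, sport, dst, dport, nbytes, _pkts in flows:
        if dst in our_servers and dport == ntp_port:
            bytes_in[(dst, src)] += nbytes
        elif src in our_servers and sport == ntp_port:
            bytes_out[(src, dst)] += nbytes
    report = {}
    for pair, out in bytes_out.items():
        inc = bytes_in.get(pair, 0)
        ratio = float("inf") if inc == 0 else out / inc
        if ratio >= min_ratio:
            report[pair] = (inc, out, ratio)
    return report


if __name__ == "__main__":
    servers = {"198.51.100.20", "198.51.100.21", "198.51.100.22"}  # constructed inventory
    for (server, peer), (inc, out, ratio) in sorted(ntp_amplification_report(SAMPLE_FLOWS, servers).items()):
        # Remediation on the flagged host: ntp.conf "disable monitor" and "restrict default noquery",
        # or update to an ntpd build with monlist removed.
        print(f"{server} -> {peer}: {inc} B in, {out} B out, x{ratio:.0f} amplification")
```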
The two week window brought about a media campaign led by the NCA dubbed ‘Cybergeddon’, where they pleaded with businesses and end users on TV and through the national media to ensure they had the latest patches and antivirus definitions. The botnet was reported to have stolen more than $100 million from businesses and consumers; however, we were told at the conference that this is conservative and that the figure is estimated to be more like $500m. Incapsula reported that 29% of traffic monitored over a 90 day period related to ‘bad’ botnets with the intention of taking services down, website hijacking and data theft. Spamhaus also detail in their annual report that they “detected 7,182 distinct IP addresses that hosted a botnet controller (Command & Control server - C&C). That is an increase of 525 (or 7.88%) botnet controllers over the number we detected in 2013. Those C&Cs were hosted on 1,183 different networks”.

2.1.2 Crypto Ransomware infections

Cryptolocker first appeared in late 2013, infecting end user machines and encrypting local files and files stored on mounted network shares. The malware authors then retained the decryption key until payment was made via a pre-paid voucher or Bitcoin. Fox-IT estimated the total amount paid to be $3 million, with approx. 50,000 endpoints a month infected. In collaboration with FireEye, they released a site in August which allowed users to decrypt any infected files. Cryptowall and Torrentlocker have followed suit in 2014, using the same ransomware principle of infecting users and encrypting files before asking for the ‘decryption ransom’. Torrentlocker, a new variant of ransomware using the same components as Cryptolocker and Cryptowall, seemed to target Turkish and Australian users via spam. Phishing campaigns and advertisement pages were used as a mechanism to spread the malware.