Disasters, man-made or natural, often come without warning. But crises can be averted if the signs are spotted beforehand. We dissected the most notable security incidents this past quarter and speculated how they may be heralding bigger, more devastating threats in the near future. We can treat these threats as if they were waves in a seismograph—notable blips that signify an impending quake. These movements could very well shake up the security industry over the next few months. Are we prepared for these scenarios before they happen?
The third quarter of 2015 saw one of the worst-case security scenarios ever imagined coming true: that information leaked from a data breach would be used for further attacks, such as blackmail and extortion.
[Read: Unpatched Flash Player flaws: More POCs found in Hacking Team leak]
The attack against Hacking Team, reported in early July, is an example of such a scenario. The 400 GB dump of stolen information led to the discovery of five major zero-day vulnerabilities, as well as spying tools for iOS and Android. Some of these vulnerabilities were then used in Angler Exploit Kit attacks in Japan and Korea, as well as in the compromise of Taiwan and Hong Kong government websites.
[Read: Hack Team Flash Zero Day integrated into exploit kits]
We believe we will see more of these chain-reaction attacks. Bigger and better-secured organizations may suffer breaches of their own if attackers manage to siphon data from their smaller, less-secure partners. Consumers may also find their personal information at risk if companies continue to be breached through this lateral progression of attacks.
[Read: Hacking Team Flash Zero Day tied to attacks in Korea and Japan on July 1]
Organizations and businesses need to prioritize security even more now, and prepare for inevitable data breach attempts.
The third quarter of 2015 was not a good one for established mobile platforms. Major vulnerabilities were reported not just on Android, but on Apple's iOS platform as well. With these newly discovered flaws, it was the first time that both platforms were exposed to severe vulnerabilities in the same quarter.
[Read: Trend Micro discovers vulnerability that renders Android devices silent]
Reported date | Platform | Impact | Description
July | Android | Affected 94.1% of all Android devices | Could lead to malware installation through MMS, a malicious app, or a specially crafted URL
July | Android | Affected 50% of all Android devices | Rendered devices unresponsive/silent
August | Android | Affected 89% of all Android devices | Could lead to arbitrary code execution and a reboot loop
August | Android | Affected versions 2.3 to 5.1.1 | Could lead to arbitrary code execution
August | iOS | (not stated) | Could lead to data leakage
September | iOS | (not stated) | Led to malicious apps being published in the official Apple App Store
September | iOS | (not stated) | Led to malware installation through proximity
[Read: MMS not the only attack vector for StageFright]
All of the listed Android vulnerabilities above involve mediaserver, the Android service responsible for opening and viewing digital media (images, audio, and video files) on the platform. Trend Micro researchers have identified mediaserver as a hotbed for vulnerabilities of this severity, and warn of more vulnerabilities to be found in the future. Google has since announced a future shift to a more regular patch update process to fix vulnerabilities more efficiently.
[Read: Android Mediaserver bug traps phones in endless reboots]
While we expect Android vulnerabilities to keep surfacing, the iOS revelations this quarter open that platform to bolder, more damaging attacks in the future.
Small and medium-sized businesses were heavily affected in the third quarter of 2015, as PoS (point-of-sale) malware was distributed with shotgun methods that reach a large number of potential targets in the hope of hitting the one or two truly desired ones.
[Read: New GamaPOS threat spreads in the US via Andromeda Botnet; Spreads in 13 States]
This was seen in July, in an Andromeda botnet-powered spam campaign that delivered a GamaPOS variant. The spammed messages were sent indiscriminately, including to recipients that were not the intended targets, in the hope that some would land on PoS systems. Attackers also used the Angler Exploit Kit to find and infect PoS systems; spread through malvertisements and compromised sites, its detection count rose 40% over the previous quarter.
In September, attackers spammed messages carrying Kasidet/Neutrino variants that have PoS RAM-scraping capabilities. Kasidet detections accounted for 12% of all PoS malware detections in the third quarter.
The fact that SMBs are being hit can be explained by the adoption of better security technologies by bigger businesses, which leaves SMBs with weaker security as easier and more tempting targets. Combined with the slow adoption of EMV/chip-and-PIN payment systems, this is a clear sign that more SMBs will fall prey to PoS malware.
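RAM scrapers such as the Kasidet variants above work by sweeping process memory for magnetic-stripe data that the PoS application holds in cleartext between the swipe and authorization. The following added example (not code from the report or from any malware family) shows the same search from the defender's side: it scans a memory buffer for Track 2 records, keeps only PANs that pass the Luhn check and carry a plausible expiry, and masks them for reporting. The sample buffer is constructed here from well-known test card numbers; the regular expression and field layout are the standard Track 2 format (;PAN=YYMM<service code><discretionary>?).

```python
import re

# Track 2 as it sits in memory: ;PAN=YYMM<3-digit service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan):
    """Standard Luhn check; real PANs pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_track2(buf):
    """Return Luhn-valid Track 2 records found in a raw memory buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        yy, mm, service = (m.group(i).decode() for i in (2, 3, 4))
        if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
            continue                        # discard false positives
        hits.append({
            "offset": m.start(),
            "pan": pan,
            "expiry": f"{mm}/{yy}",
            "service_code": service,
        })
    return hits


def mask_pan(pan):
    """First six and last four digits only, as a findings report should show them."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample "memory dump": two well-known test PANs plus one that fails
# Luhn, surrounded by unrelated bytes. Not data captured from any real system.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"POSAPP v2.1 auth buffer\x00"
    + b";4111111111111111=25121010000012345?\x00"   # valid test PAN
    + b"receipt printed\x00"
    + b";4111111111111112=2512101?\x00"             # fails Luhn, should be dropped
    + b";5555555555554444=3007201?\x00"             # valid test PAN
    + b"\xff" * 8
)

if __name__ == "__main__":
    for h in find_track2(SAMPLE_MEMORY):
        print(f"offset {h['offset']}: {mask_pan(h['pan'])} "
              f"exp {h['expiry']} svc {h['service_code']}")
```

Run the same function over a process dump of the PoS application (or of a suspect process) to confirm whether cleartext track data is exposed; a hit in any process other than the payment application is itself an indicator that a scraper may be staging stolen data.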
Pawn Storm ramped up its operations this quarter by going after the armed forces of a NATO country and a US defense organization. It also expanded its targets to include political entities in Russia, such as activists, media celebrities, and diplomats, as well as the CEO of a local encryption company and a mail developer at mail.ru.
[Read: Pawn Storm Targets MH17 Investigation Team]
Rocket Kitten, a threat actor group, was also discovered targeting an expert lecturer on linguistics and pre-Islamic Iranian culture who had assisted cybersecurity researchers with the Thamar Reservoir research. The group also targeted information security staff, specifically a ClearSky researcher.
The Angler Exploit Kit was updated in early July to include zero-day vulnerabilities discovered in the Hacking Team data dump, continuing its reputation as the most aggressive exploit kit in terms of vulnerability adoption.
[Read: Angler and Nuclear Exploit Kits integrate Pawn Storm Flash exploit]
Besides being used to infect PoS systems, Angler was used in a malvertising attack in Japan that affected 3,000 high-profile sites in late September.
September also saw attackers using the exploit kit abuse the Diffie-Hellman key exchange to hide its traffic: because the session key is negotiated between the landing page and the victim's browser, a network sensor that only captures the packets cannot decrypt the exploit and payload afterwards.
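The following is an added example, not code from the report or from the Angler kit, that models the evasion just described: each side contributes a public value, both derive the same key, the server encrypts a payload with it, and a passive on-path observer that holds only the two public values and the ciphertext cannot recover the payload. The group parameters (p = 2^127 - 1, g = 5) are a toy choice so the example runs instantly, and the SHA-256 counter keystream stands in for whatever cipher the kit actually used; both are assumptions for illustration only.

```python
import hashlib
import secrets

# Toy group used only so the example runs fast (assumption, not a real DH group):
# p = 2^127 - 1 is a Mersenne prime, g = 5. Real systems use a standard large group.
P = (1 << 127) - 1
G = 5


def dh_keypair():
    """Generate (private exponent x, public value g^x mod p)."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P-2
    return priv, pow(G, priv, P)


def dh_shared_key(priv, peer_pub):
    """Derive a 32-byte session key from the shared secret peer_pub^priv mod p."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def xor_stream(key, data):
    """Encrypt/decrypt with a SHA-256 counter keystream (same call both ways)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def simulate_exchange(payload):
    """Run the exchange between a kit landing page and a victim browser.

    Returns (server_key, client_key, capture, recovered) where `capture` is
    everything an on-path sensor sees: the two public values and the ciphertext.
    """
    srv_priv, srv_pub = dh_keypair()     # exploit-kit server side
    cli_priv, cli_pub = dh_keypair()     # script running in the victim's browser
    srv_key = dh_shared_key(srv_priv, cli_pub)
    cli_key = dh_shared_key(cli_priv, srv_pub)
    ciphertext = xor_stream(srv_key, payload)
    capture = {"server_pub": srv_pub, "client_pub": cli_pub, "ciphertext": ciphertext}
    recovered = xor_stream(cli_key, ciphertext)
    return srv_key, cli_key, capture, recovered


def replay_from_capture(capture):
    """What a sensor can do with the capture alone: combine the public values.

    Without either private exponent this does NOT yield the session key, so the
    attempted decryption returns garbage rather than the exploit payload.
    """
    guess = (capture["server_pub"] * capture["client_pub"]) % P
    key = hashlib.sha256(guess.to_bytes(16, "big")).digest()
    return xor_stream(key, capture["ciphertext"])


if __name__ == "__main__":
    payload = b"<constructed stand-in for an exploit/payload blob>"
    srv_key, cli_key, capture, recovered = simulate_exchange(payload)
    print("keys match:", srv_key == cli_key)
    print("client recovered payload:", recovered == payload)
    print("sensor replay recovered payload:", replay_from_capture(capture) == payload)
```

The practical consequence for defenders is that detection has to move to the endpoint (instrumenting the browser or Flash runtime, or blocking the landing page and redirect chain) rather than relying on decrypting a packet capture after the fact.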
Research using Gaspot, our honeypot that emulates a gas tank monitoring system, yielded insight into how attackers can endanger public safety by hijacking exposed tank gauges and modifying their attributes. Searches on Shodan also revealed that similar public-facing utilities such as heating systems, surveillance systems, and power plants are just as insecure.
Security researchers Charlie Miller and Chris Valasek proved that remote car hacking is indeed possible. Using a Jeep Cherokee, they were able to take control of the car's engine, brakes, and other systems, starting from nothing more than the car's public IP address.
The Trend Micro Smart Protection Network™ blocked over 12 billion threats this past quarter, continuing the trend of a 20% overall decrease since 2012. This may be due to attackers still preferring to only go after well-chosen victims (mostly SMBs and large enterprises) for better results.
Of these threats, the top three malware families counted last quarter were SALITY (81K), DOWNAD/CONFICKER (71K), and BARTALEX (48K). SALITY variants are known for their damaging routines, which include spreading through infected .EXE and .SCR files. DOWNAD/CONFICKER variants are notorious for their persistent exploitation of vulnerabilities and high propagation rate. DOWNAD still figured in the list of top malware seven years after it first emerged, likely because users (mostly enterprises) still run old and unsupported Windows versions such as XP that remain vulnerable to the threat.
BARTALEX joined this quarter's list of top malware because of the macro-based malware attacks seen in July. BARTALEX typically uses Microsoft Word® document attachments whose macros act as UPATRE downloaders.
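Because the BARTALEX attachments only work if the recipient opens a Word document and enables its macro, the cheapest control is to flag Word attachments that carry a VBA project before they reach a mailbox. The following added example (not code from the report) implements that check against the two container formats Word uses: for OOXML (.docx/.docm) it looks for a vbaProject.bin part inside the zip, and for the older OLE2 (.doc) format it looks for the UTF-16LE storage names Word writes only when macros are present. The sample documents are built in memory and are not real malware; the detector is a heuristic and does not replace a proper OLE parser such as oletools.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # Word 97-2003 (.doc) container
ZIP_MAGIC = b"PK\x03\x04"                                # OOXML (.docx/.docm) container
# Storage/stream names Word writes only when a VBA project exists. OLE2 stores
# directory entry names as UTF-16LE, so the markers are searched in that encoding.
OLE_VBA_MARKERS = [n.encode("utf-16-le") for n in ("Macros", "_VBA_PROJECT")]
WORD_EXTENSIONS = (".doc", ".dot", ".docx", ".docm", ".dotm")


def document_has_macros(blob):
    """Heuristic VBA detection for a Word attachment. Returns (flag, reason)."""
    if blob.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return False, "unreadable OOXML container"
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                return True, f"OOXML part {name} carries a VBA project"
        return False, "OOXML without a VBA project"
    if blob.startswith(OLE_MAGIC):
        # Substring search over the whole file: cheap, but a document whose text
        # happens to contain these names in UTF-16 will also trip it.
        if any(marker in blob for marker in OLE_VBA_MARKERS):
            return True, "OLE2 document with Macros/_VBA_PROJECT storage"
        return False, "OLE2 document without VBA storage"
    return False, "not a Word container"


def triage_attachment(filename, blob):
    """Mail-gateway style verdict: quarantine Word files that carry macros.

    The decision is content-based, so a .docm renamed to .doc is still caught.
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in WORD_EXTENSIONS:
        return "allow"
    has_macros, _reason = document_has_macros(blob)
    return "quarantine" if has_macros else "allow"


# --- constructed sample documents so the check runs offline (not real malware) ---
def build_ooxml(with_vba):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def build_ole(with_vba):
    body = OLE_MAGIC + b"\x00" * 504                     # minimal fake header sector
    if with_vba:
        body += "Macros".encode("utf-16-le") + b"\x00" * 16
        body += "_VBA_PROJECT".encode("utf-16-le")
    return body


if __name__ == "__main__":
    for name, blob in (("invoice.doc", build_ooxml(True)),
                       ("invoice.docx", build_ooxml(False)),
                       ("report.doc", build_ole(True))):
        print(name, triage_attachment(name, blob), document_has_macros(blob)[1])
```

Pair the gateway check with the Office policy that blocks macros in documents from the Internet; the downloader stage of BARTALEX cannot run without the user enabling content, and the gateway verdict stops most of the attachments from ever prompting them.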