Hazards Ahead: Current Vulnerabilities Prelude Impending Attacks

November 17, 2015

Disasters, man-made or natural, often come without warning. But crises can be averted if the signs are spotted beforehand. We dissected the most notable security incidents this past quarter and speculated how they may be heralding bigger, more devastating threats in the near future. We can treat these threats as if they were waves in a seismograph—notable blips that signify an impending quake. These movements could very well shake up the security industry over the next few months. Are we prepared for these scenarios before they happen?

Data breach dumps fueled extortion and further attacks

The third quarter of 2015 saw one of the worst-case security scenarios ever imagined coming true: that information leaked from a data breach would be used for further attacks, such as blackmail and extortion.

[Read: Unpatched Flash Player flaws: More POCs found in Hacking Team leak]

The attack against The Hacking Team, reported in early July, is an example of such a scenario. The 400 GB dump of stolen information led to the discovery of five major zero-day vulnerabilities, as well as spying tools for iOS and Android. Some of these vulnerabilities were then used in Angler Exploit Kit attacks in Japan and Korea, as well as the compromise of Taiwan and Hong Kong government websites.

[Read: Hack Team Flash Zero Day integrated into exploit kits]

We believe we will see more of these chain reaction-type attacks. Bigger and better-secured organizations may experience breaches of their own if ever attackers successfully manage to leech off data from their smaller, less-secure partners. Consumers may also find their personal information at risk if companies continue to get breached due to this lateral progression of attacks.

[Read: Hacking Team Flash Zero Day tied to attacks in Korea and Japan on July 1]

Organizations and businesses need to prioritize security even more now, and prepare for inevitable data breach attempts.


Cyberspace has become more punitive. These were not isolated cases. As a result, enterprises must adjust their incident response plans to manage the advent of secondary stages of attack—whether those be secondary infections or the use of stolen data to target or extort their user communities. Intrusion suppression will become the goal of incident response as it is imperative that the dwell time of an adversary be limited. We must disrupt the capacity of an adversary to maintain a footprint on hosts, and thus inhibit their ability to conduct secondary infections. Virtual shielding, integration of breach detections systems with SEIMs, and file integrity monitoring will be key instruments in mitigating the punitive attacks of 2016. - Tom Kellermann, Chief Cybersecurity Officer

New attacks reiterated existing iOS and Android issues

The third quarter of 2015 was not a good one for established mobile platforms. It was during this time that major vulnerabilities were seen not just on Android, but on Apple's iOS platform as well. Because of the newly-discovered flaws, it would be the first time that both platforms would be considered severely compromised.

[Read: Trend Micro discovers vulnerability that renders Android devices silent]

Location

Stagefright vulnerability (CVE-2015-3824)

Reported date:July
Platform: Android
Impact: Affected 94.1% of all Android devices
Description: Could lead to malware installation through MMS, a malicious app, or a special crafted URL.

ANDROID-21296336 Vulnerability

Reported date: July
Platform: Android
Impact: Affected 50% of all Android devices
Description: Rendered devices unresponsive/silent

July 2015
Location

CVE-2015-3823 Vulnerability

Reported date: August
Platform: Android
Impact: Affected 89% of all Android devices
Description: Could lead to arbitrary code execution and reboot loop

CVE-2015-3842 (Audioeffect Vulnerability)

Reported date: August
Platform: Android
Impact: Affected versions 2.3 to 5.1.1
Description: Could lead to arbitrary code execution

August 2015
Location

Quicksand Vulnerability

Reported date: August
Platform: iOS
Description: Could lead to Data Leakage

August 2015
Location

Malicious Developer Tools Discovery (Xcode and Unity)

Reported date:September
Platform: iOS
Description: Lead to malicious apps being published in Apple Official Appstore

AirDrop Vulnerability

Reported date: September
Platform: iOS
Description: Lead to malware installation through proximity

September 2015

[Read: MMS not the only attack vector for StageFright]

All of the listed Android vulnerabilities above involve mediaserver, the Android service responsible for opening and viewing digital media (images, audio, and video files) on the platform. Trend Micro researchers have identified mediaserver as a hotbed for vulnerabilities of this severity, and warn of more vulnerabilities to be found in the future. Google has since announced a future shift to a more regular patch update process to fix vulnerabilities more efficiently.

[Read: Android Mediaserver bug traps phones in endless reboots]

While we can predict that Android vulnerabilities will continue to persist and exist, the revelations about iOS this quarter opens the platform to bolder, more damaging attacks in the future.


Apple's increasing phone market share is tempting attackers to exert more effort to exploit iOS apps. Apple's strict security policies on posting iOS apps are, however, pushing them to come up with cleverer tricks like infection via development tools and libraries to get the job done. We're bound to see more "Ghost-like" threats in the future. Attackers may also opt to abuse certificates and application programming interfaces (APIs) to distribute iOS malware. In response, Apple needs to constantly tighten its app-posting policies. - Ju Zhu, Mobile Threat Researcher

Shotgun approach to PoS malware attacks affected more and more SMBs

Small and medium-sized businesses were heavily affected in the third quarter of 2015, as PoS (point-of-sale) malware attacks were launched using methods that affect a large number of potential targets wholesale in the hopes of hitting one or two truly-desired targets.

[Read: New GamaPOS threat spreads in the US via Andromeda Botnet; Spreads in 13 States]

This was seen in July, in an Andromeda botnet-powered spam campaign that delivered a GamaPOS variant. The spammed messages were also sent to unintended targets, in the hopes of infecting PoS devices. Attackers then used the Angler Exploit Kit to search for and infect PoS systems. Using malvertisements and compromised sites, it managed to increase its detection count to 40% from the past quarter.

In September, attackers spammed messages with Kasidet/Neutrino variants that have PoS RAM scraping capabilities. Kasidet detections took up 12% of the total number of PoS malware detections in the third quarter.

The fact that SMBs are being hit can be explained by the adoption of better security technologies by bigger businesses. This makes SMBs with weaker security an easier and more tempting target. Combined with the slow adoption of EMV/chip-and-pin payment systems, it's a clear sign that more SMBs will fall prey to PoS malware.


PoS malware targeting SMBs is nothing new, and in fact we have been talking about this for a while now. What is new is that cybercriminals have gone from targeted attacks to traditional mass infection techniques such as spam, botnets, and exploit kits.

What remains unchanged is this malware poses to the ordinary individual making credit card payments. A wider net is a risky strategy because the malware will be quickly detected and neutralized, but almost certain to find new victims. Perhaps when a new victim is found and data successfully extracted, the cybercriminals will do a more targeted campaign against that victim. - Numaan Huq, Senior Threat Researcher

Political figures: Favored cyber-espionage targets

Pawn Storm ramped up its operations this quarter by going after the armed forces of a NATO country and a US Defense organization. It also expanded its targets to include political entities in Russia, such as activists, media celebrities, and diplomats. A CEO of a local encryption company was also targeted, including a mail developer from mail.ru.

[Read: Pawn Storm Targets MH17 Investigation Team]

Rocket Kitten, a threat actor group, was also discovered targeting an expert lecturer on linguistics and pre-Islamic Iranian culture who assisted cybersecurity researchers with the Thamar Reservoir research. They also targeted an infosec personnel, specifically, a ClearSky researcher.

Pawn Storm campaign targets

Politicians in the US and Russia constantly figured as Pawn Storm targets since 2011.


Rocket Kitten's March and September 2015 targets

Most of Rocket Kitten's victims were diplomatic and international affairs personnel as well as policy researchers from the Middle East.

Angler: Still the most widely used exploit kit

The Angler Exploit Kit was updated in early July to include the zero-day vulnerability discovered in the Hacking Team data dump, continuing its reputation as the most aggressive exploit kit in terms of vulnerability adoption.

[Read: Angler and Nuclear Exploit Kits integrate Pawn Storm Flash exploit]


Angler exploit kit access by quarter

Several exploit kits (HanJuan, SweetOrange, and Fiesta) did not show any type of activity this quarter.


Besides being used for PoS malware infection purposes, it was also used in a malvertising attack in Japan that compromised 3,000 high-profile sites in late September.

September also saw attackers using the exploit kit abuse the Diffie-Helman encryption protocol to hide network traffic.

Internet-ready devices: Plagued by security issues

Research using our gas tank monitoring system, Gaspot, yielded insight on how attackers can compromise public safety by hijacking target gas tanks and modifying their attributes. Further consultation with SHODAN also revealed that similar public-facing utilities such as heating systems, surveillance systems, and power plants are similarly insecure.

Infosecurity researchers Charlie Miller and Chris Valasek were able to prove that remote car hacking was indeed possible. They did this with a Jeep Cherokee, and were able to take control of the car's engine, brakes, and other systems—all by just knowing the car's public IP address.

Threat Landscape

The Trend Micro Smart Protection Network™ blocked over 12 billion threats this past quarter, continuing the trend of a 20% overall decrease since 2012. This may be due to attackers still preferring to only go after well-chosen victims (mostly SMBs and large enterprises) for better results.

Total number of threats blocked

3Q 2015

Detection rate (Number of threats blocked per second)

3Q 2015

1588

Of these threats, the top three malware families counted last quarter were SALITY (81K), DOWNAD/ CONFICKER (71K), and BARTALEX (48K). SALITY variants are known for its damaging routines that include the spread of infected .EXE and .SCR files. DOWNAD/ CONFICKER variants are notorious for their persistence in exploiting vulnerabilities and high propagation rate. DOWNAD still figured in the list of top malware, seven years after it first emerged. This could be due to the fact that users (likely enterprises) still use old and unsupported Windows versions like XP that are vulnerable to the threat.

BARTALEX joined this quarter's list of top malware due to related macro-based malware attacks this July. BARTALEX typically use Microsoft Word® document attachments that function as UPATRE downloaders.


Top Malware Families

*based on PC detections

DOWNLOAD FULL REPORT


Hazards Ahead: Current Vulnerabilities Prelude Impending Attacks

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Posted in Roundup, Threat Reports, Mobile, PoS Malware, Data Breach, Targeted Attacks, Internet of Things

We Recommend