A Rising Tide: New Hacks Threaten Public Technologies

If this past quarter's stories are any indication, we could very well be seeing the rise of a new wave of threats that affect people at a more pronounced, physical level. Attackers are finding more security gaps to abuse, whether in existing public-facing technologies or in new developments in the Internet of Things. With this incoming swell of attacks come new cybercriminal players: independent operators who use simple malware for full-scale regional operations. Although law enforcement agencies are making strides in the fight for cybersecurity, these challenges continue.

Newly hacked technologies cause disruptions to public utilities

We've previously seen how certain automated transportation systems could be susceptible to cyber-attacks, and now we're seeing possible threats in aviation. The first incident took place when security researcher Chris Roberts tweeted messages suggesting that he was tampering with the in-flight systems of the Boeing 737-800 he was on. This was followed by a DDoS attack at Warsaw's Okecie airport that caused delays and grounded more than 1,400 LOT Polish Airlines passengers.

[Read: Mile High Hacking: Should You Worry?]

Routers were next. Our researchers observed an increase in attacks that used DNS changer malware against home routers. Most of the detected infections were in Brazil, the US, and Japan, with Brazil taking the lion's share at 81%.

[Read: DNS Changer Malware Sets Sights on Home Routers]

These attacks aimed to steal personal information from the devices connected to compromised home routers. As its name suggests, DNS changer malware rewrites the DNS server settings of a router so that every device behind it resolves domain names through an attacker-controlled server, which can steer users to malicious copies of the websites they try to log into, including online banking sites. While DNS changer malware is nothing new, its significance keeps growing as homes and businesses connect more devices to the Internet of Things.
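As an added example (not code from the original roundup), the Python below shows the two checks a practitioner would run on a home router suspected of DNS hijacking: whether the configured resolvers are the LAN gateway or a known trusted resolver, and whether several unrelated domains resolved through the router collapse onto one address that a trusted resolver does not return, which is the signature of a rogue resolver fronting many sites with a single proxy. The trusted resolver set, the domain names and all IP addresses are constructed for the example (documentation ranges, not real hosts).

```python
"""Indicators of a hijacked home-router DNS configuration (added example).

Runs on constructed data only: the router's configured resolvers and the
A records obtained through the router versus those from a trusted resolver.
"""
import ipaddress
from collections import defaultdict

# Resolvers this household expects to use (an assumption for the example).
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}

# A LAN gateway forwarding DNS for its clients is normal, so these ranges are not flagged.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_lan(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETWORKS)


def check_resolvers(configured, trusted=TRUSTED_RESOLVERS):
    """Return configured resolvers that are neither on the LAN nor in the trusted set."""
    return [r for r in configured if not is_lan(r) and r not in trusted]


def check_answers(router_answers, trusted_answers):
    """Compare A records seen through the router with those from a trusted resolver.

    Returns (mismatched, shared): every domain whose answers disagree, and the
    subset of router-supplied IPs that several unrelated mismatched domains share.
    One attacker-run proxy fronting many sites produces exactly that pattern.
    """
    mismatched = {name: ip for name, ip in router_answers.items()
                  if ip != trusted_answers.get(name)}
    by_ip = defaultdict(list)
    for name, ip in mismatched.items():
        by_ip[ip].append(name)
    shared = {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}
    return mismatched, shared


def assess(configured, router_answers, trusted_answers):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    rogue = check_resolvers(configured)
    if rogue:
        findings.append("unexpected resolver(s) configured on router: " + ", ".join(rogue))
    mismatched, shared = check_answers(router_answers, trusted_answers)
    for ip, names in shared.items():
        findings.append(f"{len(names)} unrelated domains resolve to {ip} only via the router: "
                        + ", ".join(names))
    for name, ip in mismatched.items():
        if ip not in shared:
            findings.append(f"{name}: router says {ip}, trusted resolver says {trusted_answers.get(name)}")
    return findings


# Constructed sample: the router points at an off-LAN resolver nobody configured, and three
# unrelated sites all land on the same host (documentation addresses, not real hosts).
CONFIGURED = ["192.168.0.1", "203.0.113.77"]
ROUTER_ANSWERS = {
    "bank-a.example": "198.51.100.9",
    "bank-b.example": "198.51.100.9",
    "mail.example": "198.51.100.9",
    "news.example": "192.0.2.40",
}
TRUSTED_ANSWERS = {
    "bank-a.example": "192.0.2.10",
    "bank-b.example": "192.0.2.11",
    "mail.example": "192.0.2.12",
    "news.example": "192.0.2.40",
}

if __name__ == "__main__":
    for finding in assess(CONFIGURED, ROUTER_ANSWERS, TRUSTED_ANSWERS):
        print("WARNING:", finding)
```

In practice the two dictionaries would be filled by querying the same sentinel names against the router's resolver and a trusted one; the comparison deliberately ignores single disagreements (CDNs legitimately return different addresses) and only treats an off-LAN, unknown resolver or a many-domains-to-one-IP collapse as a finding.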

Finally, in early April, an attack on the French TV network TV5 Monde crippled the company's network, disrupting all broadcasts for four hours. The attackers also took control of TV5 Monde's social networking accounts, using them not only to post propaganda but also to reveal personal information about the relatives of French soldiers involved in military operations.

[Read: The TV5Monde Attack: Four Hours that Changed the World]

These incidents show that cybercriminals are looking past our desktops and mobile devices. They are expanding their targets to include public-facing infrastructure and gadgets we normally take for granted in terms of security.

Like any other system, there are bugs somewhere in this [airplane] system; no human-built system is 100% error-free. It will be up to governments and regulators to force vendors (both of airplanes and IFE systems) to move beyond simple security-through-obscurity and demonstrate that existing systems are secure, and to fix any vulnerabilities that do come to light. Who knows, perhaps the systems that are in place have been designed in a robust and secure manner and do a good job of keeping attackers out. - Martin Rösler, Senior Director, Threat Research

Solo cybercrime operators exposed in several regions; ransomware and PoS malware persist

We saw more instances of solo cybercriminal operations during the second quarter. Frapstar, a lone operator from Canada, made a profit out of selling stolen personal information. In Brazil, LordFenix made a killing with his own home-grown horde of banking Trojans, each valued at over US$300. Similarly, AlejandroV managed to steal 22,000 unique credit card numbers with his point-of-sale (PoS) malware named FighterPoS.

[Read: FighterPoS: Fighting A New PoS Malware Family]

MalumPoS was another PoS malware family that broke onto the scene around this time. It was detected stealing information from systems running Oracle MICROS, a platform deployed at some 330,000 establishments worldwide, primarily in the US, all of which were potentially exposed to it.

Number of PoS malware detections (1Q 2014-2Q 2015)

The slight decline in PoS malware detections could be due to the threat reaching its saturation point. The latest iterations seen throughout the first half of the year could just be last-ditch efforts to capitalize on the gains the threat still brings.

[Read: Trend Micro Discovers MalumPoS]
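RAM-scraping PoS malware such as FighterPoS and MalumPoS works by reading the memory of the payment application and pattern-matching magnetic-stripe track data before it is encrypted for transmission. The same logic, run by a defender against a memory dump of their own PoS process, shows whether cleartext card data is sitting there to be stolen. The Python below is an added example written for this page, not code from either malware family or from Trend Micro; the Track 1/Track 2 patterns are simplified, the memory buffer is constructed, and the card numbers are the widely published 4111... and 5500... test PANs. Only masked PANs are ever emitted.

```python
"""Scan a memory buffer for magnetic-stripe track data (added example).

Defensive use: run against a dump of your own PoS process to see whether
cleartext card data is exposed the way RAM scrapers expect to find it.
"""
import re

# Simplified ISO/IEC 7813 patterns. Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?   (digits only between the sentinels)
TRACK_PATTERNS = (
    ("track1", re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[A-Z /.'\-]{2,26})\^(?P<yy>\d{2})(?P<mm>\d{2})\d*\?")),
    ("track2", re.compile(rb";(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})\d*\?")),
)


def luhn_valid(pan):
    """Luhn mod-10 check; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan):
    """Keep BIN (first 6) and last 4, as PCI DSS allows for display; never log the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf):
    """Return every track-format match in buf, sorted by offset, with its Luhn verdict."""
    hits = []
    for track, pattern in TRACK_PATTERNS:
        for m in pattern.finditer(buf):
            pan = m.group("pan").decode("ascii")
            hits.append({
                "offset": m.start(),
                "track": track,
                "pan_masked": mask_pan(pan),
                "expires": m.group("mm").decode() + "/" + m.group("yy").decode(),
                "luhn_ok": luhn_valid(pan),
            })
    return sorted(hits, key=lambda h: h["offset"])


def exposed_cards(buf):
    """Only Luhn-valid hits: what a scraper would actually harvest and sell."""
    return [h for h in scan_memory(buf) if h["luhn_ok"]]


# Constructed sample "process memory": receipt text, one Track 1 record, one Track 2 record,
# and a Track 2 look-alike whose PAN fails Luhn (should be reported but not treated as a card).
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"RECEIPT#0042 TOTAL 14.99 "
    + b"%B5500000000000004^DOE/JANE^25121010000000000000?"
    + b"\x00" * 8
    + b"log: auth ok ;4111111111111111=25121011234567890?\r\n"
    + b";4111111111111112=2512101?"
    + b"\xff" * 16
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        status = "CARD DATA" if hit["luhn_ok"] else "pattern only (Luhn fail)"
        print(f"offset {hit['offset']:5d} {hit['track']} {hit['pan_masked']} exp {hit['expires']}: {status}")
```

A hit in your own process memory means the application holds track data in the clear long enough to be scraped; the fix is on the application and terminal side (point-to-point encryption, tokenization), not in the scanner. Real scrapers also tolerate fragmented or Unicode-encoded records, which these simplified patterns do not.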

Two Nigerian solo cybercriminals used a simple US$35 keylogger called Hawkeye to target small businesses worldwide, specifically those in India, Egypt, Iran, Pakistan, Taiwan, Hong Kong, Russia, France, Germany, and the US.

[Read: How Two Cybercriminals Earned Millions Using a $35 Malware]

Ransomware activity was rife during the quarter. In June alone, we saw outbreaks of TorrentLocker and CryptoWall occurring nearly every day in countries that include the US, the UK, South Korea, and China. We also spotted several teenagers in China making money off mobile ransomware.

Countries affected by malware attacks in 2Q 2015 (map)

Hawkeye keylogger: India, Egypt, Iran, Pakistan, Taiwan, United States, Hong Kong, Russia, France, Germany
Chinese mobile ransomware: China
Other country groups shown on the map (labels not recoverable):
Brazil
Canada, United States
Germany
Australia, Turkey, France, Germany, Italy, New Zealand, Poland, Spain, Taiwan, United Kingdom, United States
Australia, Taiwan, South Korea, Japan, France, India, Canada, United Kingdom, United States

Moving forward, we're probably going to see an incorporation of old and new threats blended for the same objective. Defenders have to start considering new and upcoming threats while addressing old threats and keeping an eye out for potential targeted attacks. I would recommend using a clearly defined strategy to combat threats. Aside from looking into particular events within a host, make sure you can correlate them with network events, too. - Jay Yaneza, Threats Analyst

Law enforcement efforts bore fruit as governments prioritized security

Some of this quarter's security wins were made possible through public-private partnerships (PPPs). Trend Micro aided both Interpol and Europol in taking down two notorious botnets, SIMDA and BEEBONE. Continuing the winning streak was the sentencing of Silk Road creator Ross Ulbricht in May; his trial shed more light on Deep Web marketplaces whose offerings range from forged passports to assassination contracts.

[Read: Below the Surface: Exploring the Deep Web]

Also of note were leaps and bounds in security and pro-privacy legislation, most notably in the US, where the USA FREEDOM Act was signed and the government mandated that all federal websites use HTTPS.

One of the biggest problems that legislation has with cybercrime is that it evolves very quickly. Most laws would take maybe 3-5 years to pass. So the most relevant will be general laws that have been around for a long time. So, like in the US, they have been successful in arresting people charged with organized crime gangs or racketeering. These laws are not specifically 'cyber' in nature, but having them helped. What should generally be done is to standardize laws among countries.

At the end of the day, the Internet is global. Therefore, cybercrime is global so it would be a lot easier to prosecute people if the law on hacking a server is exactly the same in Germany as it is in Ireland or France. There'll be fewer complications as incidents like these happen. Then again, what's most important is to make communication within PPPs easier. If communication is easy, law enforcement agencies and security researchers can easily share information. - Robert McArdle, Senior Threat Research Manager

Its national and political impact made the OPM data breach the biggest incident thus far

In June, the United States Office of Personnel Management (OPM) disclosed a series of data breaches that exposed the personal information of more than 21 million people, including current and former federal employees, their family members, and rejected applicants. The data included Social Security numbers and even fingerprints.

[READ: Federal Data Breach: The Most Prolific in History]

The IRS also suffered a breach that exposed 100,000 taxpayer records, which the attackers pulled through an IRS web application.

Reported major data breaches (2Q 2015)

May 2015

CareFirst BlueCross BlueShield, Baltimore, Maryland
Reported date: May 20, 2015
Industry: Healthcare
Impact: 1.1M victims

IRS, Washington DC
Reported date: May 26, 2015
Industry: Government
Impact: 100K victims

June 2015

Japan Pension Service
Reported date: June 1, 2015
Industry: Annuity (pension)
Impact: 1M victims (personal data, including basic pension numbers)

OPM, Washington DC
Reported date: June 4, 2015
Industry: Government
Impact: 21.5M victims (personal data, including Social Security numbers)

Government entities were the primary attack targets this quarter. The OPM breach was the biggest incident to date, exposing more than 20 million records.

Source: https://www.privacyrights.org/data-breach

In some ways, your personal information getting leaked is more dangerous. I can easily get my credit card changed but unless I move, I can't change my address. Neither can I change my birthday. Personally identifiable information (PII) doesn't just identify users; it's also frequently difficult, if not impossible, to change. - Raimund Genes, Chief Technology Officer

Latest attacks on government entities emphasized political motives behind targeted campaigns

The White House and members of the North Atlantic Treaty Organization (NATO) became the latest targets of Operation Pawn Storm, an economic and political cyber-espionage campaign we discovered last year. Meanwhile, government institutions in the Philippines and Taiwan fell prey to two other targeted attack campaigns—Tropic Trooper and ESILE.

[Read: Operation Pawn Storm Ramps Up its Activities; Targets NATO, White House]

Countries that sought to stop Iran's nuclear development capabilities faced Duqu 2.0 attacks that used several zero-day vulnerabilities. Other threat actors, meanwhile, had started using macro malware in targeted attack campaigns, such as GHOLE. This could explain the steady growth of macro malware volume seen last quarter.

Macro malware detections (2014-1H 2015)

The number of macro malware detections slightly increased quarter over quarter, most likely due to a rise in the use of malvertisements that led to macro-malware-download sites in attacks.
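Macro malware needs a carrier: either a macro-enabled OOXML document (a .docm/.xlsm/.pptm zip package containing a vbaProject.bin part and the matching content type) or a legacy OLE binary (.doc/.xls) with a VBA storage inside. The Python below is an added example for this page, not Trend Micro code: it inspects a file's structure for either carrier and flags the common trick of a macro-free extension such as .docx wrapping a VBA project. It builds its own sample files in memory. It deliberately stops at the container level and does not decompress the VBA source; for that, a tool such as oletools' olevba is the usual next step.

```python
"""Detect whether an Office file carries a VBA macro project (added example).

Structural check only; the VBA source itself is not decompressed or read.
"""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # compound file header (legacy .doc/.xls/.ppt)
VBA_PART = re.compile(r"(?:^|/)vbaProject\.bin$", re.IGNORECASE)
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
MACRO_FREE_EXT = {".docx", ".xlsx", ".pptx", ".dotx", ".xltx", ".potx"}


def inspect_office_file(name, data):
    """Return a dict: container type, whether VBA is present, which parts hold it, and notes."""
    result = {"name": name, "container": None, "has_vba": False, "vba_parts": [], "notes": []}
    parts = name.lower().rsplit(".", 1)
    ext = "." + parts[1] if len(parts) == 2 else ""

    if data.startswith(OLE_MAGIC):
        result["container"] = "ole"
        # Legacy formats keep macros in a storage whose stream names ("Macros", "VBA", "dir", ...)
        # are stored as UTF-16LE in the directory; searching for "VBA" in that encoding is a
        # cheap heuristic, not a full compound-file parse.
        if "VBA".encode("utf-16-le") in data:
            result["has_vba"] = True
            result["notes"].append("legacy OLE file contains a VBA storage (heuristic match)")
    elif data[:2] == b"PK":
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            result["notes"].append("PK header but not a readable zip package")
            return result
        result["container"] = "ooxml"
        names = zf.namelist()
        result["vba_parts"] = [n for n in names if VBA_PART.search(n)]
        content_types = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
        if result["vba_parts"] or VBA_CONTENT_TYPE in content_types:
            result["has_vba"] = True
        if result["has_vba"] and ext in MACRO_FREE_EXT:
            result["notes"].append(f"extension {ext} implies no macros but a VBA project is present")
    else:
        result["notes"].append("not an Office container")
    return result


def _build_ooxml(parts):
    """Assemble an in-memory OOXML package from {part name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part_name, content in parts.items():
            zf.writestr(part_name, content)
    return buf.getvalue()


# Constructed samples (minimal, not real documents).
_CT_DOCX = (b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            b'<Default Extension="xml" ContentType="application/xml"/></Types>')
_CT_DOCM = _CT_DOCX.replace(
    b"</Types>",
    b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')

SAMPLE_DOCX = _build_ooxml({"[Content_Types].xml": _CT_DOCX, "word/document.xml": b"<w:document/>"})
SAMPLE_DOCM = _build_ooxml({"[Content_Types].xml": _CT_DOCM, "word/document.xml": b"<w:document/>",
                            "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 64})
SAMPLE_OLE_DOC = (OLE_MAGIC + b"\x00" * 32 + "Macros".encode("utf-16-le")
                  + "VBA".encode("utf-16-le") + b"\x00" * 32)

if __name__ == "__main__":
    for fname, blob in (("invoice.docx", SAMPLE_DOCX), ("invoice.docm", SAMPLE_DOCM),
                        ("invoice.docx", SAMPLE_DOCM), ("invoice.doc", SAMPLE_OLE_DOC)):
        r = inspect_office_file(fname, blob)
        print(fname, r["container"], "VBA" if r["has_vba"] else "no VBA", r["notes"])
```

On a mail gateway this check is the cheap first gate: anything with has_vba set goes to a sandbox or to olevba for auto-exec keyword analysis, and an extension/content mismatch is a strong signal on its own.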

Traditionally speaking, targeted attacks against political targets and enterprises are fairly similar. However, there are some minor differences in motivation and end result. Political attacks are sometimes more known for employing zero days in conjunction with 'traditional' attack vectors. Attacks against enterprises, meanwhile, traditionally utilize 'standard' methodologies since they almost always rely on the human element, which is the weakest link in the chain. - Kyle Wilhoit, Senior Threat Researcher

Secondary infections are flourishing due to three ominous phenomena. First, more hackers are targeting the information supply chain of organizations, leveraging island hopping to compromise internal hosts. Second, after a compromise, the use of steganography allows a second C&C channel to be established within compromised systems, allowing the adversary to effectively counter incident response. Finally, once the cybercriminal has stolen intellectual property or PII, they then use the organization's brand to attack its constituency via watering-hole attacks. These have exponentially grown in the first six months of 2015. - Tom Kellermann, Chief Cybersecurity Officer

Vulnerabilities threatened public-facing websites and mobile devices

In April, the blogging platform WordPress was hit by a cross-site scripting (XSS) vulnerability that let attackers inject malicious JavaScript that executed in the administrator's browser. Magento, an e-commerce platform used by eBay and more than 240,000 other online shopping sites worldwide, was then rattled by a vulnerability disclosed in late June. The large user bases of these web applications mean that vulnerabilities in them are just as dangerous as those found in traditional desktop software.

[Read: eBay’s Magento E-commerce Platform Hit by Payment Card Stealers]

Mobile platforms also saw their fair share of vulnerabilities, such as the SwiftKey vulnerability on Android, which allows attackers to take over a user's device. A patch has been released, but device fragmentation still stalls its deployment to affected devices. Serious security flaws were also found in the application sandboxes that protect OS X and iOS.

Attackers leverage vulnerabilities and weaknesses in all platforms. They just need a way to get in. Enterprises must be very watchful of vulnerabilities in the core software and plug-ins that they use. A focused and continuous vulnerability assessment program must be complemented by a configuration assessment program. Though vulnerabilities in standard software like Flash, Java, Firefox, and Internet Explorer® are used as a yardstick to draw the threat landscape, we shouldn't forget that vulnerabilities in custom applications (mainly Web apps) are also very high in number and a lot of them don't make it to the CVE list. Custom applications need customized checking. A good penetration test on custom applications always compensates for that. - Pawan Kinger, Director, Deep Security Labs

Angler Exploit Kit access numbers tripled, faster integration of exploits into kits seen

As more vulnerabilities came to light, exploit kits were quickly updated to include them. The Angler exploit kit is a prime example: it was the first to integrate exploits for vulnerabilities almost as soon as they were disclosed. This may explain the increase in its infection count from 1Q to 2Q 2015, along with the spike in the number of users accessing exploit kit-related URLs between May and June. Angler is especially notorious for its use of various Adobe Flash Player exploits, as are other kits such as Nuclear and Magnitude.

Timeline of Adobe Flash Vulnerabilities Integrated Into Exploit Kits, 2Q 2015

Exploits for Adobe Flash vulnerabilities have been integrated into more and more exploit kits (especially Angler) since the start of this year.

Angler Exploit Kit's developers have been very actively and aggressively adding Adobe Flash exploits to it. Magnitude and Nuclear exploit kit developers are doing the same thing. It's this agility that we should continue to study and monitor to better protect our customers. - Joseph C. Chen, Threats Analyst

Threat Landscape

The Trend Micro Smart Protection Network™ blocked over 12 billion threats this past quarter, a decrease from the 14 billion threat count at the start of the year. This may be because cybercriminals are now focusing their attacks rather than using an "infect-anyone" approach.

Total number of threats blocked (2Q 2015)

Detection rate: number of threats blocked per second (2Q 2015)

Of these threats, the top three malware families counted last quarter were SALITY (88K), DOWNAD/CONFICKER (77K), and GAMARUE (58K). SALITY variants are known for damaging routines that include infecting .EXE and .SCR files in order to spread. DOWNAD/CONFICKER variants are notorious for their persistent exploitation of vulnerabilities and high propagation rate. GAMARUE variants can steal information and take control of a system to launch attacks on other systems.

Top Malware Families

*based on PC detections

The total number of malicious and high-risk apps for Android has risen to roughly 7.1 million. That's a 31% increase compared to 1Q 2014 (5.4 million).

