REVIEW OF THE YEAR - Kaspersky


Kaspersky Security Bulletin 2016: REVIEW OF THE YEAR

David Emm, Roman Unuchek, Kirill Kruglov

CONTENTS

Targeted attacks
  BlackEnergy
  Operation Blockbuster
  Adwind
  Attacks using exploits to the CVE-2015-2545 vulnerability
  Operation Daybreak
  xDedic
  Dropping Elephant
  Operation Ghoul
  ProjectSauron
Financial threats
The Internet of things
Mobile threats
  Rooting malware
  Cybercriminals still using Google Play Store
  Not only Google Play Store
  Bypassing security features
  Mobile ransomware
Data breaches
Industrial cyber security: threats and incidents
  Incidents
  Proof-of-Concept PLC based malware
  Zero-days in ICS software and hardware

TARGETED ATTACKS

Targeted attacks are now an established part of the threat landscape, so it's no surprise to see such attacks feature in our yearly review. Here are the major APT campaigns that we reported this year.

BlackEnergy

"In one massive attack, BlackEnergy disabled power distribution, wiped software and launched a DDoS"

The year started with the developing picture of the BlackEnergy cyber-attack on the Ukrainian energy sector. This attack was unique because of the damage it caused: hackers managed to disable the power distribution system in Western Ukraine, launch a wiper program on targeted systems and conduct a telephone Distributed Denial of Service (DDoS) attack on the technical support services of the affected companies. Kaspersky Lab experts revealed several aspects of the activities of the group responsible for the attack: in particular, an analysis of the tool used to penetrate the target systems. For an overview of the attack, read the report prepared by the SANS Institute and ICS-CERT.

Operation Blockbuster

Kaspersky Lab was among the participants in Operation Blockbuster, a joint investigation conducted by several major IT security companies into the activities of the Lazarus group (you can read our own report here). Lazarus is a cybercrime gang — supposedly of North Korean origin — responsible for the attack on Sony Pictures in 2014. The group has been around since 2009, although its activities ramped up after 2011. Lazarus is responsible for such well-known attacks as Troy, Dark Seoul (Wiper) and WildPositron. The group targeted companies, financial institutions, radio and television.

Adwind

"Adwind's malware-for-rent had 1,800 customers"

In February, at the Security Analyst Summit, we presented the results of our investigation into Adwind, a cross-platform, multi-functional RAT (Remote Access Tool) distributed through a single Malware-as-a-Platform service. This Trojan has been renamed several times since its first release in 2012 — AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRat. We believe that between 2013 and 2016 this malware was used in attacks against more than 443,000 individuals, commercial and non-commercial organisations around the world. One of the main features that distinguishes Adwind from other commercial malware is that it is distributed openly as a paid service, where the customer pays a fee in return for use of the malicious software. We estimate that there were around 1,800 customers in the system by the end of 2015. This makes it one of the biggest malware platforms in existence today.

Attacks using exploits to the CVE-2015-2545 vulnerability

"Over six APT groups used the same vulnerability — patched back in 2015"

In May, we reported a wave of cyber-espionage attacks conducted by different APT groups across the Asia-Pacific and Far East regions. They all shared one common feature: they exploited the CVE-2015-2545 vulnerability. This flaw enables an attacker to execute arbitrary code using a specially-crafted EPS image file. It uses PostScript and can evade the Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protection methods built into Windows. The Platinum, APT16, EvilPost and SPIVY groups were already known to use this exploit. More recently, it was used by the Danti and SVCMONDR groups. You can find an overview of the APTs that use this vulnerability here.

One of the most striking aspects of these attacks is that they are successfully making use of a vulnerability that had been patched by Microsoft in September 2015. In our 2016 predictions, we suggested that APT campaigns would invest less effort in developing sophisticated tools and make greater use of off-the-shelf malware to achieve their goals. This is a case in point: using a known vulnerability, rather than developing a zero-day exploit. This underlines the need for companies to pay more attention to patch management to secure their IT infrastructure.

Operation Daybreak

"The Operation Daybreak spying campaign by ScarCruft used an unknown zero-day — CVE-2016-1010"

Of course, there will always be APT groups that seek to take advantage of zero-day exploits. In June, we reported on a cyber-espionage campaign — code-named Operation Daybreak and launched by a group named ScarCruft — using a previously unknown Adobe Flash Player exploit (CVE-2016-1010). This group is relatively new and has so far managed to stay under the radar. But we think the group might have previously deployed another zero-day exploit (CVE-2016-0147) that was patched in April. The group's targets include an Asian law enforcement agency, one of the world's largest trading companies, a mobile advertising and app monetisation company in the United States, individuals linked to the International Association of Athletics Federations and a restaurant located in one of Dubai's top shopping centres.

While there's no such thing as 100% security, the key is to increase security defences to the point that it becomes so expensive for an attacker to breach them that they give up or choose an alternative target. The best defence against targeted attacks is a multi-layered approach that combines traditional anti-virus technologies with patch management, host intrusion detection and a default-deny whitelisting strategy. According to a study by the Australian Signals Directorate, 85% of targeted attacks analysed could have been stopped by employing four simple mitigation strategies: application whitelisting, updating applications, updating operating systems and restricting administrative privileges.

xDedic

"xDedic was the marketplace for at least 70,000 hacked servers — most victims had no idea"

This year, Kaspersky Lab investigated an active cybercriminal trading platform, called xDedic, an online black market for hacked server credentials around the world — all available through the Remote Desktop Protocol (RDP). We initially thought that this market extended to 70,000 servers, but new data suggests that the xDedic market was much wider — including credentials for 176,000 servers. xDedic includes a search engine, enabling potential buyers to find almost anything — from government and corporate networks — for as little as $8 per server. This low price provides 'customers' with access to data on such servers and their use as a bridgehead for further targeted attacks.

The existence of off-the-shelf underground markets is not new. But we are seeing a greater level of specialisation. And while the model adopted by the xDedic owners isn't something that can be replicated easily, we think it's likely that other specialised markets will appear in the future.

Dropping Elephant

"Dropping Elephant showed the fearsome power of high quality social engineering"

Targeted attack campaigns don't need to be technically advanced in order to be successful. In July, we reported on a group called Dropping Elephant (also known as 'Chinastrats' and 'Patchwork'). Using a combination of social engineering, old exploit code and some PowerShell-based malware this group was able to steal sensitive data from its victims — high-profile diplomatic and economic organisations linked to China's foreign relations. The attackers use a combination of spear-phishing e-mails and watering-hole attacks. The success of the Dropping Elephant group is striking given that no zero-day exploits or advanced techniques were used to target high-profile victims. In fact, Dropping Elephant provides a clear example of how low investment and use of ready-made toolsets can be very effective when combined with high quality social engineering.

The success of such attacks can be prevented by applying security updates and improving the security awareness of staff.

Operation Ghoul

The success of social engineering as a means for attackers to gain a foothold in a target organisation was also evident in Operation Ghoul — the group behind a series of attacks that we reported in June 2016. The attackers sent spear-phishing e-mails with malicious attachments — mainly to top and middle level managers of numerous companies — that appeared to come from a bank in the UAE. The messages claimed to offer payment advice from the bank and included an attached SWIFT document. But the archive really contained malware. Based on information obtained from the sink-hole of some command and control (C2) servers, the majority of the target organisations work in the industrial and engineering sectors. Others include shipping, pharmaceutical, manufacturing, trading and educational organisations.

The malware used by the Operation Ghoul group is based on the commercial spyware kit Hawkeye, sold openly on the Dark Web. Once installed, the malware collects interesting data from the victim's computer, including keystrokes, clipboard data, FTP server credentials, account data from browsers, messaging clients, e-mail clients and information about installed applications.

The continued success of social engineering as a way of gaining a foothold in target organisations highlights the need for businesses to make staff awareness and education a central component of their security strategy.

ProjectSauron

"ProjectSauron changed the landscape forever – an advanced modular spying platform with unique tools for each victim"

In September, we uncovered ProjectSauron, a group that has been stealing confidential data from organisations in Russia, Iran and Rwanda — and probably other countries — since June 2011. The cost, complexity, persistence and the ultimate goal of the operation (i.e. stealing secret data from state-related organisations) suggest that ProjectSauron is a nation-state sponsored campaign. Technical details indicate that the attackers learned from other highly advanced actors, including Duqu, Flame, Equation and Regin — adopting some of their most innovative techniques and improving on their tactics in order to remain undiscovered. All malicious artefacts are customized for each given target, reducing their value as indicators of compromise for any other victim.


ProjectSauron key features:

1. ProjectSauron is a modular platform designed to enable long-term cyber-espionage campaigns.
2. All modules and network protocols use strong encryption algorithms such as