Trend #1:  Government Malware Goes Commercial

Trend #5:  Hacktivism Gets  Process Driven
In 2012, we witnessed changes in the way that Hacktivism operated. In early 2011, Hacktivist groups were focusing their efforts at specific organizations by methodically analyzing and attacking a targets front end—applications and web pages—and breaking them.   In 2012, Hacktivism was down, but not out.

For example, some “hacking incidents” proved to be hoaxes, or, more precisely, PR stunts.  Case in point:  Anonymous claiming to have hacked an FBI laptop hack.

To be effective, Hacktivists need to focus on divulging content or data that can damage their targets.  In our February report on Hacktivism, we detailed the process for stealing data from web applications.  We think this process will continue, but a new variation will emerge.  Specifically, Hacktivists will focus efforts on discovering CMS that are used in public websites via well-established techniques, such as error grabbing and Google dork searches, mapping them to vulnerabilities. Then use automated hacking tools to pull out the database contents as well as sensitive files for public disclosure. This approach, though simple and methodical, will focus on quantity over quality.

For example, the focus of Hacktivist group GhostShellTeam, in the course of 2012, have focused on CMS hacks with automated tools to expose files and data. When looking at the disclosed data, it was very clear that most of the data was captured from a CMS system, and that the extraction method was SQL Injection. How do such attacks work?

1. Identify and collect vulnerabilities in CMS systems via different sources such as exploit-db.com and other exploit databases, some on hacker forums and pastebin.com publications.
2. Using different techniques to map sites that use these CMS systems and versions via error message grabbing, Google dork searches and other techniques.
3. Once identified, the targets may or may not be branched into different Hacktivism campaigns depending on the current agenda of the hacktivist group.
4. An automated tool, such as SQLmap or Havij, is then used to grab the data out of the vulnerable website.
5. Data is disclosed via social networks, usually alongside a long public letter from the group naming and blaming whoever the campaign targets.

Trend #1:  Government Malware Goes Commercial

Trend #4:  APT Targets the Little Guy
We expect that, in 2013, attackers will also extend the practice commonly dubbed as APT to smaller businesses.

In 2012, we saw the continuing trend of smaller businesses being hit by cyber criminals. This is a direct outcome of the industrialization of hacking that successfully automated web application attacks. Attackers have learned to exploit and profit from compromised web applications—especially since automation can help uncover poorly protected, smaller companies.  Automation and poor protection will assist APT hackers target smaller organizations containing valuable information.

There are two key drivers that put smaller business at the risk of cyber attacks. First is the ability to automate web application attacks from start to end, compiling a list of potential targets, identifying vulnerability and completing the exploit. Second is the ability to profit from such exploits in some way – either directly monetizing data that was captured from the applications (especially PII and payment information) or indirectly by using them as platforms for attacks against consumers.

In the APT arena, attackers are already capable of launching massive, automated infection campaigns and one can assume their infection success rate is higher among users and devices in smaller organizations (that usually demonstrate lower security standards and awareness). Thus they already have a large foothold within small enterprise networks. In order to take advantage of this foothold, they need to evolve in two directions: automate the exploit process within the compromised network and find a way to monetize on the information.

As Mandiant indicated in a recent report, today internal network exploration and exploitation is mostly manual and thus attackers focus on a few larger targets. In order to scale these operations, botnet agents are going to become more sophisticated, allowing them to operate autonomously within compromised networks. Moreover, botnet agents will need to have autonomous mechanisms for filtering the data they send out; otherwise, storage and bandwidth are going to become an issue on the drop server side. We are already seeing botnet agents downloading and executing large software modules that perform local processing, in particular, file and data collection.  Therefore, we can safely assume that local document and data filtering capabilities are a natural evolution for such attack software.

The big question? How will attackers monetize their activities abusing smaller enterprises?  There are two potential directions:

• Financial fraud—In this case, the attackers will require technology for automatic extraction of information from unstructured sources.
• Information trading—Requires attackers to obtain technology for the automatic extraction of information from unstructured sources.

Given that both technologies are already being put to use in valid commercial applications and that most hacking is driven by well-funded criminal organizations, we believe that this is a natural evolution of attacks.

Trend #1:  Government Malware Goes Commercial

Trend #3:  Strength in Numbers
Cloud computing, and in particular, Internet as a service, or IAAS, has become an important piece of modern commercial IT. Amazon EC2, for example, allows versatility and elasticity for organizations (big and small), allowing them to sustain a direct correlation between their business activity volume and IT costs.  The same holds true for the hacking community.

In 2013, we expect to see a growing use of IAAS by attackers for different activities. There are a number of aspects that make cloud computing an appealing offering for attackers, and, especially those that are profit driven:

• Elasticity – the ability to quickly get hold of a lot of computing resources without too many prerequisites.
• Cost – the ability to closely tie up spending with specific attack campaign and the potential gain.
• Resilience – the use of commercial cloud-computing platforms reduces the ability of defenders to black-list attackers and adds much valued latency to the process of server takedown.

Over the past year we have seen a number of attack campaigns in which attackers were deploying attack servers in Amazon’s EC2 cloud. In particular, this practice is used with respect to fraud and business logic attacks whose network footprint is relatively low per server (and thus hard to detect as a network traffic anomaly). In addition, for DDoS attacks, such cloud offerings become very compelling. Using a stolen credit card number to pay for the cloud service, an attacker can mount a large scale attack from the cloud.  The attack can then be carried out for a long enough time period before a preventative action against the attacking servers can be taken.

Finally, expect to see more usage of on demand computing power as attackers obtain larger quantities of unstructured data and find themselves in a need of computing power in order to process their bounty.

Trend #1:  Government Malware Goes Commercial

Trend #2:  Black Clouds on the Horizon
The famous criminologist, James Q. Wilson, pioneered the concept of community policing and transformed law enforcement.  In this case, police partnered with citizens and business to identify issues that led to crime in order to reduce crime rates.  Mr. Wilson’s approach, however, applied to the physical world. 

The digital equivalent would encourage organizations to share attack data, and coordinate what they see from an attack standpoint.  Today, an attack on one company may seem random.  But taken in a broader context, having broader visibility takes the randomness out.  Why don’t security professionals do this?  Psychologists often assert that “The first step toward change is awareness.” We predict that in 2013 we will see that both business and government parties will be taking the second step of reducing the security deficit, not just by extending their individual defenses, but, more importantly, creating collaborative defenses by sharing individual protection data.  In other words, cyber hippies will form security communities.

Benefits of Collaboration
From the attacker point of view, launching a successful attack against an organization requires investment in infrastructure. The infrastructure may be physical, such as internet servers to host command and control servers and exfiltrated data, or logical, such as software hacking tools need to be developed, vulnerabilities that need to be researched, and stealth communication protocols to conceal the attacker’s true identity.

In order to get the most out of their initial investment in hacking infrastructure, attackers strive to reuse their attack infrastructure against as many targets as possible. When there’s no collaboration between defending parties, each new target has to react to the attack as if it’s new, while chances are that other targets have already experienced the same attack in the past.

A good example for such reuse, and the potential of using it for defense side benefit, was the discovery of the HTran protocol used by many APT hackers to disguise the location of their command and control servers. The sharing of protocol details helped Dell to uncover 60 different families of custom-targeted malware used to mount complex APT attacks.

Government involvement in Collaboration on 2013

We predict that in 2013, the private sector will actively seek security solutions to enable it to share attack data rapidly and to automatically enjoy the strength of community defense without hindering the privacy of the data.

But private sector will not be alone in that effort. Governments have also become aware to the damage cyber attacks inflict on the state’s economy and national security and acknowledged the potential of sharing attack data to fight it. The data can be shared between the government and the private sector and also amongst the different private sector parties themselves.

A recent report of the Bipartisan Policy Center states:

Improvements in information sharing between the federal government and private sector about cyber threats and vulnerabilities show great promise for improving our cyber defenses and potential response measures. Public-private cyber information sharing can bolster and speed identification and detection of threats and will be critical to a coordinated response to a cyber incident. This type of information sharing can and must be done in a manner that protects privacy and civil liberties.

We believe that we will see more regulations and laws to encourage the sharing of attack data on one hand and on the other hand lifting legal barriers concerning the privacy of data that may interrupt such sharing. Such obstacles are the current demand of certain regulations never to share certain type of data articles. We predict that this strict demand will be replaced with a more balanced attitude that allows the sharing of such data in a privacy preserving way, in order to provide better data protection.

Trend #1:  Government Malware Goes Commercial

What will happen in 2013?  Will our cyber security get better or worse?

First, the good news.  We think security will improve for larger, well-funded organizations.  In the same way James Q. Wilson introduced community policing, transforming law enforcement, we think a community approach—a sort of security commune—will improve security in the digital realm.  Sharing attack information will help remove seeming randomness of attacks. 

Second, the bad news:

1. As bigger firms get smarter, we think hackers will choose the path of least resistance—small companies.  To date, we’ve seen for-profit hackers pursue small organizations but rarely have we seen government-sponsored (APT) attackers go after the little guys.  We think that will change.  Small companies contain a lot of data and, in many cases, quality intellectual property.  They make for ripe targets.
2. Not surprisingly, we think hackers will continue to get more sophisticated.  In 2013, hackers will continue to refine cloud computing for attacks.
3. Traditional SQL injection attacks will continue—but we believe they will focus on content management systems (CMS).  Hackers go where the vulnerabilities are.  Today, CMS provides a rich target.
4. We think hackers will use a cloud-based model to become more efficient and effective. 

Overall, 2013 will also have many headlines reporting breaches.  We believe the path and methods, however, will look a bit different.

We expect two existing trends to take us through 2013:

• Technologies previously attributed to “state sponsored” attacks are going to become commercialized (or commoditized), further blurring the difference between Cyber Crime and Cyber War.
• Devices affected by modern malware (APT), representing a “compromised insider” threat, are going to become a more prominent risk factor than malicious insiders.  The 2012 Verizon Data Breach Investigations Report noted malware’s impact:  “69% of all data breaches incorporated Malware.” This represented a 20% increase over 2011.

Through 2011 and 2012, we have seen a variety of allegedly state sponsored malware operations described in the media among them “Gauss,” “Doqu” and “Flame.” Three notable aspects were discussed with respect to these operations:

1. The method of infection.
2. The complexity of the software and the robustness of the command and control network.

Throughout 2012, we have seen two of these three aspects appear in modern commercialized malware.

Infection Methods Gone Wild

In the second half of 2012 we closely tracked a number of botnets—which gives us a glimpse of future infection methods with next generation malware. Today, malware is usually delivered as a compressed archive about 50KB size and is the basis for a very robust and versatile compromise operation. We generally see that the initial infection package changes very frequently, even within the same distribution campaign to the point that antivirus (AV) products appear to have difficulty keeping up with detecting new strands of the same code. What will change?

1. A larger number of hosts containing more sophisticated malware.  Each campaign is also characterized by keeping a large number of compromised servers that host the infection package. The actual functional modules that are downloaded from time to time vary in size, are by no means the tiny, size-optimized, executable programs of previous generation malware. Some of the modules are larger than 1MB, and in some of the instances, we tracked the total code size that amounted to almost 10MB.  Modules keep evolving over time.  For some, we saw version numbers grow substantially over time.
2. The command and control structure (C&C) becomes larger and more robust. Today, basic malware comes equipped with a list of more than 10 IP addresses of available C&C servers. Recently, we have seen this number go up to 40.  Moreover, all C&C servers seem to share a common state with respect to the clients through some mechanism. The different modules downloaded from time to time provide functions such as sending spam, file pilfering, password grabbing, and attack against web servers. Each individual operation was able to last a few weeks before being shut down.

It seems that most operational capabilities that defined Flame and the like as “super malware” are in fact finding their way into these commercial malware operations. We expect the infection vector to remain the biggest differentiator between the commercial malware and the truly advanced persistent threat.

C&Cs Get a Major Upgrade

In a different incident, we tracked a botnet’s activity. This botnet is a classic banking malware typically seen in Latin America. The instance we tracked employed two versions of the malware agent using different methods to control the redirection of user traffic to the attacker-controlled server and two different types of C&C channels, thus giving the entire network an improved efficacy and redundancy.

This botnet operates by locally hijacking domain names of online banking applications and routing the traffic through an attacker-controlled server. It does that either by rewriting the “hosts” file or hooking into the domain name resolution service. It quickly became clear that the same technology can be used by the botnet operator to target enterprise systems rather than personal banking accounts. In particular, if the domains to be controlled (which are downloaded as a configuration file after first infection) are chosen to be cloud-based enterprise applications like SalesForce.com, NetSuite, SilkRoad, and the like, an attacker can gain access to corporate information stored at these systems and accessed by infected computers. Moreover, these cloud-based services may be accessed by mobile devices (in particular, laptops) from outside the enterprise perimeter, leaving no trace of the attack.

This is just one example that leads us to believe that next year we will see more enterprise data being affected by malware originally used for other malicious activities. This is going to be driven by the following:

• Existing commercial banking malware technologies can seamlessly be applied to the compromise of cloud enterprise data.
• Cloud enterprise data is mostly used by organizations with a large mobile work force, which, in time, is more susceptible to compromise.
• Attackers are always looking for new revenue streams based on existing technologies.

Attackers have always followed the path of least resistance.  Considering that antivirus has not been effective in preventing infections from modern malware, this trend should surprise no one.  Enterprises who fail to adopt a data or file-centric security approach will be caught with their pants down.  Investing in the right “ears and eyes” to monitor the access of servers, databases and files, to make the detection of such attacks easier.

Targeted APT and advanced malware attacks leverage social engineering techniques to compromise those individuals already on the inside. The objective of these attacks is clear: identify and compromise specific individuals within an organization to obtain high-value data.

Are your employees unknowing victims of advanced malware? How do advanced malware and targeted APT attacks bypass traditional security defenses like anti-virus software?

This November 14th webinar, presented by Imperva's Director of Security Strategy, Rob Rachwald, will:

• Discuss the rise in advanced malware and targeted APT attacks
• Highlight why anti-virus software is powerless against sophisticated attacks
• Provide mitigation strategies for the compromised organization

How great would the damage be to Apple’s current revenues and image if a competing company had manufactured a smartphone almost identical to the first iPhone and unveiled it before Apple did? By stealing the engineering drawings (blueprints) of a product one could have gained the knowledge needed to manufacture a similar product.

A recently discovered industrial espionage malware is designed to do just that--steal your company’s intellectual property by focusing specifically on computer-aided design (CAD) files.  These files store details like product dimensions, materials and product design and are used by engineers in many industries such as automotive, shipbuilding, aerospace and consumer electronics to name a few. Locating AutoCAD files and sending them via e-mail to designated accounts, the attacker stole over 100,000 CAD files from a company in Peru giving an idea of the extent of the attack. Every new design was sent automatically to the operator of this malware inflicting long term damages to the victim company. Written in an AutoCAD scripting language called AutoLISP, the malware comes to show that a compromised insider threat is a threat posed not only by military espionage malware like Duqu, Stuxnet or Flame but also by simple industrial espionage malware lacking any cryptography or software exploit expertise.

The infection method seemed to work as follows:

1. The attacker somehow replaced a clean AutoCAD template file on a web server with an infected file that everyone who participated in the project used. The target company and its partners which are involved in the project were all at risk.
2. Once the infected file was opened it would modify the startup file of AutoLISP by adding a Visual Basic script which is executed by an interpreter already integrated in Windows.
3. From that point on, each time AutoCAD is launched the malicious code will execute and data will be compromised. This means that drawings belonging to future projects are also compromised.
4. With the possible intentions to beat competition or to facilitate with selling the future copied product, the malware also sends its operators stolen business information by locating Outlook .pst files containing contacts, calendar and emails.

What are the lessons?  Once again, antivirus and network firewalls didn't work.  How can you protect yourself from this type of attack?  Secure the servers that store the information.  Keeping malware out is a losing game.

For more on file security, you can read our blog post here.

Research attributes nearly half of a typical website's traffic to automated bots. This puts the odds of falling victim to a cyber attack at 100%. With the press of one key, an unskilled, inexperienced hacker can attack hundreds of applications within minutes.

Automation tools, such as SQLMap and Havij, open new avenues for amateur and professional hackers to evade security defenses. How will your team prepare for, and stop, malicious, automated site traffic and defend against zero-day attacks?

This June 20th live webinar will:

• Highlight observed trends in the automation of SQLi and RFI attacks
• Reveal the warning signs of an automated attack
• Suggest identification methods and proven countermeasures to stop attacks

Register for Webinar

Download Report (below)

Did you know 70% of employees plan to take sensitive business data with them when they leave their job? Further, did you know over 50% feel they have rights to this data? If you think your organization has avoided the insider threat, you may need to look deeper.

Pinpointing the source and scope of data theft is often hard to quantify, especially since your largest internal threat may actually be one of your most loyal employees. This webinar presents findings from the first-ever global insider threat study that catalogs common practices used by leading organizations across numerous verticals.

This presentation will:

• Define the insider threat
• Quantify the prevalence of the problem
• Uncover controls that have proven most effective at minimizing the risk of insider threats

Tomorrow is a significant day in the history of the French language.  AFNIC, a French organization that manages domain names, will authorize .FR, .RE, .PM, .YT, .WF, and .TF domain owners to register the accented form of their domain that currently don't contain accents. The additional characters will include:

What will be the impact, if any, to hacking?  Script kiddies will need a French keyboard--they can’t touch touché.fr.