Emerging Threats
จตุพร พึ่งเสือ, system engineer, Emerging Threats
[email protected]

Global Threat Security update version 1.0

Agenda

• What and Where are Threats
• Threat Trends
• Year in Review
• Conclusion
• Who we are / How Cisco can help

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public. BRKSEC 2001

What and Where are Threats

What? Where? Why?

What is a Threat? An indication or warning of probable trouble.

Where are Threats? Everywhere you can, and more importantly, cannot think of.

Why are there Threats?
• The almighty dollar (or euro): the underground cybercrime industry is a growth industry
• Political and nationalistic motivations

Examples of Threats

• Targeted Hacking
• Vulnerability Exploitation
• Malware Outbreaks
• Economic Espionage
• Intellectual Property Theft or Loss
• Network Access Abuse
• Theft of IT Resources
• Denial of Service

Areas of Opportunity

(Diagram: the layers of the stack, with an arrow labelled "Moving up the stack" running from the bottom layer to the top.)
• Users
• Applications
• Network Services
• Operating Systems

Operational Evolution of Threats

Threat evolution runs from Emerging Threat, through Unresolved Threat, to Nuisance Threat. Each row below reads left to right along that axis.

Policy and Process Definition: Reactive Process → Socialized Process → Formalized Process
Mitigation / Technology Evolution: Manual Process → Human "In the Loop" → Automated Response
End User Awareness: No End User Knowledge → Know Enough to Call ("Help-Desk" Aware) → Increasingly Self-Reliant

(Axis labels in the diagram: Reaction, Operational Burden, Support Burden.)

Emerging and unresolved threats: "new", unknown, or problems we haven't solved yet.
Nuisance threats: largest volume of problems; focus of most of day-to-day security operations.

Threat Trends

Trends

• Evolution of intent
• The cybercrime industry
• Botnets
• Blended attacks / Next Generation Spam
• Phishing
• Port 80
• Web 2.0 abuse

Evolution of Intent

Timeline, 2003 to 2010: intent shifts from notoriety and fame to money. Examples along the timeline (the chart marks some of them as major media events):
• SQL Slammer
• Netsky, Bagle, MyDoom
• Zotob
• Conficker, ZeuS, Koobface

Cybercrime Industry: In the Past

Writers → Asset → End Value

Writers:
• Tool and Toolkit Writers
• Malware Writers (Worms, Viruses, Trojans)

Asset:
• Compromise Individual Host or Application
• Compromise Environment

End Value:
• Fame
• Theft
• Espionage (Corporate / Government)

Cybercrime Industry: Today

$$$ Flow of Money $$$ (left to right): Writers → First Stage Abusers → Middle Men → Second Stage Abusers → End Value

Writers:
• Tool and Toolkit Writers
• Malware Writers (Worms, Viruses, Trojans)

First Stage Abusers:
• Hacker / Direct Attack
• Machine Harvesting
• Spyware Information Harvesting
• Internal Theft: Abuse of Privilege

Middle Men:
• Compromised Host and Application
• Bot-Net Creation
• Bot-Net Management: For Rent, for Lease, for Sale
• Personal Information
• Information Brokerage
• Electronic IP Leakage

Second Stage Abusers:
• Extortionist / DDoS-for-Hire
• Spammers / Affiliates
• Phishers
• Pharmer / DNS Poisoning
• Identity Theft

End Value:
• Fame
• Theft
• Espionage (Corporate / Government)
• Extorted Pay-Offs
• Commercial Sales
• Fraudulent Sales
• Click-Through Revenue
• Financial Fraud

"Noise" Level

(Chart: noise level versus time, 2000 to 2008, with curves for Large Scale Worms, Public Awareness and Targeted Attacks.)

Cyber Crime Profit Level

(Chart: illicit dollars gained versus time, 2000 to 2008, with curves for Targeted Attacks and Large Scale Worms.)

Source: ICR 2001, 2007

Botnets

Botnet: A collection of compromised machines running programs under a common command and control infrastructure.

Building the botnet: many, many malcode vectors.

Controlling the botnet: a covert channel of some form; typically IRC or a custom IRC-like channel.
• Historically have used free DNS hosting services to point bots to the IRC server
• Recent attempts to sever the command infrastructure of botnets have resulted in more sophisticated control systems
• Control services increasingly placed on compromised high-speed machines
• Redundant systems and blind connects are implemented for resilience (fast-flux)

Do you know if bots are loose on your network? See Infiltrating a Botnet: http://www.cisco.com/web/about/security/intelligence/bots.html

Source: www.wikipedia.com
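The fast-flux point above (short TTLs, rotating A records, hosts spread across many networks) is something a resolver operator can check for in passive DNS data. The Python below is an added example, not code from the Cisco deck: the observations are constructed, and the TTL, distinct-IP and distinct-/16 thresholds are assumed values chosen for illustration.

```python
"""Heuristic fast-flux scoring over passive-DNS style observations.

Added example, not Cisco's code. The observations are constructed and the
thresholds are assumptions chosen to illustrate the three indicators the
slide lists: short TTLs, many rotating hosts, and hosts spread across networks.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: (queried name, TTL in seconds, A records returned), as a
# resolver would log them across repeated lookups over an hour.
OBSERVATIONS = [
    ("cdn.example-static.test", 3600, ["203.0.113.10", "203.0.113.11"]),
    ("cdn.example-static.test", 3600, ["203.0.113.10", "203.0.113.11"]),
    ("cdn.example-static.test", 3600, ["203.0.113.11", "203.0.113.10"]),
    ("login-update.flux.test", 180, ["198.51.100.7", "192.0.2.45", "203.0.113.200"]),
    ("login-update.flux.test", 180, ["192.0.2.88", "198.51.100.9", "203.0.113.201"]),
    ("login-update.flux.test", 120, ["192.0.2.3", "198.51.100.44", "203.0.113.77"]),
]

# Heuristic thresholds (assumptions for this example).
MAX_FLUX_TTL = 300          # flux domains keep TTLs short so bots rotate quickly
MIN_DISTINCT_IPS = 6        # many distinct hosts seen across repeated answers
MIN_DISTINCT_PREFIXES = 3   # spread over several networks (compromised consumer hosts)


def coarse_prefix(literal):
    """Network key for an address literal: /16 for IPv4, /32 for IPv6."""
    addr = ip_address(literal)  # validates the literal, raises on garbage
    plen = 16 if addr.version == 4 else 32
    return str(ip_network((str(addr), plen), strict=False))


def summarize(observations):
    """Per name: lookups, minimum TTL, distinct IPs and distinct coarse prefixes."""
    stats = defaultdict(lambda: {"lookups": 0, "min_ttl": None, "ips": set(), "prefixes": set()})
    for name, ttl, answers in observations:
        s = stats[name]
        s["lookups"] += 1
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        for literal in answers:
            s["ips"].add(str(ip_address(literal)))
            s["prefixes"].add(coarse_prefix(literal))
    return dict(stats)


def is_fast_flux(s):
    """All three indicators must be present at once; any one alone is normal for a CDN."""
    return (s["min_ttl"] is not None and s["min_ttl"] <= MAX_FLUX_TTL
            and len(s["ips"]) >= MIN_DISTINCT_IPS
            and len(s["prefixes"]) >= MIN_DISTINCT_PREFIXES)


def flagged_names(observations):
    """Sorted names whose answer pattern matches the heuristic."""
    return sorted(name for name, s in summarize(observations).items() if is_fast_flux(s))


if __name__ == "__main__":
    for name, s in summarize(OBSERVATIONS).items():
        verdict = "FAST-FLUX?" if is_fast_flux(s) else "ok"
        print(f"{name}: min_ttl={s['min_ttl']} ips={len(s['ips'])} "
              f"prefixes={len(s['prefixes'])} -> {verdict}")
```

Requiring all three indicators together is what keeps a legitimate CDN (short TTL, but few addresses in one network) out of the flagged set; a single indicator is a prompt to look closer, not a verdict.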

Next Generation Spam

• Growing in sophistication: targeted, blending email and web
• New vectors include SMS vishing and IM spam (SPIM)
• Extensive use of social engineering
• 3rd generation spam doesn't embed malcode or links (please open service ports into your network)
• 50% of users still open spam or click links

Phishing and Its Variants

• Traditional phishing still in use
• Spear-phishing: targeted phishing attempts aimed at specific job roles (e.g. IT admins) or specific companies
• Whaling: phishing attempts specifically targeting a high value target (C-level execs)

Port 80—The New Internet

(Chart: traffic volume versus number of sites, showing a big head and a long tail.)

Big head: 50% of traffic is "easy to classify": predictable traffic, recognized domains.
Long tail: 50% of traffic is "hard to classify": 110M sites, growing 40% annually; a mixture of legitimate sites, spyware and malware.

Malware Threat Distribution

(Chart: malware infections over time, by email vector and web vector.)

Malware infection vectors are shifting from email to web.

Web 2.0 Abuse

• Commercial tools for account creation, posting, CAPTCHA*, IP rotation are readily available
• Targets popular sites and blogs including Gmail, Yahoo!, Twitter, Facebook and Craigslist
• Enables abuse of many services including webmail account creation for spamming

*Completely Automated Public Turing test to tell Computers and Humans Apart.

What Does This Mean?

• Threats and criminals are faster, smarter & more covert
• Criminals have more vulnerabilities to exploit
• Criminals are evolving their techniques; users must stay current

Year in Review

Cisco Cybercrime ROI Matrix

(Figure: Cisco Cybercrime ROI Matrix.)

Cybercrime Product of the Year!

Fake AV is 15% of all malware.

(Screenshot of a fake antivirus alert: "Antivirus XP has found 2794 threats. It is recommended to proceed with removal")

Criminal SaaS Offerings Expand

Service dedicated to checking if a malware executable is detectable by AV engines (screenshot).

Cisco Cybercrime Showcase Winner: Most Audacious Criminal Operation

ZeuS

ZeuS: Banking Trojan prime example

"$10 million lost in one 24-hour period."

"…[C]riminals have used the Internet to steal more than $100 million from U.S. banks so far this year and they did it without ever having to draw a gun or pass a note to a teller…I've seen attacks where there's been $10 million lost in one 24-hour period."
- Sean Henry, an assistant director of the FBI in charge of the bureau's cyber division.

Automation of Targeted & Blended Attacks

(Figure.)

Why ZeuS?

(Figure.)

What Happened in Kentucky?

• County treasurer had ZeuS malware on his PC
• Criminals stole credentials and logged in to bank accounts from treasurer's PC
• Reconnaissance used to plan theft
• Mule recruitment via Careerbuilder.com
• Created mules as fictitious employees
• Mules receive $9700 and sent $8700 to Ukraine via Western Union
• Transactions were wire transfers <$10,000
• Total of $415k stolen

Screen Injection

(Screenshots: your browser NOT on ZeuS; your browser on ZeuS.)

Courtesy Silver Tail Systems

ZeuS Statistics

• 1329 C&C servers tracked by ZeuS Tracker
• Estimate of 1.6M bots in ZeuS botnets
• 960 estimated financial targets (85%)
• Top 5 US banks EACH targeted by over 500 ZeuS botnets - Cisco
• 88% of Fortune 500 companies had data stolen by ZeuS - RSA
• Smaller companies appear more impacted

Source: ZeuS Tracker - https://zeustracker.abuse.ch/

The Banking Trojans/Botnets

"FBI: Cyber Crooks Stole $40M From U.S. Small, Mid-Sized Firms"

"There may have been a handful of cases of this specific type of crime before 2009, but attacks like this and in this volume really only picked up toward the end of last year,"

ZeuS, Ilomo (Clampi), URLzone:
- Compromise account credentials with trojans
- Transfer small <$10,000 increments
- Use 'money mules' to transfer funds
- Deposit in overseas accounts
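The transfer pattern described in the Kentucky case and in the list above (credentials stolen by a trojan, then several wires kept under $10,000 to freshly recruited mules) is what a bank's own monitoring can look for. The Python below is an added example, not from the deck or any bank's fraud system; the ledger is constructed, and the $8,000 floor, two-day window and three-payee minimum are assumptions.

```python
"""Flag the wire-transfer pattern of the mule scheme: several transfers just
under the $10,000 reporting line to never-before-seen payees in a short window.

Added example, not from the deck or any bank's fraud system. The ledger is
constructed; the $8,000 floor, two-day window and three-payee minimum are
assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REPORTING_THRESHOLD = 10_000.0   # the slides: transfers kept < $10,000
NEAR_FLOOR = 8_000.0             # assumption: "just under" means at least this much
WINDOW = timedelta(days=2)       # assumption
MIN_PAYEES = 3                   # assumption: distinct new payees inside the window

# Constructed ledger: (account, timestamp, amount, payee, payee_is_new).
# The first account mirrors the Kentucky case: a burst of ~$9,700 wires to
# freshly added "employees"; the second is a normal vendor paid twice.
TRANSACTIONS = [
    ("county-treasury", "2009-06-22 09:14", 9700.00, "new-hire-A", True),
    ("county-treasury", "2009-06-22 09:31", 9650.00, "new-hire-B", True),
    ("county-treasury", "2009-06-22 10:02", 9700.00, "new-hire-C", True),
    ("county-treasury", "2009-06-23 08:45", 9800.00, "new-hire-D", True),
    ("county-treasury", "2009-06-23 11:10", 42000.00, "state-pension-fund", False),
    ("payroll-ops", "2009-06-22 09:00", 9900.00, "acme-supplies", False),
    ("payroll-ops", "2009-06-22 17:00", 9900.00, "acme-supplies", False),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def near_threshold(amount):
    """Amounts chosen to stay below the reporting line."""
    return NEAR_FLOOR <= amount < REPORTING_THRESHOLD


def find_structuring(transactions):
    """Return {account: [(time, amount, payee), ...]} for each account that,
    within WINDOW, wires near-threshold amounts to MIN_PAYEES or more
    distinct payees it has never paid before."""
    candidates = defaultdict(list)
    for acct, ts, amount, payee, is_new in transactions:
        if near_threshold(amount) and is_new:
            candidates[acct].append((parse_ts(ts), amount, payee))
    hits = {}
    for acct, xfers in candidates.items():
        xfers.sort()
        for i, first in enumerate(xfers):   # sliding window anchored on each transfer
            window = [x for x in xfers[i:] if x[0] - first[0] <= WINDOW]
            if len({x[2] for x in window}) >= MIN_PAYEES:
                hits[acct] = window
                break
    return hits


def exposure(hits):
    """Total dollars inside each flagged window, for prioritising review."""
    return {acct: round(sum(x[1] for x in w), 2) for acct, w in hits.items()}


if __name__ == "__main__":
    for acct, total in exposure(find_structuring(TRANSACTIONS)).items():
        print(f"{acct}: structuring pattern, ${total:,.2f} at risk")
```

The new-payee flag is what separates the scheme from a legitimate vendor paid in round amounts below the threshold; a payroll account paying the same supplier twice is not flagged even though the amounts qualify.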

Web Reputation Hijacking: Legitimate Websites, Invisible Threats

• User has no visible indication of hidden code
• Hacked multiple times with exploit code

Employees Engage in Risky Behavior

• Unauthorized Application Use: 70% of IT say the use of unauthorized programs results in as many as half of data loss incidents.
• Misuse of Corporate Computers: 44% of employees share work devices with others without supervision.
• Unauthorized Access: 39% of IT said they have dealt with an employee accessing unauthorized parts of a company's network or facility.
• Remote Worker Security: 46% of employees transfer files between work and personal computers.
• Misuse of Passwords: 18% of employees share passwords with co-workers. That rate jumps to 25 percent in China, India, and Italy.

Social Networking: Opportunity and Vulnerability

• Business and network expansion
• Privacy, identity, IP protection
• The criminals are already there: Koobface spam invites, security warnings, tinyurls, transient trust, anonymized data reconstruction
• Social sites promote trust; Single Sign-on exploited to send malware
• Policy and user awareness

Social Networking Exploits

• Most important communications tool of the decade. Builds on email, IM.
• Big crowds = big targets. Facebook hit 400M+ users in 2010
• …and criminals have automated how to best penetrate the networks we trust

Social Networking Single Sign-on Exploited

• 4,000+ accounts compromised
• Advertising also sold via phishing pages

Source: eSoft and lastwatchdog.com

Web Browser Vulnerabilities

• Browser vulns 8% of 3,100 total web application vulns
• Safari vulns mostly due to iPhone browser

Source: Cenzic Web Application Security Trends Report – Q1-Q2, 2009, Cenzic Inc

Malicious PDF Files

• Malicious PDF files comprised 80% of online exploits in Q4 2009, up from 56% in Q1 2009
• PoC PDF file executes embedded executable without exploiting a security vulnerability
• Ubiquity of Adobe Reader
• PDF perceived as a trusted file format
• Increase in vulnerabilities reported in Adobe products
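A defender's first triage of a PDF is to look for the features that let it run code without any memory-safety bug, which is the PoC case above: a Launch action or script wired to the document's open action, plus an embedded file. The scanner below is an added example, not code from the deck; the name objects it searches for (/Launch, /JavaScript, /JS, /OpenAction, /AA, /EmbeddedFile, /RichMedia) come from the PDF specification, the #xx de-escaping handles the common obfuscation of name objects, and the two sample files are constructed minimal byte strings that carry no payload.

```python
"""Triage a PDF for features that let a document run code without a memory bug.

Added example, not from the deck. Name objects are taken from the PDF
specification; sample files are constructed minimal byte strings, not malware.
"""
import re

# Features of interest: name object -> what it enables (defender's view).
SUSPICIOUS_NAMES = {
    "/Launch": "run an external program or an embedded file",
    "/JavaScript": "embedded script",
    "/JS": "embedded script (short key)",
    "/OpenAction": "action fires when the document opens",
    "/AA": "additional (automatic) actions",
    "/EmbeddedFile": "file attachment carried inside the PDF",
    "/RichMedia": "Flash / rich media content",
}


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in name objects (/La#75nch -> /Launch), a common
    evasion against naive string matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious name objects; returns {name: count} for names present."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF header")
    text = normalize_names(data)
    found = {}
    for name in SUSPICIOUS_NAMES:
        # A name token ends at whitespace or a delimiter, so /JS must not match
        # /JSX and /EmbeddedFile must not match the /EmbeddedFiles name tree.
        pattern = re.escape(name.encode()) + rb"(?=[\s/\[\]<>(){}%]|$)"
        n = len(re.findall(pattern, text))
        if n:
            found[name] = n
    return found


def risk_score(found: dict) -> int:
    """Crude score: an open action combined with Launch or script means code runs on open."""
    score = sum(found.values())
    if "/OpenAction" in found and any(k in found for k in ("/Launch", "/JavaScript", "/JS")):
        score += 10
    return score


# Constructed benign document: catalog and an empty page tree.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n%%EOF\n")

# Constructed document with the shape of the PoC: an embedded (empty) file and a
# hex-escaped Launch action set as the open action. No payload is present.
LAUNCH_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R "
              b"/Names << /EmbeddedFiles << /Names [(payload) 4 0 R] >> >> >>\nendobj\n"
              b"3 0 obj\n<< /Type /Action /S /La#75nch /F (payload) >>\nendobj\n"
              b"4 0 obj\n<< /Type /Filespec /F (payload) /EF << /F 5 0 R >> >>\nendobj\n"
              b"5 0 obj\n<< /Type /EmbeddedFile /Length 0 >>\nstream\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("launch-poc", LAUNCH_PDF)):
        found = scan_pdf(doc)
        print(f"{label}: {found} score={risk_score(found)}")
```

This is the same idea as a quick pdfid-style pass: it does not parse object streams or decompress content, so a feature hidden inside a compressed object stream is missed, which is why a hit of zero is only a first cut and a score above the Launch/OpenAction bonus deserves a sandbox.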

Major Vulnerability Discovered in DNS

• July 2008, Dan Kaminsky announced a fundamental flaw in how DNS operates.
• Massive source port randomization multivendor patch released.
• The flaw allowed an attacker to poison DNS records of any domain in a matter of seconds.
• This could lead to major DNS poisoning attacks – no need to "trick the user".
• DNSSEC solution – more later
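The reason the multivendor patch randomizes source ports: a forged answer must match the query's 16-bit transaction ID and the UDP port the resolver used, so a fixed or predictable port leaves only 16 bits to guess. The check below is an added example, not from the deck; it takes (TXID, source port) pairs as a capture of a resolver's outbound queries would supply them (three constructed sample sets here), classifies the port behaviour, and shows how the guess space changes. The 64512-port range is an assumption of the example.

```python
"""Does a resolver randomize source ports (and TXIDs) on outbound queries?

Added example, not from the deck. The (TXID, source port) samples are
constructed; a real check would take them from a capture of the resolver's
outbound UDP/53 queries. The 64512-port range (1024-65535) is an assumption.
"""
import math
from collections import Counter

# Constructed samples of (transaction id, UDP source port), 200 queries each.
FIXED_PORT = [((0x1A2B + i) % 65536, 53) for i in range(200)]              # old behaviour
SEQUENTIAL_PORT = [((0x4000 + 37 * i) % 65536, 32768 + i) for i in range(200)]
RANDOMIZED = [((1103515245 * i + 12345) % 65536,                           # patched behaviour
               1024 + (22695477 * i + 1) % 64512) for i in range(200)]

USABLE_PORTS = 64512   # assumption: resolver draws from 1024-65535


def entropy_bits(values):
    """Shannon entropy of the observed distribution. Bounded by log2(samples),
    so with 200 samples even a perfect RNG shows about 7.6 bits; the point is
    to separate 0 (fixed) from near-maximal."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_sequential(values):
    """True when successive values differ by one constant step (e.g. +1).
    Entropy alone cannot catch this: 200 distinct sequential ports look
    'random' to a histogram but are trivially predictable."""
    if len(values) < 3:
        return False
    step = values[1] - values[0]
    return all(b - a == step for a, b in zip(values, values[1:]))


def guess_space_bits(port_mode):
    """Bits a forged answer must match: the 16-bit TXID, plus the port only
    when the port is unpredictable."""
    return 16 + (math.log2(USABLE_PORTS) if port_mode == "randomized" else 0)


def spoof_success_probability(bits, forged_replies):
    """Chance that at least one of N forged replies hits, for a 2**bits guess space."""
    return 1 - (1 - 2.0 ** -bits) ** forged_replies


def assess(queries):
    """Classify port behaviour and report what an attacker would have to guess."""
    txids = [t for t, _ in queries]
    ports = [p for _, p in queries]
    if len(set(ports)) == 1:
        port_mode = "fixed"
    elif is_sequential(ports):
        port_mode = "sequential"
    else:
        port_mode = "randomized"
    bits = guess_space_bits(port_mode)
    return {
        "port_mode": port_mode,
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "txid_sequential": is_sequential(txids),
        "guess_space_bits": round(bits, 1),
        # probability that 65536 forged replies within one response window win
        "p_win_64k_forgeries": round(spoof_success_probability(bits, 65536), 4),
    }


if __name__ == "__main__":
    for label, sample in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL_PORT), ("randomized", RANDOMIZED)):
        print(label, assess(sample))
```

With a fixed port, 65536 forged replies win about 63% of the time; with a randomized port the same effort wins with probability on the order of 10⁻⁵, which is the whole effect of the patch. A sequential TXID beside a randomized port is still worth reporting, since it hands back half of the entropy.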

Uptick in DDoS Attacks

• Sourced from botnets: think DDoS as a Service (DDaaS)
• Diverse targets, disrupting service to millions of customers: cloud computing provider, web hosting provider, security provider, DNS registrar, telecom provider
• Targeting DNS to amplify attacks
• 40 Gbps seen
• Not extortion attempts
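Amplification through DNS shows up in flow data as a lopsided byte ratio: small queries toward port 53 attributed to one address, very large answers flowing back to it. The Python below is an added example, not from the deck; the NetFlow-style records are constructed (an ordinary client beside a spoofed victim address hitting two open resolvers, as seen from the resolvers' network) and the ratio and volume thresholds are assumptions.

```python
"""Spot DNS amplification in flow records by the response/query byte ratio.

Added example, not from the deck. Flow records are constructed NetFlow-like
tuples; the ratio and volume thresholds are assumptions.
"""
from collections import defaultdict

# Constructed flows: (src_ip, src_port, dst_ip, dst_port, bytes, packets), UDP,
# one record per direction.
FLOWS = [
    # Normal client: small queries, modest answers.
    ("192.0.2.10", 40001, "203.0.113.53", 53, 70, 1),
    ("203.0.113.53", 53, "192.0.2.10", 40001, 180, 1),
    # Queries carrying the victim 198.51.100.5 as (spoofed) source; two open
    # resolvers return large answers to it.
    ("198.51.100.5", 53000, "203.0.113.53", 53, 64 * 500, 500),
    ("203.0.113.53", 53, "198.51.100.5", 53000, 3200 * 500, 500),
    ("198.51.100.5", 53001, "203.0.113.99", 53, 64 * 400, 400),
    ("203.0.113.99", 53, "198.51.100.5", 53001, 3500 * 400, 400),
]

AMPLIFICATION_RATIO = 10       # assumption: response bytes per query byte
MIN_RESPONSE_BYTES = 1_000_000  # assumption: ignore tiny pairs that happen to have a high ratio


def pair_ratios(flows):
    """Per (client, resolver): (response bytes / query bytes, response bytes)."""
    sent = defaultdict(int)
    received = defaultdict(int)
    for src, sport, dst, dport, nbytes, _ in flows:
        if dport == 53:
            sent[(src, dst)] += nbytes          # query direction
        elif sport == 53:
            received[(dst, src)] += nbytes      # response direction, keyed the same way
    ratios = {}
    for key, rx in received.items():
        tx = sent.get(key, 0)
        ratios[key] = (rx / tx if tx else float("inf"), rx)   # inf: answers with no queries seen
    return ratios


def victims(flows):
    """Addresses receiving amplified DNS traffic: {address: (total bytes, peak ratio)}."""
    totals = defaultdict(lambda: [0, 0.0])
    for (client, _resolver), (ratio, rx) in pair_ratios(flows).items():
        if ratio >= AMPLIFICATION_RATIO:
            totals[client][0] += rx
            totals[client][1] = max(totals[client][1], ratio)
    return {c: (b, r) for c, (b, r) in totals.items() if b >= MIN_RESPONSE_BYTES}


if __name__ == "__main__":
    for addr, (total, peak) in victims(FLOWS).items():
        print(f"{addr}: {total} response bytes, peak amplification x{peak:.1f}")
```

From the resolver operator's side the same numbers say something different: a high ratio toward an address that never asked is the signature of an open resolver being abused, and response rate limiting on that resolver is the fix.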

Exploiting Cisco Routers

• January 2009, security researcher "FX" presented a paper on efforts to exploit Cisco routers with minimal knowledge about the router itself
• Previously, detailed knowledge about image version and configuration was needed
• Andy Davis's IODIDE custom debugger for IOS
• All require an enabling vulnerability

Cisco Routers

• In the past, people didn't worry about Cisco vulnerabilities as they hadn't been shown to be exploitable
• FX's work takes exploiting Cisco routers one step closer
• Now is the time to take updating IOS seriously (if you don't already)
• Cisco IOS Image Verification: http://cisco.com/web/about/security/intelligence/iosimage.html

Intellectual Property Leakage

Marine One classified data found on computer in Iran
• Avionics info and radar and missile defense schematics
• P2P blamed

UK Ministry of Defence reported 347 losses of protected information in 2009
• Increased awareness of need to report losses
• Better data management and auditing of data and media
• Secret info leaked 16 times over 18 months via social networking

3,000 Health Care related files, including personally identifying info on 1,000's of patients, shared on P2P networks

Conclusions

• Attackers are always modifying their methods
• Users are the main focus of attacks
• Attackers follow the money
• Major systems (DNS, Internet PKI) have flaws; nothing is perfect
• Blended attacks are numerous and evolving

Recommendations

• User education and security awareness training are critical
• Keep an eye on "old problems" while being vigilant about new risks
• Never underestimate the insider threat
• Develop strong (and realistic) policies for protecting sensitive data
• Security must move at the speed of crime
