6

The importance of orchestrated “cloud” security

Created on Feb 20 2015, 9:56 AM by Dion Alken

The importance of orchestrated “cloud” security

In today’s digital world, the area of security and safety has become paramount. Cybercrimes are on the rise and are becoming more sophisticated. We could be experiencing “a new era in cybercrime”.

In 2015 we already had some interesting cases:

This week it was revealed that the Carbanak malware used by the cyber-criminals proved to be very successful in helping the attackers steal around $1 billion. Researchers are worried about the increasing sophistication of attacks.

Despite increased awareness of cybercrime within the financial services sector, it appears that spear phishing attacks (http://ie.norton.com/spear-phishing-scam-not-sport/article) and the old exploits (for which patches have been disseminated) remain effective against larger companies. Attackers always use this minimal effort approach in order to bypass a victim ́s defences

Researchers said: “the most highly sophisticated criminal attack we have ever seen.”  “It’s like an arms race. Security companies develop better protection and criminals develop better malware to bypass it,”

While early versions of Carbanak (https://www-secure.symantec.com/connect/app#!/blogs/carbanak-multi-million-dollar-cybercrime-gang-focuses-banks-rather-their-customers)  were based partially on code from Carberp (https://www-secure.symantec.com/connect/app#!/blogs/new-carberp-variant-heads-down-under),  the latest versions do not appear to use any Carberp source code. In 2013 Russian authorities claimed to have captured the mastermind behind the Carberp banking Trojan and other members of this criminal gang.

The cybercrime ring, led by a 28-year old Russian national, allegedly had been in operation since 2009 and has stolen approximately $250 million from Ukrainian and Russian banks, according to an April 2013 report from Kommersant Ukraine, a national publication.

In March 2012, authorities arrested and broke up a gang that used Carberp to steal $2 million from over 90 individual bank accounts. That cybercrime gang used the malware and was not responsible for developing the Trojan. The black-market price for the malware was between $5,000 and $50,000.

Then there are new developments in enterprise level threats with a “cyber-warfare” character.

The designers of Stuxnet (http://virus.wikidot.com/stuxnet) have further developed new malware that can enter into the firmware of hardware and is able to effect the heart of the computer – The Bios-code (http://en.wikipedia.org/wiki/BIOS). The Equation group is a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. The Equation group uses multiple malware platforms, some of which surpass the well-known “Regin” (https://www-secure.symantec.com/connect/app#!/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance)  threat in complexity and sophistication. The Equation group (http://en.wikipedia.org/wiki/Equation_Group) is probably one of the most sophisticated cyber-attack groups in the world; and they are the most advanced threat actor we have seen.

So far, we’ve identified several malware platforms used exclusively by the Equation group. They are: • EQUATIONDRUG – A very complex attack platform used by the group on its victims. It supports a module plugin system, which can be dynamically uploaded and unloaded by the attackers.

• DOUBLEFANTASY – A validator-style Trojan, designed to confirm the target is the intended one. If the target is confirmed, they get upgraded to a more sophisticated platform such as EQUATIONDRUG or GRAYFISH.

• EQUESTRE – Same as EQUATIONDRUG.

• TRIPLEFANTASY – Full-featured backdoor sometimes used in tandem with GRAYFISH. Looks like an upgrade of DOUBLEFANTASY, and is possibly a more recent validator-style plugin.

• GRAYFISH – The most sophisticated attack platform from the EQUATION group. It resides completely in the registry, relying on a boot kit to gain execution at OS start-up.

• FANNY – A computer worm created in 2008 and used to gather information about targets in the Middle East and Asia. Some victims appear to have been upgraded first to DoubleFantasy, and then to the EQUATIONDRUG system. Fanny used exploits for two zero-day vulnerabilities which were later discovered with Stuxnet.

• EQUATIONLASER – An early implant from the EQUATION group, used around 2001-2004. Compatible with Windows 95/98, and created sometime between DOUBLEFANTASY and EQUATIONDRUG.

So are there more threats? Yes.

Are VPNs and VoIP sessions also targeted at an industrial scale? Yes.

In 2014 it was revealed that malware on systems is spreading automatically via social networks like for example fake Facebook servers, as to infect millions of computers. Electronic infiltration methods for industrial-scale exploitation have therefore aggressively scaled.

Large arsenals of imaginatively named malware, to remotely control computers and to capture data from them, as well as to interrupt their operation are now revealed.

For example:

UNITEDRAKE is modular malware that can take complete control of infected computers.

CAPTIVATEDAUDIENCE hijacks computer microphones and records conversations.

FOGGYBOTTOM snatches web browser history files, and login details for sites and email accounts.

GUMFISH controls webcams and takes photographs.

SALVAGERABBIT can capture data from external drives.

GROK is a key logger.

QUANTUMSKY blocks access to specific websites.

QUANTUMCOPPER corrupts targets' file downloads.

By using malware deployed in network routers. Access can be gained to data passing through virtual private networks. The HAMMERSTEIN man in the middle malware appears to attack the Internet Key Exchange (IKE) phase used to set up secure VPN sessions, and attempts decryption of content.

In a similar manner, the HAMMERCHANT router implant can compromise Voice over Internet Protocol communications, capturing Session Initiation Protocol (SIP/H.323) signalling used to set up calls as well the Real Time Protocol (RTP) data streams for the content.
Vulnerabilities in web browsers, the Oracle Java and Adobe Flash frameworks, and router software are used to infect devices. The "man in the middle" (MITM) technique, whereby software is secretly placed on networks between computers communicating with each other is a favourite technique of hackers. MITM allows multiple devices to be targeted and also makes it easier to capture the data they transmit.

 

What can we do as consumers, businesses and governments?

Firstly we need to understand that communication between sender and receiver has always been vulnerable.

We cannot rely on an encryption or antivirus alone. As an IT manager, it is interesting to know that more than half a billion (552 million) identities were exposed in 2013 as a result of data breaches. As malware designers are developing technologies on more vulnerability then we ever had. Users, Companies and Governments need to expect that their information is treasure booty for targeted and automated attacks.

Symantec can help with the complete security and information management orchestration incorporating up to date cloud security solutions http://www.symantec.com/products-solutions/solutions/detail.jsp?parent=cloud&child=build_cloud.

Depending on your needs our team will be able to orchestrate the optimal solution for you.

Progress in malware can be countered by the latest security research and advances in security and compliance for devices and websites.

Let our Symantec help you build your castle!

  • Security Risks
  • Endpoint Encryption
  • Malicious Code
  • DigiCert Code Signing
  • Emerging Threats
  • Evolution of Security
  • Vulnerabilities & Exploits
  • Protection Engine for Cloud Services
  • Products
  • Control Compliance Suite
  • DeepSight™ Technical Intelligence
  • Enterprise Security Manager
  • Malware Scan
  • Online Fraud
  • Internet Security Threat Report
  • Vulnerability Assessment
  • LiveUpdate
  • Symantec Website Security
  • Data Center Security
  • encryption
  • DigiCert SSL TLS Certificates
  • Endpoint Protection
  • Web Security.cloud