Security Incidents And Trends In Croatia. Domagoj Klasić

Transcription

1 Security Incidents And Trends In Croatia Domagoj Klasić

2 Croatian National CERT About us Founded in in accordance with the Information Security Act We are a department of the Croatian Academic and Research Network (CARNet) Promotion and preservation of the information security of the public information systems in Croatia.

3 Few Words about CARNet Government institution, ISP (second largest in Croatia) It supports educational institutions in Croatia (elementary schools, high schools, universities, institutes ) Offers more than 100 e-learning services Has 2 national services:.hr TLD Authority National CERT (That s us)

4 NCERT About us Our activities Following computer-security news and dissemination of information Promoting the awareness of importance of computer security Educational training for specific groups Coordination in solving incidents that include at least one side in Croatia We don t do Troubleshooting and technical support Punishing of problematic users Criminal prosecution and investigations Arbitration in disputes

5 Security incidents in Croatia Starting with general statistics 343 Number of processed incidents in the last year 0,93 Incidents per day, in practice more than one per day (we don t work weekends) Keep in mind We can only count incidents reported to us Incidents are for servers with static IPs

6 Incident trend in Croatia Monthly trend: to

7 What kind of incidents are we talking about? Distribution by incident type OKR = Other Compromised hosts NMA = Illicit network activities Ostali incidenti = Other incidents

8 What are these incidents? Malware URL URL that distribute malware Redirects to exploit kits Rarely: web shells, spam scripts, ddos scripts Phishing URL Classical phishing pages, mostly for foreign financial institutions (banks, paypal )

9 What are these incidents? Other compromised hosts Compromised hosts that don t belong in Malware or Phishing URL category Mostly web site defacements Sometimes drop zones or information theft Total number of compromised hosts = Malware URL + Phishing ULR + Other compromised hosts = 289

10 What kind of hosts are these? Most of these hosts are shared hosting servers hosted at Croatian hosting companies They are compromised using known bugs in popular CMS systems (Wordpress, Joomla ) Mass compromise Sometimes servers are rooted Sometimes server are from companies other than hosting providers

11 Other incidents Only a few DDoS attacks but some of them got a lot of media attention: Attack on the web site of the Office of the President

12 Other incidents There were a few C&C servers for different botnets in Croatia Interesting one was for a Zeus botnet. We analyzed it and it turns out it was just a proxy It was not a compromised host, but a purchased VPS server from one of our hosting providers

13 Botnets trend National CERT is keeping a track of discovered bots in Croatia Exact IP addresses of bots are forwarded to their ISP providers National CERT keeps a statistical data of all discovered bots

14 Bots trend Registrated bots (daily trend) November 2011 September 2012

15 Bots trend Registrated bots (monthly trend) November 2011 September 2012

16 Bots trends Most popular malware are: Conficker (downadup) Sality Grum There are even a few flashback trojans

17 Flashback Flashback trojan (daily trend) November 2011 September 2012

18 Spam National CERT is trying to analyze spam messages that are being distributed in Croatian Internet space We have built our own spamtrap We are catching and analysing spam We can get some statistical data about the spam

19 Spam stats by spamtrap (January 2012 Sptember 2012) Total number of spams received 195,4 Spams per day 209 Spams sent from Croatian servers 4374 Spams in Croatian language

20 Spam trend by spamtrap (January 2012 Sptember 2012) Daily trend in number of received spam messages

21 Spams Most of the spams are just commercials There are some more serious spams that contain malicious links All of these spams where not targeted towards Croatian users With the help of automatic analysis we can recognize some interesting trends, for example

22 Do spammers work on weekends? Weekday distribution of received spam messages

23 Malware campaigns Daily trend of spam with malicious links June 21 and Jun 25, unusual high number

24 June 21 and June 26

25 Spam We are always looking to expand our spamtrap If you own or administer a web site and would like to help us, contact me after presentation or send us a mail at ncert@cert.hr

26 The End Thank you for listening Questions?