Tespok Kenya icsirt: Enterprise Cyber Threat Attack Targets Report

Transcription

1 Tespok Kenya icsirt: Enterprise Cyber Threat Attack Targets Report

2 About this Report This report was compiled and published by the Tespok icsirt in partnership with the Serianu Cyber Threat Intelligence Team and USIU s Centre for Informatics Research and Innovation (CIRI), at the School of Science and Technology. Data Collection and Analysis The data used in the analysis was collected from various sensors deployed within Kenyan organisations. We have deployed sensors to enable us to gather statistics and precise information on the cyber threats that target local internet users. We are currently in the process of deploying more sensors across various educational institutions, local businesses and enterprises. We would like to invite local partners who are interested in information security to join our cyber security efforts and awareness initiative by installing a sensor on their network edge. Deployed Sensors Having a large number of sensors across various industry sectors will enable us to more accurately model the various attack processes targeting Kenyan internet users. This is an ongoing effort that offers local businesses and individual internet users a new way to quickly and easily identify local phenomena that are worth investigating. The sensor installation is facilitated by our security experts which involves furnishing new partners with the sensor image and configuration files. The sensor will not interfere in any way with the normal functioning and operation of your organization s network and its assets. In exchange, we give our partners access to regular attack reports enriched with information specific to their organization. We are also developing a dedicated research, investigation and response team to make response time faster and more efficient. The project is triggering interest from many academic, industrial, and governmental organizations. For more information on how to become a partner, please visit co.ke or sc3@serianu.com or icsirt@tespok.co.ke for enquiries. 2

3 Data Analysis and Reporting As previously explained, we collect and analyze attack files from each sensor and these data is aggregated to provide as these reports. The attack data collected includes a large variety of information, such as: Raw data packets (entire frames including the payloads are captured); TCP level statistics; Passive Operating System fingerprinting obtained; IP geographical localization obtained; DNS reverse lookups, whois queries, etc In theory, no traffic should be observed from the sensors we have set up. As a matter of fact, many packets hit the different sensors, coming from different IP addresses. Typically, if an attacker decides to choose one of our sensors as their next victim, they try to establish direct TCP connections or to send UDP, or ICMP, packets against it. Attackers will use diverse tactics when attacking each sensor and this enables us to identify the payloads used and attack methods deployed on each sensor. 3

4 Executive Summary This Report provides statistics on enterprise assets (applications, systems, devices and other information assets) that are being targeted by cyber criminals. Majority of these assets are targeted as a result of known vulnerabilities that are easily exploitable. The Tespok icsirt Enterprise Attack Targets is a compiled list of vulnerabilities that require immediate remediation. Cyber criminals are constantly looking for vulnerable systems that they can exploit for malicious purposes. Systems that display known commercial vulnerabilities are soft targets. International trends have shown that enterprises are increasingly under what is termed as Advanced Persistent Threat (APT). This means that organizations are specifically targeted by hackers in ways that are very sophisticated and that exploit vulnerabilities that have not yet been patched and mitigated. The attackers are now taking time to study enterprise systems to know them intimately and to craft exploits that are specific to them and that buy pass their detection mechanisms. They are then covering up their tracks in ways that are getting harder to detect. In many cases multiple malware instances are launched at the enterprise to guarantee the hackers persistent presence and access to the systems. We at icsirt are devoting resources to work with our partner organizations to warn them of threats that are targeted against them and their systems and how they can avoid them. 4

5 Report Highlights Attacked Enterprise Resources/Assets a. VOIP Servers VoIP technology has seen rapid adoption during the past couple years. At the same time, there has been an increase in security scrutiny of typical components of a VoIP network such as the call proxy and media servers and the VoIP phones themselves. What is being exploited? Various VOIP products from various vendors have been found to contain vulnerabilities that can either lead to a crash or complete loss of control over the vulnerable server/device. How is it being exploited? By gaining a control over the VoIP server and phones, attackers are able to carry out VoIP phishing scams, eavesdropping, toll fraud or denialof-service attacks. Remedy - Scan the VoIP servers and phones to detect open ports. Firewall all the ports from the Internet that are not required for keeping up the VoIP infrastructure. b. Webmail: Almost every organization uses s to communicate. It is a quick and efficient method to pass information. This said it should be noted that if your is not encrypted, one can easily read the contents of these s in plain text when your traffic is sniffed. Webmail can be exploited through DNS cache poisoning, injection attacks, chunkedencoding transfer attempts and redirect access. What is being exploited? The lack of encryption on the webmail service. How is it being exploited? Poorly configured web servers and lack of encryption. Remedy To better secure your s, make sure you utilize encryption and secure the web servers. A quick and cost-effective method is by implementing PGP as an opensource solution for encrypting your s. 5

6 c. Web Applications Cacti Cacti is a network graphing solution that is sometimes used by web hosting providers to display bandwidth statistics for their customers. It can be used to configure the data collection itself, allowing certain setups to be monitored without any manual configuration. What is being exploited? Cacti is prone to a remote command-execution vulnerability as the application fails to properly check the user-supplied input to the computer. Through this vulnerability attackers are able to execute malicious commands on the server. Other vulnerabilities include path disclosure, http response splitting and xss. These vulnerabilities affect version Version0.8.7h and lower. How is it being exploited? By dumping malware on vulnerable servers and waiting for internet users to inadvertently activate these malwares. These then create a communication link with the hacker. The hacker is then able to execute commands remotely. Remedy - The remediation of this vulnerability is through updating cacti to the most recent version and patching the current software version. cpanel This is a web hosting control panel that provides a graphical interface and automation tools designed to simplify the process of hosting a web site. cpanel enables administrators and end-user website owners to control the various aspects of their website and server administration via a web browser. What is being exploited? cpanel is prone to HTML-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. How is it being exploited? An attacker takes advantage of this vulnerability to execute malicious code in the browser of the affected site. This allows the attacker to steal authentication credentials, control how the site is rendered to the user and launch other attacks. Remedy - The remediation of this vulnerability is through updating cpanel to the most recent version and patching the most recent software version. 6

7 d. Database Slammer worm Slammer worm attacks vulnerable web servers by forcing the cache servers or web browsers into disclosing confidential information. What is being exploited? This worm targets hosts that are running an unpatched copy of Microsoft SQL Server Resolution Service; the host immediately becomes infected and begins spamming the Internet with more copies of the worm program. How is it being exploited? Once it infects a system, it provides the hacker with remote access to the compromised server. Remedy T o prevent infection, patch the server with updates from Microsoft. In the case of suspected infection however, use trusted malware removal tools provided by reputable vendors. SQL slammer SQL Slammer is a computer worm that causes a denial of service on some Internet hosts and dramatically slows down general Internet traffic. What is being exploited? The worm exploits buffer overflow vulnerabilities in the SQL Server Monitor that overwrites the execution stack and executes the rest of the exploit. How is it being exploited? The slammer worm on the infecting computer sends a UDP datagram to port 1434 on the target. When it is in the target s memory it begins sending datagrams of its exploit and worm code to random IP addresses to infect new targets. MS SQL These are Microsoft based servers that run SQL oriented services. It is a relational web hosting database that is used to store web site information like blog posts or user information. MS SQL is the most popular type of database on Windows servers. What is being exploited? The vulnerability is a cross-site-scripting (XSS) vulnerability that allows elevation of privileges, enabling an attacker to execute commands on the SQL Server Reporting Services (SSRS) site in the context of the targeted user. How is it being exploited? The attacker could exploit this vulnerability by sending a specially crafted link to the user and convincing the user to click the link. The attacker could also host a website that contains a webpage designed to exploit the vulnerability. In addition, compromised websites or those that accept or host user-provided content 7

8 or advertisements could contain specially crafted content that could exploit this vulnerability. Remedy - Patch the server with updates from the Microsoft website. e. File sharing Applications These applications are used to download and distribute data such as music, video, graphics, text, source code etc. P2P applications are also used legitimately for distribution of certain applications. However, often times the data is either of a questionable nature or is copyrighted. What is being exploited? The peer-to-peer (P2P) file-sharing network is used as a propagation vector for malware propagation. While file sharing malicious programs open a backdoor through which an attacker can remotely control the compromised machine, send spam, or steal a user s confidential information How is it being exploited? Malware is disguised as files that are frequently exchanged over P2P networks, these malicious programs infect the user s host if downloaded and opened, leaving their copies in the user s sharing folder for further propagation. Remedy -.The best way to minimize infections through file sharing is to use an up to date antivirus or malware removal tool in your computer or host as well as properly configured firewalls which can readily block malicious traffic before they reach your computer. User Applications Adobe Adobe reader is software that is commonly used to read pdf documents. What is being exploited? The sandbox technology in Adobe Reader X is designed in such a way that even if attackers exploited a bug in the software, the malicious code would not be able to access other parts of the computer. This attack successfully bypasses that defense by breaking out of the sandbox. How is it being exploited? The victims receive an with an attached PDF, which in turn contains highly obfuscated JavaScript. Upon opening the attachment, the embedded malware downloads two DLL files, one which displays a fake error message and opens a PDF document, and the other which drops callback software onto the victim s computer. Once installed, the malware calls back to a remote server. Remedy - Patching the Adobe reader software with updates from the adobe website as well as always enabling the protected view option. 8

9 f. Software Activation Sirefef Win32/Sirefef is malware that uses advanced stealth techniques in order to hinder its detection and removal. It downloads and executes arbitrary files and contacts remote hosts. Sirefef includes a self-defense mechanism to protect against security related software by disabling features in these softwares. What is being exploited? Exploits and programs that promote software-piracy such as keygens and cracks. These are programs designed to bypass software licensing. How is it being exploited? Sirefef drops two files to a chosen directory and then makes changes to the registry to ensure that Sirefef runs each time you start your computer. When executed, Sirefef attempt to replace a randomly-selected system driver with its own malicious copy. Remedy - As a consequence of being infected with this threat, you need to repair and reconfigure some Windows security features and also remove the malware completely using reputable malware removal tools. g. Content Management Systems Joomla This is a content management system (CMS), which enables you to build websites and online applications. What is being exploited? The Joomla s XSS vulnerability. How is it being exploited? A malicious hacker injects client-side script in a website which is executed by the victims when they access the website. Remedy Users should regularly patch Joomla with updates from the vendor website. Wordpress This is a web-based application that is used to create websites or blogs. Tim thumb is a script primarily used for resizing and cropping of images. It allows images from remote websites to be fetched and cropped as well the storing them on the server. The list of allowed remote websites is listed within the plugin, and checked against any fetched files. What is being exploited? The Timthumb vulnerability allows third parties to upload and execute arbitrary PHP code in the Timthumb cache directory on the server that hosts wordpress. 9

10 How is it being exploited? Using the Timthumb vulnerability to upload a malicious file, it allows the attacker to compromise the site and run malicious code on the server. We have identified a number of local ISPs hosting word press sites that have this vulnerability and are currently being compromised. Remedy - The remedy for this vulnerability is to update to the latest version of Timthumb or completely disable the plugin is not needed on the site. The Timthumb Vulnerability Scanner plugin is also another remedy. The vulnerability scanner will scan the entire wpcontent directory for instances of any outdated and insecure version of the Timthumb script, and then give you the option to automatically upgrade them with a single click. Performing this scan and update will protect you from hackers looking to exploit this particular vulnerability. Conclusion Over the past couple years; the number of vulnerabilities that are reported has increased with the discovery of new vulnerabilities every other day. At this rate of vulnerability detection and reporting, even small organizations with a single server can expect to spend considerable time reviewing and applying critical patches. Unpatched devices and software leave businesses vulnerable to attacks. Most cyber criminals have access to the same vulnerability information and testing systems that businesses have. Therefore, lack of patch management processes leave Kenyan businesses open to potential data breaches. A robust, pragmatic approach to vulnerability management is required to keep up with the vulnerabilities and keep organisation s information assets safe and secure. Patches are additional pieces of code that have been developed to address specific problems or flaws in existing software. About Cyber Usalama Cyber Usalama is an initiative of the Telecommunications Service Providers Association of Kenya (TESPOK). TESPOK is a professional, non-profit organization representing the interests of Telecommunication service providers in Kenya. Cyber Usalama s main objective is to educate and empower Kenyan internet and computer users to use the Internet safely and securely at home, work, and school, protecting the technology individuals use, the networks they connect to, and the Kenyan cyber space. Through the publication on regular critical cyber Threat incident reports and security awareness reports, Cyber Usalama engages public and private sector partners to raise awareness and educate Kenyans about Cyber security, and increase the resiliency of the Kenyan Cyber space. 10

11 Bibliography Adobe Acrobat Reader: cvedetails. (2013). Retrieved from cvedetails website: cvssscoremin-4/cvssscoremax-4.99/adobe-acrobat-reader.html Nikolaenko, D. P. (2013). Advisories:Secure list. Retrieved from A Kaspersky Lab Website: Rubenking, N. (2013, Feb 21st). Software-patches: Security Watch. Retrieved 2013, from A PC Mag website: SecureWorks. (2013). SecureWorks Counter Threat Unit. Retrieved from Powered by Serianu CyberThreat Intelligence Service 11