Tespok Kenya icsirt: Enterprise Cyber Threat Attack Report. Quarter 3 July - September 2013

Transcription

1 Tespok Kenya icsirt: Enterprise Cyber Threat Attack Report

2 About this Report This report was compiled and published by the Tespok icsirt in partnership with the Serianu Cyber Threat Intelligence Team and USIU s Centre for Informatics Research and Innovation (CIRI), at the School of Science and Technology. Data Collection and Analysis The data used to develop this report was obtained from sensors deployed in various industries across the country. The sensors are non-intrusive network monitoring devices that perform the function of monitoring an organization s network for malware and cyber threat activities such as brute force attacks against the organization s servers. In an effort to enrich the data we are collecting, we have partnered with The Honeynet Project and the Polish CERT to receive regular feeds on malicious activity within the country. Through such collaborative efforts we are able to anticipate, detect and identify new and emerging threats using our intelligent analysis engine. The analysis engine assists in identifying new patterns and trends in cyber threat sphere that is unique to Kenya. Partnerships through the Cyber Usalama initiative are warmly welcomed in an effort to improve the state of cyber security in Kenya and across Africa. This initiative is geared towards collaborative cyber security projects in academia, industry, commercial and government organizations. For details on how to become a partner and how your organisation or institution can benefit from this initiative, please visit or us on icsirt@tespok.co.ke or sc3@serianu.com for enquiries. 2

3 Executive Summary The key observations for this quarter are that Botnets are still a major issue in the country with Pushdo dominating the Botnet cyber space. Adobe reader attacks are also quite prevalent closely followed by SQL attacks. This quarter has also seen the rise of a new attack targeting SSL communications making it a game changer in the cyber sphere. The integration of this attack into exploits is just a matter of time. This report provides deeper insight into this quarter s attacks highlighting what is targeted, how it is compromised and the expected consequences. It is our hope that this report will give some insight on attacks prevalent in Kenya as well as an appreciation of this initiative in playing a leading role in safeguarding computer assets and resources through our services. 3

4 Report Highlights This Quarter s report focuses on top Key events in the Kenyan cyber space. It focuses on the top attacks and malicious activity detected. More prominent attacks are also highlighted so as to shed some light on the attacks to watch out for in the upcoming quarter. Part 1: Enterprise Attacks SSL Attack (Breach) Breach is a SSL attack that can recover plain-text information from encrypted HTTPS traffic in 30 seconds or less, making this a very serious threat. The BREACH abbreviation stands for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext. What is vulnerable? - It has been reported that all versions of the transport layer security (TLS) and secure sockets layer (SSL) protocols are vulnerable to the attack. What is exploited? - This attack requires the attacker to have actually identified a vulnerability on the target server. What is targeted? - Therefore if you have a site that is serving sensitive data such as addresses and security credentials, be wary as your site would be very attractive to the attacker. SSH Attacks One popular usage of SSH is to allow users to access a command shell on a remote computer for administrative purposes. It s often used for the administration of Linuxbased systems, routers or firewalls. Normally TCP port 22 is used. How the attack happens? Attackers scan for SSH services exposed to the internet. This is usually with the use of bots that run automated scans targeting port 22 which is known for providing SSH services. When the attacker finds the TCP port 22 open, they attempt to identify the service running on that port, the version of SSH that is running and the operating system. Based on the uncovered information, attackers attempt to discover the username and password through SSH Brute force attacks. What is targeted? - A prime target will be the root account which has unrestricted access to all resources in the server. 4

5 What is the consequence? - If root login over SSH is allowed with a weak password, attackers may end up in complete control of the exposed system. Shell code Attacks (x86) Shellcode is assembly language code that is injected covertly into a target computer in order to give an attacker remote access on the compromised machine. It is commonly used to activate a command shell for the hacker to execute commands on the target computer. Attackers can input any command in the shell and execute them with system privileges. What is exploited? - Shellcode attacks attempt to successfully exploit buffer overflow vulnerabilities. A buffer overflow happens when a program attempts to read or write data outside of the memory allocated for that program. It usually affects buffers with fixed sizes. This may result in memory access errors, incorrect results, a crash, or a breach of system security. This is essence provides the basis of additional software vulnerabilities and can be maliciously exploited. How the attack occurs? Shellcode attacks are very popular with exploit frameworks such as Metasploit. Hackers using Metasploit are able to own remote machines which have vulnerabilities that can be exploited by running shellcode. In other attacks, the hacker is able to enter data into a Web form, the Web form is sent to a targeted server and the server writes data to buffer, without checking length of input data. The data overflows from buffer and the shellcode is executed using libraries of shellcode that are OS and patch specific. What is the consequence? - If the attack is successful it opens a shell at the end of the exploit. With a command-line shell, the hacker can then perform any task he or she desires through an internet connection. MySQL and MsSQL Attacks SQL injection is an attack directed at an SQL database with the use of malicious code in the form of SQL queries. The queries are designed to pass through the front-end web application and interact directly with the back-end database in order to get the database system to execute specified commands. When this attack is successful, the attacker is able to obtain unauthorized information from the database. The end goal of this attack is to gain access to confidential data, change it, delete it or even extract data from the database for future analysis. How the attack occurs? - This attack is carried out in three phases which entails scans against the web application in an attempt to identify any weaknesses. This usually involves intentionally sending malformed user data and analyzing the error response given as feedback. The error messages either reveal important information which is used to fine tune the scans or even provide insight to specific vulnerabilities that can be exploited. An attack is carried out when the attacker has sufficient information on the target server. 5

6 It should be noted that the method used to perform the injection will be dependent on the SQL server used and how well the web application is designed to filter input data. SQL databases are an integral part of many platforms and drive many popular platforms such as Joomla and Wordpress. It is used in applications driving financial and government institutions therefore SQL database security is an integral component in safeguarding critical and confidential data stores in the databases. Content Management Systems (CMS) a. Tim thumb (Word Press) Timthumb vulnerability was one of the major events detected last quarter and was highlighted in the Q2 report. This quarter the same vulnerability is still prevalent in the country and is more rampant. This is an indication that users and web hosting providers have not updated the TimThumb utility in their websites. This may be attributed to lack of the know-how in scanning and updating the utility or finding the process to be too complex. What is exploited? - TimThumb is a script in wordpress that is used to resize images and is integrated into hundreds of Wordpress themes. This script however was discovered to have a security gap making wordpress websites vulnerable attackers. This vulnerability was fixed by an update to the utility. This therefore means that websites that have not been updated are still susceptible to attacks. How it is exploited? - TimThumb allows visitors to your site to load images from a defined list of remote websites and uses a caching mechanism so that it performs this activity fast upon request. The cache directory is located at the wordpress root directory and is accessible to all visitors to your word press site. The cause of the TimThumb vulnerability lies in the ability of the utility to allow any visitor to the site to load content form a remote website and allows the site to write data to the web accessible directory of the wordpress website. It should be noted that it does not execute any malicious code. The other security concern is that the utility did not properly verify the remote website that is gaining access to the respective directory. This is due to the fact that TimThumb would accept content from a website such as hacker123blogspot.com or blogspot.com.hacker123.com However if your website has already been compromised vulnerability scanners are not able to fix the website. If you suspect your server has been compromise contact us via our icsirt@tespok.co.ke or sc3@serianu.com for remediation assistance. b. Joomla Thousands of sites have been compromised in Joomla attack campaigns. Attackers use zero-day exploits to take over servers and ultimately launch phishing and malware attacks against anyone who visits the compromised sites. 6

7 For 2.5.x and 3.x versions of Joomla, it is possible for anyone with access to the media manager to upload and execute arbitrary code simply by appending a period (. ) to the end of a php file (php.), sites powered by unsupported versions of Joomla (1.5.x) attackers don t even need to have an account on the Joomla server to gain access. Utility Software Adobe Flash player Adobe flash player is a software that is used to enable users to view and stream both video and audio content. The flash player can run as a plug-in on a browser for both PCs and mobile devices or as a software running directly on the operating system. This software is very widely used due to its critical functionality. Due to the widespread use of this software, any vulnerability present that attackers can take advantage of, presents them with a large number of potential victims they can target. This quarter we have seen heavy ongoing malware attacks against this software with windows systems being the most attacked. However these vulnerabilities affect Mac, Linux and Android based platforms. For windows systems the mechanism mostly used is tricking users into opening malicious word documents in attachments that contain the malicious flash content. In Macs malware is delivered via malicious flash content hosted in malicious websites targeting Safari and Firefox web browser users. The various exploits we have identified targets vulnerable versions of Flash player for the Safari and Firefox web browsers. The specific vulnerability exploited is buffer overflow which in turn allows the attackers to remotely execute random code via the malicious SWF content that was delivered. Mobile malware Man in the Mobile Attack (MitMO) The Zeus PC malware has a mobile malware version identified as zbot or zitmo. Zitmo refers to Zeus In The MObile. This attack is specifically designed to bypass banks SMS authentication and transaction verification processes. The Zeus mobile malware has several variants attacking Blackberry, Android, Symbian and Windows Mobile platforms. How it is distributed? The malware enters your phone through many devious ways such as clicking on a link or attachment that contains the virus or a mobile security app. When installed the malware then takes over your phone within seconds and waits on your text messages to send them all to the attacker s remote server or to their phone number. The link can be in the form of a tinyurl in twitter or a business card sent to your phone. The other distribution vector is through evil twin free Wi-Fi networks. The evil twin networks are simply malicious clones of legitimate free Wi-Fi hotspots. 7

8 How the attack happens? This malware targets mobile banking transactions. When a mobile phone is infected, whenever a user performs transactions, this transaction is intercepted by the malware under the pretense of upgrading the banking application. The user is then duped into giving additional information inclusive of their mobile number. Once the attackers obtain this information they can easily intercept and hijack a user s transaction. The high criticality of this malware is that it allows attacker to intercept the bank sms messages to the customer that consists of the transaction number, the account number and the password. This information enables the attackers to steal funds from the user s accounts. What is the consequence? As more and more payment and banking services are migrating to the smartphone, organizations and financial institutions offering such services should be aware of such threats and put steps in place to mitigate them. The image below illustrates one attack scenario of the Zeus mobile malware in action. (Courtesy of trusteer) Figure 1: Zeus malware in action 8

9 Part 2: DNS Attacks The function of a DNS server is to map hostname/domain (e.g. to IP address ( ). DNS servers store such information and are usually cached i.e. stored temporarily so that future requests are responded to faster. When you want to access cyberusalama.co.ke your computer first contacts a DNS server. Your ISPs DNS server usually does not readily have all the internet s domain records permanently stored. This is due to the inefficiencies that come along with it, such as longer times retrieve records, as well as storage concerns. Here is a simple illustration on how DNS servers work. When a computer user enters in to the browser, it does not actually know that domain so it communicates with the operating system to tell it where it can find the entered domain. The operating system then checks its own hosts file where it stores IP addresses of respective domains. If the IP address is available, the browser will be given the IP and it will load the Google website. If the IP address is not found, the operating system will check its resolver configuration and then request your ISP s DNS server to tell it where it can find The ISP s DNS server checks its list of authoritative domains for cyberusalama.co.ke and it is not cached, is sends a request to internet root servers asking for the DNS server responsible for cyberusalama.co.ke. The internet root servers go through their records and gives for example ns1.dnsvault.com, ns2.dnsvault.com, or ns3.dnsvault.com. The ISP s DNS server then asks ns1.dnsvault.com for the IP address of and it responds with The ISP s DNS server then sends the IP address to the operating system which then forwards it to the browser. The browser uses it to connect you to the Google website. This whole process happens if several milliseconds hence you can never really know the length of the chain of communication required between DNS servers just to visit your favorite website. Open Resolvers By definition, these are DNS servers that are improperly configured or their firewalls allow recursive queries from any location in the network. A recursive query means that one DNS server can as for DNS records from another DNS server on behalf of a client e.g. your PC. This setting allows such servers to be used in DDoS(Distributed Denial of Service) Attacks where the volume of traffic is increased resulting in DNS queries with fake source addresses hence DNS servers bombarding the target (PC that the fake address belongs to). The consequences of a DDoS attack are downtime of servers due to lack of capacity to respond to all incoming responses or the server simply crashing. This could disastrous effect to service providers running key services on such servers, and such an incident could easily cost a business thousands of shillings on the hour if not remediated. 9

10 This problem is exists and is quite prevalent mostly because a majority of the Network Administrators are not aware of the risks they are exposing their users to as this misconfiguration can lead to abuse and as a matter of fact it is already being taken advantage of. Open resolver attacks are quite high with an event count of up to 2069 for this quarter based on statistics from our threat analysis engine. a. DDoS attack DDoS (Distributed Denial of Service) attack is a malicious attempt to make a server or a network resource unavailable for users, usually by temporarily interrupting or suspending the services of the host connected to the internet For example flooding incoming messages to a web app server forcing it to be overwhelmed and shut down, making the online banking website inaccessible to its legitimate users. What is the consequence? - A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users. What is targeted? - The resources attacked can be a specific computer/server, a port or service on the targeted system, an entire network or a component of any given network or system. They can also target tangible resources (bandwidth, disk space) or configuration information (routing information). What is exploited? - In a typical DDoS attack, the assailant begins by exploiting an identified vulnerability in one computer system and makes it the DDoS master. He then goes ahead to identify additional vulnerable systems and infects them with malware. The additional computers are then used to respond to commands given by assailant via the DDoS master. On 29th July 2013 between 7.10pm and 7.18pm there was a massive DDoS attack targeted towards one Kenyan ISP provider. This attack lasted for 8 minutes with a peak data rate of 1629 mbps. It targeted port 22 which is responsible for SSH services. This attack was first reported by Arbor s Security Engineering & Response Team (ASERT) who detected the attack. Upon the review of our logs we did note the abnormal amount of traffic targeting a number of IP addresses in Kenya. b. DNS cache poisoning This is where a malicious attacker corrupts the cache of a DNS server so that is responds with a fake IP as opposed to the legitimate one. Examples of DNS changer malware are TDSS, Alureon, TidServ and TDL4. 10

11 How the attack occurs? - This attack occurs when an attacker corrupts the DNS cache such that a fake malicious IP address record for a domain is cached. When a request is made to the DNS server, the fake information is retrieved from the cache and this would result in redirecting the user to a potentially malicious domain. What is vulnerable? - In essence DNS cache poisoning, is a type of attack that exploits vulnerabilities in the domain name system (DNS). What is the consequence? - Internet traffic is diverted away from legitimate servers and towards fake ones. This fake address could be a malicious site or a phishing site, or at times just to divert traffic from legitimate sites to facilitate a denial of service attack. Part 3: Botnets a. Zeus Zeus, also known as Zbot, is a malware toolkit that allows a cybercriminal to build his own Trojan Horse. On the Internet, a Trojan Horse is programming that appears to be legitimate but actually hides an attack. Zeus, which is sold on the black market, allows non-programmers to purchase the technology they need to carry out cybercrimes. How it is distributed - Zeus is the tool of choice for criminals stealing online banking credentials. The malware can be customized to gather credentials from banks in specific geographic areas and can be distributed in many different ways, including attachments and malicious Web links. How attack happens? - Once a Zeus Trojan infects a machine, the latest generation of the bot uses rootkit techniques to hide its presence on a customer machine. Because a Trojan built with a Zeus toolkit is so adaptable, variations of Zeus Trojans are often missed by anti-virus software applications. It remains dormant until the end user visits a Web page with a form to fill out. The bot uses covert methods of injecting additional fields into online Internet banking websites, asking users to answer questions that the authentic website would not ask. One of the toolkit s most powerful features is that it allows criminals to add fields to forms at the browser level. The code is injected directly into browser before a page is displayed. This code injection is known as the Man in the browser (MitB) Attack. This means that instead of directing the end user to a counterfeit website, the user would see the legitimate website but might be asked to fill in an additional blank with specific information for security reasons. What is the consequence? - The collected details are then silently delivered to remote websites, and added into remote databases. The databases are then sold to other criminal elements down the chain that specialize in withdrawing the funds. The money 11

12 laundering groups anonymously hire physical people to withdraw money from their personal accounts. In the criminal world these people are called drops, and their accounts are called drop accounts. Once infected, a PC can also be recruited to become part of a botnet. The consequent images illustrate how the Zeus Trojan attempts to steal personal and credit card information. (Courtesy of ThreatMetrix Labs) Caption 1: Zeus attempting to steal credit card information on a website This caption illustrates the malicious page displayed on the browser after code injection into the browser of a Zeus infected machine. This malicious page requests for your credit card information, when attack is successful, the obtained information is then either used to access your bank account to perform fund transfers or sold to cyber criminals at a given fee. 12

13 Caption 2: Zeus attempting to steal credit card information via online payment portals In this caption, zeus attempts to steal credit card information from an online payment processing website. This scheme is well engineered such that an average user will not be able to detect that it s a malicious page. It can affect any online payment portal as is required is a well-crafted phishing page. Users of online sites should therefore always be cautious when visiting such sites and the site owners should have proactive malware mitigation mechanisms in place. 13

14 Caption 3: Zeus attempting to steal personal information from social and sites In caption 3 the top screens represent the legitimate website while the bottom represents the malicious website. The fake site at the bottom is an exact replica with the exception of a few malicious links and forms. Unsuspecting users can easily be duped into revealing their credit card information. b. Pushdo The Pushdo malware is generally distributed through drive-by download attacks, Webbased attacks that exploit vulnerabilities in browser plug-ins or is installed by other botnets as part of pay-per-install schemes used by cybercriminals. Drive-by downloads are downloads that happen without a user s knowledge or without understanding the consequence of the download. This usually occurs when visiting a malicious website. The download usually includes malware and spyware. Pay per 14

15 install (PPI) is where cyber criminals pay commissions to a third party for any successful malware infections they accomplish. The third parties usually then rent out access to the infected PC s for use in DDoS and Spam attacks. The prevalence of Pushdo botnet event this quarter stands at 19,148 which is a very large number. These activities are spread out all the ISP s in Kenya peering through the exchange point. 921 is the total number of IPs with pushdo botnet activity. c. Kelihos Kelihos is a Trojan family that distributes spam messages. The spam messages could contain hyperlinks to installers of Win32/Kelihos malware. The malware may communicate with remote servers to exchange information that is used to execute various tasks, including sending spam , stealing bit coin wallets, capturing sensitive information or downloading and executing arbitrary files. Kelihos botnet has an event count of 1820 infected hosts which cuts across only 5 ISPs with only 34 IPs with this malicious activity. It can be assumed that there are enabling factors in the respective ISPs that are facilitating the Botnet activity. d. Virut Virut is a malware botnet that is used for cybercime activities such as DDoS attacks, spam (in collaboration with the Waledac botnet), fraud, data theft, and pay-per-install activities. It spreads through executable file infection (through infected USB sticks and other media), and more recently, through compromised HTML files (thus infecting vulnerable browsers visiting compromised websites). Virut botnet has an event count of 130 across only 5 ISPs with 73 IPs responsible for this activity. Chart 1: Top Botnets in Kenya cyber space The chart above illustrates the top botnets in Kenya for the the 3rd Quarter. The pushdo botnet is the most dominant followed by kelihos and virut. The zeus botnet will soon become a massive threat as more Kenyans embrace online payment portals for making purchases online, alongside mobile payment services. 15

16 Conclusion This quarter has a seen a number of prevalent attacks such as DNS server attacks. Botnet activity is still a main concern that requires immediate remediation. MySQL attacks and SSH attacks are also quite rampant this quarter. Utility software such as adobe reader has not been left behind as a target by malicious attackers. It is therefore important to secure PCs and servers using available best practices and tools. Implementing security controls for the attacks highlighted in this document will be a step in the right direction in the fight against cybercrime. Special considerations must be taken when securing these critical services as poorly though out methodologies, approaches without an understanding of your infrastructure could lead to serious damage of key resources. About Cyber Usalama Cyber Usalama is an initiative of the Telecommunications Service Providers Association of Kenya (TESPOK). TESPOK is a professional, non-profit organization representing the interests of Telecommunication service providers in Kenya. Cyber Usalama s main objective is to educate and empower Kenyan internet and computer users to use the Internet safely and securely at home, work, and school, protecting the technology individuals use, the networks they connect to, and the Kenyan cyber space. Through the publication on regular critical cyber Threat incident reports and security awareness reports, Cyber Usalama engages public and private sector partners to raise awareness and educate Kenyans about Cybersecurity, and increase the resiliency of the Kenyan Cyber space. For more information on cyber safety please visit html for best practices, tips and guides on how to stay safe online and manage malware. Cyber usalama is a Tespok initiative that caters for students, parents, home pc users, governments and corporates on how to stay safe online. Powered by Serianu CyberThreat Intelligence Service 16