Threat Intelligence Report. April, 2015

Transcription

1 Threat Intelligence Report April, 2015

2 2 Table of Contents I Executive Summary 3 II Global Data Analysis 4 Malicious Activities Source Countries 4 Attack Distribution Top 03 Foreign Attackers 4 III Malware Attacks 6 Most Probing Countries 6 Most Probing Countries Unique IP Addresses 7 Most Probing IP Addresses 7 Most Attacking IP Addresses 8 Attacking IP Addresses 10 Attacks 9 Top Vulnerabilities 11 Most Malwares Detected 12 Detected Malware Hashes 13 Cnc IP Addresses & Domains 13 Attacked Protocols 14 IV SIP Attacks 15 What is SIP? 15 V Web Attacks 16 IP Addresses Conducting Web Based Attacks 16 Web Attack Payloads 16 VI Brute-Force Attacks 18 Most Usernames Used 18 Most Passwords Used 18 Top IP Addresses Conducting SSH Attacks 19 Tools Used For SSH Based Attacks 19 VII References 20 VIII About TRIAM 21 IX About Contributors 22

3 3 Executive Summary To be able to respond to any threat effectively, one must first identify the threat agents, understand their motives and study their means of attack comprehensively, i.e. one must achieve situational awareness to be able to defend against, respond to, or counter a threat. In an effort to provide situational awareness to the industry stakeholders, about the cyber threat landscape of Pakistan, the TRIAM Threat Intelligence Team is extremely proud to present you this monthly Threat Intelligence report for the month of April In this edition of our monthly Threat Intelligence report we have observed interesting set of activities being performed in Pakistan cyberspace. One of the interesting observations has been the increased number of attacks coming IP Addresses of China coinciding with the Chinese Prime Minister s visit to Pakistan in April. The details of these attacks, and all other attacks are documented in this report. The major set of attacks that have been discovered recently in Pakistan by global and TISS research and IR teams are summarized as follows: Equation Group Equation Group is the most advanced APT group found so far and is called the Crown Creator of Cyber Espionage. According to Kaspersky Lab s researchers the group is unique in almost every aspect of their activities: they use tools, that are very advanced and expensive to develop, in order to infect victims, retrieve data and hide activity in a professional way, and also utilize classic spying techniques to deliver malicious payloads to the victims. More details for this advanced APT group can be found on: Ransomware Ransomware malware is constantly affecting Pakistan based organizations with key motive of financial gains. Ransomware works by encrypting data of infected machines belonging to organizations and individuals thus completely blocking the access to the data. The decryption key is sent only if a ransom is paid. There has been exponential increase in number of Ransomware attacks in the year 2015 and taking preventive measures from this threat is highly recommended at all layers. If you require more details on these threats or are exposed to these or different malwares, please reach out to us for focused and quick response. This report has been compiled using our advanced threat intelligence gathering platform consisting of sensors like honeypots, web crawlers and aggregators deployed through-out Pakistan. The information obtained using these sensors are then enriched by correlating information from different sources. Our aim for releasing these monthly reports is to enable all stakeholders in Pakistan to keep abreast with on-going threats and remain vigilant in protecting their networks from potential attacks. Trillium will soon make these threat feeds available to Pakistan based organizations so that their Security Information and Event Management (SIEM) systems, Firewalls and Intrusion Detection / Prevention Systems can be fed to provide protection against Pakistan specific attacks. In month of April information gathered from our sensors indicates that: Multiple IP addresses particularly from China have been probing Pakistan cyberspace actively and looking for vulnerabilities to exploit. Attacks of different nature that materialized and had a major impact have been observed coming from Romania, China and Brazil. Among the detected malwares that are most active in Pakistan cyberspace, 96% activity has been observed for Net-Worm.Win32.Kido.ih an infamous worm that hogs network resources and is spread by exploiting Microsoft OS specific vulnerabilities. The details of information gathered by our sensors are described further in this report. We hope that you find this month s report useful and feel free to contact us with any feedback. DFIR Research team, Threat Intelligence

4 4 Global Data Analysis This section presents analysis of attack data from sensors deployed at different places in Pakistan. We process millions of log entries and security alerts that are being captured by our custom and purpose built sensors during the threat analysis. In order to provide real time threat intelligence and security alerts to our customers we perform advanced analytics on the collected alerts by correlating security events from multiple sensors Malicious Activities - Source/Host Countries The countries hosting IP addresses that are carrying out malicious activities in Pakistan cyberspace are shown in Figure 1. Figure 1 - Percentage of events by source/host countries Attack Distribution - Top 03 Foreign Attackers The following figures present the distribution of attack types originating from top three countries hosting the attacking IP addresses. It is quite evident from the following figures that attack type distributions of each originating/hosting country is very different from the other. These figures reflect the fact that attack types, motivation of attackers, and sophistication of attacks are different in different regions of the World. Figure 2 - Attacks Originating from IP Addresses Hosted in China

5 5 Figure 3 - Attacks Originating from IP Addresses Hosted in Romania Figure 4 - Attacks Originating from IP Addresses Hosted in Brazil

6 6 Malware Attacks Malware attacks are the major threats being faced by Pakistani organizations. Using the Internet, attackers employ unique malware based techniques to infect their target systems for different reasons varying from creating mere nuisance to stealing credentials to eavesdropping on communication to capturing proprietary and highly confidential information. Attackers scan the Internet to look-out for vulnerable services and try to exploit them to gain access to the system and ultimately the network. Often root-kits (type of malware) are used to take over and maintain control of a compromised system. The following section of the report will present the latest trends of malware based attacks which were identified based on the information gathered from our sensors during the month of April. The correlated information from different sensors reveals that there were more than 2,54,000 number of connection attempts to Pakistan cyberspace from different countires of the world. Furthermore, we detected more than 57,000 materialized attacks that were launched in this period. Over 9,000 unique IP addresses tried to establish a connection with our deployed sensors through-out Pakistan at-least once. After thorough automated analysis and correlation, most of these connection attempts were classified as malicious and were doing intense scanning for figuring out running services (particularly the vulnerable ones) over Pakistan cyberspace. One of the top IP address that established most number of connections was found to be with more than 38,400 connections. The origin of this IP address was found to be Romania. There were about 1900 unique IP addresses that succeeded in exploiting a particular vulnerability and uploaded some malware. Total number of attacks launched during this time period was more than 57,000. One of the top IP addresses that initiated most number of attacks was found to be with about 12,300 successful attacks. The origin of this IP address was found to be Romania. The most number of attacks were launched by exploiting MS08-067, MS08-068, MS vulnerabilities, which could allow remote code execution. Furthermore, as per our correlated information, port 445 received the highest number of attack traffic with 87.48% of total attacks received. The service hosted on port 445 was SMBD (Server Message Block Daemon). Further information related to IP addresses trying to make connections and doing attacks, top malware found, top vulnerabilities exploited and top protocol / services exploited is given below. Most Probing Countries The IP Addresses from countries doing the most probing and connection attempts are shown in Figure 5. Probing is done to find services running on targeted systems and their corresponding vulnerabilities in the target machines which can be exploited. Figure 5 - Country Based Conection Distribution

7 7 Most Probing Countries Unique IP Addresses The Figure 6 shows the countries hosting the highest number of unique IP addresses that are found to be making connections and doing probing. Figure 6 - Country Based Unique IP Distribution Most Probing IP Addresses The Figure 7 shows the list of individual IP addresses that are found to be making connections and doing probing. Figure 7 - IP Based Conection Distribution IP Addresses Connection Attempts Country ,444 Romania ,135 India ,326 Pakistan ,661 Ghana ,788 Hungary ,181 Armenia ,639 Russian Federation ,271 Russian Federation ,830 Russian Federation ,781 Russian Federation Table 1, shows a list of Top 10 unique IP addresses that established highest number of connection attempts. Table 1 - IP Address Based Connection Distribution

8 8 Most Attacking IP Addresses Figure 8 gives the list of individual IP addresses that initiated most number of malware attacks by successfully exploiting vulnerabilities. Figure 8 - IP Address Based Distribution IP Addresses Successful Attacks Country Romania India Ghana Armenia Hungary Russian Federation Russian Federation Russian Federation Russian Federation Russian Federation Table 2 below shows the list of Top 10 IP Addresses that launched highest number of attacks. Table 2 - IP Address Based Distribution

9 9 Attacking IP Addresses - 10 Attacks Table 3, provides the list of IP addresses that initiated minimum of 10 malware based attacks on Pakistan cyberspace. It is advised to block these IP addresses on your gateways. Please contact us if you would like to have full list of suspicious IP addresses. IP Addresses Successful Attacks Country Romania India Ghana Armenia Hungary Russian Federation Russian Federation Russian Federation Russian Federation Russian Federation Russian Federation Russian Federation Russian Federation Russian Federation Russian Federation Russian Federation Pakistan Russian Federation Russian Federation Russian Federation Russian Federation Brazil Russian Federation Russian Federation Russian Federation Brazil Russian Federation Brazil Brazil Armenia

10 10 IP Addresses Successful Attacks Country Romania Russian Federation Russian Federation Pakistan Armenia Russian Federation Romania Brazil Armenia Bulgaria Armenia Romania India Bulgaria Russian Federation Romania Ukraine Russian Federation Armenia Hungary India Hungary Russian Federation Georgia Pakistan India Romania Russian Federation Romania Armenia Italy Russian Federation Russian Federation Table 3 - IP Address Based Distribution - 10 Attacks

11 11 Top 10 Vulnerabilities Below is the list and details of vulnerabilities that were exploited the most for malware based injection. It is strongly recommended to fully patch all of the known vulnerabilities related to OS and third-party programs installed in your network. You can contact us to perform security assessment of your IT infrastructure for any potential loopholes and vulnerabilities. MS05-39 Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege. aspx MS Vulnerability in Message Queuing Could Allow Code Execution. aspx Vulnerability Unknown MS08-67 MS06-66 MS MS05-39 MS MS04-12 MS04-11 MS Name ClosePrinter Net Path Canonicalize Nw Change Password QM Create Object Internals PNP Query Res Conf List QM Delete Object Remote Create Instance DS Roler Upgrade DownLevel NDdeSetTrustedShareW MS04-12 Cumulative Update for Microsoft RPC/DCOM. aspx MS04-11 Security Update for Microsoft Windows. aspx MS03-39 Net Add Alternative Computer Table 4 - Top 10 Vulnerabilities MS08-67 Vulnerability in Server service that could allow remote code execution. MS06-66 Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution. aspx MS Vulnerability in Message Queuing Could Allow Remote Code Execution. aspx MS08-67 Vulnerability in Server service that could allow remote code execution. MS Vulnerability in NetDDE Could Allow Remote Code Execution. aspx MS03-39 Buffer Overrun In RPCSS Service Could Allow Code Execution. aspx

12 12 Top Few Detected Malwares Table 5 gives the list of most malwares that have been detected in Pakistan cyberspace. The naming convention used for these malwares is based on Kaspersky detection. You can find the same malware with different name which are given to them by other antivirus engines. Name Percent Net-Worm.Win32.Kido.ih 94.12% Backdoor.Win32.Rbot.bni 2.28% Net-Worm.Win32.Allaple.e 1.20% Net-Worm.Win32.Kido.kj 1.08% Trojan-Downloader.Win32.Kido.bu <1% Trojan-Spy.Win32.Small.pex <1% Trojan.Win32.Genome.tusc <1% Backdoor.Win32.Agent.aknp <1% Trojan.Win32.Genome.ahpxd <1% Table 5 - Top Malwares Detected Detected Malwares Hashes Table 6, provides the list of hashes for the most malwares detected in Pakistan cyberspace. These hashes may be helpful in quickly retrieving the detail of a particular malware from different online sources. To verify whether your antivirus engine detects the malwares given in Table 6, simply put the hash value in virustotal.com. Malware Presence MD5 Hash Net-Worm.Win32.Kido.ih 94.12% 029e d13fbf621a10ae11edfe dc46cca644e859cb7fb1d6de8b 0af49bbed7ec17b2e8b5ae7b ea2203e8c7a1700b e ea2203e8c7a1700b e Backdoor.Win32.Rbot.bni 2.28% c c32fa305e3de57f6f40f1 Net-Worm.Win32.Allaple.e 1.20% 247a51c8a6ea90209fad9bc9208dd48e Net-Worm.Win32.Kido.kj 1.08% B8099f59ec27f47e13ca c8 Trojan-Downloader.Win32.Kido.bu <1% 4bb05060ae675d1d7177df05e1ac15b4 Trojan-Spy.Win32.Small.pex <1% f4d56bac967e0217a0049fe717cc634b Trojan.Win32.Genome.tusc <1% b0426ed44d7819d1ab5ead9b12fd2879 Backdoor.Win32.Agent.aknp <1% 7867de13bf22a7f3e e33e7 Trojan.Win32.Genome.ahpxd <1% 4d56562a6019c05c592b9681e9ca2737 Net-Worm.Win32.Kido.dam.ak <1% af746400d629a00ab782f21 Table 6 - Detected Malware Hashes

13 13 CnC IP Addresses & Domains Following tables show the list of IP addresses and domain names that are found to be malicious and were communicating with infected machines IP Addresses Country China India Portugal Italy Germany United States United States United States China United States United States United States United States United States United Kingdom United States United States Domains xqpjtkqid.biz yeigidwnrda.ws zwvnfggq.ws smcxq.biz abyoqc.cn ztcabv.cn gwjewwqgig.cn pdcpbbkit.cn xiammogc.cn checkip.dyndns.com xdz.no-ip.org Table 8 - CnC Domains Table 7 - CnC IP Addresses

14 14 Attacked Protocols Table 9, below, shows the list of protocols which were found being exploited for most number of attacks. Protocol SMB 87.48% SIP 4.94% MSSQL 3.85% MYSQL 1.55% Exploitations MYSQL: The MySQL protocol is used between MySQL Clients and a MySQL Server. It is implemented by: Connectors (Connector/C, Connector/J, and so forth) MySQL Proxy Communication between master and slave replica- The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web. Hypertext is structured text that uses logical links (hyperlinks) between nodes containing text. HTTP 1.24% EPMAP <1% MIRROR <1% RSH <1% Table 9 - Attacked Protocols Microsoft EPMAP (End Point Mapper), also known as DCE/RPC Locator service, used to remotely manage services including DHCP server, DNS server and WINS. Also used by DCOM. SMB: The Server Message Block, operates as an application-layer network protocol mainly used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. Mirror: (Managing Isolation in Replicated Real time Object Repositories), a concurrency control protocol specifically designed for firm-deadline application operating on replicated real-time databases. SIP: The Session Initiation Protocol is a communications protocol for signaling and controlling multimedia communication sessions. The most common applications of SIP are in Internet telephony for voice and video calls. RSH: The remote shell (rsh) is a command line computer program that executes shell commands as another user, and on another computer across a computer network. MSSQL: Tabular Data Stream protocol which is used by Microsoft SQL Server. It listens to tcp/1433 and allows clients to login. It can decode queries run on the database.

15 15 SIP Attacks What is SIP The Session Initiation Protocol (SIP) is a communication protocol for signaling and controlling multimedia communication sessions. The most common applications of SIP are in Internet telephony for voice and video calls, as well as instant messaging using Internet Protocol (IP) networks. SIP Attacks division Most SIP attacks can be divided into two groups. First represents various types of a PBX scanning and probing. Attacker send OPTION message and wait for an answer or simply try to place a call with immediate cancellation (It means INVITE message followed by CANCEL message). The second group represents flood attacks using REGISTER message. REGISTER message is used by a user agent to register to the registrar (SIP Server). An attacker sends continuous REGISTER messages to the SIP Server in order to downgrade the Server performance and ultimately making it inaccessible for authorized users. Register flooding attack Application layer attack on the Session Initiation Protocol (SIP) is used in VoIP services, targeted at causing denial of service to SIP servers. A SIP register flood consists of sending a high volume of SIP register packets to SIP servers, therefore exhausting their bandwidth and resources. 96% messages type were REGISTER based in our sensors. SIP Message No. of Distinct Connections Total Messages Register Table 10 - SIP REGISTER Message Malicious IP Total Table 11 - SIP Malicious IP Addresses

16 16 Web Attacks As websites and web based applications are rapidly growing so are the threats. Complex business applications are now being delivered over the web (HTTP) and paving way for attackers to exploit any kind of vulnerability. The following section presents important data relevant to the web attacks faced by Pakistan cyberspace. Top Few Countries With Most Web Attacks The countries hosting IP Addresses performing the most attacks are shown in Figure 9: Figure 9 - Countries with Web Based Attacks Top Few IP Addresses - Most Web Attacks Following is the list of IP addresses which are found to be launching highest number of Web attacks. It is recommended to block these IP addresses to secure your system from such attacks. IP Addresses Attacks % Countries % United States % Ukraine % Switzerland % France % Germany % Switzerland % United States % Romania % United States % Romania Table 12 - IP Addresses Conducting Web Based Attacks

17 17 Top Few Web Attacks Among the type of attacks that we observed, SQL injection was seen the most in Pakistan cyberspace. Figure 10 - Web Based Attacks

18 18 Brute-Force Attacks A brute-force attack is the simplest method to gain access to an application or operating system by applying different credentials. In brute-force attack, an attacker tries different but exhaustive combinations of usernames and passwords, over and over again, until he is successfully logged-in. The following section presents the data relevant to brute-force activities performed on SSH protocol in Pakistan cyberspace. Most Commonly Used Usernames Below table lists the most user attempts seen in Pakistan for SSH. The root username was tried the most number of times. It is strongly recommended to avoid such user names or use complex user names or two factor authentications. Username Attempts root ubnt 251 admin 113 guest 28 test 26 support 23 tester 14 testing 14 user 12 Table 13 - Most Usernames Used Most Commonly Used Passwords Below table lists the most attempted passwords. The admin password was tried the most number of times. It is strongly recommended to avoid these types of passwords. Password Attempts admin 88 root ubnt 67 password 62 1qaz2wsx 57 passw0rd 29 1q2w3e4r 29!qaz@wsx 28 qwerty 25 abc Table 14 - Most Passwords Used

19 19 Top few IP Addresses Conducting SSH Attacks Below table lists the IP addresses with origin that have carried out maximum SSH attacks in Pakistan cyberspace. It is strongly recommended to block these IP address on gateway level. IP Address Attempts Country China China China China China China China China China China Table 15 - IP Addresses Conducting SSH Attacks Mostly Used Tools For SSH Based Attacks Below is the list of tools that were used to gain access on SSH in Pakistan cyberspace. Tools Connections SSH-2.0-PUTTY SSH-2.0-libssh2_ SSH-2.0-libssh2_ SSH-2.0-JSCH SSH-2.0-libssh2_ SSH-2.0-PuTTY_Release_ SSH-2.0-Granados SSH-2.0-PuTTY_Local:_ 20 May_14_2009_21:12:18 SSH-2.0-libssh2_ Table 16 - Tools Used For SSH Attacks

20 20 List of Figures Figure 1 - Percentage of events by source countries 4 Figure 2 - Attacks Originating from IP Addresses Hosted in China 4 Figure 3 - Attacks Originating from IP Addresses Hosted in Romania 5 Figure 4 - Attacks Originating from IP Addresses Hosted in Brazil 5 Figure 5 - Country Based Connection Distribution 6 Figure 6 - Country Unique IP Distribution 7 Figure 7 - IP Based Connection Distribution 7 Figure 8 - IP Address Based Distribution 8 Figure 9 - Countries with Web Based Attacks 16 Figure 10 - Web Based Attacks 17 List of Tables Table 1 - IP Address Based Connection Distribution 6 Table 2 - IP Address Based Distribution 7 Table 3 - IP Based Distribution 10 Attacks 8 Table 4 - Top 10 Vulnerabilities 10 Table 5 - Top Malwares Detected 12 Table 6 - Detected Malware Hashes 12 Table 7 - CnC IP Addresses 13 Table 8 - CnC Domains 13 Table 9 - Attacked Protocols 14 Table 10 - SIP REGISTER Message 15 Table 11 - SIP Malicious IP Addresses 15 Table 12 - IP Addresses Conducting Web Based Attacks 16 Table 13 - Most Usernames Used 18 Table 14 - Most Passwords Used 18 Table 15 - IP Addresses Doing SSH Attacks 19 Table 16 - Tools Used For SSH Attacks 19

21 21 About TRIAM With almost a decade of experience, expertise and leadership in the information security market, Trillium Information Security Systems (Pvt) Ltd. has launched Pakistan s first and only focused Managed Security Service Provider brand TRIAM. TRIAM s portfolio of information security services is backed by the industry s leading minds. Our team has an accumulated experience of more than 150 years of delivering successful information security projects to leading enterprises from all industry verticals of Pakistan, and the region. In addition to our industry experience, TRIAM researchers have published over 45 research papers thereby enabling TRIAM to explore/study/understand niche areas of the information security domain. TRIAM is hence launched as the one of the regions most skilled and experienced information security service provider delivering services to customers that are backed by world leading threat intelligence. TRIAM Service Portfolio Security Monitoring Stored Data Security Analytics Real-Time Data Security Analytics Digital Forensics & Incident Response Services Malware Analysis Digital Forensics & Investigation Incident Handling & Reporting Security Assessment Services Application Security Assessment Infrastructure Security Assessment Threat Intelligence Services Threat Feeds Botnet Tracking Threat Notifications

22 22 About Contributers This research has been conducted by Trillium Information Security Systems (TISS) in collaboration with Applied Security Engineering Research Group at the COMSATS Institute of Information Technology. We would like to thank the team members of the TRIAM Threat Intelligence Team and the TISS OPSEC Team for their attention and contribution to the publication of this report. For more Information To learn more about Trillium Information Security Systems and its brand TRIAM, please visit: infosecurity.com.pk triam.com.pk

23 23 Copyright Trillium Information Security Systems (Pvt) Ltd Trillium Information Security Systems (Pvt) Ltd. Head Office 10th Floor, AWT Plaza, 5-The Mall, Rawalpindi, Pakistan Produced in the Islamic Republic of Pakistan. March 2015 This document is current as of the initial date of publication and may be changed by Trillium Information Security Systems at any time. The information contained in this guide is for educational and awareness purposes only. There is no way TISS may be responsible for any misuse of the information. All the information contained in this document is meant for developing information security defense skills among the recipients of this document in order to help in preventing malicious attacks. The information in this document is provided as is without any warranty, express or implied.

24 Threat Intelligence Team