Security Incidents And Trends In Croatia. Domagoj Klasić dklasic@cert.hr




Croatian National CERT: About us
- Founded in 2008 in accordance with the Information Security Act
- We are a department of the Croatian Academic and Research Network (CARNet)
- Promotion and preservation of the information security of the public information systems in Croatia

A few words about CARNet
- Government institution, ISP (second largest in Croatia)
- It supports educational institutions in Croatia (elementary schools, high schools, universities, institutes ...)
- Offers more than 100 e-learning services
- Has 2 national services:
  - .hr TLD Authority
  - National CERT (that's us)

NCERT: About us
Our activities:
- Following computer-security news and disseminating information
- Promoting awareness of the importance of computer security
- Educational training for specific groups
- Coordination in solving incidents that include at least one side in Croatia
We don't do:
- Troubleshooting and technical support
- Punishing of problematic users
- Criminal prosecution and investigations
- Arbitration in disputes

Security incidents in Croatia
Starting with general statistics:
- 343: number of processed incidents in the last year
- 0,93: incidents per day, in practice more than one per day (we don't work weekends)
Keep in mind:
- We can only count incidents reported to us
- Incidents are for servers with static IPs

Incident trend in Croatia
[Chart: monthly trend, 01.10.2011 to 11.04.2012]

What kind of incidents are we talking about?
[Chart: distribution by incident type]
Legend: OKR = Other compromised hosts; NMA = Illicit network activities; Ostali incidenti = Other incidents

What are these incidents?
Malware URL:
- URLs that distribute malware
- Redirects to exploit kits
- Rarely: web shells, spam scripts, DDoS scripts
Phishing URL:
- Classic phishing pages, mostly for foreign financial institutions (banks, PayPal ...)

What are these incidents?
Other compromised hosts:
- Compromised hosts that don't belong in the Malware URL or Phishing URL category
- Mostly web site defacements
- Sometimes drop zones or information theft
Total number of compromised hosts = Malware URL + Phishing URL + Other compromised hosts = 289

What kind of hosts are these?
- Most of these hosts are shared hosting servers hosted at Croatian hosting companies
- They are compromised using known bugs in popular CMS systems (WordPress, Joomla ...)
- Mass compromise
- Sometimes servers are rooted
- Sometimes the servers belong to companies other than hosting providers

Other incidents
- Only a few DDoS attacks, but some of them got a lot of media attention:
  - Attack on the web site of the Office of the President

Other incidents
- There were a few C&C servers for different botnets in Croatia
- An interesting one was for a Zeus botnet
- We analyzed it and it turned out it was just a proxy
- It was not a compromised host, but a VPS server purchased from one of our hosting providers

Botnet trend
- National CERT keeps track of discovered bots in Croatia
- Exact IP addresses of bots are forwarded to their ISPs
- National CERT keeps statistical data on all discovered bots

Bots trend
[Chart: registered bots, daily trend, November 2011 to September 2012]

Bots trend
[Chart: registered bots, monthly trend, November 2011 to September 2012]

Bots trends
Most popular malware:
- Conficker (Downadup)
- Sality
- Grum
There are even a few Flashback trojans

Flashback
[Chart: Flashback trojan, daily trend, November 2011 to September 2012]

Spam
- National CERT is trying to analyze spam messages that are being distributed in the Croatian Internet space
- We have built our own spamtrap
- We are catching and analysing spam
- We can get some statistical data about the spam

Spam stats by spamtrap (January 2012 to September 2012)
- 49622: total number of spams received
- 195,4: spams per day
- 209: spams sent from Croatian servers
- 4374: spams in Croatian language

Spam trend by spamtrap (January 2012 to September 2012)
[Chart: daily trend in number of received spam messages]

Spams
- Most of the spams are just commercials
- There are some more serious spams that contain malicious links
- All of these spams were not targeted towards Croatian users
- With the help of automatic analysis we can recognize some interesting trends, for example ...

Do spammers work on weekends?
[Chart: weekday distribution of received spam messages]

Malware campaigns
[Chart: daily trend of spam with malicious links]
June 21 and June 25: unusually high number

June 21 and June 26
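
The automatic analysis behind the last slides (weekday distribution, daily trend of spam with links, unusually high days) can be sketched as follows. This is an added example, not National CERT's tooling: it assumes spamtrap messages are available as raw RFC 5322 text, uses a median plus 3x MAD threshold chosen here for illustration, and runs on constructed sample data.

```python
import re
import statistics
from collections import Counter
from email import message_from_string
from email.utils import parsedate_to_datetime

URL_RE = re.compile(r"https?://\S+", re.I)
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed input: day of June 2012 -> (messages with a link, messages without).
SAMPLE = {18: (2, 1), 19: (3, 2), 20: (2, 2), 21: (9, 1), 22: (3, 1), 23: (1, 0), 24: (2, 0)}

def build_sample():
    """Generate raw messages from SAMPLE (stand-in for a spamtrap mailbox)."""
    msgs = []
    for day, (with_link, plain) in SAMPLE.items():
        for i in range(with_link + plain):
            body = "Cheap offer http://spam.example.invalid/x" if i < with_link else "Cheap offer"
            msgs.append(f"From: s@example.invalid\nDate: {day} Jun 2012 10:00:00 +0200\n"
                        f"Subject: offer\n\n{body}\n")
    return msgs

def analyse(raw_messages, k=3):
    """Return (weekday distribution, daily link-spam counts, spike days)."""
    weekdays, link_days = Counter(), Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        try:
            when = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):
            continue  # spam often carries a missing or malformed Date header
        weekdays[DAYS[when.weekday()]] += 1
        payload = msg.get_payload()
        if isinstance(payload, str) and URL_RE.search(payload):
            link_days[when.date().isoformat()] += 1
    counts = list(link_days.values())
    if not counts:
        return weekdays, link_days, []
    median = statistics.median(counts)
    # Median absolute deviation, floored at 1 so a flat series does not flag noise.
    mad = max(statistics.median(abs(c - median) for c in counts), 1)
    spikes = sorted(d for d, c in link_days.items() if c > median + k * mad)
    return weekdays, link_days, spikes

if __name__ == "__main__":
    weekdays, link_days, spikes = analyse(build_sample())
    print(dict(weekdays), dict(link_days), spikes)
```

Using the median and MAD instead of mean and standard deviation keeps a single campaign day from inflating the baseline it is compared against.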

Spam
- We are always looking to expand our spamtrap
- If you own or administer a web site and would like to help us, contact me after the presentation or send us a mail at ncert@cert.hr

The End
Thank you for listening
Questions?