Tespok Kenya icsirt: Enterprise Cyber Threat Attack Targets Report




About this Report

This report was compiled and published by the Tespok icsirt in partnership with the Serianu Cyber Threat Intelligence Team and USIU's Centre for Informatics Research and Innovation (CIRI), at the School of Science and Technology.

Data Collection and Analysis

The data used in the analysis was collected from various sensors deployed within Kenyan organisations. We have deployed sensors to enable us to gather statistics and precise information on the cyber threats that target local internet users. We are currently in the process of deploying more sensors across various educational institutions, local businesses and enterprises. We would like to invite local partners who are interested in information security to join our cyber security efforts and awareness initiative by installing a sensor on their network edge.

Deployed Sensors

Having a large number of sensors across various industry sectors will enable us to more accurately model the various attack processes targeting Kenyan internet users. This is an ongoing effort that offers local businesses and individual internet users a new way to quickly and easily identify local phenomena that are worth investigating. The sensor installation is facilitated by our security experts and involves furnishing new partners with the sensor image and configuration files. The sensor will not interfere in any way with the normal functioning and operation of your organization's network and its assets. In exchange, we give our partners access to regular attack reports enriched with information specific to their organization. We are also developing a dedicated research, investigation and response team to make response time faster and more efficient. The project is triggering interest from many academic, industrial, and governmental organizations.

For more information on how to become a partner, please visit www.cyberusalama.co.ke or email sc3@serianu.com or icsirt@tespok.co.ke for enquiries.

Data Analysis and Reporting

As previously explained, we collect and analyze attack files from each sensor, and these data are aggregated to produce these reports. The attack data collected includes a large variety of information, such as:

- Raw data packets (entire frames, including the payloads, are captured);
- TCP level statistics;
- Passive operating system fingerprinting;
- IP geographical localization;
- DNS reverse lookups, whois queries, etc.

In theory, no traffic should be observed by the sensors we have set up. As a matter of fact, many packets hit the different sensors, coming from different IP addresses. Typically, if an attacker decides to choose one of our sensors as their next victim, they try to establish direct TCP connections to it or to send UDP or ICMP packets against it. Attackers use diverse tactics when attacking each sensor, and this enables us to identify the payloads used and the attack methods deployed against each sensor.

Executive Summary

This report provides statistics on enterprise assets (applications, systems, devices and other information assets) that are being targeted by cyber criminals. The majority of these assets are targeted as a result of known vulnerabilities that are easily exploitable. The Tespok icsirt Enterprise Attack Targets is a compiled list of vulnerabilities that require immediate remediation.

Cyber criminals are constantly looking for vulnerable systems that they can exploit for malicious purposes. Systems that display known commercial vulnerabilities are soft targets. International trends have shown that enterprises are increasingly under what is termed Advanced Persistent Threat (APT). This means that organizations are specifically targeted by hackers in ways that are very sophisticated and that exploit vulnerabilities that have not yet been patched and mitigated. The attackers now take time to study enterprise systems, to know them intimately and to craft exploits that are specific to them and that bypass their detection mechanisms. They then cover up their tracks in ways that are getting harder to detect. In many cases multiple malware instances are launched at the enterprise to guarantee the hackers' persistent presence and access to the systems.

We at icsirt are devoting resources to work with our partner organizations to warn them of threats that are targeted against them and their systems, and of how they can avoid them.

Report Highlights

Attacked Enterprise Resources/Assets

a. VoIP Servers

VoIP technology has seen rapid adoption during the past couple of years. At the same time, there has been an increase in security scrutiny of the typical components of a VoIP network, such as the call proxy and media servers and the VoIP phones themselves.

What is being exploited? Various VoIP products from various vendors have been found to contain vulnerabilities that can lead either to a crash or to complete loss of control over the vulnerable server/device.

How is it being exploited? By gaining control over the VoIP server and phones, attackers are able to carry out VoIP phishing scams, eavesdropping, toll fraud or denial-of-service attacks.

Remedy - Scan the VoIP servers and phones to detect open ports. Firewall all the ports from the Internet that are not required for keeping up the VoIP infrastructure.

b. Email

Webmail: Almost every organization uses email to communicate. It is a quick and efficient method to pass information. This said, it should be noted that if your email is not encrypted, anyone who sniffs your traffic can easily read the contents of these emails in plain text. Webmail can be exploited through DNS cache poisoning, injection attacks, chunked-encoding transfer attempts and redirect access.

What is being exploited? The lack of encryption on the webmail service.

How is it being exploited? Poorly configured web servers and lack of email encryption.

Remedy - To better secure your emails, make sure you utilize encryption and secure the web servers. A quick and cost-effective method is to implement PGP as an open-source solution for encrypting your emails.

c. Web Applications

Cacti

Cacti is a network graphing solution that is sometimes used by web hosting providers to display bandwidth statistics for their customers. It can be used to configure the data collection itself, allowing certain setups to be monitored without any manual configuration.

What is being exploited? Cacti is prone to a remote command-execution vulnerability, as the application fails to properly check user-supplied input. Through this vulnerability attackers are able to execute malicious commands on the server. Other vulnerabilities include path disclosure, HTTP response splitting and XSS. These vulnerabilities affect version 0.8.7h and lower.

How is it being exploited? By dumping malware on vulnerable servers and waiting for internet users to inadvertently activate it. The malware then creates a communication link with the hacker, who is then able to execute commands remotely.

Remedy - The remediation of this vulnerability is to update Cacti to the most recent version and to patch the installed software version.

cPanel

This is a web hosting control panel that provides a graphical interface and automation tools designed to simplify the process of hosting a web site. cPanel enables administrators and end-user website owners to control the various aspects of their website and server administration via a web browser.

What is being exploited? cPanel is prone to HTML-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

How is it being exploited? An attacker takes advantage of this vulnerability to execute malicious code in the browsers of users of the affected site. This allows the attacker to steal authentication credentials, control how the site is rendered to the user and launch other attacks.

Remedy - The remediation of this vulnerability is to update cPanel to the most recent version and to patch the installed software version.

d. Database

Slammer worm

The Slammer worm attacks vulnerable web servers by forcing the cache servers or web browsers into disclosing confidential information.

What is being exploited? This worm targets hosts that are running an unpatched copy of the Microsoft SQL Server Resolution Service; the host immediately becomes infected and begins spamming the Internet with more copies of the worm program.

How is it being exploited? Once it infects a system, it provides the hacker with remote access to the compromised server.

Remedy - To prevent infection, patch the server with updates from Microsoft. In the case of suspected infection, however, use trusted malware removal tools provided by reputable vendors.

SQL Slammer

SQL Slammer is a computer worm that causes a denial of service on some Internet hosts and dramatically slows down general Internet traffic.

What is being exploited? The worm exploits buffer overflow vulnerabilities in the SQL Server Monitor: it overwrites the execution stack and executes the rest of the exploit.

How is it being exploited? The Slammer worm on the infecting computer sends a UDP datagram to port 1434 on the target. Once it is in the target's memory it begins sending datagrams of its exploit and worm code to random IP addresses to infect new targets.

MS SQL

These are Microsoft-based servers that run SQL-oriented services. MS SQL is a relational web hosting database that is used to store web site information such as blog posts or user information. It is the most popular type of database on Windows servers.

What is being exploited? The vulnerability is a cross-site scripting (XSS) vulnerability that allows elevation of privileges, enabling an attacker to execute commands on the SQL Server Reporting Services (SSRS) site in the context of the targeted user.

How is it being exploited? The attacker could exploit this vulnerability by sending a specially crafted link to the user and convincing the user to click the link. The attacker could also host a website that contains a webpage designed to exploit the vulnerability. In addition, compromised websites, or those that accept or host user-provided content or advertisements, could contain specially crafted content that could exploit this vulnerability.

Remedy - Patch the server with updates from the Microsoft website.

e. File Sharing Applications

These applications are used to download and distribute data such as music, video, graphics, text, source code etc. P2P applications are also used legitimately for the distribution of certain applications. However, often the data is either of a questionable nature or copyrighted.

What is being exploited? The peer-to-peer (P2P) file-sharing network is used as a propagation vector for malware. Malicious programs shared over P2P open a backdoor through which an attacker can remotely control the compromised machine, send spam, or steal a user's confidential information.

How is it being exploited? Malware is disguised as files that are frequently exchanged over P2P networks; these malicious programs infect the user's host if downloaded and opened, leaving their copies in the user's sharing folder for further propagation.

Remedy - The best way to minimize infections through file sharing is to use an up-to-date antivirus or malware removal tool on your computer or host, as well as properly configured firewalls, which can readily block malicious traffic before it reaches your computer.

User Applications

Adobe

Adobe Reader is software that is commonly used to read PDF documents.

What is being exploited? The sandbox technology in Adobe Reader X is designed in such a way that even if attackers exploited a bug in the software, the malicious code would not be able to access other parts of the computer. This attack successfully bypasses that defense by breaking out of the sandbox.

How is it being exploited? The victims receive an email with an attached PDF, which in turn contains highly obfuscated JavaScript. Upon opening the attachment, the embedded malware downloads two DLL files: one displays a fake error message and opens a PDF document, and the other drops callback software onto the victim's computer. Once installed, the malware calls back to a remote server.

Remedy - Patch the Adobe Reader software with updates from the Adobe website, and always enable the Protected View option.
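The UDP/1434 propagation pattern described under SQL Slammer above can be turned into a simple detection rule: an infected host sends datagrams to many random destinations on that port in a short time, while a real client talks to a handful of SQL servers. The script below is an added example, not code from the report; the flow-record format, the 60-second window and the 20-destination threshold are assumptions, and the sample records are constructed.

```python
"""Flag hosts that spray UDP datagrams at port 1434 (the SQL Server
Resolution Service port the report describes Slammer targeting).

Added example, not code from the Tespok icsirt report. The log format
below is constructed for illustration: one flow record per line,
"<epoch> <src_ip> <dst_ip> <proto> <dst_port>".
"""
from collections import defaultdict

SLAMMER_PORT = 1434          # UDP port named in the report
WINDOW_SECONDS = 60          # assumed detection window
DISTINCT_DST_THRESHOLD = 20  # assumed: real clients reach few SQL hosts


def parse_flow(line):
    """Parse one constructed flow record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        return int(ts), src, dst, proto.upper(), int(dport)
    except ValueError:
        return None


def detect_udp_1434_spray(lines, window=WINDOW_SECONDS,
                          threshold=DISTINCT_DST_THRESHOLD):
    """Return {src_ip: distinct_destination_count} for sources that sent
    UDP/1434 datagrams to more than `threshold` distinct hosts within any
    `window`-second span. A worm hits random IPs, so its distinct
    destination count climbs far faster than a legitimate client's."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, proto, dport = rec
        if proto == "UDP" and dport == SLAMMER_PORT:
            events[src].append((ts, dst))

    flagged = {}
    for src, hits in events.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            # slide the window start forward until it spans <= window secs
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            distinct = len({d for _, d in hits[lo:hi + 1]})
            if distinct > threshold:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def sample_flows():
    """Constructed sample: one infected host spraying 30 hosts in a /24
    within 10 seconds, plus a legitimate client using two SQL servers."""
    lines = [f"{1000 + i // 3} 10.0.5.7 198.51.100.{i + 1} udp 1434"
             for i in range(30)]
    lines += [
        "1000 10.0.5.9 10.0.1.10 udp 1434",
        "1030 10.0.5.9 10.0.1.11 udp 1434",
        "1031 10.0.5.9 10.0.1.10 tcp 1433",  # normal SQL session, ignored
        "garbage line",                       # malformed, skipped
    ]
    return lines


if __name__ == "__main__":
    for src, n in detect_udp_1434_spray(sample_flows()).items():
        print(f"ALERT: {src} sent UDP/1434 to {n} distinct hosts")
```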

f. Software Activation

Sirefef

Win32/Sirefef is malware that uses advanced stealth techniques in order to hinder its detection and removal. It downloads and executes arbitrary files and contacts remote hosts. Sirefef includes a self-defense mechanism to protect itself against security-related software by disabling features in that software.

What is being exploited? Exploits and programs that promote software piracy, such as keygens and cracks. These are programs designed to bypass software licensing.

How is it being exploited? Sirefef drops two files to a chosen directory and then makes changes to the registry to ensure that Sirefef runs each time you start your computer. When executed, Sirefef attempts to replace a randomly selected system driver with its own malicious copy.

Remedy - As a consequence of being infected with this threat, you need to repair and reconfigure some Windows security features and also remove the malware completely using reputable malware removal tools.

g. Content Management Systems

Joomla

This is a content management system (CMS), which enables you to build websites and online applications.

What is being exploited? Joomla's XSS vulnerability.

How is it being exploited? A malicious hacker injects client-side script into a website, and the script is executed by victims when they access the website.

Remedy - Users should regularly patch Joomla with updates from the vendor website.

WordPress

This is a web-based application that is used to create websites or blogs. TimThumb is a script primarily used for resizing and cropping images. It allows images from remote websites to be fetched and cropped, as well as stored on the server. The list of allowed remote websites is kept within the plugin and checked against any fetched files.

What is being exploited? The TimThumb vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory on the server that hosts WordPress.

How is it being exploited? By using the TimThumb vulnerability to upload a malicious file, the attacker is able to compromise the site and run malicious code on the server. We have identified a number of local ISPs hosting WordPress sites that have this vulnerability and are currently being compromised.

Remedy - The remedy for this vulnerability is to update to the latest version of TimThumb, or to disable the plugin completely if it is not needed on the site. The TimThumb Vulnerability Scanner plugin is another remedy. The vulnerability scanner will scan the entire wp-content directory for instances of any outdated and insecure version of the TimThumb script, and then give you the option to automatically upgrade them with a single click. Performing this scan and update will protect you from hackers looking to exploit this particular vulnerability.

Conclusion

Over the past couple of years, the number of vulnerabilities reported has increased, with new vulnerabilities discovered every other day. At this rate of vulnerability detection and reporting, even small organizations with a single server can expect to spend considerable time reviewing and applying critical patches. Unpatched devices and software leave businesses vulnerable to attacks. Most cyber criminals have access to the same vulnerability information and testing systems that businesses have. Therefore, a lack of patch management processes leaves Kenyan businesses open to potential data breaches. A robust, pragmatic approach to vulnerability management is required to keep up with the vulnerabilities and keep organisations' information assets safe and secure.

Patches are additional pieces of code that have been developed to address specific problems or flaws in existing software.

About Cyber Usalama

Cyber Usalama is an initiative of the Telecommunications Service Providers Association of Kenya (TESPOK). TESPOK is a professional, non-profit organization representing the interests of telecommunication service providers in Kenya. Cyber Usalama's main objective is to educate and empower Kenyan internet and computer users to use the Internet safely and securely at home, work, and school, protecting the technology individuals use, the networks they connect to, and the Kenyan cyber space. Through the publication of regular critical cyber threat incident reports and security awareness reports, Cyber Usalama engages public and private sector partners to raise awareness and educate Kenyans about cyber security, and to increase the resiliency of the Kenyan cyber space.
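The TimThumb remedy above describes a scanner that walks wp-content for outdated copies of the script. The following is an added example of that check, not the TimThumb Vulnerability Scanner plugin's own code: it assumes a TimThumb copy can be recognised by the string "TimThumb" together with a define('VERSION', ...) line (so renamed copies such as thumb.php are still found), and MIN_SAFE_VERSION is an assumed threshold, since the report does not state one. The sample tree is constructed in a temporary directory.

```python
"""Find outdated TimThumb copies under a WordPress wp-content tree.

Added example, not the plugin's own code. Assumptions: a TimThumb copy
contains the word "TimThumb" and a define('VERSION', 'x.y.z') line;
MIN_SAFE_VERSION is an assumed threshold, not a value from the report.
"""
import os
import re
import tempfile

MIN_SAFE_VERSION = "2.8.14"  # assumed threshold; set to your vendor's current
_VERSION_RE = re.compile(
    r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9][0-9.]*)['"]\s*\)""")


def parse_version(text):
    """Return a tuple like (2, 8, 13), or None if no VERSION define found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_timthumb(text):
    """Heuristic signature: the script names itself and defines VERSION."""
    return "timthumb" in text.lower() and _VERSION_RE.search(text) is not None


def scan_wp_content(root, min_safe=MIN_SAFE_VERSION):
    """Walk `root`; return sorted (path, version_or_None, outdated) tuples.
    A file that looks like TimThumb but has no parseable version is
    reported as outdated, since an unknown version cannot be trusted."""
    min_tuple = parse_version(f"define('VERSION','{min_safe}')")
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if not is_timthumb(text):
                continue
            ver = parse_version(text)
            outdated = ver is None or ver < min_tuple
            label = ".".join(map(str, ver)) if ver else None
            findings.append((path, label, outdated))
    return sorted(findings)


def build_sample_tree():
    """Constructed wp-content tree: an old copy, a renamed old copy, a
    current copy and an unrelated PHP file. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="wpcontent_")
    samples = {
        "themes/old/timthumb.php": "<?php // TimThumb\ndefine ('VERSION', '1.33');",
        "plugins/gallery/thumb.php": "<?php /* timthumb fork */\ndefine('VERSION','2.8.10');",
        "themes/new/timthumb.php": "<?php // TimThumb script\ndefine ('VERSION', '2.8.14');",
        "plugins/other/index.php": "<?php echo 'not a thumbnailer';",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, ver, outdated in scan_wp_content(build_sample_tree()):
        print(("OUTDATED " if outdated else "ok       ") + f"{ver} {path}")
```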
