
Cyber Risk GmbH Handelsregister des Kantons Zürich, Firmennummer: CHE-244.099.341,

Rebackerstrasse 7, 8810 Horgen Phone: +41 43 810 43 61, Web: www.cyber-risk-gmbh.com

Top cyber risk and compliance related news stories and world events, that (for better or for worse) shaped the month's agenda, and what is next

October 2017, cyber risk and compliance in Switzerland

Animals need water, this is a fact. Lions know that, and they wait near the water, motionless, hidden. They know that the need for water will force prey to come within ambush distance. Lions exploit predictable prey pathways. Ambush predators are often camouflaged, both in nature and in cyberspace.

Animals need water, and computer users need optimization tools. The dream of a faster and more efficient PC makes us predictable and vulnerable.

Version 5.33 of the CCleaner application was modified to include the Floxif malware. Attackers knew that users would look for this software, and they acted exactly like ambush predators. Spies have done that for centuries.

Floxif gathers information about systems and users, and sends it back to the attackers. Of course, it can download and run other binaries too. It collects information (computer name, installed software, running processes, MAC addresses, unique IDs etc.) that becomes intelligence.

According to the UK’s National Cyber Security Centre, this tactic of targeting through supply chains, exploiting the trust between consumers and suppliers, provides wide scope for infection, as illustrated by the case of NotPetya malware which spread via Ukrainian accounting software.

Avast, the parent company of CCleaner developers Piriform, initially reported that 2.27 million computers were affected from 15 August 2017 to 15 September 2017, although this was later reduced to 700,000 machines. On 15 September, the command and control server was taken down by US law enforcement. Based on analysis of the server, Avast suggests that several hundred machines may have received a second stage payload.

The incident has been described as a highly targeted attack, with intellectual property being the probable target. A list of twenty specific targets included large technology and telecommunications companies based in the UK, Taiwan, Japan, Germany, and the United States.

There is a second interesting development, where we find some interesting terms: “ransomworms”, “fileless malware” etc. The 2017 Internet Organised Crime Threat Assessment (IOCTA), by the European Cybercrime Centre (EC3) at Europol, is an excellent paper. It explains how cybercrime continues to grow and evolve.

Even before the WannaCry outbreak, ransomware was already set to take centre stage in terms of malware threats in this year’s report. The scale and broad surface of the WannaCry attack was unprecedented, with few countries unaffected.

One unintended positive aspect of this is something of a global awakening, raising awareness of the threat worldwide and creating an opportunity for IT security issues to be taken more seriously by businesses and organisations, including the need for improved patch and vulnerability management.

Cyber insurance is a growing industry, and within Europe cyber insurance premiums are likely to rise to EUR 8.9 billion by 2020 from about EUR 3 billion today. There is a danger of cyber insurance encouraging complacency, with those relying on it to cover potential losses instead of investing in preventative measures.

However, there is a real potential for a positive impact where such insurance creates financial incentives for the adoption of due diligence and cybersecurity measures, for instance by offering discounts on premiums.


Another key development seen in both the WannaCry and Petya/NotPetya attacks was the inclusion of the self-propagating or ‘worm’ functionality within the malware, creating what some are referring to as a ‘ransomworm’.

While this was not the first time this has been done, it is the most successful example of its implementation, and a tactic we are likely to see repeated in future threats.

Banking Trojans did not feature heavily in law enforcement reporting this year, however their development and innovation does not cease.

As reported in previous years, there is little in the way of completely novel malware, as developers instead focus on rebooted variants such as the Zeus variant Panda, or Dyre variant Trickbot, or hybrid malware which combines aspects of other successful variants, such as Goznym which borrows from both the Gozi banking Trojan and the Nymaim downloader.

While not new, ‘fileless’ malware is another malware threat that is likely to become more prominent in the near future.

Fileless infections are those that do not involve malicious files being downloaded or written to the system’s disk, thereby circumventing many traditional anti-virus programs.

Such infections instead reside either within the infected systems’ memory, within the Windows registry or operate as a rootkit, and use Windows operating system applications, such as Powershell or Windows Management Instrumentation, to run.

While fileless malware did not feature in law enforcement reporting for this year’s IOCTA, perhaps due to its nature, there are a growing number of known cases throughout Europe.

The disastrous year for exploit kits has seen malware developers seek alternate infection vectors. Many of the leading malware threats highlighted this year, such as Dridex and Locky, previously relied on exploit kits for their distribution, but have now resorted to alternative malware delivery mechanisms such as spam botnets and social engineering.

The different infection vectors and malware distribution tactics observed during the WannaCry and Petya/NotPetya attacks are also indicative of this trend.


From a criminal perspective, the reliance on a third party product such as an exploit kit for distribution represents an additional point of failure for any malware campaign.

We previously predicted the inevitability of insecure IoT devices becoming tools for conducting DDoS attacks, a prediction which came to fruition this year with the DDoS attacks of unprecedented scale originating from the Mirai botnet.

The Mirai source code was publicly released shortly after; as we have seen with previous source code releases, such as Zeus and Carberp, it is likely that it will be rapidly adopted and adapted by the cybercrime community.

There are therefore two likely outcomes to this event.

The first is that we will inevitably see new variants of Mirai appearing on criminal markets, or appearing in the wild under control of private developers, and further waves of DDoS attacks originating either from these variants or Mirai itself.

The variety of IoT devices affected by this type of malware will also undoubtedly increase.

The second, on a more hopeful note, is that it may, like the WannaCry attack, act as a catalyst for developers of IoT devices to include better security-by-design.

This will however do little to reduce the threat from the millions, if not billions, of devices already out there and vulnerable to this sort of exploitation.

It will also be interesting to see what impact this will have on the DDoS-as-a-service business model using booters and stressers.

In this context, Europe’s IoT policy and concrete initiatives such as the Alliance for Internet of Things Innovation (AIOTI) and strategies aiming at advancing the IoT in Europe, looking specifically also at security, liability, privacy and data protection as well as labelling and certification, will play a key role in addressing these challenges.

Sophisticated attacks against European critical infrastructure are a real threat. However, attacks, both direct and indirect, against critical infrastructures using commonly available cyberattack tools such as booters/stressers appear to be much more likely, and easier to achieve.

While these attacks may not be as damaging as taking down a power-grid, they can still cause severe disruption to key utilities and services.

The Network Information Security (NIS) directive that calls for cybersecure solutions in critical sectors will require identified operators in these sectors to take appropriate and proportionate measures to manage the risks posed to the security of their networks and information systems, including the need to notify significant incidents.

As such, the NIS directive is expected to have a strong and positive impact on the cybersecurity of European critical infrastructure.

Probably one of the most significant future threats which will affect all areas of cyber-dependent crime relates to the likely disclosure of further hacking tools and exploits by the ShadowBrokers group.

In May 2017, the group announced its new monthly subscription model, ‘The Shadow Brokers Data Dump of the Month’, with the first data set of exploits reportedly sent out to subscribers in June.

The package allegedly includes web browser, router and handset exploits and tools, exploits for Windows 10, compromised network data from SWIFT providers and Central banks and compromised network data.

Previous attempts to auction off such tools were apparently unsuccessful, resulting in the group leaking the exploits instead.

However, the success of WannaCry may improve their future chances of finding successful buyers. Should the sale prove ineffective once again, it is likely that another leak will follow.

Given that it took less than one month from the leak of the EternalBlue exploit to its use in the WannaCry attack, it is likely that another cyber-attack of significant magnitude can be expected within a similar timeframe from the next release.

While the vendors of the vulnerable products can issue patches, as with the WannaCry attacks, it is likely that there will be huge numbers of unpatched machines, although WannaCry should have convinced many of both the benefits of patching and of the necessity to log and update old software that can make their entire systems vulnerable.


There is a third interesting development. We need new network security standards. Internet routing weaknesses are a real headache for many information security professionals. The new security standards created with the technical guidance of the National Institute of Standards and Technology (NIST), will reduce the risk of messages being intercepted or stolen. These standards address a security weakness that has been a part of the internet since its earliest days.

The set of standards, known as Secure Inter-Domain Routing (SIDR), have been published by the Internet Engineering Task Force (IETF) and represent the first comprehensive effort to defend the internet's routing system from attack.

The effort has been led by a collaboration between NIST and the Department of Homeland Security (DHS) Science and Technology Directorate, working closely with the internet industry. The new specifications provide the first standardized approach for global defense against sophisticated attacks on the internet’s routing system.

The overall strategy creates a defense mechanism for the Border Gateway Protocol (BGP), the system that routers—the devices that direct information toward its destination—use to determine the path data takes as it travels across the collection of networks that comprise the internet. BGP forms the technical glue holding the internet together, but historically, its lack of security mechanisms makes it an easy target for hacking.

BGP was created in the late 1980s to allow routers to exchange information and calculate the best path among millions of possibilities for data to travel across the internet. BGP enables the modern commercial internet, but it evolved at a time when security was not a significant concern, and internet operators have been coping with security problems as a result.

The overall defensive effort will use cryptographic methods to ensure routing data travels along an authorized path between networks. There are three essential components of the IETF SIDR effort:

The first, Resource Public Key Infrastructure (RPKI), provides a way for a holder of a block of internet addresses—typically a company or cloud service provider—to stipulate which networks can announce a direct connection to their address block.


The second, BGP Origin Validation, allows routers to use RPKI information to filter out unauthorized BGP route announcements, eliminating the ability of malicious parties to easily hijack routes to specific destinations.

The third component, BGP Path Validation (also known as “BGPsec”), is what is described in the suite of draft standards (RFCs 8205 through 8210) the IETF has just published.

Its innovation is to use digital signatures by each router to ensure that the entire path across the internet crosses only authorized networks.

Employing this idea of “path validation” together with origin validation could deter stealthy attacks intended to reroute data without the recipient realizing it.
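The first two components work together as follows. This is an added example, not code from NIST, the IETF or the newsletter: it implements the route origin validation decision (valid / invalid / not-found) over a constructed table of RPKI route origin authorizations (ROAs), using documentation prefixes and documentation AS numbers. The drop-only-invalid filter policy is an assumption; operators choose their own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One validated RPKI authorization: 'asn' may originate 'prefix',
    and any more-specific prefix up to 'max_length' bits long."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample data (documentation address space and AS numbers).
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),   # exact /24 only
    ROA("2001:db8::/32", 48, 64501),    # /32 down to /48
    ROA("198.51.100.0/24", 24, 0),      # AS0: holder says "never route this"
]


def validate_origin(route_prefix, origin_asn, roas):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement.

    not-found: no ROA covers the announced prefix.
    valid:     a covering ROA names the same origin AS and the announced
               prefix is no longer than that ROA's max_length.
    invalid:   at least one ROA covers the prefix, but none matches.
    """
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route when the route lies inside the ROA prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if (roa.asn != 0
                and roa.asn == origin_asn
                and route.prefixlen <= roa.max_length):
            return "valid"
    return "invalid" if covered else "not-found"


def filter_announcements(announcements, roas):
    """Split announcements into (accepted, dropped).

    Assumed policy: drop only 'invalid' routes; keep 'valid' and
    'not-found' so address space without ROAs stays reachable.
    """
    accepted, dropped = [], []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        (dropped if state == "invalid" else accepted).append((prefix, asn, state))
    return accepted, dropped


# Constructed announcements as a router might receive them.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),     # authorized origin
    ("203.0.113.0/24", 64511),     # covered, but wrong origin AS
    ("203.0.113.128/25", 64500),   # right AS, more specific than max_length
    ("192.0.2.0/24", 64511),       # no ROA published for this block
    ("2001:db8:1::/48", 64501),    # within max_length, right AS
    ("198.51.100.0/24", 64500),    # covered only by an AS0 ROA
]

if __name__ == "__main__":
    accepted, dropped = filter_announcements(ANNOUNCEMENTS, ROAS)
    for label, rows in (("accept", accepted), ("drop", dropped)):
        for prefix, asn, state in rows:
            print(f"{label:6} {prefix:20} AS{asn:<6} {state}")
```

Origin validation checks only the last AS in the path against the address holder's statement; checking that every hop is authorized is the job of path validation, which needs the per-router signatures this sketch does not model.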

Do you remember what happened in April 2017? Large chunks of network traffic belonging to MasterCard, Visa, and other financial services companies were routed through Rostelecom, a Russian government-controlled telecom.

The way some of the affected networks were redirected indicated their underlying prefixes had been manually inserted into BGP tables, most likely by someone at Rostelecom, which improperly announced ownership of the blocks.

NIST's technical expertise was crucial to the development of the standards, a process that has taken several years. Throughout the effort, NIST collaborated closely with a DHS-sponsored research team and key members of the internet industry in the design, testing and evaluation of these new standards.

There is a fourth interesting development, about identity theft.

Francis Bacon believed that friends are thieves of time. Thieves of identities are worse. According to the FBI, a stolen identity is a powerful cloak of anonymity for criminals and terrorists and a danger to national security and private citizens alike.

Identity theft is nothing new; we've been dealing with criminals faking IDs for decades, from check forgers to fugitives on the run. But today the threat is more pervasive and the scams more sophisticated than ever.

In the States, the 1998 Identity Theft and Assumption Deterrence Act, which amended Title 18, U.S. Code, Section 1028 to make it a federal crime to “knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law.”

The 2004 Identity Theft Penalty Enhancement Act, which established penalties for “aggravated” identity theft, which is using the identity of another person to commit felony crimes, including immigration violations, theft of another’s Social Security benefits, and acts of domestic terrorism.

The act required the court to sentence two additional years for a general offense and five years for a terrorism offense.

Along with names, Social Security numbers, and dates of birth, fraudsters also use Medicare numbers, addresses, birth certificates, death certificates, passport numbers, financial account numbers (i.e., bank account, credit card), passwords (e.g., mother’s maiden name, father’s middle name), telephone numbers, and biometric data (e.g., fingerprints, iris scans) to commit identity theft.

According to the Federal Trade Commission, identity theft complaints nearly doubled between 2010 and 2015. However, the number of identity theft victims and total losses are likely much higher than publicly-reported statistics. It is difficult to provide a precise assessment because different law enforcement agencies may classify identity theft crimes differently, and because identity theft can also involve credit card fraud, Internet fraud, or mail theft, among other crimes.

Welcome to our monthly newsletter.

Best regards,

George Lekatis
General Manager, Cyber Risk GmbH
Rebackerstrasse 7, 8810 Horgen
Phone: +41 43 810 43 61
Mobile: +41 79 505 89 60
Email: [email protected]
Web: www.cyber-risk-gmbh.com
Cyber Risk GmbH, Handelsregister des Kantons Zürich, Firmennummer: CHE-244.099.341


Our catalog, instructor-led training in Switzerland, Liechtenstein, and Germany: www.cyber-risk-gmbh.com/Cyber_Risk_GmbH_Catalog_2018.pdf Our events: www.cyber-risk-gmbh.com/Events.html

Number 1

The 2017 Internet Organised Crime Threat Assessment (IOCTA)

The 2017 Internet Organised Crime Threat Assessment (IOCTA) reports how cybercrime continues to grow and evolve. While many aspects of cybercrime are firmly established, other areas of cybercrime have witnessed a striking upsurge in activity, including attacks on an unprecedented scale, as cybercrime continues to take new forms and new directions.

Number 2

Presentation of the Swiss National Bank's Financial Stability Report

Introductory remarks by Mr Fritz Zurbrügg, Member of the Governing Board of the Swiss National Bank, at the media news conference of the Swiss National Bank, Berne.

“In my remarks today, I will present the key findings from this year's Financial Stability Report, published by the Swiss National Bank this morning. In the first part of my speech, I will look at the situation of the big banks, focusing on the progress made in implementing the revised 'too big to fail' regulations (TBTF2) that came into effect almost a year ago.”

Number 3

Cryptocurrency Market Capitalizations

A very interesting web site.

Number 4

ENISA Opinion Paper on Cryptocurrencies in the EU

As cryptocurrencies are increasingly employed for both legitimate and illicit purposes, there is a need for a debate on the cybersecurity concerns that may arise surrounding their use.

Number 5

Ransom attacks against unprotected Internet exposed databases

In late August to early September 2017 ransom attacks against MongoDB databases re-emerged. Three new threat actors hijacked over 26,000 MongoDB databases.


The re-surfaced attacks came several months after similar attacks peaked during late 2016 to early 2017, affecting 45,000 MongoDB databases. This note provides an overview of past and new incidents, identifies the cyber-threats related to these attacks, provides security recommendations, and highlights the importance of properly securing any Internet accessible service.

Number 6

NIST - Updating the Keys for DNS Security

The Internet’s Domain Name System (DNS) uses the DNS Security Extensions (DNSSEC) to help maintain the authenticity and integrity of its services. DNSSEC adds digital signatures and supporting keying material to the DNS, enabling users to authenticate domains and detect attempts to spoof or modify DNS responses transmitted over the Internet.

Number 7

Going Dark

Law enforcement at all levels has the legal authority to intercept and access communications and information pursuant to court orders, but it often lacks the technical ability to carry out those orders because of a fundamental shift in communications services and technologies. This scenario is often called the “Going Dark” problem. Law enforcement faces two distinct Going Dark challenges.


The first concerns real-time court-ordered interception of data in motion, such as phone calls, e-mail, text messages, and chat sessions. The second challenge concerns “data at rest”—court-ordered access to data stored on devices, like e-mail, text messages, photos, and videos.

Number 8

Border Gateway Protocol Security Slideshow

Number 9

NCSC statement on research into potential weaknesses in global Wi-Fi systems

“Research has been published today (October 16th) into potential global weaknesses to Wi-Fi systems. The attacker would have to be physically close to the target and the potential weaknesses would not compromise connections to secure websites, such as banking services or online shopping.”


Number 1

The 2017 Internet Organised Crime Threat Assessment (IOCTA)

The 2017 Internet Organised Crime Threat Assessment (IOCTA) reports how cybercrime continues to grow and evolve. While many aspects of cybercrime are firmly established, other areas of cybercrime have witnessed a striking upsurge in activity, including attacks on an unprecedented scale, as cybercrime continues to take new forms and new directions.

A handful of cyber-attacks have caused widespread public concern but only represented a small sample of the wide array of cyber threats now faced. Because of the similar tools and techniques used, it is sometimes difficult to attribute cyber-attacks to particular groups, for example, financially motivated cybercriminals and Advanced Persistent Threat (APT) groups. Some of the reported cyber-attacks from mid-2017 illustrate this trend.

For genuine financially motivated attacks, extortion remains a common tactic, with ransomware and Distributed Denial of Service (DDoS) attacks remaining priorities for EU law enforcement. Ransomware attacks have eclipsed most other global cybercrime threats, with the first half of 2017 witnessing ransomware attacks on a scale previously unseen following the emergence of self-propagating ‘ransomworms’, as observed in the WannaCry and Petya/NotPetya cases.

Moreover, while information-stealing malware such as banking Trojans remain a key threat, they often have a limited target profile. Ransomware has widened the range of potential malware victims, impacting victims indiscriminately across multiple industries in both the private and public sectors, and highlighting how connectivity and poor digital hygiene and security practices can allow such a threat to quickly spread and expand the attack vector.


The extent of this threat becomes more apparent when considering attacks on critical infrastructure. Previous reports have focused on worst-case scenarios, such as attacks on systems in power plants and heavy industry. However, it is clear that a greater variety of critical infrastructures are more vulnerable to ‘every-day’ cyber-attacks, highlighting the need for a coordinated EU law enforcement and cross-sector response to major cyber-attacks on critical infrastructure.

Law enforcement and industry action has led to a decline in the use of exploit kits. This has resulted in a shift towards alternative malware delivery methods, including spam botnets and social engineering. Along with technical attacks, social engineering techniques have become an essential tactic for the commission of many, often complex, cyber-dependent and cyber-facilitated crimes, including payment fraud and online child sexual exploitation.

The success of such attacks is demonstrated by the trend of large-scale data breaches. In a 12-month period, breaches relating to the disclosure of over 2 billion records were reported, all impacting EU citizens to some degree.

Previous reports have highlighted the potential for the abuse of insecure Internet of Things (IoT) devices. By the end of 2016 we had witnessed the first massive attack originating from such devices, as the Mirai malware transformed around 150 000 routers and CCTV cameras into a DDoS botnet. This botnet was responsible for a number of high profile attacks, including one severely disrupting internet infrastructure on the west coast of the United States (US).

The vast majority of child sexual exploitation material (CSEM) is still produced by hands-on offenders. Adding to this, however, is an increasing volume of self-generated explicit material (SGEM), which is either produced innocently, or as a result of the sexual coercion and extortion of minors. Offenders are increasingly using the Darknet to store and share material, and to form closed communities.

To read more: https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2017

Number 2

Presentation of the Swiss National Bank's Financial Stability Report

Introductory remarks by Mr Fritz Zurbrügg, Member of the Governing Board of the Swiss National Bank, at the media news conference of the Swiss National Bank, Berne.

In my remarks today, I will present the key findings from this year's Financial Stability Report, published by the Swiss National Bank this morning. In the first part of my speech, I will look at the situation of the big banks, focusing on the progress made in implementing the revised 'too big to fail' regulations (TBTF2) that came into effect almost a year ago. In the second part of my remarks, I will outline our current assessment of the situation at domestically focused banks.

Big banks

Let me start then with the big banks and the TBTF2 regulations. The revised regulations are designed to resolve the 'too big to fail' issue in Switzerland, so that systemically important banks no longer have to be bailed out with taxpayers' money in the event of a crisis. The TBTF2 regulations rest on two complementary pillars. First, they are aimed at strengthening the resilience of systemically important banks in a going-concern perspective. They therefore specify higher requirements for going-concern capital in particular, thereby reducing the likelihood of a systemically important bank getting into financial distress.

Second, if a systemically important bank nevertheless gets into financial distress - this is called the gone-concern perspective - the regulations provide a framework for orderly resolution, ensuring the continuation of systemically important functions without the use of public funds. To this end, the regulations stipulate requirements both for loss-absorbing capacity in a gone-concern perspective and for resolution planning. To read more: https://www.bis.org/review/r170926g.pdf

Number 3

Cryptocurrency Market Capitalizations

A very interesting web site.

You may visit: https://coinmarketcap.com/coins/views/all/

Number 4

ENISA Opinion Paper on Cryptocurrencies in the EU

As cryptocurrencies are increasingly employed for both legitimate and illicit purposes, there is a need for a debate on the cybersecurity concerns that may arise surrounding their use. A number of administrations are well advanced in their plans to authorise the use of cryptocurrencies. For example, Japan has legalized the use of one cryptocurrency and the Philippines has granted cryptocurrency exchange licenses. The main drivers for the adoption of cryptocurrencies, according to ENISA, include cost reductions, improved risk management, and automated regulatory compliance. The increasing use of cryptocurrencies may yield a number of benefits for citizens and industry. For instance, the decreased transaction and operational costs associated with cross-border transfer of funds could (optimistically) reduce the total global costs for remittances by up to EUR 20 billion. However, with the growing use of cryptocurrencies, greater attention needs to be given to the cybersecurity associated with their use, as well as the regulatory aspects, in order to protect the users and society from illegal activities, including money laundering and terrorism financing. At present, ENISA understands that there is no EU law addressing cryptocurrencies specifically. In this paper, ENISA presents its views on cryptocurrencies, summarising the technical aspects thereof, highlighting the key risks they may involve and discussing various potential regulatory approaches. An effective dialogue on cryptocurrencies requires as a first step developing a common taxonomy at EU level.

The Commission currently provides a working definition of virtual currencies as: “a digital representation of value that is neither issued by a central bank or a public authority, nor necessarily attached to a fiat currency, but is accepted by natural or legal persons as a means of payment and can be transferred, stored or traded electronically”. This broad categorisation of virtual currencies can be further broken down into various subcategories. Virtual currencies can for instance be convertible, meaning they can be directly exchanged for “real” currency by virtual currency exchangers, or non-convertible, meaning they cannot be exchanged for real currency. Furthermore, virtual currencies can be centralised, meaning they have a single administrating authority, or decentralised. ENISA considers cryptocurrencies as a subset of virtual currencies that are used in a decentralised manner, using for example Blockchain technology. A proposed definition for cryptocurrency is: “Cryptocurrency refers to a math-based, decentralised convertible virtual currency that is protected by cryptography, i.e., it incorporates principles of cryptography to implement a distributed, decentralised, secure information economy”. Though neither of these definitions is as yet legally binding, they provide a framework for engaging with technical and policy-related issues surrounding cryptocurrencies from a cybersecurity perspective. As with other fiat currencies, the value of cryptocurrencies is driven by supply and demand. Where the supply of a cryptocurrency is capped, and demand exceeds supply, the value of the cryptocurrency will rise. Presently, Bitcoin is a good example of this situation. At the time of writing of this paper, 856 cryptocurrencies were in existence, with a total market capitalisation of close to 120 billion euros. Many of the new cryptocurrencies are attempting to address existing inefficiencies, such as the number of transactions being processed per second and the use of smart contracts.

At the time of writing, approximately 3 billion euros of capital was being invested in cryptocurrencies per day. To read more: https://www.enisa.europa.eu/publications/enisa-position-papers-and-opinions/enisa-opinion-paper-on-cryptocurrencies-in-the-eu

Number 5

Ransom attacks against unprotected Internet exposed databases

Introduction

In late August to early September 2017, ransom attacks against MongoDB databases re-emerged. Three new threat actors hijacked over 26,000 MongoDB databases. The re-surfaced attacks came several months after similar attacks peaked during late 2016 to early 2017, affecting 45,000 MongoDB databases. This note provides an overview of past and new incidents, identifies the cyber-threats related to these attacks, provides security recommendations, and highlights the importance of properly securing any Internet accessible service.

Attacks against Internet exposed services

In late 2016, a security researcher identified attacks against Internet exposed and unprotected MongoDB instances. Initially, about 2,000 databases were reported as being compromised. In early January 2017, such compromises skyrocketed from 12,000 to 27,000 within a single day. More recent reports mentioned that compromises escalated to 45,000 within a month. This is a significant number of databases exposed on the Internet without proper authentication mechanisms in place, left open to attacks. Attacker(s) massively scanned the Internet and hijacked unprotected Internet exposed MongoDB databases. They essentially kept a copy of the databases (although not in all cases), deleted the databases from the victim systems, and replaced them with a ransom note asking for 0.2 Bitcoins in exchange for restoring the databases.

Shortly after the first MongoDB ransom attacks, attackers turned their attention to other Internet exposed and unprotected services as well. Attacks against Amazon’s exposed ElasticSearch servers, Apache CouchDB, and Hadoop Distributed File System installations followed a similar ransom tactic, although in most of these cases data was deleted straight away without any ransom request.

New wave of attacks

In late August 2017 to early September 2017, security researchers detected a new wave of ransom attacks against MongoDB databases. In this case the affected databases were also left exposed on the Internet, allowing external unauthenticated access.

Three new threat actors hijacked over 26,000 databases and replaced their content with a ransom note. The ransom demanded ranged from 0.05 Bitcoins (approximately €190 at the time of writing) to 0.2 Bitcoins (approximately €750 at the time of writing). It is under investigation why the attacks had such an impact several months after the first incidents.

Cyber-threat context in ransom attacks & recommendations

The following figure illustrates the steps involved in the MongoDB ransom attack, the cyber-threats related to it and the potential threat agents identified. The ransom attack involves cyber-threats that have been described in ENISA’s Threat Landscape (Web-based Attacks, Data Breaches, and Ransomware). Identifying the cyber-threats involved in this ransom attack provides a reference point to ENISA’s Threat Landscape for more security recommendations.

Some recommendations for the MongoDB database compromises, which can be applied to other Internet exposed services as well, are the following, arranged according to the identified threat types:

- Any Internet-exposed service must be properly configured and secured in advance. Default service configuration can potentially allow unauthenticated access to the service. This is a crucial security measure that should not be overlooked. (related threat type: Web-based Attacks)

- Maintainers of services should re-assess their default configurations and make sure they provide hardened default configurations for their services before they are widely deployed. After the latest attacks, MongoDB is also working in that direction. (related threat type: Web-based Attacks)

- Use strong and unique passwords (as well as two-factor authentication when available) for all accounts of a service/database and prevent users from accessing the administrative interface from the Internet if not absolutely necessary. (related threat type: Web-based Attacks)

- MongoDB security is addressed in the official security manual. Database and system administrators need to carefully configure their databases before exposing them online. The same applies to other Internet exposed databases/services as well, and their respective manuals should be consulted in order to configure them properly. (related threat type: Web-based Attacks)

- Proactively back up MongoDB databases and other critical system data to quickly restore operation after a compromise, without paying the ransom. (related threat type: Ransomware)

- Comply with personal data protection regulations, i.e. the EU data protection legal framework and in particular the new GDPR entering into force in May 2018. (related threat type: Data Breaches)
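The configuration recommendations above can be checked mechanically before a database goes online. The following Python audit is an added example, not part of the ENISA note: it reads a `mongod.conf` and reports whether the instance listens beyond loopback and whether access control is enabled. `net.bindIp`, `net.bindIpAll` and `security.authorization` are MongoDB configuration file options; the sample configurations, the internal address and the severity labels are constructed for this example.

```python
"""Audit a mongod.conf for the exposure pattern behind the ransom attacks:
a listener reachable from other hosts combined with no access control."""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_simple_yaml(text):
    """Parse the nested 'key: value' subset of YAML used by mongod.conf."""
    root = {}
    stack = [(-1, root)]  # (indent of the key that opened the mapping, mapping)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        while stack[-1][0] >= indent:  # leave mappings we have dedented out of
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def _section(conf, name):
    value = conf.get(name)
    return value if isinstance(value, dict) else {}


def audit(conf_text):
    """Return a list of (severity, message) findings for one configuration."""
    conf = parse_simple_yaml(conf_text)
    net, security = _section(conf, "net"), _section(conf, "security")
    auth_on = str(security.get("authorization", "")).lower() == "enabled"
    bind_all = str(net.get("bindIpAll", "")).lower() == "true"
    bind_ips = [ip.strip() for ip in str(net.get("bindIp", "")).split(",") if ip.strip()]
    explicit = bind_all or bool(bind_ips)
    exposed = bind_all or any(ip not in LOOPBACK for ip in bind_ips)

    findings = []
    if not explicit:
        # The default listener depends on the MongoDB version and packaging.
        findings.append(("MEDIUM", "net.bindIp is not set; set it explicitly"))
    if not auth_on:
        severity = "CRITICAL" if exposed else "HIGH"
        findings.append((severity, "security.authorization is not enabled"))
    elif exposed:
        findings.append(("INFO", "listens beyond loopback; confirm a firewall limits clients"))
    return findings


# Constructed sample: listens on every interface, no access control.
WEAK = """
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: one internal address plus loopback, access control on.
HARDENED = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12   # constructed internal address
security:
  authorization: enabled
"""

# Constructed sample: loopback only, access control on.
LOOPBACK_ONLY = """
net:
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED), ("LOOPBACK_ONLY", LOOPBACK_ONLY)):
        print(name, audit(text) or "no findings")
```

A configuration audit of this kind only covers what the file declares; network-level restrictions and backups still need to be verified separately.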

Conclusion

In 2016, ransomware was a dominant cyber threat and affected various sectors, e.g. academic institutions, hospitals, government bodies, industry etc. In 2017, ransomware further evolved by enhancing its malicious tactics, e.g. using worm-like capabilities. Ransomware’s success underscored, in the most prominent way, the monetization of cybercrime. Ransom attacks against Internet exposed services are a trend, which fits that pattern and deepens the abuse caused by threat actors. Again, such incidents prove that following best practices, e.g. properly securing Internet exposed services, is crucial, and should be followed at all times.

Number 6

NIST - Updating the Keys for DNS Security

The Internet’s Domain Name System (DNS) uses the DNS Security Extensions (DNSSEC) to help maintain the authenticity and integrity of its services. DNSSEC adds digital signatures and supporting keying material to the DNS, enabling users to authenticate domains and detect attempts to spoof or modify DNS responses transmitted over the Internet. In October 2017, the DNSSEC key for the root of the DNS will be updated (or “rolled”) for the first time. NIST’s Information Technology Laboratory has been working with DNS experts from around the world to help plan and test the procedures to be used in this important DNSSEC maintenance procedure. This article explains how DNSSEC works, describes the validation keys that are being used to improve DNS reliability, presents a timeline of the key change (or “rollover”), and explains what DNS administrators need to know if DNSSEC validation is used. To read more: http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=924334

Number 7

Going Dark

Law enforcement at all levels has the legal authority to intercept and access communications and information pursuant to court orders, but it often lacks the technical ability to carry out those orders because of a fundamental shift in communications services and technologies. This scenario is often called the “Going Dark” problem. Law enforcement faces two distinct Going Dark challenges. The first concerns real-time court-ordered interception of data in motion, such as phone calls, e-mail, text messages, and chat sessions. The second challenge concerns “data at rest”—court-ordered access to data stored on devices, like e-mail, text messages, photos, and videos. Both real-time communications and stored data are increasingly difficult for law enforcement to obtain with a court order or warrant. This is eroding law enforcement’s ability to quickly obtain valuable information that may be used to identify and save victims, reveal evidence to convict perpetrators, or exonerate the innocent. Make no mistake, the FBI supports strong encryption, and we know firsthand the damage that can be caused by vulnerable and insecure systems. As such, the Department of Justice, the FBI, and other law enforcement agencies are on the front lines of the fight against cyber crime. The government uses strong encryption to secure its own electronic information, and it encourages the private sector and members of the public to do the same. However, the challenges faced by law enforcement to lawfully and quickly obtain valuable information are getting worse.

The Communications Assistance for Law Enforcement Act (CALEA) was enacted in 1994 and applies only to traditional telecommunications carriers, providers of interconnected voice over internet protocol (VoIP) services, and providers of broadband access services. Currently thousands of companies provide some form of communication service, and most are not required by CALEA to develop lawful intercept capabilities for law enforcement. As a result, many of today’s communication services are developed and deployed without consideration of law enforcement’s lawful intercept and evidence collection needs. When changes in technology hinder law enforcement’s ability to exercise investigative tools and follow critical leads, we may not be able to root out the child predators hiding in the shadows of the Internet, or find and arrest violent criminals who are targeting our neighborhoods. We may not be able to identify and stop terrorists who are using social media to recruit, plan, and execute an attack in our country. We may not be able to recover critical information from a device that belongs to a victim who cannot provide us with the password, especially when time is of the essence. These are not just theoretical concerns. We continue to identify individuals who seek to join the ranks of foreign fighters traveling in support of the Islamic State of Iraq and the Levant, commonly known as ISIL, and also homegrown violent extremists who may aspire to attack the United States from within. These threats remain among the highest priorities for the FBI, and the United States government as a whole. Of course, encryption is not the only technology terrorists and criminals use to further their ends. Terrorist groups, such as ISIL, use the Internet to great effect. With the widespread horizontal distribution of social media, terrorists can spot, assess, recruit, and radicalize vulnerable individuals of all ages in the United States either to travel or to conduct a homeland attack. 
As a result, foreign terrorist organizations now have direct access into the United States like never before. Some of these conversations occur in publicly accessed social networking sites, but others take place via private messaging platforms. These encrypted direct messaging platforms are tremendously problematic when used by terrorist plotters.

Of the Going Dark problem, Director James Comey has said, “Armed with lawful authority, we increasingly find ourselves simply unable to do that which the courts have authorized us to do, and that is to collect information being transmitted by terrorists, by criminals, by pedophiles, by bad people of all sorts.” And as for a perceived conflict between keeping people safe and protecting their privacy, “it isn’t a question of conflict,” according to Comey. “We must care deeply about protecting liberty through due process of law, while also safeguarding the citizens we serve—in every investigation.” To help address the challenges posed by advancing communications services and technologies, the Department of Justice’s National Domestic Communications Assistance Center (NDCAC) leverages and shares the law enforcement community’s collective technical knowledge, solutions, and resources. NDCAC also works on behalf of federal, state, local, and tribal law enforcement agencies to strengthen law enforcement’s relationships with the communications industry. To learn more: https://www.fbi.gov/investigate/cyber

Number 8

Border Gateway Protocol Security Slideshow

To read more: https://nccoe.nist.gov/projects/building-blocks/secure-inter-domain-routing https://www.nist.gov/programs-projects/robust-inter-domain-routing https://datatracker.ietf.org/wg/sidr/documents/

Number 9

NCSC statement on research into potential weaknesses in global Wi-Fi systems

An official statement from the National Cyber Security Centre (NCSC) on research into potential weaknesses in global Wi-Fi systems, including links to related advice and guidance. A spokesperson for the National Cyber Security Centre said: “It is absolutely vital that Wi-Fi networks are safe and secure, and the National Cyber Security Centre is committed to making the UK the safest place to live and work online. “Research has been published today (October 16th) into potential global weaknesses to Wi-Fi systems. The attacker would have to be physically close to the target and the potential weaknesses would not compromise connections to secure websites, such as banking services or online shopping. “We are examining the research and will be providing guidance if required. Internet security is a key NCSC priority and we continuously update our advice (https://www.ncsc.gov.uk/guidance/end-user-device-security) on issues such as Wi-Fi safety, device management and browser security.”

Further information

- NCSC guidance on end user device security to home users and businesses can be seen here: https://www.ncsc.gov.uk/guidance/end-user-device-security It states risks associated with using Wi-Fi which must be considered and accepted before its use is permitted.

- Our guidance is a crucial part of ensuring that the UK has the capacity to manage the increasing cyber threat. We provide advice, not standards or policy. And because our guidance is advisory in nature, it provides a sound basis for users to make their own informed decisions.

- The NCSC’s 10 Steps to Cyber Security outlines the basic cyber security procedures to protect your organisation from cyber attacks, while Cyber Essentials allows organisations to advertise that they meet a government endorsed standard of cyber hygiene.

https://www.ncsc.gov.uk/guidance/10-steps-cyber-security

- The potential weaknesses in global Wi-Fi systems have been outlined by researchers (https://papers.mathyvanhoef.com/ccs2017.pdf) in computer security from the University of Leuven. They have given the weakness the codename Krack.

- As well as not compromising connections to secure websites, the potential weaknesses would not compromise connections to secure enterprise VPNs.

Disclaimer

Cyber Risk GmbH enhances public access to information about cyber risk and compliance in Switzerland. Our goal is to keep this information timely and accurate. If errors are brought to our attention, we will try to correct them.

This information:

- is of a general nature only and is not intended to address the specific circumstances of any individual or entity;

- should not be relied on in the particular context of enforcement or similar regulatory action;

- is not necessarily comprehensive, complete, or up to date;

- is sometimes linked to external sites over which Cyber Risk GmbH has no control and for which Cyber Risk GmbH assumes no responsibility;

- is not professional or legal advice;

- is in no way constitutive of an interpretative document;

- does not prejudge the position that the relevant authorities might decide to take on the same matters if developments, including Court rulings, were to lead it to revise some of the views expressed here;

- does not prejudge the interpretation that the Courts might place on the matters at issue.

Please note that it cannot be guaranteed that these information and documents exactly reproduce officially adopted texts. It is our goal to minimize disruption caused by technical errors. However, some data or information may have been created or structured in files or formats that are not error-free and we cannot guarantee that our service will not be interrupted or otherwise affected by such problems.