June 6, 2017
Deborah Weinswig, Managing Director, Fung Global Retail & Technology
[email protected]
US: 917.655.6790 HK: 852.6119.1779 CN: 86.186.1420.3016
Copyright © 2017 The Fung Group. All rights reserved.
1) In Part One of this Deep Dive report, we provided a summary of the current cybersecurity environment and discussed its components.
2) Here in Part Two, we discuss the components and characteristics of an advanced attack, the different types of attacks and vulnerabilities, and the different types of hackers.
3) An advanced attack comprises four stages: infection, persistence, communication, and command and control.
4) Advanced persistent threats are designed to remain undetected and to operate over a long period, slowly accumulating data from servers and databases, aggregating it, and then sending it in a burst to a remote server.
5) Types of attacks include malware, spam, botnets and ransomware, and hackers can take advantage of vulnerabilities in systems, such as the use of weak or common passwords, in order to wage attacks.
6) The typical hacker is not some 15-year-old working at his bedroom desk, as we might imagine. Rather, there are a variety of hackers, who are categorized by the color of "hat" they wear, which corresponds with their presumed motivation. There are also organized crime and state-sponsored hackers. The dark web has emerged as a marketplace for stolen personal information.
7) Fortunately, a powerful cybersecurity industry has emerged, and many private and public companies now specialize in providing targeted hardware and software solutions to thwart and minimize the impact of cyberattacks. Venture capital investment in the space is also healthy, keeping the level of innovation high.
Deep Dive: An Introduction to
Cybersecurity—Part Two
Deborah Weinswig
Managing Director
Fung Global Retail & Technology
US: 917.655.6790
HK: 852.6119.1779
CN: 86.186.1420.3016
Table of Contents
Executive Summary ... 3
About This Deep Dive ... 4
Components of an Advanced Attack ... 5
  Infection ... 5
  Persistence ... 5
  Communication ... 5
  Command and Control ... 5
Characteristics of an Advanced Persistent Threat (APT) ... 5
Types of Attacks/Vulnerabilities ... 7
  Malware ... 7
  Spam ... 9
  Botnets ... 10
  Distributed Denial of Service (DDoS) ... 11
  Ransomware ... 11
  Privilege Escalation ... 13
  Exploits ... 13
  Backdoors ... 13
  Bad Passwords ... 14
  Hacktivism/Vigilantism/Cyberdissidents/Shaming ... 15
  Internet-Powered Bank Heists ... 15
Types of Hackers ... 16
  Organized Crime ... 16
  The Dark Web as Marketplace ... 17
  State-Sponsored Hackers ... 17
  Current and Former Employees ... 18
Notable Cases of Hacking ... 19
Executive Summary
Ever since humans began treasuring objects of value, there have been individuals who have wanted to steal or damage those objects. In our current era, the Information Age, data represent many of our objects of value. PC viruses have existed essentially since the advent of the PC. And as the PC's capabilities have increased over time, following Moore's law, so, too, has the value of the data residing on them, making them an attractive target for criminals.
The invention of the Internet has made the world flat, enabling us to shop and make purchases from faraway countries. At the same time, it has enabled invisible criminals at home and abroad to sometimes break into our PCs and take our data, lock up our devices in exchange for ransom, or cause other types of havoc.
At one time, cybersecurity simply consisted of protecting computers from viruses and malware that could be hidden on a floppy disk. Now, computer users are vulnerable to picking up such maladies while browsing the web, using a mobile phone, logging into a free Wi-Fi service or even plugging in a USB stick they might have found.
Unfortunately, the Internet has become a darker place. In the past, teenage hackers might have broken into computer systems in order to demonstrate their abilities and cause minor chaos, but now, organized criminal gangs are colluding with state-sponsored hacking groups to engage in larceny, extortion, and corporate and private espionage. Moreover, some miscreants are now invading computers and encrypting the hard drive, threatening to release it only in exchange for a hefty ransom payment made in untraceable bitcoin.
For both individuals and enterprises, it is a struggle to keep the bad actors at bay. They are relentless and tireless, and all it takes is one person clicking on the wrong email link to let them in. Cyberattacks are largely enabled by the human element—by our own apathy, inattention to detail or lack of vigilance. Hackers often get in when IT managers do not apply software updates or patches or do not heed the yellow and red flags generated by security monitors. And many IT teams do not have a plan in place to deal with break-ins, which are almost inevitable. The burden of cybersecurity falls on all of us: to keep cybercriminals out, we must stay on top of our game and not doze off.
Enter the good guys, offering cybersecurity solutions. Just as we have to buy locks to protect our homes, IT managers have to arm themselves with a suite of tools to fend off network invasions, or at least minimize their effects. The negative PR and business consequences that can result from a network incursion are just too great a risk to not deal with the cybersecurity threat proactively, as many retailers and government agencies have painfully learned.
In this report, we provide a general overview of cybersecurity, the different types and methods of cyberattacks, and many details about the industry and the companies that are working to keep our devices and networks safe from cybercriminals.
About This Deep Dive
Fung Global Retail & Technology is publishing its Deep Dive: An Introduction to Cybersecurity in three installments.
The Executive Summary outlines the growth of the Information Age and the advent of the Internet, the benefits of which have been tested often by corresponding developments in computer viruses and malware. Recently, though, the Internet has become a significantly darker place. The bad actors online used to be mostly teenage hackers, but they are being replaced by organized crime syndicates and state-sponsored hackers with much bigger criminal ambitions. The good guys have labored to keep pace with the cybercriminals, and a rich cybersecurity industry has emerged, with a large number of companies specializing in the various aspects of online security.
Part One: Introduction and Components of Cybersecurity
The growing interconnectedness of computers and increasing use of the Internet make computers an irresistible target for cybercriminals. As Internet usage has increased and hacking tools have become more accessible, the number of reported cyberattacks has risen. The cat-and-mouse game between virus developers and antivirus software makers continued relatively peacefully until about 2010, when the balance between hackers and defenders was severely altered.
In 2013, the National Institute of Standards and Technology defined five categories in a framework for reducing cyber-risks to infrastructure: identification, protection, detection, response and recovery.
Part Two: Components of an Advanced Attack, Characteristics of an Advanced Persistent Threat, and Types of Attacks and Hackers
The term "APT" refers to an advanced persistent threat, a cyberattack in which an unauthorized person gains and maintains access to a network for an extended period of time. Recent APTs have targeted enterprises.
APTs can take a number of forms, including malware, spam, botnet and ransomware attacks, and hackers can take advantage of vulnerabilities in systems, such as the use of weak or common passwords.
Types of hackers include script kiddies and white, black, gray, green, red and blue hats.
Part Three: New Threats/Threat Vectors, Markets and Cybersecurity Companies
The number and kinds of cyberthreats continue to grow and evolve due to advances in technology that benefit both attackers and defenders.
Market intelligence firm IDC forecasts that global spending on cybersecurity will increase at an 8.3% CAGR between 2016 and 2020, growing from $73.6 billion to $101.6 billion. This growth rate is more than double the 3.3% CAGR that IDC forecasts for worldwide IT product revenue from 2015 through 2020.
The Fung Global Retail & Technology team hopes that you will find this Deep Dive interesting and informative and that it will help you protect your enterprise against cybersecurity threats!
Components of an Advanced Attack
An advanced attack comprises four stages, according to Cybersecurity For Dummies, Palo Alto Networks Edition: infection, persistence, communication, and command and control.
Infection
Cyberattack exploits generally seek to cause a buffer overflow in the target's software, which makes the program quit and transfers the attacker to the shell (or command line), thereby enabling the attacker to enter commands and gain access. The malware enters the target system via one of the following means:
• Phishing/social engineering
• Hiding in a transmission in the secure sockets layer, instant messaging or peer-to-peer traffic
• Via remote shell access
• Drive-by download (the unintentional downloading of a virus or malware onto a device)
Persistence
Persistence refers to malware remaining within a network until activated. It can make use of a rootkit (using privileged, root-level access) or a bootkit (modifying the kernel or boot code), or it can install a backdoor.
Communication
In this stage of an attack, the malware establishes a communication channel with the attacker. Such channels can use encryption or unusual routes, be embedded in other protocols, use several or nonstandard ports, or route communications via several infected hosts.
Command and Control
The command and control component ensures that the attack can be controlled, managed and updated over time.
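The communication and command-and-control stages above describe a channel that may be encrypted and use nonstandard ports, but that still has to check in with the attacker on a schedule. The following is an added example (not code from the report, Palo Alto Networks or any vendor it cites) of how a defender can detect such beaconing from connection logs: it groups outbound connections by source, destination and port and flags groups whose inter-connection timing is nearly constant. The log format, the IP addresses, the "standard port" list and the thresholds are all assumptions constructed for the example.

```python
"""Detect periodic outbound connections (C2 beaconing) in connection logs.

An encrypted channel on an odd port hides its content, not its rhythm:
a beacon that polls its operator every N seconds with the same tiny
payload stands out once connections are grouped and their intervals
compared. Added example; constructed data, not real traffic.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log. Format per line:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>"
# 10.0.0.5 polls 203.0.113.7:8443 about once a minute with a fixed size;
# 10.0.0.8 browses 93.184.216.34:443 at irregular times and sizes.
SAMPLE_LOG = """\
2017-06-06T09:00:00 10.0.0.5 203.0.113.7 8443 512
2017-06-06T09:00:10 10.0.0.8 93.184.216.34 443 2048
2017-06-06T09:00:15 10.0.0.8 93.184.216.34 443 1800
2017-06-06T09:01:01 10.0.0.5 203.0.113.7 8443 512
2017-06-06T09:02:00 10.0.0.5 203.0.113.7 8443 512
2017-06-06T09:02:40 10.0.0.8 93.184.216.34 443 9050
2017-06-06T09:03:02 10.0.0.5 203.0.113.7 8443 512
2017-06-06T09:03:05 10.0.0.8 93.184.216.34 443 120
2017-06-06T09:04:00 10.0.0.5 203.0.113.7 8443 512
2017-06-06T09:05:01 10.0.0.5 203.0.113.7 8443 512
2017-06-06T09:09:30 10.0.0.8 93.184.216.34 443 3000
2017-06-06T09:10:00 10.0.0.9 198.51.100.20 25 700
"""

# Ports that normally carry outbound traffic in this example environment
# (assumed list; tune it to what your own network actually uses).
STANDARD_PORTS = {25, 53, 80, 123, 443, 587, 993}

# Assumed thresholds: at least 5 connections, and interval jitter
# (standard deviation / mean) of at most 20%.
MIN_CONNECTIONS = 5
MAX_JITTER = 0.20


def parse_log(text):
    """Parse the constructed log into (timestamp, src, dst, dport, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return records


def detect_beacons(text, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER):
    """Return one finding per (src, dst, port) whose connection timing is near-periodic."""
    groups = defaultdict(list)
    for ts, src, dst, dport, nbytes in parse_log(text):
        groups[(src, dst, dport)].append((ts, nbytes))

    findings = []
    for (src, dst, dport), conns in groups.items():
        if len(conns) < min_connections:
            continue
        conns.sort()
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        mean = statistics.mean(intervals)
        if mean == 0:
            continue
        jitter = statistics.pstdev(intervals) / mean  # coefficient of variation
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "dst_port": dport,
                "connections": len(conns),
                "mean_interval_s": round(mean, 1),
                "jitter": round(jitter, 3),
                "nonstandard_port": dport not in STANDARD_PORTS,
                # An identical payload size on every poll is a second beacon hint.
                "constant_size": len({n for _, n in conns}) == 1,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(SAMPLE_LOG):
        print(finding)
```

Beacons that add random sleep ("jitter") or hide among many short-lived flows will raise the measured variation, so in practice the threshold is tuned per environment and combined with the port and payload-size hints rather than used alone.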
Characteristics of an Advanced Persistent Threat (APT)
The term "APT" was coined by US military and defense agencies. It refers to an attack in which an unauthorized person gains and maintains access to a network for an extended period of time. While early APTs were primarily aimed at political targets and government agencies, recent APTs have targeted enterprises. Sony Pictures, Home Depot and Target are three high-profile examples of companies that have suffered APT attacks in recent years.
APTs are designed to remain undetected, allowing attackers to steal as much data as possible. The malware is designed to operate over a long period, slowly accumulating data from servers and databases, aggregating it, and then sending it in a burst to a remote server.
APTs also seek to move from one server to the next without being detected by generating recognizable network traffic. Once the malware resides on the target server and other criteria are met, the attack either takes down the system or begins to control operations. The diagram below illustrates the seven steps of an APT attack, according to cybersecurity firm Netswitch.
Figure 1. The Seven Steps of an APT Attack
Source: Netswitch.net
In these seven steps:
1. Social engineering is used to identify those individuals possessing the needed access privileges.
2. Spear phishing is used to send spoofed emails or malicious links to those individuals in order to gain access.
3. Malware infection occurs on the network and the malware begins spreading to other systems.
4. Mapping locates the key assets within the network.
5. Privilege escalation grants higher privileges and access to higher-level resources.
6. Network spread occurs within the entire network, enabling communication with a command-and-control center.
7. Execution of the transmission of the desired data is activated by the command-and-control center.
Types of Attacks/Vulnerabilities
APTs can take a number of forms, including malware, spam, botnet and ransomware attacks, and hackers can take advantage of vulnerabilities in systems, such as the use of weak or common passwords.
Malware
Malware, derived from the phrase "malicious software," is software designed to invade others' computers and inflict harm. Examples include viruses and worms (the two most common types of malware), in addition to bots and Trojans, as described below.
Figure 2. Types of Malware
Bot: Derived from "robot," a bot represents an automated process that interacts with network services. Bots can collect information (as "web crawlers") or interact with instant-messaging or web interfaces and/or websites.
Trojan: Like the Trojan horse in ancient Greek literature, a Trojan looks legitimate but contains something harmful, in the form of software. Trojans can also create backdoors, but, unlike viruses and worms, they do not replicate.
Virus: Like a human virus, a computer virus replicates by inserting a copy of itself into another program. Viruses can cause data damage through distributed-denial-of-service (DDoS) attacks. They are typically attached to an executable (.exe) file and they spread from one computer to the next via networks, external disks, file sharing or e-mail attachments.
Worm: Worms work like viruses, but are stand-alone software that requires human assistance to spread. A worm enters a system via a vulnerability or social engineering and travels within the network via the system's file- or information-transport features.
Source: Cisco
There is a wide variety of malware that has been found in cyberspace, as depicted below.
Figure 3. Most Commonly Observed Malware, 2016
(Bar chart of sample counts by malware category. The categories shown are Browser Redirection (JS), PUA and Suspicious Binaries, Trojan Droppers (VBS), Trojan Downloaders (Scripts), Browser-Redirection Downloads, Phishing (Links), Android Trojans (Iop), Browser Redirection, Facebook Scam Links, Facebook Hijacking, Heuristic Blocks (Scripts), Trojans, Heuristic (Win32), Browser iFrame Attacks, Packed Binaries, Trojan Downloaders (JS), Android (Axent), Android Trojans (Loki), Malware (FakeAvCn), Trojans (HideLink) and Malware (HappJS); the per-category counts are not reproduced here.)
Source: Cisco, 2017 Annual Cybersecurity Report
The figure below illustrates the most commonly observed types of malware during a four-quarter period spanning 2015–2016. It shows that potentially unwanted applications (PUAs) and suspicious binaries remained a fairly constant threat over the period, whereas the number of Trojan droppers declined sharply.
Figure 4. Most Commonly Observed Malware, 4Q15–3Q16
Source: Cisco
Spam
Spam is named after a famous skit by British comedy troupe Monty Python in which the word, which is the name of a Hormel processed-meat product, is repeated in a silly way. It is unwanted and irrelevant email that is sent in bulk to a large number of recipients—the digital version of junk mail. Spam may or may not contain malware. Although many of us may feel like the amount of spam mail we receive is steadily on the rise, the graph below shows that spam volume has varied over the past 10 years.
Figure 5. Spam Trap Flow Statistics (Emails per Second)
Source: Abuseat.org
In some cases, authorities have been able to stop spammers. Shane Atkinson of New Zealand was exposed as a spammer in 2003 following the publication of a newspaper article about him. He then claimed he would cease his operation, which sent out 100 million emails per day. However, he continued his operation and was fined NZ$100,000 (US$70,474) in 2008.
The figure below illustrates a recent explosion in the incidence of spam that contains malicious attachments.
Figure 6. Percentage of Total Spam Containing Malicious Attachments
Source: Cisco
Due to the high volume of spam sent, and the high level of irritation it causes, an entire industry has emerged to prevent and detect it. But plenty of companies still generate spam email as well as mass mailings for legitimate purposes.
Two particularly difficult types of spam attacks to deal with are hailstorm attacks and snowshoe attacks, which both employ speed and targeting, and are highly effective. Hailstorms target antispam systems and take advantage of the window of time between the launch of a spam campaign and coverage by antispam scanners; typically, the window is only a few seconds or minutes. Snowshoe spam attacks, by contrast, aim to fly under the radar of volume-based detection tools in a steady but low-volume attack.
Botnets
A large number of infected, controlled computers can be aggregated to form a botnet, which can inflict large-scale attacks on servers and computers. One particularly destructive botnet is Mirai (Japanese for "the future"), which primarily targets IoT devices such as Internet cameras and routers.
Distributed Denial of Service (DDoS)
A denial-of-service (DoS) attack attempts to disrupt an Internet server by flooding it with superfluous requests that are intended to overload it and crowd out the legitimate requests. A DDoS attack is a DoS attack implemented from a large number of computers, e.g., from a botnet.
Ransomware
Ransomware is a type of malware that infects or takes control of the user's machine in an attempt by a hacker to extort a payment from the user. The malware typically locks and/or encrypts the user's computer, files or applications in order to prevent the user from accessing them.
Kaspersky Lab called 2016 "the year of ransomware," as malware developers were busy last year transferring resources from less-profitable schemes toward the development of ransomware. Kaspersky Lab noted the following with regard to the explosion of ransomware in 2016:
• The appearance of 62 new families of ransomware
• The number of ransomware modifications increased to 32,091 in the July–September period from 2,900 in the January–March period
• The number of businesses attacked by ransomware increased to one every 40 seconds in September from one every two minutes at the beginning of the year
IBM X-Force Research found that spam volume quadrupled over a period of 23 months from January 2015 through November 2016, including an increase in the attachment rate of ransomware from 0.6% to 40%.
Figure 7. Percentage of Spam with Ransomware Attachments
Source: IBM X-Force Research
There are three main types of ransomware:
1. (B)lockers/lock screen ransomware, which locks the user's screen, blocks all other windows and prevents the user from accessing the device
2. (En)cryptors, which encrypt data on the user's device and demand the user pay money to release the encryption
3. Master boot record ransomware, which blocks the record on the user's hard drive that enables startup
Skiddie ransomware (created by a "script kiddie," or unskilled individual) is ransomware that is based on programs developed by other individuals. Reaffirming the old adage about there being no honor among thieves, Kaspersky Lab commented in its Kaspersky Security Bulletin 2016, "We expect 'skiddie' ransomware to lock away files or system access or simply delete the files, trick the victim into paying the ransom, and provide nothing in return."
Cybercriminals typically demand ransom of $200–$10,000, according to the FBI. IBM conducted a ransomware study and found that 54% of consumers said they would pay $100 for the return of their financial data. It also found that 55% of parents, and 39% of nonparents, said they would pay for the return of precious photos.
Ransomware is surprisingly lucrative for cybercriminals targeting the corporate sphere. The CryptoWall ransomware has generated total ransom payments of $325 million, and the criminals behind CryptoLocker claim a 41% success rate, with total proceeds estimated as much as $27 million. An IBM survey found that seven in 10 companies that have been targeted have paid extortionists to get data back. Of those companies:
• 11% paid $10,000–$20,000
• 25% paid $20,000–$40,000
• 20% paid more than $40,000
The graphic below depicts an attack in which a criminal claiming to be acting on behalf of the US Department of Justice has used the agency's logo in order to extort the victim into paying a $200 ransom.
Figure 8. Example of Ransomware
Source: Wired
Scareware is a less harmful type of attack in which the attacker attempts to induce the victim to pay in order to prevent or remedy a nonexistent attack.
Privilege Escalation
Privilege escalation refers to exploiting a bug or weakness in an operating system in order to gain access to resources that were not assigned to the user. Examples of privileges normally reserved for a developer or system administrator include viewing, editing or modifying system files. Vertical privilege escalation, or privilege elevation, refers to a user gaining a higher privilege level, such as that normally reserved for a system administrator.
Exploits
Exploits make use of a command, methodology or routine in software that can be used to take advantage of security vulnerabilities. Zero-day exploits make use of undisclosed vulnerabilities to affect computer systems. Exploits operate within the "window of vulnerability," which is the period between the activation of the exploit and the patching of the vast majority of vulnerable systems. German computer magazine c't determined that antivirus software was able to detect 20%–68% of zero-day viruses, and an Internet security report from Symantec estimated that the average window of vulnerability is 28 days.
Backdoors
Backdoors refer to secret, undocumented ways of accessing a system, possibly using high-level privileges. Backdoors can be implemented in a hidden part of a program, an external program or through hardware, and they can take the form of hardcoded passwords. They differ from Easter eggs, which are unauthorized functions in programs that often pay tribute to the programmers. Backdoors and Easter eggs can offer opportunities for hackers or cybercriminals to find weaknesses and gain entry into a computer or network.
In 2015, network hardware maker Juniper Networks disclosed that it had found unauthorized code in an operating system running on some of its firewalls (existing since 2012). The code would have allowed attackers to take complete control of its enterprise firewalls running the affected software. Attackers would also have been able to decrypt encrypted traffic running through the VPN on its firewalls.
Source: Juniper.net
The advent of backdoors has made telecommunications equipment politically sensitive. Former National Security Agency (NSA) contractor Edward Snowden revealed that the NSA routinely intercepted routers manufactured by Cisco—without Cisco's knowledge—and installed hidden surveillance software on them prior to export. To prevent importation of such hidden surveillance software, the US government banned certain foreign telecommunications equipment providers from bidding on government contracts.
Bad Passwords
In early versions of the UNIX operating system, all users' passwords were hashed (mathematically transformed into an unintelligible series of characters) and stored in a publicly readable file called /etc/passwd. It was simple for hackers to run the English dictionary through the hashing algorithm and find passwords in the common file that were simple English words. Since then, the password file has been moved to /etc/shadow, which is accessible only by privileged users, and more sophisticated hashing algorithms have been developed.
Many computer users, overwhelmed by the number of passwords they need to memorize, resort to simple passwords that can be typed easily with a traditional QWERTY computer keyboard. These passwords, however, are easily guessed by hackers.
Figure 9. The 25 Most Common Passwords, 2016
123456
123456789
qwerty
12345678
111111
1234567890
1234567
password
123123
987654321
qwertyuiop
mynoob
123321
666666
18atcskd2w*
7777777
1q2w3e4r
654321
555555
3rjs1la7qe*
1q2w3e4r5t
123qwe
zxcvbnm
1q2w3e
*These passwords were likely created by bots. Source: HuffingtonPost.com
Passwords containing a mixture of capital and lowercase letters, numbers and punctuation (and not corresponding to dictionary entries) take a much longer amount of time to be generated by hackers' programs.
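The two defensive lessons of this section are that the passwords in Figure 9 should never be accepted in the first place, and that whatever is accepted should be stored with a salted, slow hash so that running a dictionary through the algorithm (the old /etc/passwd weakness) is expensive rather than instantaneous. The following is an added example (not code from the report or from any system it describes) that does both: a policy check that rejects the report's 25 most common passwords, short passwords, passwords with too few character classes and keyboard walks such as "qwerty", plus PBKDF2-based hashing and verification. The minimum length of 12, the three-class requirement and the iteration count are assumed policy values.

```python
"""Password policy check and salted, slow password hashing.

Added example built around the report's own list of common passwords.
The policy values (length, classes, iterations) are assumptions.
"""
import hashlib
import hmac
import os
import string

# The 25 most common passwords of 2016 from Figure 9 (the two entries the
# figure marks as bot-generated are included without their asterisk).
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "1234567", "password", "123123", "987654321", "qwertyuiop", "mynoob",
    "123321", "666666", "18atcskd2w", "7777777", "1q2w3e4r", "654321",
    "555555", "3rjs1la7qe", "1q2w3e4r5t", "123qwe", "zxcvbnm", "1q2w3e",
}

# Keyboard rows; any run of 4 adjacent keys (either direction) is a "walk".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

MIN_LENGTH = 12   # assumed policy value
MIN_CLASSES = 3   # of: uppercase, lowercase, digit, punctuation (assumed)


def character_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
    return classes


def has_keyboard_walk(pw, run=4):
    """True if pw contains `run` adjacent keys from one keyboard row."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in low or seq[::-1] in low:
                return True
    return False


def check_password(pw):
    """Return the list of policy violations; an empty list means acceptable."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("listed among the most common passwords")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(pw)) < MIN_CLASSES:
        reasons.append(f"uses fewer than {MIN_CLASSES} character classes")
    if has_keyboard_walk(pw):
        reasons.append("contains a keyboard walk")
    return reasons


def hash_password(pw, salt=None, iterations=200_000):
    """PBKDF2-HMAC-SHA256 with a per-user random salt.

    The salt defeats a precomputed dictionary (each user's hash must be
    attacked separately) and the iteration count makes every guess slow.
    Returns a self-describing string so the parameters can be upgraded later.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(pw, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", pw.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd", "qwertyuiop12", "Tr0ub4dor&3xample!"):
        print(candidate, "->", check_password(candidate) or "accepted")
```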
Hacktivism/Vigilantism/Cyberdissidents/Shaming
Some individuals turn to hacking in order to, in their view, do good. Hacktivism (derived from "hacking" plus "activism") is the act of breaking into a computer system to further a political or social goal. Internet vigilantism is the use of the Internet, including social media, to expose scams, crimes or unwanted behavior.
Cyberdissidents are professional journalists or activists or citizens who post news, information or commentary on the Internet that criticizes a particular government or regime.
Online shaming is the use of the Internet or social media to publicly humiliate those perceived as wrongdoers in order to counter injustice. Shaming can involve doxing—disclosing a person's private information such as their address and phone number online—which can make the subject a target of threats or harassment.
Internet-Powered Bank Heists
In an apocryphal story, when infamous bank robber Willie Sutton was asked why he robbed banks, he replied, "That's where the money is." By that logic, it is easy to see why cybercriminals have turned their attention to attacking financial institutions on the Internet.
In its Kaspersky Security Bulletin 2016, Kaspersky Lab noted an increase in "bank heists" in 2016, including attacks on stock exchanges and, notably, a successful malware attack on the SWIFT global financial messaging network.
In an article published March 25, 2017, The New York Times noted that North Korean hacking teams have turned their efforts toward banks. The article asserts that the country maintains an army of 1,700 hackers and 5,000 trainers, supervisors and support staff located in China, Southeast Asia and Europe. The group is allegedly behind a thwarted attack on a Polish bank, the theft of $81 million from Bangladesh's central bank and the attack on Sony Pictures in 2014.
Types of Hackers
According to cybersecurity education group Cybrary, the typical hacker is not the 15-year-old boy working at his bedroom desk that we might imagine based on what we have seen in movies. The group defines seven distinct types of hackers:
Source: Cybrary.it
1. Script kiddie: As mentioned previously, script kiddies copy others' code to repurpose it as a virus or as a Structured Query Language (SQL) injection, which is used to attack databases.
2. White hat: These hackers, also known as ethical hackers, use their computer skills to help others. For example, they might help companies test their resilience to outside attacks.
3. Black hat: These are the bad actors who attempt to find banks or companies with weak defenses in order to steal information. These types of hackers can be members of organized crime syndicates or state-sponsored infiltrators.
4. Gray hat: These hackers are more ambiguous in their hacking aims (they operate in a gray area). They do not generally steal from their victims, although they may deface websites. They tend not to use their hacking skills for good, although they could if they chose to.
5. Green hat: These are hackers in training, or "n00bz" ("newbies"), who seek to learn hacking secrets from more experienced hackers.
6. Red hat: This group represents the vigilantes within the hacker world. They use hacking techniques to disable or hinder other hackers, such as by uploading viruses to the hackers' own systems.
7. Blue hat: These are also fairly inexperienced hackers, who are known to purely seek to enact revenge on those who have angered them.
Organized Crime
Cybercrime is a billion-dollar industry, according to the United Nations Interregional Crime and Justice Research Institute, and the high rewards and low risk associated with cybercrime have attracted criminal groups that plan, organize and commit all forms of online crime, including fraud, theft, extortion, and child abuse. The decentralized structure and anonymity of the Internet make it difficult for law enforcement agencies to locate cybercriminals.
The Dark Web as Marketplace
The anonymity of the dark web (or deep web) has made it an ideal meeting place for criminals, hackers, drug peddlers, gamblers and child abusers, among others. As previously mentioned, nation-state-grade hacking tools are now available for a small sum, payable in untraceable bitcoin, making it possible for a larger number of individuals to commit high-level attacks.
A March 20, 2017, article in the International Business Times reported that a dark web vendor named "SunTzu583" had offered 21,800,969 Gmail accounts for $450 (0.4673 bitcoins) in addition to 5,741,802 Yahoo accounts for $250 (0.2532 bitcoins). Some of the accounts include passwords or hashed passwords, many of which were stolen as a result of data breaches of MySpace, Adobe and LinkedIn, and were already disabled.
State-Sponsored Hackers
Many attacks today are reportedly sponsored by nondemocratic states such as Russia, China and North Korea. The countries are reported to sometimes act alone and sometimes in cooperation with organized crime syndicates. The US, too, has used hacking and cyberwarfare to achieve military and foreign-policy objectives. For example, the US used the Stuxnet worm to disable Iranian centrifuges engaged in turning uranium nuclear fuel into weapons-grade material.
Examples of hacking by Russia, China and North Korea include:
• The infiltration of the US Democratic National Committee network by Guccifer 2.0, and the subsequent leak of the documents to WikiLeaks. Guccifer 2.0 claimed in an interview to be Romanian, but cybersecurity experts believe that the entity is a Russian state-sponsored hacking group.
• The hacking and release of emails residing on Sony Pictures' servers. The hack was attributed to North Korea as revenge for Sony releasing the film The Interview, which satirized North Korea's leader, Kim Jong Un.
• The theft of as many as 21.5 million records from the US Office of Personnel Management. The records included security clearance information, personal details and biometric information. China is the suspected perpetrator of the attack.
• The infiltration of Ukraine's electrical power grid, resulting in three energy distribution companies being invaded, 30 electrical substations being switched off, and about 230,000 people being left without power for several hours. According to company representatives, the attack derived from computers with Russian IP addresses.
Current and Former Employees
Unfortunately, many information systems are infiltrated by disgruntled employees or former employees. Current employees can sometimes obtain supervisor credentials and use them to grant themselves or their cohorts certain privileges (privilege escalation). These privileges allow them to snoop on off-limits servers, data and services, which can be viewed for entertainment, data theft or sabotage.
In addition, employees in some industries (such as financial services) may seek to transfer sensitive company information, including client lists and other data. They may transfer the information by email, by uploading it to cloud-based servers or by saving it to an external storage device before leaving to work for a competitor.
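As an added example (not part of the report), a small audit-log review routine in Python that looks for the insider pattern just described: a supervisor account granting privileges while being used from a workstation that is not the supervisor's own. The audit-event format, the host-to-owner table and the sample log lines are all constructed assumptions.

```python
"""Flag privilege grants that look like a borrowed supervisor account being used
to elevate an insider or a cohort. Added example, not from the report; the audit
event format and the host-to-owner mapping are assumptions."""
from collections import namedtuple

Event = namedtuple("Event", "ts actor action target host")

# Constructed sample: which workstation is assigned to which user.
HOST_OWNER = {"ws-alice": "alice", "ws-bob": "bob", "ws-sup01": "supervisor"}

# Constructed sample audit lines, format: ts|actor|action|target|host
SAMPLE_LOG = """\
2017-06-01T09:02:11|supervisor|grant_role:db_admin|carol|ws-sup01
2017-06-01T22:41:05|supervisor|grant_role:db_admin|alice|ws-alice
2017-06-01T22:43:19|supervisor|grant_role:file_share_admin|bob|ws-alice
2017-06-02T10:15:00|alice|read|/srv/hr/salaries.csv|ws-alice
"""

def parse(line):
    ts, actor, action, target, host = line.rstrip("\n").split("|")
    return Event(ts, actor, action, target, host)

def suspicious_grants(log_text, host_owner=HOST_OWNER):
    """Return (event, reason) pairs for role grants issued from a workstation
    that is not assigned to the granting account, noting when the grant
    benefits that workstation's owner (a self-grant with borrowed credentials)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if not ev.action.startswith("grant_role:"):
            continue  # only privilege grants are of interest here
        owner = host_owner.get(ev.host)
        if owner is None:
            findings.append((ev, "grant issued from unregistered host"))
        elif owner != ev.actor:
            why = "granting account used from host owned by " + owner
            if ev.target == owner:
                why += "; grant benefits that host's owner (self-grant)"
            findings.append((ev, why))
    return findings

if __name__ == "__main__":
    for ev, why in suspicious_grants(SAMPLE_LOG):
        print(ev.ts, ev.actor, ev.action, "->", ev.target, "|", why)
```

Run against the constructed sample, the first grant (issued from the supervisor's own workstation) passes, while the two late-night grants issued from Alice's workstation are flagged, the first of them as a self-grant.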
Notable Cases of Hacking
There have been a number of high-profile hacks of large corporations in recent years, including:
• Home Depot: An individual who stole a vendor's password and used vulnerabilities in the Windows operating system to move to a more secure system stole information on 56 million credit card accounts, as well as 53 million email addresses, from Home Depot. A Windows patch was installed, but not until after the infiltrator had already entered the system.
• RSA: Ironically, this cybersecurity company (now a division of Dell) was invaded in March 2011 via a phishing email with an embedded Microsoft Excel worksheet. The email allowed a hacker to take advantage of a vulnerability in Adobe Flash software to install a backdoor, which was then used to steal passwords and company data.
• Target: In December 2013, Target disclosed that hackers had stolen credit and debit card data on as many as 40 million accounts via malware installed in the company's payment system. The company's FireEye malware detection software had issued an alert, but it was not heeded.
• TJX Companies: Over an 18-month period through 2007, 46.5 million credit and debit card numbers were stolen from TJX Companies. At the time, it was the largest data breach ever.
• Yahoo: In February 2017, Yahoo disclosed that it had been hacked a third time. A breach in August 2013 allowed hackers to steal details for 1 billion user accounts.
Deborah Weinswig, CPA
Managing Director
Fung Global Retail & Technology
New York: 917.655.6790
Hong Kong: 852.6119.1779
China: [email protected], CFA
Senior Analyst
Hong Kong: 8th Floor, Li Fung Tower, 888 Cheung Sha Wan Road, Kowloon, Hong Kong. Tel: 852 2300 4406
London: 242-246 Marylebone Road, London, NW1 6JQ, United Kingdom. Tel: 44 (0)20 7616 8988
New York: 1359 Broadway, 9th Floor, New York, NY 10018. Tel: 646 839 7017
FungGlobalRetailTech.com