Security Reports

Global Security Report: End of Year 2015


It’s been another rough year for netizens. Many different groups of attackers utilized many different avenues in order to help part the innocent from their money and their data, with the two being almost synonymous at this point. Once again, like in 2014 (and as we have predicted for 2016), major breaches filled media headlines costing victims hundreds of millions of dollars. Five major hotel groups, including The Trump Tower, Starwood Resorts, Hilton, and the Mandarin Oriental and White corporations, were among many others who continue to deal with breaches involving their point of sale systems (POS).

Others, including the United States government and the IRS, suffered breaches linked to international bad actors in China and Russia. Other attacks continued to invade inboxes as demonstrated by the spike in malicious activity at the end of November leading into December.

And let’s not forget everyone’s least favorite malware du jour, Cryptolocker and its many forms. This updated and aggressive family of crypto-ransomware continues to wreak havoc on those who refuse to make proper backups, which renders their data vulnerable, and consequently, their money. Here are a few of the more interesting events from 2015. These are presented as cautionary tales, stories to help keep everyone security minded and always thinking about what they can do to protect themselves and their businesses.

 

 

Cyber Security Legislation

In April 2015, the U.S. House of Representatives passed two cybersecurity bills: The Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act (NCPA). Both bills are aimed at enabling and incentivizing sharing of cyber threat information. The NCPA authorizes sharing of information with the Department of Homeland Security, while the PCNA allows for information to be shared with a broader range of agencies, provided the threats are more closely related to those agencies. For example, an energy company, like a power plant, would choose to share cyber threat intelligence with the Department of Energy, while a bank would share their breach with the Department of Treasury.

Meanwhile, the European Union is set to enact its most extensive data protection law to date: the General Data Protection Regulation (GDPR), The GDPR will replace the outdated E.U. Data Protection Directive of 1995 with new requirements that will cover issues from personal data privacy to corporate data breaches .

For individuals, the GDPR will protect their "right to be forgotten,” meaning an individual may request to be erased from a company’s database holding their personal data, provided there are no legitimate grounds for retaining it.

For multi-national companies operating in the European Union, the legislation will require data breaches to be reported to a supervisory authority without delay as soon as they have been discovered. Failure to comply with the GDPR could result in a hefty fine: four percent of the company’s global turnover.

 

 


Malicious Microsoft Macros

 

 

One of the common malicious attachment campaign types from this year was related to macros enabled documents. Macros are scripts built in to Office documents, like Excel or Word files. While these are rarely utilized by most users, hackers can use this often enabled feature to turn a Word file in to a malicious payload.

The emails carried a wide range of text to try and convince users to open the attachment, most commonly under the guise of an invoice. Macros are disabled by default in a normal Office installation. However, to bypass this, many hackers attempt to trick users, saying they must “enable” macros to see the real message, undoing all of Microsoft’s precautionary measures.

Most malicious macros are structured to download the actual payload from a remote server before executing it. This allows them to send a unique Word file that circumvent the victim’s local antivirus software, but also keeps the main payload remote and under the hacker’s control.

Hackers choose Word files over an .exe because users are more likely to simply open a Word file over opening an .exe. And along the same lines, if users have permanently enabled macros, they will get infected simply by opening the file. With users dealing with Word files much more than .exe files in email, this makes this attack vector a dangerous one for user that may not pay 100 percent attention to what they are clicking or from whom it came.

 

 


The Digital Ransom Business

 

Thanks to the emergence of Cryptolocker Trojan and its clones back in September of 2014, ransomware has become a household name. However, ransomware is not new; it has been around for about three decades when people began to own their own personal computers.

Historically, ransomware has been easy to bypass as it would typically lock the screen of the computer while demanding a ransom. A user needed only to circumvent the malware’s foothold in order to restore the computer to its normal working order. Often this was as easy as booting into Safe Mode and removing the offending files and services, much like many other non-complex Trojans. The simplicity of removing this rudimentary malware made it appear as more of a nuisance than malware, hence why “ransomware” seems like it has only just appeared in the past year.

The eloquence and effectiveness of Cryptolocker began to flood the mainstream media (and our support department) with ransomware attacks in September 2014. Now, instead of simply making a half-hearted threat with a splash screen that made a threat and demanded a ransom, the new family of malware encrypted every document on its victims’ machines that it could find. This way, even if someone were to uninstall the malware component, all of their files would still be unusable due to the fact that they were encrypted with one of the industry’s most trusted algorithms, AES.

In addition to that, the AES key, required to decrypt the files, was again encrypted with yet another strong industry standard, RSA-2048. This made the retrieval of the encrypted files nearly impossible without the decrypted key from the bad guys.

Some industry professionals were able to figure out how to crack the original Cryptolocker keys after having gathered a good deal of these keys and reverse engineering them against samples of the encrypted files. This took so long happen though, it was too late for most businesses who had by then chosen between paying the ransom or starting over on all of their encrypted files—from scratch. Additionally, these tools were introduced after several new versions of the malware had already been released and were actively making the rounds.

Even though any network or IT security professional at the time already knew the importance of good routine backups, everyone got to learn how many of those professionals were actually doing it. In fact, a good backup is all it takes to completely render a crypto attack such as these null and void. The sad fact was that tons of people fell prey to successful Cryptolocker attacks, which means that none of these businesses were practicing some very basic security protocols.

In October of 2015, FBI special agent Joseph Bonavolonta, told attendees at the Cyber Security Summit 2015 in Boston that those who find themselves infected with heavy hitters such as Cryptolocker or CryptoWall, may be better off simply paying the ransom. He was saying this likely because there had already been a solid year full of these crypto attacks and they were still widely successful. Obviously, people still hold on to the “It can’t happen to me” attitude instead of performing simple and necessary security procedures, such as making backups, otherwise people wouldn’t have anything to worry about.

We believe that businesses should never help cybercriminals profit off of extorting their victims by paying a ransom. Instead, businesses should back up their files regularly, eliminating the need of paying the ransom. Ultimately, if IT professionals would schedule regular file backups, no matter how good the encryption code was, ransomware campaigns would all fail, since there would be no need for a business to pay a ransom.

Unfortunately, the outlook is bleak for businesses who do not back up their files. There have been several versions of crypto-ransomware this past year and they are still working and victims are still paying these criminals. Thanks to this, we can guarantee that we will continue to see old and newer versions of ransomware flooding the Internet.

 

JavaScript Obfuscation

Along the same lines as macro files, we saw a large increase of volume in malicious JavaScript files in the later parts of 2015. Hackers write the JavaScript in an obfuscated way, to throw off anyone or anything, like an antivirus engine, analyzing the malware. 

JavaScript files were used frequently in campaigns for crypto-ransomware, like TeslaCrypt in 2015. The benefit of a hacker using this type of file format is that they can continually write the malware in a way to bypass AV engine signatures, by developing bloated arrays and complex algorithms to pilfer valuable data from the array of “useless” information. 

Once they have found a version of their JavaScript file that can avoid the detection of most antivirus solutions, they can then use a botnet to send out millions of email messages with the malicious files attached. And since the JavaScript files are so small, these campaigns usually come in very heavy in counts so they can get as many of the messages through scanners as possible before an antivirus solution blacklists it. Luckily, many AV engines are able to recognize when a file is attempting to execute malicious actions due to the basic similarities obfuscated JavaScript files share.

 


Wire Transfer Fraud

 

The use of social engineering to defraud companies via wire transfer emails also picked up in 2015. The targeted users represented many verticals, from large enterprises to small nonprofits. Typically in these fraudulent emails, the victim, who is normally a high level executive, receives a spoofed message from a hacker posing as the CFO, or even CEO of a partner company, requesting a money transfer be placed for a vendor payment or company acquisition. Of course, instead of this money being applied to the vendor or merger in question, it instead is applied to a remote account the hacker controls.

These messages can be innocuous at first, with the hacker (disguised as an executive or internal employee) asking the victims if they are at their desks. To pull this off, the hacker sends the emails using a display address of the company’s domain, but uses a reply-to address of an external domain, often a free email service. Using this method, the victims can often end up conversing with the hacker via email without realizing they are being duped.

This method is used to steal thousands of dollars from companies in fraudulent transfers, often with the requests in the $20-50K range. While that is quite a bitter pill to swallow, many attempts are for much higher amounts and can lead to financial ruin for some companies.

A network hardware company called Ubiquiti was victim to one of these schemes in mid-2015, except instead of wiring tens of thousands of dollars, they were defrauded of $40M. They were able to recover a few million, but it is likely that the majority of the cash will never be back in their hands. Many companies spend much time and money on protecting their network traffic or public facing servers from hacks, which is extremely important. But these social engineering spear phishing attempts are why it is equally paramount to protect employee communications as well.

 


Point of Sale Malware

Consumers and businesses alike have become cognizant of every time a major retailer is involved in a breaking-news data breach. . This is mostly thanks to the many breaches involving the retailers’ point of sale systems, the network that takes care of all of the sales transactions. Most people will picture it as the terminal and device that credit cards are swiped through at the cash register. These devices also feed a company-wide database of all of these transactions, including credit card and bank account numbers for any shopper who has ever swiped a credit card in the store.

When the Target and Home Depot breaches occurred just over a year ago, nearly 166 million credit card numbers combined were stolen from these two companies. Even after these major breaches, many companies would fall prey to these breaches repeatedly. This made many consumers afraid to use their credit cards when shopping as they worried over which retailer would be compromised next.

Ultimately, these breaches compelled several U.S. banks to finally adopt chip and PIN enabled credit cards, which the U.K. has successfully been using for quite some time. However, many retailers either do not use or do not have the proper chip readers, meaning that while the banks get an A for effort, the same vulnerabilities with magnetic strips are still there. Most of these breaches occurred because hackers were able to get user credentials to internal systems or even third party systems, such as a business’ HVAC vendor’s control networks. From there, hackers were simply able to pivot through these initial entry points and into the retailers’ networks where they were able to find for a treasure chest—of credit card and banking numbers.

POS malware works very simply. Using small bits of code at credit card terminals, it waits for credit card transactions and copies each one as it is made. Once it has accumulated a large number of these transactions, the software will send it off in bulk to the hackers, just like the legitimate credit card transactions are batched at the end of the shopping day and sent off to the bank. Because the malware is so small and the actual point of the initial breach can be hard to detect or locate, many of POS malware is quite effective and copycat hackers continue to use these techniques.

It is important for retailers to maintain robust authentication policies, such as two factor authentication, whenever possible, to prevent a hacker from infiltrating their POS network. Also, since many of these attacks involved third party vendors, it is just as important to make sure that third party vendors are also enforcing vigorous authentication policies.

 



Major Breaches of 2015

While data breaches aimed at stealing credit card numbers continued, we also saw many attacks against industries with access to consumers’ personally identifiable information, such as health insurance companies and dating sites. These industries’ databases typically hold a trove of personally identifiable information, like health records, social security numbers, and addresses, making them the prime targets for a hacking attempt.

 


Anthem and Premera Breaches

Two of the biggest health insurance breaches included, Anthem the U.S.’s second largest health insurance company, and Blue Cross Blue Shield provider, Premera. The combination of these two attacks resulted in the largest breach involving medical records to date, a combined 90 million records between them.

While compared to the combined 166 million credit card numbers between the 2014 Target and Home Depot breaches, it may seem like the 90 million records pale. However, when considering that the 90 million records often contained home addresses, email addresses, names, and even social security numbers in each breached record, it dwarfs them.

The personally identifiable information gained in these breaches gives hackers detailed information about their victims, which is used for nefarious reasons. Aside from using this stolen information to create fraudulent accounts in the victims’ names, hackers also had the opportunity to use victims’ personally identifiable information in spear phishing attacks, such as requesting money for a medical procedure recorded in their health insurance.

Unlike previous data breaches that were linked to organized crime groups, these attacks seem to link to state-sponsored attacks from China. Chinese hacking groups Deep Panda and Shell Crew, were among several groups that were speculated to have been trying to access the Anthem database since early 2014. After they succeeded with Anthen, they targeted their sights on Premera.


LastPass Master Passwords Pilfered

On June 15, 2015, the secure password management company, LastPass, started informing users of a data breach. The breach of LastPass data was alarming to many consumers since security and passwords are the company's cornerstone. Some of the data stolen during the breach included email addresses of users, password reminders, and authentication hashes. While this was very alarming, possibly the worst part to hear for users was that their master password hashes had been taken.

LastPass did assure users that their password vaults were not taken (the vault contains all of the stored passwords that were saved by the user), but as any LastPass user knows, having the master password means the hacker could obtain access to everything. Fortunately, LastPass actually uses a strong protection of the master passwords by using "a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side." While this was somewhat reassuring, LastPass still strongly advised their customers to change their master passwords and to consider using two-factor authentication.

 


Ashley Madison Users Make a Date with Fate

Ashley Madison, a dating website specifically for married people who want to have an extramarital affair, was targeted in a “hacktivist” attack by the Impact Team intended to expose the unfaithful to the world.

The data was first stolen in July and in August, Anonymous threatened to release the data publicly–if the Ashley Madison website (and its affiliated site Established Men) were not taken offline entirely. Ashley Madison executives thought the hacktivists were bluffing and chose to remain operational. When the deadline passed to take down the site, the unfaithful customers’ data was released via the Dark Web and BitTorrent, with numerous sources (including a few of Ashley Madison’s publically-disgraced customers) having indicated that the data dump was indeed the real thing.

The allure of Ashley Madison to many was its promise of discretion and security; after all, these were mostly customers who did not want their spouses to know what they were doing. However, following the dump on the Dark Web, it was revealed that Ashley Madison at times never bothered to confirm email addresses being used to register accounts. In other words, virtually anyone could register an account using someone else’s email address, meaning many on the last may have been morally inculpable, but incriminated by someone else.

Whatever one’s opinion about whether the Impact Team acted as a vigilante or villain, it has opened many questions related to online security practices that any company that handles personally identifiable information should be following. Additionally, the exposed credit card numbers and addresses touched many more than the customers’ themselves; it also brought embarrassment and fraud to many families.

Shortly after the database was leaked, attacks began utilizing the information to blackmail the victims. The Impact Group, the same group that claimed the original breach was hacktivism, began blackmailing the exposed victims. The Impact Team threatened to email the victims’ family “proof” of their unfaithfulness (financial transaction records on the site linked to their personally identifiable information) unless they paid the extortion, normally around $450. While many may think Ashley Madison’s victims are beyond reproach, this tactic could be used with Anthem and Primera’s patients’ health records.

 


Experian Extends Credit to Hackers

In late September of 2015, global information services and credit bureau, Experian announced that they were the victim of a data breach that may have been transpiring over the past two years. The hackers managed to leverage a flaw in Experian’s encryption implementation to gain access to data belonging to consumers who had applied for financing with mobile phone and data provider, T-Mobile. According to Experian, the attackers nabbed 15 million records held in one single file containing the names, addresses, and social security numbers of the T-Mobile applicants. Naturally, the stolen information was then sold on the Dark Web. Experian offered affected consumers free credit monitoring after the breach.

 


OPM & IRS Breached

The Office of Personnel Management (OPM) is entrusted with protecting the millions human resources records from current and former federal workers, including military service members. When the OPM announced in Q2 that an estimated 18 million federal workers’ OPM records had been compromised, it was particularly disturbing that a federal agency was not immune from cybercrime. Included in the personal data stolen were financial histories, foreign trips taken, current and past residences, names of neighbors/friends/coworkers/roommates/relatives, and social security numbers. Since the OPM handles sensitive information, like security clearances, they are privy to confidential information revealed during an investigation for approval. This could be a hoard of data for anyone looking to contact and phish information about individuals involved in the breach, or worse, to blackmail them into doing something illegal.

While there is currently no definitive proof of who orchestrated this breach, the U.S. government is claiming it was linked to a hacking group based in China. Of course, China has denied any such claims. The U.S. also says there is evidence linking the OPM intrusion to one earlier in the year that involved the large insurance provider Anthem.

A class action lawsuit has been filed against the OPM by those affected. A key point to see in the filed lawsuit is that since 2007, the OPM has been informed by its Office of Inspector General that there were serious problems in their cybersecurity, and allegedly the OPM failed to take any action on those issues. If this is indeed the case, this very well shows why no company should ignore security risks to systems, especially for years.

Bad luck did not end there for the U.S. government. Between February and May of this past year, another division of government, the IRS was also hacked, this time by a Russian group who made off with 334,000 private tax payer records.

In this instance, the hackers used information about the tax payers involved which they had gleaned from other sites around the Internet in order to correctly answer security questions in the IRS’s ‘Get Transcript’ application. The ‘Get Transcript’ application allows individuals to view their own tax account information and transactions. In this instance, it allowed hackers to reroute the potential tax returns of its victims to accounts held by the attackers or their mules. At the end of the day, this hack generated around $50Min stolen funds. In response to the hack, the IRS notified the victims of this attack by mail and offered them free credit protection and Identity Protection PINs.

Attacks such as this one demonstrate a strong reason why consumers should share as little personal information as necessary online. Even seemingly harmless information shared on social media sites, for example, can be used against its victims in spear phishing attacks. In addition, consumers should make sure that they are really choosing challenging passwords and security answers online. For example, and avid dog lover who posts pictures of his dog with the dog’s name to social media would be wise to pick a security question/answer that does not include the pooch.

 


Metrics – 2015


Traffic by Region

This chart represents region of origin for spam as detected by AppRiver filters. North America was the point of origin for nearly half of the spam AppRiver’s filters saw in 2015.

Region of Origin for spam as detected by AppRiver filters


 

This chart represents the top ten countries (not including the U.S.) from which spam originated during 2015 as seen by AppRiver’s filters. The U.S. remained the top point of origin for spam as AppRiver’s filters saw nearly 8.6 billion spam and malicious emails with the U.S. as its point of origin throughout 2015. The Netherlands is seen here in the top ten for the first time and was second largest spam point of origination in 2015.

Top ten countries from which spam originated during 2015

 

 

 


Spam Traffic

This chart displays spam traffic throughout 2015. Spam traffic remained at similar levels seen in the previous year. In all, AppRiver quarantined around 26 billion spam messages in 2015.

2015 Spam Traffic

 

 

 


The chart below displays spam and malware email traffic as a percent of all email traffic. Throughout 2015, spam comprised around 81-87 percent of all email traffic observed by AppRiver’s filters. However, the month of December proved to be an exception to the prior trend. Where malware comprised roughly four percent of all email traffic from January-November, the figure spiked tremendously in December as malware comprised 27 percent of all email traffic during that month.

2015 Malware email traffic

 

 

 


This chart displays virus traffic from 2015. Malware distribution was steady until late November. Beginning in the last few days of November and throughout December, AppRiver’s filters saw an unprecedented spike in malicious emails. Virus traffic in December was the largest volume AppRiver has seen in a single month ever. In the first 11 months of 2015 (Jan-Nov), AppRiver’s filters quarantined 944 million emails containing malware. However, in December alone, AppRiver’s filters quarantined 705 million messages containing malware.

2015 Virus traffic

 


Top email virus threats

These are the top 20 malware threats AppRiver saw in December 2015 in order of frequency, with the most frequent appearing in the top position. The virus names that begin with "X." signify rules that were written by AppRiver’s security analysts. This does not mean that other antivirus vendors did not eventually have definitions in place for these viruses; it simply means that AppRiver often had protection in place before any of them.

Top Email Virus Threats

  • X.ObfJSheurNM1214a
  • X.MrinvBasic.exe
  • X.ObfJS129a
  • X.EmbdMacIV1215b
  • X.YTBNscr.zip
  • X.ObfJS122a
  • X.BDdocMGenMal.mso
  • X.BadMacAOa_b.doc
  • X.EmimMacGen1130
  • X.HeurFXexeBSc.exe
  • X.HeurFXexeBSa.exe
  • X.BDexYR.heurB.exe
  • X.HeurNMQ.exe
  • X.MSdl.STRMa.mac
  • X.BDMcrHeurDoc.doc
  • HEUR\Infected.WebPage.Gen
  • X.W32Troj.patre.zip
  • X.Suspw18IMp.exe
  • X.MSW.Mac.DLfile.100114a
  • X.HeurFXexeBSb.exe