Security Reports

Once again it was another busy year in the cyber security realm. We certainly saw our fair share of what has become commonplace attacks from botnets such as Zeus and Asprox as they attempt to spread spam and malware campaigns ad infinitum and attempt to build their numbers at the same time. We also saw some activity in the geo-political side as apparent hacktivists and nation states conducted cyber-attacks against their marks. However, one topic was certainly discussed above all else and that was the massive amount of data breaches that occurred during the year. Though nothing new, the breaches of 2014 gained so much attention due to their high profile victims and the widespread effects on so many people. This wave that would envelope the entire year actually began late in 2013 with the massive Target breach during the Holiday shopping season where around 70 million personal records were stolen which eventually led to a 46% loss in profits for the corporate giant. This 12 month report will discuss these issues and many of the others we witnessed in 2014. In addition we will share metrics as seen by AppRiver's SecureTide™ and SecureSurf™ filters from our nodes throughout the world. We'll point out recent trends in spam and malware both from an email and web perspective and share some insight about what we can expect for the rest of the year.

Troy Gill: Proposed cybersecurity laws

The Year of the Breach

Before 2014, the world had certainly fallen victim to cyber breaches. Breaches would occur in a random smattering that gave the illusion that it was rare and possibly more difficult for the average internet user with ill-intent to pull off. Unfortunately, this infrequency of the past likely led to the strengthening of the "it won't happen to us" attitude that so many individuals, SMB's and major corporations adopted and held on to. There has always been an issue in business when it comes to strengthening security and that has been the struggle to convince those in control of the purse strings that the cost of prevention is much less than the cost of remediation. This left a lot of companies vulnerable to the barrage of attacks against high profile retailers and service providers during the year of 2014.

Fred Touchette: "The Year of the Breach"

According to the resources at the Identity Theft Resource Center, there were 761 unique cyber breaches during the past year that led to theft or compromise of 83,176,279 individual records. These numbers are compiled from reported cases of breaches by the companies themselves or reports from other reputable sources. The victims of the breaches include healthcare providers, service providers and major retailers.

While technically still in 2013, the December attack on Target's Point of Sale systems really set the scene for the breaches that were to come in 2014. It was just before Christmas time when everyone was out and about shopping for the holidays when some disturbing news that attackers had found a way to slip a simple piece of data scraping malware by the name of BlackPOS or Katoxa onto all of the point of sale systems and at each Target store. This led to the realization that over 40 million customer debit and credit card accounts were then exposed to the attackers. If these numbers were to be included in the 2014 figures that would add up to over 123 million compromised accounts total. Certainly this was a record setting year.

Just as the details of the Target breach were coming to light, it began to become frighteningly apparent that they weren't the only ones affected by this new wave of attacks. Very shortly thereafter, announcements would begin airing claiming Beef O'Brady's, Staples, Home Depot and Sally's Beauty Supply would also be among those who were infected with PoS scraping malware.

Home Depot would be the biggest single PoS style breach to happen during 2014 , exposing around 56 million accounts and 53 million customer email addresses between April and September which is over half of the total accounted breaches of the entire year and the largest retail credit card incident on record. This was obviously a huge blow to the company creating a lot of trust issues between the retailer and its customers, but this wasn't Home Depot's only problem during 2014. The popular hardware mega store also had its share of inside jobs during the year beginning in February when 3 HR employees were arrested for illegally accessing fellow employee data and setting up fraudulent credit card accounts. This event led to the exposure of around 20,000 accounts. Fast forward to May where for a couple of weeks a single Home Depot employee, operating out of the tool rental area of their store, began accessing systems in order to obtain credit card transaction info specific to tool rentals. This led to the exposure of another 30,000 private records.

Monetary gain wasn't the only reason for the attacks this past year as other groups used hacktivist reasoning to gain entry and expose customer information as well. One of those major targets was the Sony Corporation who just doesn't seem to learn their lessons. Some would think that a high profile attack back in June of 2011 by hacktivist group Lulzsec, who utilized a simple SQL injection attack to gain its access to Sony's systems, would have led to immediate action as far as the strengthening of and heightened awareness in all things security, and perhaps they did make changes, but as 2014 proved, it was not enough. Sony was the target of two separate attacks in December 2014 alone by two separate groups. One group called themselves the Guardians of Peace and attacked Sony on December 2nd exposing 47,740 employee records as well as stealing unreleased movies and materials. This was all in the name of stopping the movie "The Interview" from airing which depicts North Korea's Kim Jong Un in an apparent unsavory light. A few weeks later, on Christmas Day, when all of the good boys and girls around the world were unwrapping their new video games and anxiously scurrying towards their game systems were a bit more than flummoxed to find that the entire PlayStation Network as well as Xbox Live, which is required to play online, was down, suffering from Distributed Denial of Service attacks by another group calling themselves the Lizard Squad. Even though the Lizard Squad deals more in DDoS attacks as opposed to actual breaches, their efforts were not left unnoticed. They have even been engaged in selling a DDoS subscription tool by the name of Lizard Stresser, all of this even while one of the members of the group suspected to be involved with the Christmas Day attacks, as well as other cyber fraud activity, has been arrested and is awaiting trial.

Fred Touchette: A stronger security posture

Here is a brief and incomplete list of a few of the other high profile breaches from 2014:

Troy Gill: What's missing from the new legislation

Vulnerabilities

Much like some of the very high profile data breaches of 2014, some equally as troubling vulnerabilities made themselves known during the past year, some threatened to make us think about whether or not or online communications were safe at all in any situation. The answer is yes, but only if precautions are taken. Though, these news-making threats to security tried to prove otherwise.

The first major vulnerability of the year was most certainly the Heartbleed Bug or CVE-2014-0160. Heartbleed was a hole in OpenSSL's implementation of TLS or its Transport Layer Security Protocols. The news of this bug spread very quickly as it left over half a million websites exposed to what was thought to be secure communications to hackers. Aside from being used independently the OpenSSL platform is also a native component of Linux and therefore affected all sites utilizing the Apache or Nginx platforms. Shortly after its public announcement, proof of concept Heartbleed exploits began popping up on the internet, mostly by security researchers. The connotations of Heartbleed was pretty scary, though the powers that be were quick to plug the hole and everyone escaped relatively unscathed.

The next big hitter on the vulnerability scene was a bug by the name of Shellshock. Shellshock was another blow to the open source community and others as it affected the Bash Shell available in every version of Unix, this includes Linux as well as Apple systems who share the shell. Shellshock, as it turns out, is a vulnerability that has been lying dormant in Bash since its inception 23 years ago and was only recently discovered. A cleverly crafted, yet simple one line code can be given to the Bash shell with this vulnerability in order to get the host machine to execute hidden commands. These can be used to gain private information or to further infect the host. In this case, the bad guys wasted no time in leveraging this exploit in order to create a Shellshock botnet by the name of "Wopbot". Wopbot was used primarily for DDoS style attacks against Akamai and the Department of Defense.

Another big vulnerability came with a seemingly unusual name, POODLE. POODLE doesn't actually refer to a breed of dog in this instance but instead it is an acronym standing for - Padding Oracle On Downgraded Legacy Encryption. The attack utilized a man in the middle style set up to intercept communications and would force downgrade the affected browser's security. That is, if a client and server were trying to use SSL 3.0 or TLS in order to secure communications, the POODLE exploit could be pushed into the transaction forcing them both to downgrade the security of their communication to something more vulnerable such as SSL. POODLE was soon referred to as Poodlebleed referencing Heartbleed from earlier in the year. Even though Poodlebleed made less of a news splash than Heartbleed, it could've proven a bit more dangerous considering it could affect any system utilizing SSL 3.0 as opposed to Heartbleed that only affected OpenSSL implementations of the security protocol.

Attacks

As was to be expected, 2014 was another active year on the cyber front lines. We saw countless new threats attempting to break their way into unexpecting or unsecured systems. Botnet building activity remained high with front runners Zeus and Citadel, banking Trojans, leading the pack and Asprox, a botnet focused on sending spam, coming in a close third. While this has become the norm in day to day activity, it was the new advances in Ransomware that got everybody's attention early on this year.

They came in a few different varieties beginning with Cryptolocker and then Cryptowall, followed by Cryptodefense, but they all packed the same punch that caught a lot of people off guard. By now most people have likely dealt with or at least have heard of these particular attacks and most people have learned about the value of a good file backup policy because of them. For those who may still be luckily unaware of this alarming wave of Crypto-Ransomware, here's a brief refresher. This malware would first enter a system primarily through email, though later versions did utilize drive by download techniques from infected websites. Once the malware was executed it would begin to encrypt nearly every file on the victim's hard drive save for those that the computer required to operate. After it finished this AES and RSA style encryption it would then notify the target of what was going on. They would be served a pop-up window that explained that all of their files were now encrypted and in order to get the private key needed to unencrypt them, they would need to pay a ransom. The ransom varied but was usually between $100 and $300 USD. If the ransom wasn't paid within the time period, the files would be gone forever. There were mixed reports from people that gave in and tried to pay the ransom. Some people claimed it to be successful while others not so much. AppRiver's own testing proved to be unsuccessful where we attempted to submit a "payment", but never received a reply either way. So most people learned that the best way to bounce back from a Cryptolocker infection was to wipe the infected machines and restore them from backups. This is when a lot of people realized that they should have been backing up their important files the hard way.

Sony, Cyber Attacks, and Sanctions

In 2014 we witnessed a first in the cybersecurity world; real life sanctions on a country for a cyberattack. The beginning of this series of events started with a movie produced by Sony Pictures called 'The Interview'. The movie was a comedy about a plot to assassinate Kim Jong Un, North Koreas leader. North Korea took great offense over this and gave some remarks about how there will be consequences if it was released.

Then comes the attack against Sony where a few things happened. The network was breached, documents and emails stolen, and desktops had their background changed to inform users of the hack. This group calling themselves the Guardians of Peace, later released a message threatening a 9/11 type of attack on theaters if they were to show the move 'The Interview'. This threat cased cinema companies and Sony to decide not to release the movie. As most people know by now, it did end up getting released.

The United States claimed the attack originated from North Korea. President Obama then decided for sanctions against the country, leading to where we are now with the first sanctions rolled out due solely to a cyberattack. The sanctions are against a select few (10) important individuals in North Korea, so it has drawn some criticism for how ineffective it may be. North Korea is already under many constraints and some believe that these financial sanctions on 10 people will have little to no effect.

Jon French: Implications of the Sony breach

Cyber warfare for countries has been an escalating issue in recent years and this has been a major one brought in to the light. This could potentially set a precedent in the U.S. for real world retaliations for future cyber-attacks from countries. With so many facets of everyday life relying on networks and computers, this move can easily blend lines between what actions are considered real world and virtual. The US has been ramping up its cyber capabilities for years to try and stay ahead in the game.

On Dec 11th 2014, the Cybersecurity Act was passed by the Senate. This will set industry standards for the energy, telecommuncations, and finance sectors. The act describes how partnerships can be developed between Homeland Security and the private sector to come up with these standards and continue with research and development in cybersecurity to further secure networks. It has pieces on sharing information as well as setting up competitions and challenges to stimulate innovation in security. While stepping up the cybersecurity game has been something long in the works, the government is finally catching up with getting everything on track and in writing for how it should be operated and what the future plans are.

The US is not the only one aiming to get government cybersecurity sectors up and running though. Many other countries are now aiming to do exactly the same due to the growing threat of cyber espionage and attacks on critical infrastructure. Places like China and Israel are building up their cybersecurity footprint and preparing for responses to attacks. Countries all over are starting to dig in to cyber warfare. Both defense and offense technologies. This creates a snowball effect where if a country does fall behind, they can fall victim to serious breaches of security or loss of vital systems to the countries operation.

A recent example would be that South Korea has started bulking up in security due to recent attacks on a nuclear power plant there. The attackers were able to infiltrate and non-critical data and documents. Fortunately they did not cause any harm to the systems that would affect the plants operation. This could have been a much larger impact on people's lives and physical wellbeing if the attackers were able to do something severe to the plants operation.

This is a prime example though that these attacks are happening and will continue to happen. The only choice for most governments is to dive in to cybersecurity and try to stay ahead of the attackers. The amount of time and effort governments are putting in to this technology goes to show how serious they are taking it and how serious these attacks could be in the future.

Traffic by Region

This chart represents region of origin for spam as detected by AppRiver filters. Spam originating from North America overtook Europe in 2014, driven by increased output in US based spam. North America and Europe are now accounting for sixty nine percent of the spam traffic we see.

Spam by Country

This chart represents the top countries from which spam originated during 2014. The US remained the top point of origin for spam as we saw 7.3 billion spam and malicious emails with the US as its point of origin throughout 2014. Spam emanating from the US increased by 152 percent over the previous year.

Spam Traffic

This chart displays spam traffic throughout 2014. Spam traffic increased significantly after a somewhat average January but then tapered back of in June. March yielded the most spam traffic we have recorded in a single month since 2008. Our spam filters quarantined a total of 30.5 billion spam emails in 2014.

Virus Traffic

This chart displays virus traffic from 2014. Malware distrubutors were very busy ovcer the first few months of 2014. Traffic has normalized since February but the periods of moderate traffic are always short lived. In 2014, we quarantined 893 million messages containing a malicious attachment.

SecureSurf Usage

This chart represents the top 10 blocked categories as a percentage of blocked traffic. Though each customer has the ability to customize their own web filtering policies, this chart is based on the average user usage.

Top Email Virus Threats

These are the top 20 malware threats we saw last month in order of frequency, with the most frequent appearing in the top position. The virus names that begin with "X." signify rules that were written by AppRiver Analysts. (This doesn't mean that other anti-virus vendors didn't eventually have definitions in place for these viruses; it simply means that AppRiver often had protection in place before any of them).

Top Threats

• X.W32.pay.dblxa
• X.Dbl.ext.pdf.0205a
• X.YTBNscr.zip
• X.W32.Sasfis.pak
• X.HeurNMK.exe
• X.W32.kryp.pak.717
• Suspect.DoubleExtension-z
• X.HeurNMQ.exe
• X.W32.Nac.pak.1024a
• X.Troj.Zbot.Generic.pak
• X.MrinvBasic.exe
• X.HeurNMS.exe
• FakeAlert
• X.AsprxCrtNotenmb.zip
• X.HeurNMF.exe
• X.HeurNMD.exe
• X.BoaSecT.zip
• X.W32.Bredolab.pak
• X.W32.Bredo.App.pakc
• X.W32\photoPak

Email Viruses

• 202822300
• 156166824
• 88290922
• 76985348
• 31547605
• 14916426
• 12768511
• 11957231
• 11160642
• 10800420
• 7996019
• 7684476
• 7469576
• 7319469
• 7202657
• 6835177
• 5804133
• 4952448
• 3768042
• 3768042

To download this report in PDF format, click here.