4. The LinkedIn, Last.fm, Dropbox and Gamigo password leaks
In June 2012, LinkedIn, one of the world's biggest social networks for business users, was hacked by unknown assailants and the password hashes of more than 6.4 million people leaked onto the Internet. Using fast GPU cards, security researchers recovered an amazing 85% of the original passwords. Several factors made this possible. First of all, LinkedIn stored the passwords as SHA1 hashes. Although SHA1 is better than the very popular MD5, modern GPU cards can crack SHA1 hashes at incredible speeds: a $400 Radeon 7970 can check close to 2 billion SHA1 password hashes per second. This, combined with modern password-cracking techniques such as Markov chains to optimize brute-force search, or mask attacks, taught web developers some new lessons about storing password hashes.
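The storage lesson above, worked through as an added example (not code from the original article or from LinkedIn): constructed records in the unsalted SHA-1 style show why identical passwords leak and how a per-user salt and an iteration count raise the per-guess cost; the legacy records are then migrated on login. The iteration count, the `pbkdf2_sha256$...` record format and the helper names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample records in the 2012 LinkedIn style: unsalted SHA-1 hex digests.
# Two users who chose the same password end up with identical hashes.
LEGACY_RECORDS = {
    "alice": hashlib.sha1(b"linkedin").hexdigest(),
    "bob": hashlib.sha1(b"linkedin").hexdigest(),
    "carol": hashlib.sha1(b"correct horse battery").hexdigest(),
}

# Assumption: tuned so one verification costs tens of milliseconds on the server;
# the per-guess cost is what a GPU checking billions of SHA-1 hashes per second lacks.
PBKDF2_ITERATIONS = 100_000

def shared_password_groups(records: dict) -> list:
    """Users whose stored hashes collide. With unsalted hashes this is free
    intelligence: one cracked hash unlocks every account in the group, and hash
    frequency alone reveals the most popular passwords. Salting removes it."""
    by_hash = {}
    for user, digest in records.items():
        by_hash.setdefault(digest, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]

def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; self-describing so parameters can change."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), digest_hex)

def login_and_upgrade(records: dict, user: str, password: str) -> bool:
    """Accept either scheme; on a successful legacy login, re-hash with the new one.
    The plaintext is only available at login time, so that is when migration happens."""
    stored = records[user]
    if stored.startswith("pbkdf2_sha256$"):
        return verify_password(password, stored)
    if hmac.compare_digest(hashlib.sha1(password.encode()).hexdigest(), stored):
        records[user] = hash_password(password)
        return True
    return False
```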
When Dropbox announced that it had been hacked and user account details had leaked, it was yet another confirmation that hackers were targeting valuable data (especially user credentials) at popular web services. In 2012, we saw similar attacks on Last.fm and Gamigo, where more than 8 million passwords were leaked to the public.
To get an idea of how big this problem is: during the InfoSecSouthwest 2012 conference, KoreLogic released an archive of about 146 million password hashes, assembled from multiple hacking incidents. Of these, 122 million had already been cracked.
These attacks show that in the age of the 'cloud', when information about millions of accounts sits on a single server reachable over fast internet links, the concept of a data leak takes on new dimensions. We explored this last year with the Sony PlayStation Network hack; it is perhaps no surprise that such huge leaks and hacks continued in 2012.
5. The Adobe certificates theft and the omnipresent APT
During 2011, we saw several high-profile attacks against certificate authorities. In June, DigiNotar, a Dutch company, was hacked out of business, while in March a Comodo affiliate was tricked into issuing digital certificates. The discovery of Duqu in September 2011 was also related to a certificate authority hack.
On 27 September 2012, Adobe announced the discovery of two malicious programs that had been signed with a valid Adobe code-signing certificate. Adobe's certificates were securely stored in an HSM, a dedicated cryptographic device that makes attacks much more complicated. Nevertheless, the attackers were able to compromise a server that was able to make code-signing requests.
This discovery belongs to the same chain of highly targeted attacks performed by sophisticated threat actors, commonly described as APT.
The fact that a high-profile company like Adobe was compromised in this way redefines the boundaries of what is possible for these high-level attackers.
6. The DNSChanger shutdown
When the culprits behind the DNSChanger malware were arrested in November 2011 during Operation "Ghost Click", the FBI took over the identity-theft infrastructure.
The FBI agreed to keep the servers online until 9 July 2012, so that victims would have time to disinfect their systems. Doomsday scenarios aside, the date passed without much trouble. This would not have been possible without the time and resources the FBI invested in the project, together with other law enforcement agencies, private companies and governments around the world. It was a large-scale action that showed that success against cybercrime can be achieved through open cooperation and information sharing.
7. The Ma(h)di incident
During late 2011 and the first half of 2012, an ongoing campaign to infiltrate computer systems throughout the Middle East targeted individuals in Iran, Israel, Afghanistan and elsewhere around the globe. In partnership with Seculert, Kaspersky Lab investigated this operation and named it "Madi", based on certain strings and handles used by the attackers.
Although Madi was relatively unsophisticated, it succeeded in compromising many different victims around the globe through social engineering and Right-To-Left-Override tactics. The Madi campaign demonstrated yet another dimension of cyber-espionage operations in the Middle East, and one very important thing: low-investment operations, as opposed to nation-state sponsored malware with an unlimited budget, can be quite successful.
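The Right-To-Left-Override tactic mentioned above relies on Unicode bidirectional control characters (U+202E and relatives) that make a file name display with a different apparent extension than the one the operating system executes. As an added example that is not part of the original article or of the Madi analysis, the following detection helper strips those controls, approximates the displayed name and flags names whose shown extension differs from the real one; the sample file names are constructed, and the renderer is a deliberate simplification of the full Unicode bidi algorithm.

```python
# Unicode bidirectional control characters that can change how a file name is displayed.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Constructed sample names as they might arrive as attachments or inside an archive.
SAMPLE_FILENAMES = [
    "Annual_Report\u202ecod.exe",   # shown as "Annual_Reportexe.doc", runs as .exe
    "holiday_photo.jpg",           # plain, no controls
    "invoice\u202efdp.scr",        # shown as "invoicercs.pdf", runs as .scr
]

def strip_bidi(name: str) -> str:
    """Remove every bidi control so the characters the OS actually sees are visible."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)

def real_extension(name: str) -> str:
    """Extension the operating system uses: whatever follows the last dot in the raw name."""
    clean = strip_bidi(name)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""

def displayed_name(name: str) -> str:
    """Simplified rendering of the RLO trick: text after U+202E is drawn reversed
    until a U+202C (PDF) or the end of the string. The full Unicode bidi algorithm
    is more involved; this is enough to see how the extension gets hidden."""
    if "\u202e" not in name:
        return strip_bidi(name)
    head, _, tail = name.partition("\u202e")
    overridden, _, rest = tail.partition("\u202c")
    return strip_bidi(head) + strip_bidi(overridden)[::-1] + strip_bidi(rest)

def inspect_filename(name: str) -> dict:
    """Report the controls present and whether the shown extension differs from the real one."""
    controls = sorted({BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS})
    shown = displayed_name(name)
    real_ext, shown_ext = real_extension(name), real_extension(shown)
    return {
        "controls": controls,
        "displayed_as": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "suspicious": bool(controls) and real_ext != shown_ext,
    }

def flag_suspicious(names: list) -> list:
    """Names whose displayed extension does not match what would actually execute."""
    return [n for n in names if inspect_filename(n)["suspicious"]]
```

A mail gateway or archive scanner can apply the same check and quarantine or rename anything flagged; the mere presence of a bidi control in a file name is itself worth logging.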
8. The Java 0-days
In the aftermath of the Mac OS X Flashback attack mentioned earlier, Apple took the bold step of disabling Java for millions of Mac OS X users. It is worth pointing out that although a patch for the vulnerability exploited by Flashback had been available since February, Apple users were exposed for several months because Apple was slow to push the patch to Mac OS X users. The situation on Mac OS X differed from Windows: on Windows the patches came from Oracle, whereas on Mac OS X they were delivered by Apple.
If that was not enough, in August 2012 a Java zero-day vulnerability (CVE-2012-4681) was found to be massively exploited in the wild. The exploit was added to the wildly popular BlackHole exploit kit and quickly became the most effective of the whole set, responsible for millions of infections worldwide.
During the second quarter of 2012, we analyzed the vulnerable software found on users' computers and found that more than 30% had an old, vulnerable version of Java installed. It was easily the most widespread vulnerable software installed.
9. Shamoon
In mid-August, details emerged about a highly destructive piece of malware used in an attack against Saudi Aramco, one of the world's largest oil conglomerates. According to reports, more than 30,000 computers were completely destroyed by the malware.
A detailed analysis of the Shamoon malware found that it contained a built-in switch that would activate the destructive process on 15 August at 08:08 UTC. Later, reports emerged of another attack by the same malware against another oil company in the Middle East.
Shamoon is important because it revived the idea behind the Wiper malware: a destructive payload whose purpose is to massively disrupt a company's operations. As with Wiper, many details remain unknown, such as how the malware infected the systems in the first place or who was behind it.
10. The DSL modems, Huawei banning and hardware hacks
In October 2012, researcher Fabio Assolini published the details of an attack that had been taking place in Brazil since 2011, using a single firmware vulnerability, two malicious scripts and 40 malicious DNS servers. The operation affected six hardware manufacturers and resulted in millions of Brazilian internet users falling victim to a sustained and silent mass attack on DSL modems.
In March 2012, Brazil's CERT confirmed that more than 4.5 million modems had been compromised in the attack and were being abused by cybercriminals for all sorts of fraudulent activity.
At the T2 conference in Finland, security researcher Felix 'FX' Lindner of Recurity Labs GmbH discussed the security posture of, and the vulnerabilities discovered in, the Huawei family of routers. This came in the wake of the U.S. government's decision to investigate Huawei for espionage risks.
The Huawei case and the DSL routers in Brazil are not random incidents. They are indications that hardware routers can pose security risks equal to, if not higher than, those of old or obscure software that is never updated. They show that defense has become more complex and more difficult than ever; in some cases, even impossible.
Conclusions: From Explosive to Revealing and Eye-opening
As we turn the page to 2013, we’re all wondering what’s next. As we can see from the top 10 stories above, we were very much on the ball with our predictions.
Despite the arrest of LulzSec's Xavier Monsegur and many prominent 'Anonymous' hackers, the hacktivists continued their activities. The cyber-warfare/cyber-espionage campaigns grew to new dimensions with the discovery of Flame and Gauss. APT operations continued to dominate the news, with zero-days and clever attack methods being employed to hack high-profile victims. Mac OS X users were dealt a blow by Flashfake, the biggest Mac OS X epidemic to date, while big companies fought destructive malware that wrecked tens of thousands of PCs.
The powerful actors from 2011 remained the same: hacktivist groups, IT security companies, nation states fighting each other through cyber-espionage, major software and gaming developers such as Adobe, Microsoft, Oracle or Sony, law enforcement agencies and traditional cybercriminals, Google, via the Android operating system, and Apple, thanks to its Mac OS X platform.
Security in 2011 was best described as "explosive", and I believe the incidents in 2012 raised eyebrows and piqued the imagination. We came to understand new dimensions in existing threats while new attacks began to take shape.
* Costin Raiu is director of Kaspersky Lab's Global Research and Analysis Team.