Guest post by Costin Raiu
As we turn the page to 2012, it makes sense to sit back and take a look at what happened during the past twelve months in the IT security world. If we were to summarize the year in one word, I think it would probably be "explosive." The multitude of incidents, stories, facts, new trends and intriguing actors is so large that it is very hard to narrow them down to a top 10 of security stories of 2011. What I was aiming for with this list is to remember the stories that also indicate major trends or the emergence of major actors on the security scene. By looking at these stories, we can get an idea of what will happen in 2012.
1. The rise of Hacktivism
It’s difficult to imagine someone reading this list who has not yet heard of Anonymous, LulzSec or TeaMp0isoN. Throughout 2011, these groups, together with others, were actively involved in various operations against law enforcement agencies, banks, governments, security companies or simply major software vendors. Sometimes working together, sometimes working against each other, these groups emerged as some of the main actors of 2011, through incidents such as security breaches of networks belonging to the United Nations, security intelligence firm Stratfor, FBI contractor IRC Federal, US Defense contractor ManTech or the CIA website. Interestingly, some of these incidents, such as the Stratfor hack, revealed major security problems such as the storage of CVV numbers in unencrypted form, or extremely weak passwords used by the administrator.
2. The HBGary Federal hack
Although related to the first item on this list, I’d like to point this out as a separate story. In January 2011, hackers from the ‘Anonymous’ hacker collective broke into HBGary Federal’s webserver “hbgaryfederal.com” through an SQL injection attack. They were able to extract several MD5 hashes for passwords belonging to the company CEO, Aaron Barr, and COO, Ted Vera. Unfortunately, both passwords were very simple: six lowercase letters and two numbers. These passwords allowed the attackers to get access to the company’s research documents and tens of thousands of mails stored on Google Apps.
I believe this story is relevant because it shows an interesting situation – the usage of weak passwords together with old software systems and cloud applications can turn into a security nightmare. If the CEO and COO had been using strong passwords, maybe none of this would have happened. Or, if they had had multi-factor authentication enabled on Google Apps, the attackers wouldn’t have been able to access the superuser account and copy all the company e-mails. It’s important to point out that even if better security measures had been in place, we can’t rule out the possibility that such persistent hackers would have found another way in. Persistence and determination, together with time, give the attackers the upper hand.
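The HBGary Federal passwords were stored as plain MD5 and followed a fixed shape (six lowercase letters and two digits). The following is an added example, not code from the original post or from any company mentioned in it, showing why that combination is weak from a defender's point of view: the keyspace of the pattern is tiny, unsalted MD5 lets identical passwords be spotted across accounts, and a salted, iterated KDF (PBKDF2 with SHA-256 here) is the usual replacement. The passwords, the hash rate passed to `worst_case_seconds`, and the iteration count are all assumptions chosen for the demonstration.

```python
"""Added example (not from the original post): keyspace of the six-lowercase-plus-two-digit
password shape from the HBGary Federal breach, unsalted MD5 versus a salted, slow KDF.
Every password and rate used below is constructed for illustration."""
import hashlib
import hmac
import os
import string

LOWER = string.ascii_lowercase
DIGITS = string.digits


def keyspace(pattern):
    """Number of candidates for a fixed pattern: 'l' = lowercase letter, 'd' = digit."""
    sizes = {"l": len(LOWER), "d": len(DIGITS)}
    n = 1
    for ch in pattern:
        n *= sizes[ch]
    return n


def worst_case_seconds(pattern, hashes_per_second):
    """Time to enumerate the whole pattern at a given rate (the rate is an assumption)."""
    return keyspace(pattern) / hashes_per_second


def weak_pattern(password):
    """True if the password has the six-lowercase-plus-two-digit shape from the breach."""
    head, tail = password[:6], password[6:]
    return (len(password) == 8 and all(c in LOWER for c in head)
            and all(c in DIGITS for c in tail))


def md5_unsalted(password):
    """What the breached server stored: the same password always yields the same hash."""
    return hashlib.md5(password.encode()).hexdigest()


PBKDF2_ITERATIONS = 600_000  # assumed work factor for the demonstration


def pbkdf2_store(password, salt=None):
    """Salted, iterated hash in the form 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    if salt is None:
        salt = os.urandom(16)  # per-password salt: identical passwords no longer collide
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; constant-time comparison."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    pattern = "lllllldd"
    print("candidates for", pattern, "=", keyspace(pattern))
    # 1e9 hashes/second is an assumed rate, chosen only to show the scale.
    print("worst case at 1e9 H/s: %.1f s" % worst_case_seconds(pattern, 1e9))
    a, b = "qwerty12", "qwerty12"  # constructed: two accounts sharing a weak password
    print("weak shape:", weak_pattern(a))
    print("md5 equal across accounts:", md5_unsalted(a) == md5_unsalted(b))
    sa, sb = pbkdf2_store(a), pbkdf2_store(b)
    print("pbkdf2 equal across accounts:", sa == sb, "| verifies:", pbkdf2_verify(a, sa))
```

Run as a script it prints the keyspace (about 3.1e10 candidates), the time that takes at the assumed rate, and shows that the two PBKDF2 records differ even though the passwords are identical. Neither the hash rate nor the iteration count is a recommendation for a specific deployment; they are placeholders that make the contrast visible.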
3. The Advanced Persistent Threat
Although many security experts despise this term, it has made its way into the media and rocketed to the top with incidents such as the RSA security breach or imposingly named operations such as “Night Dragon,” “Lurid,” or “Shady Rat.” Interestingly, many of these operations were not too advanced at all. On the other hand, there were many cases in which zero-day exploits were used, such as the RSA breach. In this case, the attackers took advantage of CVE-2011-0609 – a vulnerability in Adobe Flash Player – to run malicious code on the target machine. Another interesting zero-day is CVE-2011-2462, a vulnerability in Adobe Reader, which was used in targeted attacks against U.S. Defense contractor ManTech. Several things stand out in these attacks – many of them involved zero-day vulnerabilities in Adobe software such as Flash Player or Adobe Reader.
Additionally, many of these attacks were directed at U.S. targets, notably companies working with the U.S. military or government. From this point of view, the “Lurid” attack was interesting because it mainly targeted countries in the eastern part of Europe, such as Russia or the CIS. These attacks confirm the emergence of powerful nation-state actors and the establishment of cyber-espionage as common practice. Moreover, many of these attacks seem to be connected and have major global ramifications. For instance, the RSA breach was notable because the attackers stole the database of SecurID tokens, which was later used in another high-profile attack.
4. The Comodo and DigiNotar incidents
On March 15th 2011, one of the affiliates of Comodo, a company known for its security software and SSL digital certificates, was hacked. The attacker quickly used the existing infrastructure to generate nine fake digital certificates, for web sites such as mail.google.com, login.yahoo.com, addons.mozilla.com or login.skype.com. During the incident analysis, Comodo was able to identify the attacker as operating from the IP address 22.214.171.124, in Tehran, Iran. If in the Comodo incident only nine certificates were created, the DigiNotar breach was a lot bigger. On 17th June 2011, the hackers began poking at the DigiNotar servers and during the next five days managed to get access to the infrastructure and generate over 300 fraudulent certificates. The hacker left a calling card in the form of a digital certificate containing a message in Persian, “Great hacker, I will crack all encryption, I break your head!” Making the link with Iran more solid, days later the fake certificates were used in a man-in-the-middle attack against over 100,000 Gmail users from Iran.
The attacks against Comodo and DigiNotar are an indication of two emerging trends: first, trust in the certificate authorities (CAs) has already been eroded, and in the future CA compromises may become even more common. Second, more digitally signed malware will appear.
5. Stuxnet and Duqu
In June 2010, researcher Sergey Ulasen from the Belarussian company VirusBlokada discovered a most intriguing piece of malware which appeared to use stolen certificates to sign its drivers, together with a zero-day exploit which used .LNK files for replication in a typical Autorun fashion. This malware became world famous under the name “Stuxnet,” a computer worm containing a very special payload, directly aimed at Iran’s nuclear program. To achieve this, Stuxnet hijacked Siemens PLCs and reprogrammed them in a very subtle way which points to one single possibility – sabotaging the uranium enrichment process at Iran’s Natanz plant. Back then, when I saw the code which reprogrammed the PLCs responsible for controlling the 64,000 RPM centrifuges, I thought to myself that it’s impossible to write something like this without having access to the original schematics and source code. But how could the attackers have obtained something as sensitive as the custom code which controls the billion-dollar facility?
One possible answer lies within the Duqu Trojan. Created by the same people as Stuxnet, Duqu was discovered in August 2011 by the Hungarian research lab CrySyS. Originally, it wasn’t known how systems became infected with Duqu; later, malicious Microsoft Word documents exploiting the vulnerability known as CVE-2011-3402 were discovered as a means of entry for Duqu. Compared to Stuxnet, the purpose of Duqu is quite different; this Trojan is actually a sophisticated attack toolkit which can be used to breach a system and then systematically siphon information out of it. New modules can be uploaded and run on the fly, without a filesystem footprint. The highly modular architecture, together with the small number of victims around the world, made Duqu so hard to detect for years – the first trace of Duqu-related activity we were able to find actually dates back to August 2007. In all the incidents we have analyzed, the attackers used an infrastructure of hacked servers to move the data, sometimes hundreds of megabytes, out of the victims’ PCs. Duqu and Stuxnet represent the state of the art in cyberwarfare and hint that we are entering an era of cold cyberwar, where superpowers are fighting each other unconstrained by the limitations of real-world war.
6. The Sony PlayStation Network hack
On April 19th, 2011, Sony learned that its PlayStation Network (PSN) was hacked. At first, the company was reluctant to explain what happened and claimed the service, which was suspended on April 20th, would be back in a few days. It wasn’t until April 26th that the company acknowledged personal information was stolen, which potentially included credit card numbers. Three days later, reports appeared which seemed to indicate that 2.2 million credit card numbers were being offered for sale on hacker forums. By May 1st, the PSN was still unavailable, which left many users not only with their credit card data stolen but also frustrated at not being able to play the games they had already paid for. Unfortunately for Sony, the story was not over, because in October 2011 the PSN was again making the headlines with 93,000 compromised accounts that had to be locked down by Sony to prevent further misuse.
The Sony PSN hack was a major story for 2011 because it points out several things – first of all, in the cloud era, Personally Identifiable Information is conveniently available in one place, over fast internet links, ready to be stolen in the case of any misconfiguration or security issue. 77 million usernames and 2.2 million credit cards can be considered normal “booty” in the cloud era.
7. Fighting cybercrime and botnet takedowns
If the attackers from the PSN incident are still unidentified, 2011 was definitely a bad year for many cybercriminals who were caught and arrested by law enforcement authorities around the world. The ZeuS gang arrests, the DNSChanger gang takedown and the Rustock, Coreflood and Kelihos/Hilux botnet takedowns were just a few examples. These indicate an emerging trend, which is of course “attribution.” Bringing down one cyber-criminal gang goes a long way toward slowing criminal activity around the world and sends a message to the remaining gangs that this is no longer a risk-free job. One particular case I’d like to mention is the Kelihos takedown, which was performed in cooperation between Kaspersky Lab and Microsoft’s Digital Crimes Unit. As part of this effort, Kaspersky Lab initiated a sinkhole operation for the botnet, counting many tens of thousands of infected users per day. Here’s where the big debate starts: knowing the bot update process, Kaspersky Lab or a law enforcement agency could effectively push a program to all the infected users, notifying them of this fact, or even cleaning their machines automagically. In a poll run on the Securelist website, a whopping 83% of the users voted that Kaspersky should “Push a cleanup tool that removes the infections,” despite this being illegal in most countries. For obvious reasons, we haven’t done so, but it outlines the vast limitations of today’s legal system when it comes to fighting cyber-crime in an effective manner.
8. The rise of Android malware
In August 2010, the first Trojan for the Android platform appeared as Trojan-SMS.AndroidOS.FakePlayer.a, which masqueraded as a media player app. In less than one year, Android malware quickly exploded and became the most popular mobile malware category. This trend became obvious in Q3, when we received over 40% of all the mobile malware we saw in 2011. Finally, we hit critical mass in November 2011, when we received over 1000 malicious samples for Android, which is almost as much as all the mobile malware we have received in the past 6 years! The huge popularity of Android malware can be attributed to several things – most notably the wild growth of Android itself. Secondly, the documentation available on the Android platform makes the creation of malware for Android quite trivial. Finally, there are many who blame the Google Market for its weak screening process, which makes it easy for cybercriminals to upload malicious programs. While there are only two known malicious programs for iPhone, we are now approaching 2000 Android Trojans in our collection.
9. The CarrierIQ incident
CarrierIQ is a small, privately owned company founded in 2005 and operating out of Mountain View, Calif. According to their web site, the CarrierIQ software is deployed on over 140 million devices around the world. Although the declared purpose of CarrierIQ is to collect “diagnostic” information from the mobile terminals, Trevor Eckhart, a security researcher, demonstrated that the extent of information CarrierIQ collects goes beyond the simple “diagnostic” purpose and includes things such as keylogging and monitoring URLs opened on the mobile device. CarrierIQ is built in a typical Command and Control architecture – the admins can set up the kind of information which is collected from the terminals and which information is sent “home.”
While it is obvious that CarrierIQ does collect a lot of information from your mobile phone, it doesn’t necessarily mean it is evil, or so we are advised to think by its creators or companies such as HTC, which support its usage. Because CarrierIQ is a U.S.-based company, it could be forced to disclose much of the collected information to US law enforcement, if presented with a warrant. This legal loophole could effectively turn it into a government spy and monitoring tool. Whether or not this is the case, many users have decided that it’s best to get rid of CarrierIQ from their phones. Unfortunately, this isn’t a very simple process and is different for iPhones, Android phones and BlackBerry terminals. In the case of Android, you may have to root your phone in order to get rid of it. Alternatively, many users have decided to flash a custom Android firmware instead, such as Cyanogenmod. The CarrierIQ incident shows that we are vastly unaware of what exactly is running on our mobile devices, or of the level of control which the mobile operator has over our hardware.
10. MacOS malware
While I do realize that I’ll put myself in the line of fire by even just mentioning Mac OS X malware, I think it’s an important story from 2011 which shouldn’t be overlooked. Products called MacDefender, MacSecurity, MacProtector or MacGuard, which are actually Rogue AV products for Mac OS, appeared in May 2011 and quickly became popular. Distributed through black-hat SEO techniques in Google searches, these programs rely on social engineering to get the user to download, install and then pay for the full version. Most of the users who decide to pay $40 for the supposedly “full” version later discover that they actually paid $140, and sometimes they paid multiple times.
The expansion of PC threats (Rogue AV programs being one of the most popular malware categories for PCs) to Macs is one of the important trends of 2011. In addition to Mac OS Rogue AVs, the DNSChanger family of Trojans deserves a special mention as well. First identified around 2007, these small Trojans perform a very simple and straightforward system compromise, by changing the DNS settings to point to the criminals’ private DNS servers, before uninstalling themselves. Hence, you may get infected with a DNSChanger, have your DNS settings changed and happily think you’re fine because there’s no malware on your computer, while criminals abuse the DNS communication to make you visit fake websites and perform click fraud and man-in-the-middle attacks. Luckily, in November 2011, the FBI arrested six Estonian nationals, identified as the gang behind the DNSChanger malware, as part of an operation called “Ghost Click.”
According to FBI data, during the past four years the gang infected over 4 million computers in more than 100 countries and generated approximately $14 million in illegal profit. These incidents show that malware for Mac OS is as real as the malware for PCs, and that even modern security practices fail against carefully crafted social engineering techniques. It is without doubt that we will see both of them being abused in the future.
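Because DNSChanger removes itself after rewriting the resolver settings, a file-based scan finds nothing; what remains is the changed configuration. The following is an added example, not code from the original post or from any vendor mentioned in it, of the kind of configuration check a defender can run: it parses resolv.conf-style text and reports any nameserver that falls outside an allow-list of expected resolver networks. The allow-list, the sample configurations and the "rogue" addresses are all constructed for the demonstration (documentation ranges are used); the address ranges actually used by the DNSChanger gang are not reproduced here.

```python
"""Added example (not from the original post): flag resolver settings that point
outside the networks a host is expected to use, which is the trace DNSChanger
leaves behind after uninstalling itself. All addresses below are constructed."""
import ipaddress

# Constructed allow-list: resolvers this hypothetical network is expected to use.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/24"),    # internal resolvers
    ipaddress.ip_network("192.0.2.0/24"),   # documentation range standing in for an ISP
]


def parse_resolv_conf(text):
    """Return the nameserver addresses found in resolv.conf-style text, in order.

    Comments ('#' or ';') are stripped and malformed addresses are skipped rather
    than aborting the check, so a deliberately odd line cannot hide a rogue one.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue
    return servers


def unexpected_resolvers(servers, allowed=EXPECTED_RESOLVERS):
    """Addresses not contained in any allowed network, as strings.

    IPv4/IPv6 membership tests across families are simply False, so an IPv6
    resolver on an IPv4-only allow-list is reported rather than silently passed.
    """
    return [str(s) for s in servers if not any(s in net for net in allowed)]


def check_resolv_conf(text, allowed=EXPECTED_RESOLVERS):
    """Convenience wrapper: parse the text and return the unexpected resolvers."""
    return unexpected_resolvers(parse_resolv_conf(text), allowed)


# Constructed samples: an untouched configuration and one whose resolvers were rewritten.
CLEAN = """# generated by the DHCP client
nameserver 10.0.0.53
nameserver 192.0.2.10
search example.net
"""

REWRITTEN = """nameserver 203.0.113.5   # constructed rogue resolver
nameserver 203.0.113.6
nameserver not-an-address
search example.net
"""

if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN), ("rewritten", REWRITTEN)):
        bad = check_resolv_conf(cfg)
        print(f"{label}: " + ("OK" if not bad else "unexpected resolvers: " + ", ".join(bad)))
```

On a real host the text would come from `/etc/resolv.conf` or the equivalent output of the platform's network tooling, and the allow-list from the organisation's own resolver inventory; the check is only as good as that inventory, which is why it is a configuration baseline rather than a malware signature.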
Summary
To summarize, these 10 stories are probably just a tiny speck in the galaxy of 2011 security incidents. The reason I selected them is because they point to the major actors of 2011 which will no doubt continue to play a major role in the cyber-security blockbuster which is around the corner. These are the hacktivist groups, the security companies, the Advanced Persistent Threat in the form of superpowers fighting each other through cyber-espionage, the major software and gaming developers such as Adobe, Microsoft, Oracle or Sony, Law Enforcement Agencies and traditional cybercriminals, Google, via the Android operating system, and Apple, thanks to its Mac OS X platform. The relations between these can be complicated, full of drama, contain many super-secret details and be as mysterious and darkly dreaming as Showtime’s Dexter. One thing is for sure – these same stars will be playing in all the major 2012 security blockbuster movies.
* Costin Raiu is director of Kaspersky Lab's global research and analysis team. Follow Costin on Twitter (@craiu). Disclosure: Ryan Naraine is employed by Kaspersky Lab.