Curbing attacks on today's infrastructure has become a nightmare for security practitioners, while firms keep adopting new technologies at pace. The question remains: when we use these technologies, do we think even once about the security of the devices themselves? That is where the most dangerous threat lies.
Most devices today are connected to the Internet; from the small sensors of a health-monitoring application to Google's web servers, all of their data travels over the same shared medium, and we keep adding dependencies on the Internet to consume its services. On the darker side, most of today's attacks are channelled through that same medium. From an attacker's perspective, having most devices reachable over a single medium is a jackpot.
In recent Distributed Denial of Service (DDoS) attacks, botnets have played the pivotal role in increasing the severity of the attacks. A botnet is a logical collection of Internet-connected devices such as computers, smartphones, webcams or other IoT devices whose security has been breached and which are under the attacker's control. Each such compromised device, known as a "bot", is created when the attacker's malicious software penetrates the device. Ironically, once the attacker has used these bots, they are put up for sale or rented out on the black market. For DDoS attacks, botnets are mainly used to flood the bandwidth or resources of a targeted system, usually one or more web servers. When a server is overloaded with these bogus connections it can no longer accept new ones, leading to critical outages. The major advantages to an attacker of using a DDoS attack are that multiple machines can generate more attack traffic than one machine, that multiple attack machines are harder to shut down than a single one, and that the behaviour of each attack machine can be stealthier, making it harder to track and stop. These advantages translate directly into challenges for the defender.
Consider the DDoS attack on the DNS provider Dyn. On October 21, 2016, attackers directed huge volumes of traffic at Dyn's servers. The company was one of the major providers of DNS services to sites such as Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast and the PlayStation Network. Beyond these high-profile sites, thousands of online retail operations were probably disrupted. Because of the attack, these websites could not serve their users reliably. Afterwards it was found that most of the bots used were unsecured home Wi-Fi routers and Internet Protocol video cameras.
Another DDoS case was the 2016 Rio Olympics, which were targeted by large-scale DDoS attacks fuelled by an IoT botnet called LizardStresser. The story began well before the games: LizardStresser, along with other botnets, attacked organizations and public-facing web properties affiliated with the Rio Olympics. As the games neared their close, the botnets' attacks peaked at 540 Gbps. Because the International Olympic Committee and the Brazilian information security team had proper mitigation measures in place beforehand, broadcasts continued at high speed without any disruption to the public.
When traffic looks abnormal, an organization should always contact its Internet Service Provider to determine whether it is an actual DDoS attack or performance degradation caused by known factors. ISPs can help mitigate such attacks by throttling or rerouting malicious traffic and by using load balancers to spread traffic evenly and reduce the attack's effect. Having an incident response plan and mitigation measures for such attacks in place beforehand greatly reduces their impact and helps in defending against them. Every user of an IoT device should also take responsibility for the security of that device, since that alone reduces the risk of DDoS attacks: in most of these cases the attacking devices were personal devices with default passwords or similarly weak configurations. It is the responsibility of all netizens to use the Internet securely; otherwise we are all susceptible to being affected by an attack at any time.
Anandam and Sagar CKVV
Wiki DDoS : Link:
Cybersecurity has become an important aspect of day-to-day life as new technologies evolve and the world moves towards digitalization. It is a main concern for the IT industry and for financial institutions such as banks.
Over the past few years banks have undergone a lot of change, especially in adopting newer technologies and moving towards digitalization with the aim of increasing business scope and revenue. Those same changes have opened banks up to cyber attacks and incidents.
Banks have already started investing in cyber security practices and adopting many advanced security controls to minimize cyber risk. All such measures may still be inadequate against the challenges the industry currently faces.
In October 2016 one of the biggest security breaches in the history of India's banks took place, putting millions of debit card users at risk. Customers of India's biggest lenders, including SBI, ICICI, HDFC and YES Bank, were affected, with an estimated Rs 1.3 crore stolen by the attackers. The incident underscored India's urgent need to overhaul its consumer protection and cybersecurity regulations.
Another case concerns Tesco Bank in the UK. In November 2016 it halted all online transactions after a cyber-heist affected 40,000 of its customers. The bank, which has more than seven million customers, reported that roughly 9,000 customers had as much as £600 (about $763) siphoned from their accounts.
As cyber attacks have advanced, the defence mechanisms of banks have become inadequate. Recently there has been a rise in cyber security incidents across the globe which have not only caused financial loss but have also called into question the defence measures and the reputation of many large organizations.
Some commonly faced challenges include:
To safeguard banks from such incidents, RBI came up with a set of guidelines for cyber security framework. These guidelines focus on the following three areas:
These guidelines will shift the cybersecurity scope for banking industry in the following areas:
Banks need to continually gather and analyse historical incident data and derive new measures from it that help in establishing resilient systems. With the help of advanced technologies they can also strengthen their existing systems against cyber attacks.
Sagar CKVV & Shubham Atkare
Link : http://www.thehindubusinessline.com/money-and-banking/cyber-security-concerns-in-banks/article9517851.ece
Link : https://qz.com/816946/sbi-icici-bank-hdfc-bank-and-yes-bank-may-not-admit-it-but-they-have-much-to-answer-for-the-great-indian-debit-card-hacking
Link : https://www.welivesecurity.com/2016/12/30/biggest-security-incidents-2016
Link : http://www.pwc.in/assets/pdfs/consulting/cyber-security/pov-on-rbi-circular-online.pdf
Link : https://www2.deloitte.com/content/dam/Deloitte/in/Documents/risk/in-risk-rbi-guidelines-for-cyber-security-framework-noexp.pdf
Attacks on sensitive data have dominated the threat landscape in recent weeks. The execution pattern of each malware family is slightly tweaked from the previous one, but the common thread is that all of them use the network to spread like wildfire, and all of them use distinct techniques to avoid detection in their early stages.
According to Symantec Corp., it identified hundreds of new malware families released into the wild, more than triple the number seen previously, and a 36 percent increase in ransomware attacks worldwide. Japan and China, followed by India, ranked among the countries with the most malware detections, and each country's share has grown year on year. On top of this, the USA was the biggest, and softest, target in the world: Symantec found that 64 percent of Americans are willing to pay a ransom, compared with 34 percent globally, and the average ransom demand spiked 266 percent to $1,077 per victim. But does paying the ransom mean the data is restored? Far from it: many cases were reported around the world in which victims' data was never restored, which is why the term "digital extortion" has come into use. Alongside WannaCry in May 2017, the world has seen multiple digital extortion and wiper attacks, such as Petya, Shamoon 2 and StoneDrill.
“New Petya is not ransomware; it is destructive wiper malware”
The Petya attacks infected computers in several countries, including Russia, Ukraine, France, India and the United States. It is nasty malware designed to look like ransomware, but its main intention is to wipe the computer outright and destroy the records on the targeted systems. It reboots the victim's computer, encrypts the hard drive's master file table and renders the master boot record inoperable, denying access to the system by seizing the information about file names, sizes and locations on the physical disk.
“Shamoon 2: Delivering Disttrack”
Shamoon, also known as Disttrack, is modular malware discovered by Seculert in 2012 and used in destructive attacks on the energy sector. The Shamoon 2 campaign brought three waves of destructive cyber-attacks within Saudi Arabia from late November 2016. The attackers likely gathered the list of known hostnames directly from Active Directory or during network reconnaissance conducted from a compromised host. This reconnaissance, coupled with the credential theft needed to hardcode legitimate usernames and passwords into the Disttrack payloads, suggests that the threat actors very likely had sustained access to the targeted networks before the Shamoon 2 attacks.
Among the files associated with the third wave of Shamoon 2 attacks was a Zip archive containing the files the attacker used to infect other systems on the targeted network from a single compromised system, which then served as a Disttrack distribution server. The attacker deploys the Zip archive to this distribution server by logging in to the compromised system over Remote Desktop Protocol (RDP) with stolen, legitimate credentials and downloading the archive from a remote server. From this single system the actor distributes Disttrack to hosts in different parts of the network, where the Disttrack Trojan attempts to spread to 256 other systems on each local network.
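As an added example (not from the Unit 42 write-up this section draws on), the following Python script shows the detection logic a defender would want for the spreading behaviour described above: one host that first contacts an unusually large number of neighbours in a single /24 over the SMB ports within a short window, correlated with an earlier RDP login into that host. The record format, hosts, timestamps and thresholds are constructed for illustration, not taken from real telemetry.

```python
"""Fan-out detector for a Disttrack-style distribution host.

Added example, not from Unit 42's report. It models the behaviour described
above: one compromised host receives an RDP login with stolen credentials and
then pushes the wiper to many neighbours on each local /24 over SMB.
All records below are constructed; the thresholds are illustrative."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed record format (hypothetical flow/log export):
# 2016-11-17T01:00:00 src=10.0.1.5 dst=10.0.1.10 dport=445
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
SMB_PORTS = (445, 139)
RDP_PORT = 3389


def parse_line(line: str):
    """Split one constructed record into (timestamp, src, dst, dport)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def build_sample_log():
    """Constructed telemetry: 10.0.1.5 acts as the distribution server and
    contacts 40 neighbours on TCP 445 within four minutes after an RDP login
    from 198.51.100.7 (TEST-NET-2). 10.0.1.7 is ordinary admin traffic."""
    t0 = datetime(2016, 11, 17, 1, 0, 0)
    lines = [f"{t0.isoformat()} src=198.51.100.7 dst=10.0.1.5 dport={RDP_PORT}"]
    for i in range(40):
        t = t0 + timedelta(seconds=6 * i)
        lines.append(f"{t.isoformat()} src=10.0.1.5 dst=10.0.1.{10 + i} dport=445")
    for i in range(3):
        t = t0 + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} src=10.0.1.7 dst=10.0.1.{100 + i} dport=445")
    return lines


def find_fanout(lines, window=timedelta(minutes=10), threshold=20):
    """Alert on any source that first contacts >= `threshold` distinct hosts in
    one /24 over SMB ports within `window`. Returns one alert per (src, /24)."""
    first_seen = defaultdict(dict)  # (src, /24) -> {dst: first contact time}
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        if dport not in SMB_PORTS:
            continue
        subnet = ipaddress.ip_network(f"{dst}/24", strict=False)
        seen = first_seen[(src, subnet)]
        if dst not in seen or ts < seen[dst]:
            seen[dst] = ts
    alerts = []
    for (src, subnet), hosts in first_seen.items():
        times = sorted(hosts.values())
        lo = 0
        for hi, t in enumerate(times):      # sliding window over first-contact times
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append({"src": src, "subnet": str(subnet),
                               "distinct_hosts": len(hosts),
                               "window_start": times[lo], "window_end": t})
                break
    return alerts


def rdp_sources_before(lines, host, before):
    """Who logged in to `host` over RDP at or before `before`? Used to tie the
    fan-out back to the staging step the report describes."""
    return sorted({src for ts, src, dst, dport in map(parse_line, lines)
                   if dst == host and dport == RDP_PORT and ts <= before})


if __name__ == "__main__":
    log = build_sample_log()
    for alert in find_fanout(log):
        staged_from = rdp_sources_before(log, alert["src"], alert["window_start"])
        print(f"{alert['src']} contacted {alert['distinct_hosts']} hosts in "
              f"{alert['subnet']} between {alert['window_start']} and "
              f"{alert['window_end']}; RDP logins to it from {staged_from}")
```

The detector keys on first-contact times rather than raw connection counts, so a busy file server talking repeatedly to the same few clients does not trip it, while a host that touches dozens of new neighbours in minutes does; the threshold and window should be tuned to the environment's normal admin traffic.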
“StoneDrill wiper malware targets European hard drives”
Researchers at Kaspersky Lab released new information about another piece of wiper malware found in the wild, called StoneDrill, which targets organizations in Saudi Arabia and was also found in a European petrochemical organization. The malicious code injects itself into the memory of the victim's preferred browser process and makes heavy use of anti-detection techniques. StoneDrill also shares the same WinMain signatures, backdoor commands, decryption routines and command-and-control (C&C) server names with previously analysed malware. By living inside the browser process rather than dropping files to disk, the malware is more likely to remain undetected for the time it needs to wipe data by overwriting both physical and logical drives with random data.
Safeguarding methods - Protect Yourself
Anandam Roychowdhury & Swetha Kanala
ISTR Financial Threat Review – May 2017 , Published by Symantec Corp.: Link :
Symantec Security Response Publications: Link:
The Hackernews blog : Link:
Paloaltonetworks blog: Link:
The world has yet to recover from the consequences of the EternalBlue and DoublePulsar leaks, and meanwhile multiple further leaks have been released by the "de-classifying" website WikiLeaks.org. The present ransomware attacks build on the EternalBlue and DoublePulsar tools, stolen from the NSA-linked Equation Group by the Shadow Brokers, who first surfaced in August 2016. By comparison, since March 2017 WikiLeaks has already released 14 parts of Vault 7, its series on the United States Central Intelligence Agency (CIA).
Since its inception WikiLeaks has published thousands of documents and detailed accounts of secret information. Its famous leaks include the 2008 Peru oil scandal, the Afghan and Iraq war document leaks, the 2013 mass surveillance disclosures (with the help of Edward Snowden), the 2016 Democratic National Committee email leak and the Podesta emails. All of these leaks have caused havoc in the minds of ordinary people who are far removed from the diplomatic layers of their countries. Vault 7 contains a series of documents detailing the activities and capabilities of the CIA to perform electronic surveillance and cyber warfare. The disclosed files span 2013 to 2016. The documents clearly show the Agency's capability to monitor data from most smartphones (including the iOS and Android platforms), desktop web browsers (including Google Chrome, Microsoft Edge, Mozilla Firefox and Opera), cars, smart televisions and so on.
The tools described in these leaks can extract information from a system with ease. For example, Elsa, released on 28 June 2017, is geo-location malware for Wi-Fi-enabled devices running Microsoft Windows. It records the details of Wi-Fi access points near the target machine and transmits that metadata to third-party databases (which exist to support location services in the Firefox, Chrome and Internet Explorer browsers) for resolution into latitude, longitude and an accuracy measure, giving a pattern of live geo-location information over time.1 Monitoring tools of this type can be implanted on a target's system without detection.
Some of these tools were so well planned that they were built to evade Personal Security Products (PSPs), in other words antivirus software such as Microsoft Security Essentials, Symantec Endpoint Protection or Kaspersky Internet Security. Examples include Grasshopper (released 7 April 2017), a framework used to build customized malware payloads for Microsoft Windows, and the Marble Framework (released 31 March 2017), which similarly obfuscates or scrambles code to avoid suspicion and complete its task without revealing much about the code itself.
The Dark Matter leak (released 23 March 2017) included vulnerabilities and exploits targeting Apple Mac firmware. One of the documents described a tool named 'NightSkies 1.2', a beacon expressly designed to be physically installed onto factory-fresh iPhones; according to the claim, the CIA has been infecting the iPhone supply chain of its targets since at least 2008. The leak also included a project named 'Sonic Screwdriver', described by the CIA as a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting", allowing an attacker to boot attack software, for example from a USB stick, "even when a firmware password is enabled".1
Many of the vulnerabilities and exploits disclosed through these leaks are still "in progress". On one side it is now well established how the CIA and the US government have been peering into systems worldwide. On the other, these leaks have handed attackers a huge windfall. After the first Vault 7 release, the CIA commented that "The American public should be deeply troubled by any WikiLeaks disclosure designed to damage the Intelligence Community's ability to protect America against terrorists or other adversaries," though it remained silent on the authenticity of the leak.2 In the aftermath, some of the affected companies, such as Cisco, came forward and circulated mitigation advice. It is still very hard to determine at this stage what other exploits and vulnerabilities the CIA has created. It is ironic that the statements from the US side were nation-centric, whereas once an exploit is out the attacks spread all over the world. President Donald Trump, unlike the CIA, accepted the allegations in the leak and trusted his own organization, stating: "Because I don't want to do anything that's going to violate any strength of an agency. We have enough problems. And by the way, with the CIA, I just want people to know, the CIA was hacked, and a lot of things taken -- that was during the Obama years. That was not during us. That was during the Obama situation. Mike Pompeo is there now doing a fantastic job." (Transcript from reference site 3). It is high time for the industry to work on the loopholes exposed by the leak and mitigate them before attackers exploit them, rather than waiting for the leaks to be authenticated. Only time can tell what has been jeopardized by the revelation of these documents.
1 - WikiLeaks site: Link : https://wikileaks.org/vault7/index.html
2 – Business Insider Article : Link : http://www.businessinsider.in/CIA-Americans-should-be-deeply-troubled-by-WikiLeaks-disclosure/articleshow/57546484.cms
3 - Transcript, Tucker Carlson Tonight : Link : https://www.realclearpolitics.com/video/2017/03/16/carlson_to_trump_why_not_gather_evidence_confront_intelligence_agencies_if_you_were_wiretapped.html
The cyber-world was shaken by one of the worst ransomware attacks ever, leaving over 300,000 systems infected. The attack exposed major vulnerabilities in present IT infrastructure. But was it avoidable? Or did something happen that exposed those vulnerabilities?
In August 2016 a hacker group calling itself "The Shadow Brokers" declared that it had stolen malware code from the Equation Group; yes, the same Equation Group associated with the National Security Agency (NSA), which is itself described as one of the most sophisticated cyber-attack groups in the world.
Later, on April 14, 2017, The Shadow Brokers released a network infection vector, EternalBlue, and a backdoor implant tool named DoublePulsar. Both were part of the code stolen from the Equation Group.
EternalBlue exploits a flaw in Microsoft's implementation of the Server Message Block (SMB) protocol. SMB is a network protocol used by Windows machines for a wide variety of purposes such as file sharing, printer sharing and access to remote Windows services, and it operates over TCP port 445. On successful exploitation, the attacker's payload runs on the remote machine; in the leaked toolkit this is used to install the DoublePulsar implant. Microsoft had already addressed the flaw: on March 14, 2017 it issued security bulletin MS17-010 *, which detailed the vulnerability and released patches for all Windows versions supported at the time, including Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012 and Windows Server 2016.
The other leaked tool released by the Shadow Brokers, DoublePulsar, is a backdoor implant. As described by Symantec Corporation^, “The Trojan is a configurable implant found in a data dump released to the public by an attack group calling itself the Shadow Brokers. When the Trojan is executed, it creates the file: Doublepulsar-1.3.1.exe. The Trojan opens a back door on the compromised computer and connects to a remote location. The Trojan may connect to preconfigured IP addresses and ports.” The Trojan communicates with the attacker over the same SMB protocol that EternalBlue exploits. According to Symantec, the Trojan may perform the following actions^:
These functions let the attacker execute any raw shellcode payload on a vulnerable system. DoublePulsar is a full kernel-mode payload giving complete control over the system. It does not open new ports but reuses the port the SMB service already listens on. It infects computers running Windows and opens a backdoor through which other malware can be loaded onto the infected machine.
Another dangerous feature of DoublePulsar is that it is a RAM-resident implant, which makes it hard for file-based anti-virus scanning to detect and stop the attack, and leaves the system open to further attacks. Because the implant lives only in memory, it disappears on reboot, leaving few traces on disk, although anything it loaded in the meantime may have set up its own persistence.
DoublePulsar is a loading platform for additional malware: its purpose is to provide a covert channel through which other malware or executables can be loaded very easily. It is a distinctive payload because it can infect a system, lie low for a while, and come back later when the attacker wants to do something more intrusive.
Note that the presence of DoublePulsar on a system does not mean it was infected by the NSA or by the Shadow Brokers. It means there is a loading platform ready and waiting for whatever malware anyone chooses to give it. #
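An added example, not from the page's sources: because DoublePulsar answers on the SMB port it already occupies, it can be detected on the wire even though it leaves nothing on disk. Public detection scripts send a Trans2 SESSION_SETUP "ping" and check the Multiplex ID in the reply: a clean server echoes the client's MID (0x41), whereas the implant answers with 0x51. The Python below parses NetBIOS-framed SMBv1 headers and applies that check. The frames it inspects are constructed for the example, not real captures, and every header field other than the command and the MID is illustrative.

```python
"""Check captured SMBv1 replies for the DoublePulsar 'ping' marker.

Added example. The only detection fact it relies on is the publicly
documented one: the implant replies to a Trans2 SESSION_SETUP request with
Multiplex ID 0x51 where a clean server returns the client's 0x41.
Sample frames below are constructed, not captured from a real host."""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32   # the command used for the ping
SMB_FLAGS_REPLY = 0x80        # Flags bit set on server responses
MID_CLIENT = 0x41             # MID the detection scripts put in the request
MID_DOUBLEPULSAR = 0x51       # MID the implant substitutes in its reply

# 32-byte SMBv1 header (MS-CIFS 2.2.3.1), little-endian, no padding:
# Protocol, Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures,
# Reserved, TID, PIDLow, UID, MID
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
NBSS_LEN = 4                  # NetBIOS session service header: type + 3-byte length


def parse_smb_header(frame: bytes) -> dict:
    """Parse a NetBIOS-framed SMBv1 message and return its header fields."""
    if len(frame) < NBSS_LEN + SMB_HEADER.size:
        raise ValueError("frame too short for NBSS + SMB header")
    if frame[0] != 0x00:
        raise ValueError(f"unexpected NBSS message type {frame[0]:#04x}")
    body = frame[NBSS_LEN:]
    if int.from_bytes(frame[1:4], "big") != len(body):
        raise ValueError("NBSS length field does not match payload length")
    (magic, command, status, flags, flags2, pid_high, signature,
     _reserved, tid, pid_low, uid, mid) = SMB_HEADER.unpack_from(body)
    if magic != SMB_MAGIC:
        raise ValueError("not an SMBv1 message")
    return {
        "command": command,
        "status": status,
        "is_response": bool(flags & SMB_FLAGS_REPLY),
        "flags2": flags2,
        "pid": (pid_high << 16) | pid_low,
        "signature": signature,  # public scripts derive the implant's XOR key from this field
        "tid": tid,
        "uid": uid,
        "mid": mid,
    }


def is_doublepulsar_ping_response(frame: bytes) -> bool:
    """True if the frame is a Trans2 reply carrying the implant's MID."""
    hdr = parse_smb_header(frame)
    return (hdr["is_response"]
            and hdr["command"] == SMB_COM_TRANSACTION2
            and hdr["mid"] == MID_DOUBLEPULSAR)


def build_trans2_reply(mid: int, status: int, signature: bytes = bytes(8)) -> bytes:
    """Build a minimal Trans2 reply frame (WordCount 0, ByteCount 0).
    Constructed for exercising the parser; Flags2/TID/PID/UID values are illustrative."""
    header = SMB_HEADER.pack(SMB_MAGIC, SMB_COM_TRANSACTION2, status,
                             SMB_FLAGS_REPLY | 0x18, 0xC807, 0, signature,
                             0, 0x0800, 0xFEFF, 0x0800, mid)
    body = header + b"\x00" + b"\x00\x00"
    return b"\x00" + len(body).to_bytes(3, "big") + body


def scan_frames(frames):
    """Classify (host, frame) pairs; unparseable frames are reported, not silently skipped."""
    results = []
    for host, frame in frames:
        try:
            verdict = "DOUBLEPULSAR" if is_doublepulsar_ping_response(frame) else "clean"
        except ValueError as exc:
            verdict = f"error: {exc}"
        results.append((host, verdict))
    return results


# Constructed captures (not real): a clean host and an implanted host.
CLEAN_REPLY = build_trans2_reply(MID_CLIENT, 0xC0000002)        # STATUS_NOT_IMPLEMENTED
IMPLANT_REPLY = build_trans2_reply(MID_DOUBLEPULSAR, 0x00000000,
                                   signature=b"\x11\x22\x33\x44\x00\x00\x00\x00")

if __name__ == "__main__":
    for host, verdict in scan_frames([("10.0.0.5", CLEAN_REPLY),
                                      ("10.0.0.6", IMPLANT_REPLY),
                                      ("10.0.0.7", b"\x00\x00\x00\x04junk")]):
        print(f"{host}: {verdict}")
```

Run against real traffic, the same parser can be fed the reply bytes from a live Trans2 ping or from a packet capture of one; a 0x51 MID is a strong indicator, but a clean reply only proves the implant did not answer that probe, so it should be paired with confirming that MS17-010 is applied and that port 445 is not reachable from untrusted networks.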
Most of the systems hit by the WannaCry ransomware still had TCP port 445 (the SMB port) exposed and had not applied Microsoft's patch of March 14, 2017, which allowed the attackers to plant DoublePulsar through the EternalBlue exploit. Call it negligence on the user's side, or simply the easiest way to exploit a vulnerability in the cyber-infrastructure. It would be no great surprise if further exploits and vulnerabilities from the NSA dumps are shared by the Shadow Brokers.
Anandam Roychowdhury & Swetha Kanala
* Microsoft Security bulletin MS17-010 :
^Symantec Corporation security response page for DoublePulsar : https://www.symantec.com/security_response/writeup.jsp?docid=2017-042122-0603-99&tabid=2
# Secpod.com blog :
Dearbyte.com blog :
Google, which has long let developers place their applications on the Play Store freely, is putting an end to that unrestricted freedom. Serious problems such as a lack of quality and a lot of junk are the main provocation for the move. Apple adopted quality checks long ago, and Google has now recognized their importance too.
Although Google has encouraged its developers to create high-quality applications for years, those efforts have not always succeeded, and the Play Store has accumulated many useless, poor-quality and very insecure applications. To address this, Google has set new guidelines: it will now reduce the visibility of apps that perform poorly in terms of stability and power efficiency in the Play Store.
Is security taken for granted on an open platform?
As mentioned, unlike Apple, which keeps tight control over the applications available on the App Store, Google's approach has been far too lenient. The result has been applications that fail constantly, crash, or consume power excessively, even though the Play Store's openness attracts developers and fosters their creativity.
To improve the Android experience and overall device performance, Google has reaffirmed its commitment to the speed, security and stability of the operating system, not just for end users but also for developers, so that the platform can reach millions of users and developers. Tighter rules, with various metrics and scores on the stability of your applications, now apply to any application that wants to be promoted, for better response time and battery usage. The metrics Google uses to gauge an app's standard are as follows:
Last February, Google announced that an app's performance will affect its "promotion", meaning applications must meet minimum standards on the metrics mentioned above or risk not being visible in the Play Store.
Hopefully, with these criteria in place, we can feel safe under the protective umbrella of the Google Play Store and continue enjoying its apps.
With the latest buzz around "WannaCry", everybody is alert to the security of their smartphone. You may be surprised to learn of another Trojan-based malicious code, "Xavier", found in more than 800 apps on the Google Play Store. An analysis by Trend Micro's TrendLabs reports that the Trojan ad library has been observed in apps downloaded millions of times from the Google Play Store itself.
Android, Google's mobile platform and the most widely used operating system worldwide, is perhaps the most heavily targeted in computing security because of its popularity. All mobile apps undergo a scan before being published in the Google Play Store, but as the saying goes, 'no one is perfect': Google's system can be fooled, directly or indirectly, by a remotely planned attack. Does this call into question the quality of apps developed for the Play Store? A member of the AdDown family, Xavier has existed for over two years; its first version, called joymobile, appeared in early 2015 with remote code execution capability. This ad library goes far beyond collecting and leaking user information: it can silently install other APKs if the device is rooted. Infected devices generated large volumes of fraudulent ad clicks, which convert into revenue for the malware's creators. Free apps such as photo editors and wallpaper apps, downloaded millions of times, have been the incubator for the Xavier malware.
Technical aspects:
As stated earlier, the ad library is integrated into apps to generate advertising revenue for their developers. Over time this malware has become more powerful and now poses a more sophisticated kind of threat. Beyond evading detection, remote code execution and user information theft, Xavier is now smart enough to dodge security programs such as antivirus or anti-adware tools. It remotely downloads executable code from a server and is configured to quietly collect user data including email address, device ID, OS version, country and SIM operator. Countries such as Vietnam, the Philippines and Indonesia saw the highest number of download attempts, with traces of affected apps in parts of the US and Europe.
Apps for your smartphone should be downloaded only from trusted developers, and only after going through the reviews and ratings, before you give them space on your device.