201309 Sym IntelligenceReport

8/12/2019 201309 Sym IntelligenceReport

1/35

SYMANTEC INTELLIGENCE REPORTSEPTEMBER 2013


2/35

p. 2

Symantec CorporationSymantec Intelligence Report :: SEPTEMBER 2013

CONTENTS

CONTENTS

3 Executive Summary

4 BIG NUMBERS

7 TIMELINE

10 TARGETED ATTACKS

11 Targeted Attacks in 201311 Targeted Attacks per Day11 Anatomy of Latest Watering Holes12 First Attacks Logged by Month12 Top 10 Industries Attacked13 Attacks by Size of Targeted Organization13 File Extensions of Attachments13 First Attacks Logged by Size

14 Q&A on Hidden Lynx

16 Social Media17 Top 5 Social Media Attacks, 2013

18 DATA BREACHES19 Top 5 Data Breaches by Type of Information Exposed19 Timeline of Data Breaches, 2013

20 MOBILE21 Mobile Malware by Type22 Cumulative Mobile Android Malware

23 VULNERABILITIES24 Total Vulnerabilities Disclosed by Month24 Browser Vulnerabilities24 Plug-in Vulnerabilities

25 SPAM, PHISHING, & MALWARE

26 Spam26 Top 5 Activity for Spam Destination by Geography26 Global Spam Volume Per Day26 Top 5 Activity for Spam Destination by Industry27 Top 10 Sources of Spam27 Average Spam Message Size*

27 Top 5 Activity for Spam Destination by Company Size27 Spam by Category27 Spam URL Distribution Based on Top Level Domain Name*

28 Phishing28 Top 10 Sources of Phishing28 Top 5 Activity for Phishing Destination by Company Size28 Top 5 Activity for Phishing Destination by Industry28 Top 5 Activity for Phishing Destination by Geography29 Phishing Distribution in September29 Organizations Spoofed in Phishing Attacks

30 Malware30 Proportion of Email Traffic in Which Virus Was Detected30 Top 10 Email Virus Sources31 Top 5 Activity for Malware Destination by Industry31 Top 5 Activity for Malware Destination by Geographic Location31 Top 5 Activity for Malware Destination by Company Size

32 Endpoint Security32 Top 10 Most Frequently Blocked Malware

33 Policy Based Filtering33 Policy Based Filtering

34 Contributors

34 About Symantec

34 More Information


3/35

p. 3


Executive Summary

Welcome to the September edition of the Symantec Intelligencereport. Symantec Intelligence aims to provide the latest analysis ofcyber security threats, trends, and insights concerning malware,spam, and other potentially harmful business risks.

In this months report we take a detailed look at targeted attacks in 2013 so far. What weve foundis that attackers have continued to refine their techniques, adding new tricks to attack methodssuch as watering holes and spear phishing in order to increase the likelihood of snaring theirintended targets.

We also take a look at targeted attack trends over the last three years to get a better feel for howattackers are operating. While weve noticed is that attacks per day are lower compared to lastyear, attacks are up 13 percent over a three year period. We also take a look at the times of the yearattackers are more likely to kick off targeted attack campaigns, who theyre targeting, and the typeof malicious payloads theyre using.

While looking at targeted attacks, I sat down with one of our leading threat researchers to talkabout a targeted attack group recently discussed in a new Symantec whitepaper . We talk aboutwho the Hidden Lynx group is, how they operate, and what theyre after, as well as what the futuremight hold for these attackers.

Also, this months timeline focuses on stories surrounding targeted attacks during the month ofSeptember, recapping what happened and what that means to you.

We hope that you enjoy this months report and feel free to contact us with any comments orfeedback.

Ben Nahorney, Cyber Security Threat Analyst

[email protected]
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdfmailto:[email protected]:[email protected]://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf


4/35

p. 4


B I G N

U MB E R

S


5/35

p. 5


Overall Email Phishing Rate:

1 in 736

1 in 6261 in 1,056

Aug

Jul

Sep

HIGHER NUMBER = LOWER RISK

Overall Email Virus Rate:

1 in 465Jul

Aug

Sep

HIGHER NUMBER = LOWER RISK

1 in 340

1 in 383

Estimated GlobalEmail Spam Rate Per Day

SPAM AS PERCENT OF ALL EMAIL

Jul Aug Sep0

10

20

30

40

50

60

70

80

90

100

65 % 66 % 68 %

New Vulnerabilities

469

Aug

561

July

549

Sep

Aug 2

July 3

Sep 7

MobileVulnerabilities


6/35

p. 6


Data Breaches

144

Number of Breaches(Year-to-Date)

91,247,719

Number of IdentitiesExposed (Year-to-Date)

Mobile Malware Variants

V A R I A N T

S ( C U M U L A T I V E

)

161 213

SepAugJul

161

213 249

1000

2000

3000

4000

5000

6000

7000

8000

9000

10000

SAJJMAMFJAN2013

DNOS

7,1017,101


7/35

p. 7


T I ME L I N

E


8/35

p. 8


September Targeted Attacks Timeline

September 04 Attackers took advantage of this months G20 summit in St.Petersburg in Russia to target multiple groups . This campaigntargeted financial institutions, financial services companies,government organizations, and a number of other organizationsinvolved in economic development.

The attackers sent emails that claimed to come from a G20representative. The email thanked the targets for circulatingupdated building blocks, referring to the theme of multipledocuments discussing the UK governments feedback on howto address development, anti-corruption and employment. Themessage continued, saying that the UK government has madecomments on these documents and the sender claims that theyare attached in the email.

Symantec detects the executable as Backdoor.Darkmoon , aremote access Trojan that has previously been used in a numberof targeted attack campaigns including the Nitro Attacks .

September 06 A new banking Trojan has been found targeting online bankingusers in a variety of countries. The Trojan was part of acampaign where the attackers posed as a legitimate organizationand sent emails with disguised malicious attachments tovictims. These emails either claimed that postal trackinginformation or an invoice was attached.

The attackers were aiming to obtain login credentials to gainaccess to victims online bank accounts using the Trojanskeystroke logging capabilities. The malware could injectmalicious code into targeted banks Web pages. Securityresearchers also said that the Trojan attempted to trick victimsinto installing a mobile app in order to bypass two-factorauthentication to log into bank accounts. After a victimscomputer was infected, a malicious Web page appeared andasked them to input their mobile device model and number. Theattackers then sent a text message linking to the malicious app.

September 09 Malicious actors are always quick to exploit our desire to beinformed of the latest news, often using current affairs as emailsubject lines or topics in order to target victims with malware.

As expected, the current situation in Syria is being used in thisway. Symantec Security Response has published a blog detailinga targeted attack campaign that used the recent chemical attackin Syria as a lure . The email referred to a recently publishedarticle by the Washington Post , taking the text directly fromthe original news item and placing it in a malicious Worddocument. The malicious document contained Backdoor.Korplugand exploited the Microsoft Internet Explorer Use-After-FreeRemote Code Execution Vulnerability (CVE-2013-2551).

September 12An ongoing cyber espionage campaign was found targetingSouth Korean entities, such as government and military think-tanks, supporters of Korean unification and a variety of shippingcompanies. The campaign used malware that allowed attackersto spy on victims and steal data.

While the researchers havent confirmed how victimscomputers were infected, they suspect that the attackersused spear-phishing emails that contained a Trojan dropperto download additional malware. The operation used a lot ofdifferent malicious programs and each one implemented asingle spying function. Symantec detects the malware cited inthis report as Trojan.Kisuky .
http://www.g20.org/docs/summit/summit_2013.htmlhttp://www.symantec.com/connect/blogs/g20-summit-used-bait-deliver-backdoordarkmoonhttp://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdfhttp://www.darkreading.com/end-user/new-advanced-banking-trojan-discovered-i/240160826http://www.symantec.com/connect/blogs/chemical-attack-syria-used-enticement-targeted-attackhttp://www.symantec.com/connect/blogs/chemical-attack-syria-used-enticement-targeted-attackhttp://www.washingtonpost.com/world/national-security/obama-administration-lays-groundwork-for-probable-military-strike-against-syria/2013/08/27/538d072e-0f3c-11e3-bdf6-e4fc677d94a1_story.htmlhttp://www.symantec.com/security_response/writeup.jsp?docid=2012-062914-2531-99http://www.securityfocus.com/bid/58570http://www.securityfocus.com/bid/58570http://www.scmagazine.com/south-korean-think-tanks-targeted-in-kimsuky-spy-campagin/article/311287/http://www.symantec.com/security_response/writeup.jsp?docid=2013-091214-0334-99http://www.symantec.com/security_response/writeup.jsp?docid=2013-091214-0334-99http://www.scmagazine.com/south-korean-think-tanks-targeted-in-kimsuky-spy-campagin/article/311287/http://www.securityfocus.com/bid/58570http://www.securityfocus.com/bid/58570http://www.symantec.com/security_response/writeup.jsp?docid=2012-062914-2531-99http://www.washingtonpost.com/world/national-security/obama-administration-lays-groundwork-for-probable-military-strike-against-syria/2013/08/27/538d072e-0f3c-11e3-bdf6-e4fc677d94a1_story.htmlhttp://www.symantec.com/connect/blogs/chemical-attack-syria-used-enticement-targeted-attackhttp://www.symantec.com/connect/blogs/chemical-attack-syria-used-enticement-targeted-attackhttp://www.darkreading.com/end-user/new-advanced-banking-trojan-discovered-i/240160826http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdfhttp://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99http://www.symantec.com/connect/blogs/g20-summit-used-bait-deliver-backdoordarkmoonhttp://www.g20.org/docs/summit/summit_2013.html


9/35

p. 9


September 18Microsoft reported a critical vulnerability in Internet Explorerwhich could enable remote code execution on an affectedcomputer if the user visits a website containing maliciouscontent directed towards the browser. This typically happenswhen an attacker compromises the security of trusted websitesthat Internet Explorer users visit frequently, or convincessomeone to click on a link in an email, or via a social networkingsite, or in an instant message.

While the vulnerability has since been patched, Microsoftstated that all supported versions of Internet Explorer wereaffected;moreover, there were also reports of a limited numberof targeted attacks specifically directed at versions 8 and 9. Formore details about preventing this threat see the blog entry,New Internet Explorer Zero-day Found in Targeted Attacks .

September 26Security researchers reported on a small group of hackers forhire called Icefog that have potentially performed surgicalhit and run operations against several organizations acrossthe globe. The attacks used custom cyberespionage tools tocompromise Windows and Mac OS X computers, which wereused to locate and steal specific information before abandoningthe infected computer. The attackers sent spear-phishing emailsand used exploits for known vulnerabilities in their campaigns.Once the targeted computers were compromised, the attackersplaced back-doors and other data-stealing tools on them. Theycould then gather sensitive documents, email credentials andother passwords that could be used to gain access to even moredata.

Unlike many other advanced persistent threats (APTs), whichcompromise computers for months in order to continuously

steal data, the Icefog attackers seemed more interestedin carrying out quick, surgical strikes to gather specificinformation. Symantec detects the threats used in this campaignas Backdoor.Hormesu .
http://blogs.technet.com/b/msrc/archive/2013/09/17/microsoft-releases-security-advisory-2887505.aspxhttp://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-found-targeted-attackshttp://www.theregister.co.uk/2013/09/26/icefog_hit_and_run_apt_japan_south_korea/http://www.theregister.co.uk/2013/09/26/icefog_hit_and_run_apt_japan_south_korea/http://www.symantec.com/security_response/writeup.jsp?docid=2011-102616-4356-99http://www.symantec.com/security_response/writeup.jsp?docid=2011-102616-4356-99http://www.theregister.co.uk/2013/09/26/icefog_hit_and_run_apt_japan_south_korea/http://www.theregister.co.uk/2013/09/26/icefog_hit_and_run_apt_japan_south_korea/http://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-found-targeted-attackshttp://blogs.technet.com/b/msrc/archive/2013/09/17/microsoft-releases-security-advisory-2887505.aspx


10/35

p. 10


T A R

G E T E D A T T A

C K

S


11/35

p. 11


Targeted Attacks in 2013

So far in 2013 few new attack techniques have been seen in therealm of targeted attacks. Instead weve seen a shoring up ofattack methods. Since the techniques used in the last couple ofyears still continue to reap rewards, attackers probably see littlereason to change them. Rather weve seen efforts to refine theirstrategies.

For instance, in past watering hole attacks an attackerwould compromise a legitimate website that thetarget is known to use and then lie in wait for them tovisit it. Attackers continue to use such techniques thisyear, but are lying in wait on multiple sites in order to

compromise more diverse set of targets. While eachof these sites may be used to snare a different targetprofile, they all redirect to the same exploit. This allows theattackers to leverage one vulnerability in multiple campaigns, oreasily swap out exploits, cutting down on overall administrationfor the attackers.

Weve also seen an increase in more aggressive spear-phishingattacks. In these cases the attacker sends an email and thenfollows up with a phone call directly to the target, such as theFrancophoned attack from this summer. The attacker mayimpersonate a high ranking employee, and request that the targetopen an attachment immediately. This assertive method of attack

Targeted Attacks per DaySource: Symantec

2013 2013 TREND (Projected)2011 2012

T A R

G E

T E D

A T T A

C K

S

0

25

50

75

100

125

150

175

200

225

250

DECNOVOCTSEPAUGJULJUNMAYAPRMARFEBJAN

Anatomy of Latest Watering HolesSource: Symantec

ExploitLocation

TargetVisits Website

CompromisedWebsites
http://www.symantec.com/connect/blogs/francophoned-sophisticated-social-engineering-attackhttp://www.symantec.com/connect/blogs/francophoned-sophisticated-social-engineering-attack


12/35

p. 12


has been reported more oftenin 2013 than in previousyears.

With these refinedtechniques, attackers may betaking more time to ensurean attack is successful. Ouroverall attack numbers

appear to support this.For instance, the averagenumber of attacks per day isdown 41 percent in the firstnine months of 2013 whencompared to the same periodlast year. Our projectionsfor the rest of the year showattacks per day dropping inthe last quarter of 2013 ifthis trend were to continue.However, this is still a 13

percent increase over the averages during the same period in

2011, showing targeted attacks are still trending upwards over alonger period of time.

While these numbers show the sheer volume of targeted attacks,it doesnt tell us much about when new attack campaigns arekicked off. To look at this, we filtered out multiple attacksagainst the same company to see when organizations firstlogged an attack during 2013. These first attacks appear to betrending up month on month in 2013. Of particular note is thatthe month of May saw a significant increase in the numberof new attacks. Using this as a marker for kicking off targetedattack campaigns, and looking back at our attacks per daynumbers, this increase is followed with an uptick in volume of

daily targeted attacks during the summer months of this year.In terms of targets, it appears that manufacturing is no longerthe leading industry on the receiving end of targeted attacks,having dropped from 24 percent of attacks in 2012 to 8.7percent so far in 2013. Taking its place near the top of ourcharts are service-related industries, both professional (22%)and non-traditional (15%). 1

Why have service-related industries risen this year? Much ofthis could be related to supply chain attacks, where attackerslook for the easiest point of entry and work their way up the

First Attacks Logged by MonthSource: Symantec

0

100

200

300

400

500

600

700

800

900

1000

1100

1200

SAJJMAMFJAN

2013

Top 10 Industries AttackedSource: Symantec

Industry Percent

Services - Professional 22.2%

Public Administration 19.2%

Services - Non-Traditional 14.8%

Finance, Insurance & Real Estate 13.0%

Transportation, Communications, Electric, & Gas 9.1%

Manufacturing 8.7%

Wholesale 4.2%

Logistics 2.1%

Retail 1.0%

Mining 1.0% 1 The Professional category includes services such as Legal, Accounting, Health, andEducation. Non-Traditional includes Hospitality, Recreational, and Repair services.


13/35

p. 13


Attacks by Size of Targeted OrganizationSource: Symantec

Company Size Percent

1-250 24.1%

251-500 11.8%

501-1000 10.8%

1001-1500 2.9%

1501-2500 9.5%

2500+ 40.8%

First Attacks Logged by SizeSource: Symantec


1-250 48.3%

251-500 11.4%

501-1000 9.4%

1001-1500 5.1%

1501-2500 5.6%

2500+ 20.3%

File Extensions of AttachmentsSource: Symantec

File Extension Percent

.exe 35.7%

.scr 24.2%

.doc 9.6%

.pdf 7.0%

.class 5.1%

.dmp 3.6%

.dll 2.4%

.xls 1.7%

.pif 1.4%

.jar 0.8%

chain. Attackers will often direct their efforts to the areasthat they see as having the laxest security. The shift frommanufacturing to service as an attack target could be due tothese industries being seen as an easier avenue into a supplychain.

Moreover, most of the manufacturing companies being targetedin 2012 were in the Defense or Engineering industries. Increased

awareness and tighter security countermeasures mean thecriminals have to adapt, and this is perhaps what we have seenin 2013 so far.

In terms of the size of organizations, it appears as though theswing from targeting large enterprises to smaller organizationshas continued this year. So organizations with over 2500+employees is down approximately 9 percentage points, from 50percent in 2012, to 41 percent so far this year. SMBs continue

to make up the largest percent of smaller organizations,though there appears to be a shift into the 251-500 and 501-1000 ranges, which have increase 7 and 8 percentage pointsrespectively.

If we look at the first attacks over the year, similar to how we didattacks per day, we see a definite shift towards targeting smallerbusinesses. In fact the 1-250 employee range comprises over 48percent of all unique attacks so far this year.

In terms of email-based targeted attacks, executables still topthe list of attachment types. While it seems at face value thatdocument formats, like .pdf and .doc files, would have a largermeasure of success from a social engineering standpoint. It

turns out that that isnt necessarily the case, since roughly64 percent of attachments are executables. In fact, weve seenspecific cases where attackers have sent .pdf files that gounopened within the target organization. However, in a follow-up targeted email that included a run-of-the-mill .exe file, thefile was opened and the payload executed.

These attachment types continue to roll in with the same, time-tested subject matter as well: invoices, calls for research papers,resumes, etc. It appears that so long as these methods continueto trick the targets, attackers see no reason to change theirtechniques.


14/35

p. 14


Q&A on Hidden Lynx

Earlier this year, details of a hack against security vendor Bit9emerged . Hackers had gained access to the companys digital code-signing certificates, and succeeded in signing their malware withit. This signed malware was then distributed in targeted attackcampaigns.

The roots of this attack, and the group behind it, go back much further. Symantec Security Response looked closely at the attackand those behind it, and recently published a whitepaper detailingthe activities of a hacking group , dubbed Hidden Lynx.

Stephen Doherty, a Senior Threat Intelligence Analyst and one ofthe primary investigators, lead the investigation into Hidden Lynx.

I sat down and talked with him about who this hacking group is,how theyre structured, and just how brazen theyve become.

Who are the Hidden Lynx group?

Hidden Lynx is a group weve been tracking for the lastnumber of years. The group itself is a targeted attack groupwho is based in China. They have been involved in attackssince at least 2009, including the high-profile attacks involvingBit9. We think its a professional organization, with lots ofexperience, using cutting edge techniques. They do a pay-per-order service, where a client will contact the group and askthem to pursue some specific information that is of use tothem.

How do they compare to your typical hacking group?

They are more capable than the typical groups you mightsee in many targeted attacks. They managed to get onto[Bit9s] machines and sign their malicious Trojans with Bit9certificates. This happened around the same time as a numberof zero days were distributing these Trojans, so we thought itwas a worthwhile exercise to go and have a look at exactly whatthese guys were doing, who they target, and why they targetcertain industries, in order to build up an overall picture of theircapabilities.

Who are the primary targets that they appear to be going after?

They tend to go after both private industry and governmentalorganizations in the wealthiest and most technologicallyadvanced countries. Their range of targets is wide, whichsuggests that there are lots of requests for different types ofinformation.

In terms of industries, they tend to go after quite specificorganizations within the financial industry. Theyll target assetmanagement agencies or companies that would be involved ininvestment banking, like mergers and acquisitions.

What is the goal of the attacks carried out by the Hidden Lynxgroup?

The overall goals are quite varied. At the moment theyrefocusing on Japan and South Korea . The large campaignmentioned in the paper was VOHO, which was focused in the US,so their targets shift quite regularly. This could be a case of notbringing too much focus to the group: if they continue to attackin certain locations, it can bring a lot of heat on them. Theymight move around for that reason, or it could be just a casewhere that campaign was run. They got the required informationand now theyve moved to another country to get information

there. So their overall goals are probably financially motivated,but the goals of an attack will change based on what informationtheyre after.

What are their primary attack methods?

Theyre cutting edge in what they do. They have access to thelatest exploits. Weve seen them using spear phishing attacks,and VOHO was a large watering hole campaign. To get into quitehard to reach places they have used supply chain attacks.

Theyve also been observed attacking vulnerable applicationson public-facing servers that a company might have. Thats howthey got into Bit9: they located a public-facing server and usedSQL-injection attacks to install a Trojan. From there they wereable to obtain passwords and move through the network, wherethey eventually gained access to their code-signing certificateand signed some of their malware. This is quite a large win ontheir behalf. Just having the audacity to go in and gain access likethis, most attackers wouldnt even consider it.

We think [Hidden Lynx]is a professionalorganization, with lots of

experience, using cuttingedge techniques.
http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdfhttp://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdfhttp://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-found-targeted-attackshttp://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-found-targeted-attackshttp://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdfhttp://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdfhttp://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/


15/35

p. 15


In your paper you mention that the Hidden Lynx group hascarried out one of the largest and most successful watering-hole attacks to date. What makes these watering hole attacksdifferent than those weve seen in the past?

The VOHO attacks are the most significant in terms of size. RSAhad examined the access logs from the webserver and saw thatthe payload was delivered to 4,000 machines, which is typicallymuch higher than a normal watering hole attack.

They compromised ten legitimate websites to redirect to thisexploit that they were hosting. Each of these watering holes hadslightly different expected visitors to each site. They rerouted

all these watering hole websites to one exploit. In many caseswatering holes typically just infect one legitimate website andwait for the unsuspecting user to visit, where as this one wasmuch larger in scale.

You mention two distinct threats, Trojan.Naid and Backdoor.Moudoor , used and maintained by what appear to be twoseparate attack teams within the Hidden Lynx group. What arethe differences between these two teams and why do you think

the group would be organized in such a way?To begin with Naid has been around since 2009. That dates allthe way back to when we saw the attacks involving Aurora, andthats been used right up to today. Then you have Moudoor,which is a more recent Trojan, which first surfaced in 2011.

We see Moudoor in larger-scale infections. We believe this isoperated by a team who is larger in size. Theyll infect a lotmore varied targets and have a much higher distribution rate.Naid is seen in much more limited use, and we think that this is

their Trojan that they reserve for special operationsif theyrefinding a specific target difficult to penetrate, they typically sendin Trojan.Naid. This is why we think there is a more elite teamwithin the Hidden Lynx group that operates this Trojan.

There appear to be ties between the Hidden Lynx group andOperation Aurora. What are these connections, and is theHidden Lynx group the latest iteration of a long runninghacking campaign?

Hidden Lynx is definitely a long-running hacking campaign.The more familiar Trojan with Aurora was Trojan.Hydraq , butwe believe Naid was also participating in this attack. When the

command and control domains and the organizations targetedwere examined, its very likely that both these Trojans were usedin this attack. So we think Hydraq would have been the initialbackdoor that was downloaded onto the machine via the exploit,and then Trojan.Naid was then subsequently installed on theinfected machines.

Does this mean Naid is unique to this attack group?

Yes, we dont believe Naid is available to any other attack groups.Its a very specific Trojan. We dont see widespread distribution,so this is another reason we believe that it was this group thatparticipated in the Aurora attacks.

Now that the Hidden Lynx groups tactics are out in the open,what do you think the next steps will be for these attackers?

The obvious thing would be similar to what happened withAurora: Hydraq disappeared within a matter of months and they just persisted with different Trojans. We expect the same thingto happen. Theyll swap the Trojans that they use, but theyllcontinue to attack in the same manner.

Were already looking into Trojans that look like theyre beingused by this group at this time. We certainly know of one:Backdoor.Fexel . It shares some infrastructure that was usedduring the Hidden Lynx campaign and is using the most recentzero-day , obviously post-publication of the paper.

In your experience, do you think well be seeing more or less ofthis group as time goes on?

I think well see at least as much, considering their experienceand their capabilities. There are lots and lots of attack groupsthat come from China, but this would be one of the stand-outgroups. I think for that fact theyre not going to go away any timesoon. Even with some of the major focus on the group, theyrestill attacking to this day.

Theyre not going to goaway any time soon.Even with some of themajor focus on thegroup, theyre stillattacking to this day.
http://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99http://www.symantec.com/security_response/writeup.jsp?docid=2012-100817-2451-99http://www.symantec.com/security_response/writeup.jsp?docid=2012-100817-2451-99http://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99http://www.symantec.com/security_response/writeup.jsp?docid=2013-092314-4620-99http://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-found-targeted-attackshttp://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-found-targeted-attackshttp://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-found-targeted-attackshttp://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-found-targeted-attackshttp://www.symantec.com/security_response/writeup.jsp?docid=2013-092314-4620-99http://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99http://www.symantec.com/security_response/writeup.jsp?docid=2012-100817-2451-99http://www.symantec.com/security_response/writeup.jsp?docid=2012-100817-2451-99http://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99


16/35

p. 16


S O C I A L ME D I A


17/35

p. 17


Social Media

At a Glance

82 percent of all socialmedia attacks so far in2013 have been fakeofferings. This is up from56 percent in 2012.

Fake Plug-ins are thesecond-most commontype of social mediaattacks at 7.3 percent, upfrom fifth place in 2012,at 5 percent.

Fake Apps have risenoverall in 2013, nowmaking up 1.9 percent ofsocial media attacks. In2012, this category wasranked sixth.

MethodologyFake Offering. These scams invite social network users to join a fake event or group with

incentives such as free gift cards. Joining often requires the user to share credentials withthe attacker or send a text to a premium rate number.

Fake Plug-in Scams. Users are tricked into downloading fake browser extensions on theirmachines. Rogue browser extensions can pose like legitimate extensions but when installedcan steal sensitive information from the infected machine.

Likejacking. Using fake Like buttons, attackers trick users into clicking website buttonsthat install malware and may post updates on a users newsfeed, spreading the attack.

Fake Apps. Applications provided by attackers that appear to be legitimate apps; however,they contain a malicious payload. The attackers often take legitimate apps, bundle malwarewith them, and then re-release it as a free version of the app.

Manual Sharing Scams. These rely on victims to actually do the hard work of sharing thescam by presenting them with intriguing videos, fake offers or messages that they sharewith their friends.

Top 5 Social Media Attacks, 2013Source: Symantec

Top 5 Social Media Attacks

7.3 %

4.9 %

1.9 %

1.7 %

FakeOffering

Manual Sharing

Likejacking

Fake Plug-in

Fake Apps

82 %


18/35

p. 18


D A T A B R E A C H E

S


19/35

p. 19


Data Breaches

At a Glance

September appears tocontain the least databreach activity this yearin terms of identitiesexposed. However, thisnumber may change asfurther breaches aredisclosed.

There were a number ofbreaches reported duringSeptember that occurredearlier in the year. Thisbrings the total number ofbreaches to 144 for so farin 2013.

Of the reported breachesso far in this year, the topthree types of informationexposed are a personsreal name, birth date, andgovernment ID number(e.g. Social Security).

Timeline of Data Breaches, 2013Source: Symantec

N U M B E R

O F I N

C I D E N T

S

IDENTITIESBREACH

ED(MILLIONS)

INCIDENTSIDENTITIES BREACHED

0

5

10

15

20

25

30

35

40

45

50

55

60

SAJJMAMFJAN

2013

DNOS

0

8

16

24

32

40

48

Top 5 Data Breaches by Type of Information ExposedSource: Symantec

41%

42%

34%

31%

66%Real Names

Gov ID numbers (Soc Sec)

Birth Dates

Home Address

Medical Records

Information Exposed in Breaches

% OF ALL BREACHES

MethodologyThis data is procured from the Norton Cybercrime Index (CCI).The Norton CCI is a statistical model that measures the levelsof threats, including malicious software, fraud, identity theft,spam, phishing, and social engineering daily. The data breachsection of the Norton CCI is derived from data breaches thathave been reported by legitimate media sources and haveexposed personal information.

In some cases a data breach is not publicly reported during thesame month the incident occurred, or an adjustment is made inthe number of identities reportedly exposed. In these cases, thedata in the Norton CCI is updated. This causes fluctuations inthe numbers reported for previous months when a new report isreleased.

Norton Cybercrime Indexhttp://us.norton.com/protect-yourself


20/35

p. 20


M O B I L E


21/35

p. 21


Mobile

At a Glance

So far in 2013, 37 percentof mobile malware tracksusers, up from 15 percentin 2012.

Traditional threats,such as back doors anddownloaders are presentin a fifth of all mobilemalware threats.

Risks that collect data,

the most common riskin 2012, is down 12percentage points to 20percent of risks.

Seven new mobilemalware families werediscovered in September,along with 249 newvariants. 20%

37%

7%

14%

26%

20%

Track UserRisks that spy on the individual using thedevice, collecting SMS messages orphone call logs, tracking GPS coordinates,recording phone calls, or gatheringpictures and video taken with the device.

Traditional ThreatsThreats that carry out traditionalmalware functions, such as backdoors and downloaders.

Adware/AnnoyanceMobile risks that display advertising orgenerally perform actions to disruptthe user.

Send ContentThese risks will send text messagesto premium SMS numbers, ultimatelyappearing on the bill of the devicesowner. Other risks can be used to sendspam messages.

Change SettingsThese types of risks attempt to elevateprivileges or simply modify varioussettings within the operating system.

Collect DataThis includes the collection of bothdevice- and user-specific data, such asdevice information, configuration data,or banking details.

Mobile Malware by TypeSource: Symantec


22/35

p. 22


Cumulative Mobile Android MalwareSource: Symantec

VARIANTSFAMILIES

40

80

120

160

200

240

280

320

360

400

SAJJMAMFJAN

2013

DNOS

1000

2000

3000

4000

5000

6000

7000

8000

9000

10000

F A M I L I E

S

( C U M U L A T I V E

)

V A R I A N T S

( C U M U L A T I V E

)


23/35

p. 23


V U L N E R

A B I L I T I E S


24/35


25/35

p. 25


S P A M

,P H I S H I N

G , & MA L WA R E


26/35

p. 26


At a Glance

The global spam rateincreased 1.2 percentagepoints in September to66.4 percent, up from 65.2percent in August.

Pharmaceuticals werethe most commonlytargeted industry, knockingEducation from the topspot this month.

The top-level domain (TLD)for Russia, .ru, has toppedthe list of malicious TLDsin September. The TLD forPoland, which previouslyheld the top spot, hasdropped from the charts.

Sex/Dating spam continuesto be the most commoncategory, at 88.5 percent.Job-related spam comes insecond at 6.5 percent.

Spam

Global Spam Volume Per DaySource: Symantec

10

20

30

40

50

SAJJMAMFJAN

2013

DNOS

B I L L I O N S

Top 5 Activity for Spam Destination by GeographySource: Symantec

Geography Percent

Sri Lanka 79.7%

China 72.6%

Saudi Arabia 71.9%

Hungary 71.6%

Greece 70.5%

Top 5 Activity for Spam Destination by IndustrySource: Symantec

Industry Percent

Chem/Pharm 68.5%

Education 68.4%

Manufacturing 67.3%

Marketing/Media 67.1%

Non-Profit 66.9%


27/35

p. 27


Top 10 Sources of SpamSource: Symantec

Source Percent of All Spam

United States 7.75%

Spain 6.75%

Italy 5.92%

Finland 5.69%

India 5.67%

Argentina 5.27%

Brazil 4.72%

Canada 4.15%

Iran 3.60%

Peru 3.17%

Spam URL Distribution Based on Top Level Domain Name*Source: Symantec

*Month .ru .com .biz .net

Aug 44.2% 30.9% 7.4% 5.5%

*Data lags one month

Average Spam Message Size*Source: Symantec

*Month 0Kb 5Kb 5Kb 10Kb >10Kb

Aug 33.1% 34.1% 32.9%

Jul 21.1% 28.2% 50.7%

*Data lags one month

Spam by CategorySource: Symantec

Category Percent

Sex/Dating 85.5%

Jobs 6.5%

Pharma 3.9%

Watches 2.3%

Software 1.0%

Top 5 Activity for Spam Destination by Company SizeSource: Symantec


1-250 65.9%

251-500 66.3%

501-1000 66.2%

1001-1500 66.5%

1501-2500 66.3%

2501+ 66.7%


28/35

p. 28


At a Glance

The global phishing rate is down in September, comprising one in1055.7 email messages. In August this rate was one in 625.6.

Financial themes continue to be the most frequent subject matter,with 76.8 percent of phishing scams containing this theme.

South Africa has the highest rate in September, where one in 471emails was a phishing scam.

The United States tops the list of sources of phishing emails,responsible for distributing 42 percent of phishing scams.

The Public Sector was the most targeted industry in September,with one in every 189.5 emails received in this industry being aphishing scam.

Phishing

Top 5 Activity for Phishing Des tination by GeographySource: Symantec

Geography Rate

South Africa 1 in 470.7

United Kingdom 1 in 517.3

Netherlands 1 in 672.6

Australia 1 in 725.4

Canada 1 in 914.6

Top 5 Activity for Phishing Destination by IndustrySource: Symantec

Industry Rate

Public Sector 1 in 189.5

Education 1 in 656.0

Finance 1 in 701.8

Accom/Catering 1 in 737.1

Non-Profit 1 in 877.4

Top 5 Activity for Phishing Des tination by Company SizeSource: Symantec

Company Size Rate

1-250 1 in 753.0

251-500 1 in 1,325.8

501-1000 1 in 1,886.2

1001-1500 1 in 1,100.6

1501-2500 1 in 2,168.6

2501+ 1 in 1,011.4Top 10 Sources of PhishingSource: Symantec

Source Percent

United States 41.96%

United Kingdom 17.38%

Australia 8.93%

South Africa 8.28%

Ireland 7.02%

Japan 5.00%

Germany 2.77%

Sweden 1.30%

Canada 1.09%

Hong Kong 0.83%


29/35

p. 29


43.1%

5.2%

3.6%

1.0%

47.1%Automated Toolkits

Other Unique Domains

IP Address Domains

Free Web Hosting Sites

Typosquatting

Phishing Distribution:

Phishing Distribution in SeptemberSource: Symantec

16.0%

5.2%

1.9%

0.8%

76.8%

Financial

Information Services

Retail

Computer Software

Communications

Organizations Spoofedin Phishing Attacks:

Organizations Spoofed in Phishing AttacksSource: Symantec


30/35

p. 30


Malware

1 in 50

1 in 100

1 in 150

1 in 200

1 in 250

1 in 300

1 in 350

1 in 400

1 in 450

1 in 500

SAJJMAMFJAN

2013

DNOS

Proportion of Email Traffic in Which Virus Was DetectedSource: Symantec

Top 10 Email Virus SourcesSource: Symantec

Geography Percent

United Kingdom 41.19%

Ireland 21.48%

United States 18.49%

Australia 3.11%

Netherlands 2.32%

South Africa 1.63%

France 1.46%

India 1.39%

Brazil 1.12%

Canada 1.08%

At a Glance

The global average virus rate in September was one in 383.1emails, compared to one in 340.1 in August.

The United Arab Emirates topped the list of geographies, with onein 159.2 emails containing a virus.

The United Kingdom was the largest source of virus-laden emails,making up 41.2 percent of all email-based viruses.

Small-to-medium size businesses with 1-250 employees werethe most targeted company size, where one and 340.8 emailscontained a virus.


31/35

p. 31


Top 5 Activity for Malware Destination by IndustrySource: Symantec

Industry Rate

Public Sector 1 in 106.4

Recreation 1 in 116.8

Transport/Util 1 in 191.7

Accom/Catering 1 in 262.4

Education 1 in 305.5

Top 5 Activity for Malware Destination by Company SizeSource: Symantec

Company Size Rate

1-250 1 in 340.8

251-500 1 in 372.1

501-1000 1 in 547.8

1001-1500 1 in 416.1

1501-2500 1 in 691.4

2501+ 1 in 352.8

Top 5 Activity for Malware Destination by Geographic LocationSource: Symantec

Geography Rate

United Arab Emirates 1 in 159.2

United Kingdom 1 in 192.6

Austria 1 in 299.2

Netherlands 1 in 312.2

Italy 1 in 409.9


32/35

p. 32


At a Glance

Variants of W32.Ramnit accounted for 17.6 percent of all malwareblocked at the endpoint.

In comparison, 7.3 percent of all malware were variants ofW32.Sality.

Approximately 39.0 percent of the most frequently blockedmalware last month was identified and blocked using genericdetection.

Endpoint Security

Top 10 Most Frequently Blocked MalwareSource: Symantec

Malware Percent

W32.Ramnit!html 6.98%

W32.Sality.AE 6.62%

W32.Ramnit.B 5.90%

W32.Ramnit.B!inf 4.05%

W32.Almanahe.B!inf 3.67%

W32.Downadup.B 3.28%

W32.Virut.CF 2.29%

Trojan.Zbot 1.75%

Trojan.Maljava 1.39%

W32.SillyFDC 1.29%


33/35

p. 33


Policy Based FilteringSource: Symantec

Category Percent

Social Networking 48.07%

Advertisement & Popups 20.35%

Hosting Sites 4.15%

Streaming Media 3.46%

Computing & Internet 3.29%

Peer-To-Peer 2.66%

Chat 2.58%

Search 2.40%

Gambling 1.70%

Portal 1.20%

Policy Based Filtering

At a Glance

The most common trigger for policy-based filtering applied bySymantec Web Security .cloud for its business clients was for theSocial Networking category, which accounted for 48.1 percentof blocked Web activity in September.

Advertisement & Popups was the second-most common trigger,comprising 20.4 percent of blocked Web activity.


34/35

p. 34


About Symantec

Contributors

More Information

Security Response Publications: http://www.symantec.com/security_response/publications /

Internet Security Threat Report Resource Page: http://www.symantec.com/threatreport /

Symantec Security Response: http://www.symantec.com/security_response /

Norton Threat Explorer: http://us.norton.com/security_response/threatexplorer /

Norton Cybercrime Index: http://us.norton.com/cybercrimeindex /

Special thanks to Stephen Doherty and Gavin OGorman for their contributions this month.

Symantec protects the worlds information and is a global leader in security, backup, andavailability solutions. Our innovative products and services protect people and informationin any environmentfrom the smallest mobile device to the enterprise data center to cloud-based systems. Our world-renowned expertise in protecting data, identities, and interactionsgives our customers confidence in a connected world. More information is available atwww.symantec.com or by connecting with Symantec at go.symantec.com/socialmedia .
http://www.symantec.com/security_response/publications/index.jsphttp://www.symantec.com/threatreport/http://www.symantec.com/security_response/http://us.norton.com/security_response/threatexplorer/http://us.norton.com/cybercrimeindex/http://www.symantec.com/http://localhost/var/www/apps/conversion/tmp/scratch_3/go.symantec.com/socialmediahttp://localhost/var/www/apps/conversion/tmp/scratch_3/go.symantec.com/socialmediahttp://www.symantec.com/http://us.norton.com/cybercrimeindex/http://us.norton.com/security_response/threatexplorer/http://www.symantec.com/security_response/http://www.symantec.com/threatreport/http://www.symantec.com/security_response/publications/index.jsp


35/35

Copyright 2013 Symantec Corporation.All rights reserved. Symantec, the Symantec Logo,and the Checkmark Logo are trademarks or registeredtrademarks of Symantec Corporation or its affiliates inthe U.S. and other countries. Other names maybe trademarks of their respective owners.

For specific country offices and contact numbers,

please visit our website.

For product information in the U.S.,

call toll-free 1 (800) 745 6054.

Symantec Corporation World Headquarters

350 Ellis Street

Mountain View, CA 94043 USA

+1 (650) 527 8000

1 (800) 721 3934

www.symantec.com

Confidence in a connected world.
http://www.symantec.com/http://www.symantec.com/

201309 Sym IntelligenceReport

Documents

Transcript of 201309 Sym IntelligenceReport