Cyber Threat Trends in Taiwan


2015 Taiwan National Computer Emergency Response Team0

Cyber Threat Trends in Taiwan

Henry Yu

TWNCERT


Outline

● Introduction of NICST
● Even More Aggressive E-Mail Info Collection
● Even Wilder Contractor Invasions
● Mobile Scam
● Conclusion

Introduction of NICST

● The National Information & Communication Security Taskforce (NICST), established in January 2001, is a Cabinet-level taskforce
– Convened by the Vice Premier, Executive Yuan
– Steering Committee comprised of central government CISOs, municipality CISOs, the Deputy Director of the NSB and experts
– Secretariat provided by the Office of Information and Communication Security (OICS), Executive Yuan
– 8 major working groups for executing cyber security related tasks and coordinating among agencies
– One service center (Information and Communication Security Technology Center, ICST) plays the role of National CSIRT (TWNCERT)

Even More Aggressive E-Mail Info Collection

Even More Aggressive E-Mail Info Collection

● Hackers use various methods to collect e-mail addresses and steal accounts and passwords, then use the stolen e-mail accounts to collect even more e-mail addresses, steal more accounts and passwords, and so on……
– Hackers collect e-mails from government agencies, academic units, government contractors, the private sector and many individuals…
– Over time, hackers have collected an enormous number of e-mail accounts.

Case – Social Engineering

[Diagram of the attack chain: the hacker brute-forces a password and takes over Victim #1 as a stepping stone (RDP over port 1024/6666). From the stepping stone the hacker runs social engineering against further victims: phishing e-mails, malicious attachments and a phishing website imitating the Google login page. Victim #2 logs in to the fake Google page, and the hacker steals the Google accounts & passwords. Over 20 victims; roughly 118 phishing e-mails.]

● The hacker sent 118 phishing e-mails via the stepping stone, mainly impersonating famous politicians to lure people into clicking the malicious link, and stole their Gmail accounts and passwords

Stepping stone investigation

Subject | Count
Ma Wei-kuo (馬瑋國) invites you to join his circle "Administrative Seminar" and wants to be your Google+ friend. Accept his request? | 19
Ma Wei-kuo (馬瑋國) mentioned you on Google+. | 11
Ma Wei-kuo (馬瑋國) invites you to join his circle "Internal Reference Material Update" and wants to be your Google+ friend. Accept his request? | 6
King Pu-tsung (金溥聰) mentioned you on Google+. | 4

Once a victim clicks the phishing website link, the hacker can get the victim's Gmail account and password

● 60 recipients in total, mostly government officials' business and private e-mail accounts

Victims are mostly government officials

Domain        Amount  Agencies
gov.tw        24      …
org.tw        2       …
gmail.com     27      Including government officials' private e-mail accounts…
yahoo.com.tw  7       Including government officials' private e-mail accounts…

● The hacker used the phishing website to steal victims' e-mail accounts and passwords, read through the contents of the account, then used the account to send malicious mails to the victims' contact lists

Use the stolen account to send malicious mails again

[Figure: the original message shown next to the fake one]

Phishing e-mails

● A government agency's secretary received the social engineering e-mail and reported it to us; we analyzed the header of the mail and tried to find the source
● The header showed that the sender IP is 122.x.x.x, registered in Hong Kong; the hacker used PHPMailer to send a fake Google website link, trying to lure the victims into clicking it
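As an added example (not from the presentation), a small Python triage script for the header analysis described above: it reads a constructed sample message carrying a PHPMailer X-Mailer header, pulls the earliest public IP out of the Received chain, and flags links to look-alike Google hosts. The sample mail, its hosts, addresses and domains are all constructed placeholders.

```python
import email
import re
from email import policy
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample modelled on the case in the slides (PHPMailer, a 122.x.x.x
# sender, a fake Google link). Hosts, addresses and domains are placeholders.
SAMPLE_MAIL = b"""Received: from mail.agency.example (mail.agency.example [10.0.0.5])
\tby mx.agency.example with ESMTP; Mon, 02 Jun 2014 09:15:02 +0800
Received: from webhost.example ([122.0.0.1])
\tby mail.agency.example with SMTP; Mon, 02 Jun 2014 09:15:01 +0800
From: "Google+" <noreply@plus.google.com>
To: secretary@agency.example
Subject: Ma Wei-kuo mentioned you on Google+
X-Mailer: PHPMailer 5.2
Content-Type: text/html; charset=utf-8

<p><a href="http://accounts.google.com.login-example.net/signin">View post</a></p>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HREF_RE = re.compile(r'href="([^"]+)"', re.I)

def originating_ip(msg):
    """Earliest public IP in the Received chain (last header = first hop)."""
    for received in reversed(msg.get_all("Received", [])):
        for candidate in IP_RE.findall(received):
            if ip_address(candidate).is_global:
                return candidate
    return None

def lookalike_google_links(html):
    """Links whose host name contains 'google' but is not under google.com."""
    hits = []
    for url in HREF_RE.findall(html):
        host = (urlparse(url).hostname or "").lower()
        if "google" in host and not (host == "google.com" or host.endswith(".google.com")):
            hits.append(url)
    return hits

def triage(raw_bytes):
    """Summarise the header facts an analyst checks first on a reported mail."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    mailer = str(msg.get("X-Mailer") or "")
    return {
        "sender_ip": originating_ip(msg),
        "mailer": mailer,
        "phpmailer": "phpmailer" in mailer.lower(),
        "lookalike_links": lookalike_google_links(html),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_MAIL))
```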

Fake…

● The link took victims to the fake Google Cloud screen…

More Fake…

● Fake Google Cloud login screen…

Real Fake…

● Entering any combination of account and password takes victims to a download page that serves a real file
● Testing at different times results in a different file being downloaded, which means the page is still active: the hacker keeps updating the page to trick different victims

Even Wilder Contractor Invasions

Even Wilder Contractor Invasions

● As more and more government agencies have done a great job on cyber security defenses, hackers are starting to focus their efforts on government contractors
● Compared to government agencies, government contractors usually have weaker defenses, fewer restrictions, and less security awareness
● Contractor security is becoming a critical issue in Taiwan as well as the whole world

Case #1 – Contractor invasion

● The hacker invaded an information system development company and stole many files and documents from its storage servers
● Information belonging to 43 government agencies, 12 academic organizations and 16 private sector companies was stolen
– Including clients' Notice of Invitation to Bid related information, case documentation and all the source code being developed in these cases

Case #2 – Invasion via contractors (1/2)

● A government agency was hacked, and many sensitive documents were leaked
– 20 government project plans and 27 budget plan documents were stolen
● After investigation, we found out the invasion came through its information contractor
– The agency had given its information service contractor remote access privileges so that it could perform maintenance services remotely

Case #2 – Invasion via contractors (2/2)

● The hacker hacked the contractor first, then used the remote access to get into the agency's servers (Web Server, AD Server, Official Document Exchange System, and Mail Server), then got into all personal computers to steal information

[Diagram: The Hacker → The Contractor → Agency Intranet (ODES, PC)]

Mobile Scam

Mobile Scam Background

● The Taiwan National Police Agency has run an Anti-Fraud Hotline (165) and Web Portal since 2004 for awareness raising, reporting of suspicious activity and case reports of all kinds of fraud
– 165 observed that fraud cases through SMS on mobile devices increased rapidly from Oct. 2013
– And fraud cases through messaging apps surged from Feb. 2014

Mobile Scam through Messaging APP

● From February to May 2014, mobile scams through messaging APPs quickly reached a peak in Taiwan
● The most common messaging APP used in Taiwan is LINE; scammers are using various methods to socially engineer victims and gain profits

Various LINE Scam Methods

[Diagram of the scam flow: the scammer invades the victim's e-mail or other accounts (Facebook, Google+, etc.), obtains the LINE account & password, and sends scam messages to the victim's LINE friends. Branches: (a) links to malicious APPs, after which the device is hacked, personal info is stolen and used for micro payment scam; (b) asking for personal info or asking the friend to receive an auth. code, leading to micro payment scam; (c) asking the friend to buy game points, the victims provide the game point info, and the game points are exchanged for cash; (d) asking the friend to dial 0809031088, which establishes and activates a Ruten seller account.]

Source: Criminal Investigation Bureau, National Police Agency, Ministry of the Interior (內政部警政署刑事警察局)

Countermeasures

● TWNCERT has cooperated with the National Communications Commission and the National Police Agency through G-ISAC:
– We announced all known scam methods to all members; asked anti-virus companies to analyze all malicious APPs; blocked, reported and handled all malicious IP traffic through the appropriate authorities
– We asked mobile users not to install any APP that is not from the official Apple or Google stores, and to set the security option to disallow installation from unknown sources
– We also asked mobile users to harden LINE's security options: block messages that are not from known friends; don't allow people to add you as a friend automatically; don't make your LINE ID public; if you only use LINE on one device, don't allow logins from PCs or other devices
– We asked people to cancel the ISP micro payment option, and made ISPs change the micro payment policy from enabled by default to disabled by default, requiring citizens to go to an ISP counter and apply for the micro payment option in person

Conclusions

● Social engineering has been a long-standing problem… as more and more people get onto the Internet, the situation has gotten even worse
– TWNCERT continues to promote social engineering awareness to government agencies
  Government cyber security seminars twice a year
  A social engineering drill platform for agencies to perform self-drills
● The security threat from contractors keeps on rising
– Currently the Taiwan government is developing a Government Contractor Cyber Security Requirement Standard, and now also requires contractors to monitor their own cyber events and report when an incident occurs
● Mobile scams are getting popular
– TWNCERT has cooperated with the National Communications Commission and law enforcement agencies through G-ISAC to exchange all scam information quickly
– We successfully quieted down all mobile scams in Taiwan within four months