Internet Attack Trend and Defense - index-of.co.uk/Various/20100528_05.pdf (2010/05/28)

Page 1

Internet Attack Trend and Defense

SC Leung, Senior Consultant


Page 2

Agenda

Trend of the information security threat …

How we become victims …

How to mitigate risks …

Page 3

Security Threat Landscape


Page 4

Attacks Targeting Our Vulnerabilities

System and Applications:

Insecure configuration defaults
– e.g. AutoRun on USB, CD-ROM …
– default passwords or settings

All software has security holes
– Opportunity window between discovery of a security hole and availability of a patch

H:

People can be cheated
– "Social Engineering" techniques
– How you gain trust from others == how a hacker gains trust from you


Page 5

Botnet (roBot Network) is the major threat

[Diagram: Bot Herder → Command & Control Centre (C&C) → Bots (your computers!) → attacks → victims]


Page 6

Maturity of the Underground Economy

Commercialization
– Sell products (credentials, malware and tools)
– Hosting: spam or phishing hosting
– CaaS (cybercrime as a service): hired gun

Professionalization
– Manageability of infrastructure: botnets
– Specialization, outsourcing, and globalization of HR
– Chained exploits

Risk Management
– Invisibility
– Security: authentication, encryption
– Survivability, e.g. Conficker

[Diagram axis: sophistication]


Page 7

Malware 2.0

Evade Detection | Command & Control

Propagation, forming a botnet, manage, update, survive the adverse

Malware today makes the victim PC part of a botnet


Page 8

Malware 2.0

Encryption or Obfuscation

Morphing

Uses Search Engine to evade detection

• Malware URL visible only when referred by search engine

• Done by configuring the ".htaccess" file of the web server

[Figure: sample content of ".htaccess" file under hacker's control]
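One way a web admin can test their own site for the Referer-keyed cloaking described above, as an added example that is not part of the slides: fetch the same URL with and without search-engine Referers and compare the responses. The Referer list, user agent, and the fake fetchers are assumptions constructed for the example; the digest ignores digits so a view counter is not mistaken for cloaking.

```python
# Added example (not from the slides): Referer-keyed cloaking check for a
# site you administer. The fetcher is injected so it runs live or offline.
import hashlib
import re
import urllib.error
import urllib.request

# Referers a cloaked page typically keys on (assumed list, extend as needed)
SEARCH_REFERERS = ["https://www.google.com/", "https://www.bing.com/"]
USER_AGENT = "Mozilla/5.0 (compatible; cloaking-check)"

def normalise(body: str) -> str:
    """Digest of the body with whitespace and digits removed, so that view
    counters or timestamps do not masquerade as cloaking."""
    return hashlib.sha256(re.sub(r"\s+|\d+", "", body).encode()).hexdigest()

def urllib_fetch(url: str, headers: dict) -> tuple:
    """Live fetcher: returns (status, body) and keeps error pages too."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def check_referer_cloaking(url: str, fetch=urllib_fetch) -> dict:
    """Return {'cloaked': bool, 'variants': {referer: (status, digest)}};
    the key '' is the baseline request sent without a Referer."""
    variants = {}
    for ref in [""] + SEARCH_REFERERS:
        headers = {"User-Agent": USER_AGENT}
        if ref:
            headers["Referer"] = ref
        status, body = fetch(url, headers)
        variants[ref] = (status, normalise(body))
    baseline = variants[""]
    return {"cloaked": any(v != baseline for v in variants.values()),
            "variants": variants}

# Constructed stand-ins: a cloaked page that bounces search visitors
# elsewhere, and an honest page whose only difference is a view counter.
def fake_cloaked_fetch(url, headers):
    if "Referer" in headers:
        return 302, '<a href="http://redirect.invalid/go">moved</a>'
    return 200, "<html><body>Welcome, visitor number 1234</body></html>"

def fake_honest_fetch(url, headers):
    return 200, f"<html><body>Welcome, visitor number {len(headers) * 17}</body></html>"
```

Run `check_referer_cloaking("https://your-site.invalid/page")` with the default fetcher against a page you own; a `cloaked` result means search visitors receive something other than what you see directly.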


Page 9

Malware Propagation Channels

Executables | Document Malware | Website


Page 10

Malware Propagation Channels: Executables

Fake security software

Fake video player codec


Page 11

Malware Propagation Channels: Document Malware

Embedded malware in PDF or Office files

Zeus botnet served PDF malware (Apr 2010)


Page 12

Malware Propagation Channels: Website

Legitimate and trusted websites compromised

Used to redirect users to malicious websites (via injected invisible iframes)

Most significant: web admins are incapable of detecting and mitigating the risks
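A check a web admin can run over their own pages for the injected invisible iframes described above, as an added example that is not part of the slides. It flags iframes that are zero- or one-pixel sized or hidden by inline CSS, and notes when such a frame points off-site; the sample page, its hostnames and the CSS patterns are constructed assumptions.

```python
# Added example (not from the slides): find hidden or tiny iframes in HTML,
# the usual footprint of an injected redirect on a compromised site.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline styles that make an element invisible or push it off-screen (assumed set)
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d{3,}px", re.I)

class IframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.suspicious = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        for dim in ("width", "height"):
            v = (a.get(dim) or "").strip().rstrip("px")
            if v.isdigit() and int(v) <= 1:  # 0x0 / 1x1 frames are a classic injection
                reasons.append(f"{dim}={v}")
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden by CSS")
        if not reasons:  # a visible, normally sized embed is not flagged
            return
        src = a.get("src") or ""
        host = urlparse(src).hostname
        if host and host != self.page_host:
            reasons.append(f"off-site src {host}")
        self.suspicious.append((src, reasons))

def find_hidden_iframes(html, page_host):
    """Return [(src, [reasons])] for every iframe that is hidden or tiny."""
    parser = IframeFinder(page_host)
    parser.feed(html)
    return parser.suspicious

# Constructed sample page: one legitimate embed, two injected frames
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="https://video.example.invalid/embed/1" width="560" height="315"></iframe>
<iframe src="http://bad-host.invalid/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<div style="position:absolute;left:-5000px"><iframe src="http://other.invalid/x.html" width="1" height="1"></iframe></div>
</body></html>"""
```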


Page 13

Malware Propagation via websites

Mass infection of WordPress blogs hosted by Network Solutions (Apr 2010)
– Via insecure web application configuration


Page 14

Malware Propagation via websites

PHPNuke.org web site hacked (7 May 2010)
– Serving several exploits


Page 15

Malware Propagation Channels: Social Engineering & Black Hat SEO

Hackers exploit Social Network Services to convince victims

Hackers use Search Engine Optimization techniques to push malicious websites up the search result rankings


Page 16

Targeted Attacks

Targeted, crafted email to corporations and government


Page 17

Social network

Id Theft

Data Leakage

Social Engineering


Page 18

Targeted Attacks continue

Chained exploits

Advanced Persistent Threats
– Governments, critical infrastructure, private companies


Page 19

Chained Exploit Case Study: Client Side Attacks via Social Network Sites

Surge in Facebook malware

TRUST:
– Uses a social engineering trick: spoofs the user's friend and sends a message with a URL purporting to be a movie
– URL brings the user to a fake YouTube site


Page 20

Chained Exploit Case Study: Client Side attacks via Social Network Sites

Suggests installing a codec in order to view the movie

Install the codec to view the movie


Page 21

Malicious servers redirect victims to the Exploit Server which serves as a central delivery

[Figure: Redirection of attacks to central exploit server]

Source: http://www.honeynet.org/papers/mws/KYE-Malicious_Web_Servers.htm


Page 22

Low Detection Rate – submitting the malware to VirusTotal.com

Only a small portion of scanners can identify the malware


Page 23

Attacks Following Money

Phishing
– Targeting traditional online banking, online games
– Obtaining credentials for later use or for sale, via keyloggers

Banking Trojans
– Targeting new online banking services, esp. two-factor authentication
– Performing transactions on the spot via advanced banking trojans, using involved man-in-the-browser techniques


Page 24

Data Leakage

P2P File Sharing
– Insecure default settings
– Malware embedded in P2P software, e.g. Foxy software

Social Networking Services
– Insecure default privacy settings
– Leakage of personal information by friends
– Lack of control over 3rd party apps on SNS
– Malware on SNS


Page 25

Mobile Computing

Attacks exist for different mobile platforms
– 2009-11: attack on jailbroken iPhones' SSH backdoor
– MobileSpy logs GPS location, call logs, SMS log. Versions available for Android, BlackBerry, iPhone, Windows Mobile, Symbian

Store personal & sensitive data

Some banks (UK Lloyds TSB) start to use it as the client tool

NextGen data/voice integration

Insecure habits
– Short URLs are common
– Clicking links in email is common
– Saved passwords are common

Security protection less mature than on PC

Page 26

Consequence of Attack


Page 27

Consequences of Security Exposure

Machines fall under the control of hackers

Theft of credentials: financial loss

Hackers launch local attacks on the whole network

Bandwidth and performance degrade

Legal liability: liable for hacking activities within your premises

Page 28

Mitigation Strategies Revisited


Page 29

What do we do?

International Collaboration
– Good example: Conficker Working Group

Cyber Drill Exercise

Proactive Discovery of Incidents
– finding compromised web sites and malware hosting

Intelligence and Research
– collecting information on hacker behaviour


Page 30

What can you do – infrastructure?

Personal:

Install antivirus & keep it updated

Install a personal firewall

Close all security holes
– Close insecure default settings: Autorun, …
– Patch software

Set strong passwords

Scan your system periodically

Company (additional measures):

At the firewall, block all incoming traffic to servers except known services

Separate SAMS, ITED and public servers in zones

Set up a Security Policy
– Ban unauthorized servers in your network


Page 31

Awareness, Education and Training

Awareness
– Understand emerging attacks like SNS, mobile
– Beware of Social Engineering

Follow guidelines

Train your staff

Set up an Incident Response Procedure


Page 32

HKCERT Guidelines

"Autorun virus" Removal Procedure

SQL Injection Defense Guideline

Data Protection Guideline

Guideline for Safety Using Wireless LAN

SME Information Security Guideline

Guideline for Prevention of Spyware and other Potentially Unwanted Software

http://www.hkcert.org/english/sguide_faq/home.html

Page 33

Point of Contact

Phone: +852 8105 6060
Fax: +852 8105 9760
Email: [email protected]
URL: http://www.hkcert.org/