At the end of last year Kaspersky Lab published “The Top 10 Security Stories of 2011”, an article that summarized 2011 in one word: “explosive”.
Based on the events and the actors who defined the top security stories of 2011, the security company made a number of predictions regarding 2012:
- The continued rise of hacktivist groups.
- The growth of Advanced Persistent Threat (APT) incidents
- The dawn of cyber-warfare and more powerful nation states jostling for dominance through cyber-espionage campaigns.
- Attacks on software and gaming developers such as Adobe, Microsoft, Oracle and Sony.
- More aggressive actions from law enforcement agencies against traditional cybercriminals.
- An explosion of Android threats.
- Attacks on Apple’s Mac OS X platform.
Kaspersky Lab took a look at the top 10 security incidents that shaped 2012, and assessed how they fared in their predictions.
1. Flashback hits Mac OS X
Although the Mac OS X Trojan Flashback/Flashfake appeared in late 2011, it wasn’t until April 2012 that it became really popular. And when we say really popular, we mean really popular. Based on our statistics, we estimate that Flashback infected over 700,000 Macs, easily the biggest known MacOS X infection to date. How was this possible? Two main factors: a Java vulnerability CVE-2012-0507 and the general sense of apathy among the Mac faithful when it comes to security issues.
Flashback continues to be relevant because it demolished the myth of invulnerability surrounding the Mac and because it confirmed that massive outbreaks can indeed affect non-Windows platforms. Back in 2011, we predicted that we would see more Mac malware attacks. We just never expected it would be this dramatic.
2. Flame and Gauss: nation-state cyber-espionage campaigns
In mid-April 2012, a series of cyber-attacks destroyed computer systems at several oil platforms in the Middle East. The malware responsible for the attacks, named “Wiper”, was never found – although several pointers indicated a resemblance to Duqu and Stuxnet. During the investigation, we stumbled upon a huge cyber-espionage campaign now known as Flame.
Flame is arguably one of the most sophisticated pieces of malware ever created. When fully deployed onto a system, it has more than 20 MB of modules which perform a wide array of functions such as audio interception, bluetooth device scanning, document theft and the making of screenshots from the infected machine. The most impressive part was the use of a fake Microsoft certificate to perform a man-in-the-middle attack against Windows Updates, which allowed it to infect fully patched Windows 7 PCs at the blink of an eye. The complexity of this operation left no doubt that this was backed by a nation-state. Actually, a strong connection to Stuxnet was discovered by Kaspersky researchers, which indicate the Flame developers worked together with Stuxnet developers, perhaps during the same operation.
Flame is important because it showed that highly complex malware can exist undetected for many years. It is estimated that the Flame project could be at least five years old. It also redefined the whole idea of “zero-days”, through its “God mode” man-in-the-middle propagation technique.
Of course, when Flame was discovered, people wondered how many other campaigns like this were being mounted. And it wasn’t long before others surfaced. The discovery of Gauss, another highly sophisticated Trojan that was widely deployed in the Middle East, added a new dimension to nation-state cyber campaigns. Gauss is remarkable for a variety of things, some of which remain a mystery to this day. The use of a custom font named “Palida Narrow” or its encrypted payload which targets a computer disconnected from the Internet are among the many unknowns. It is also the first government-sponsored banking Trojan with the ability to hijack online banking credentials from victims, primarily in Lebanon.
With Flame and Gauss, a new dimension was injected into the Middle East battleground: cyber-war and cyber-warfare. It appears there is a strong cyber component to the existing geopolitical tensions – perhaps bigger than anyone expected.
3. The explosion of Android threats
During 2011, we witnessed an explosion in the number of malicious threats targeting the Android platform. We predicted that the number of threats for Android will continue to grow at an alarming rate. The chart below clearly confirms this:
The number of samples we received continued to grow and peaked in June 2012, when we identified almost 7,000 malicious Android programs. Overall, in 2012, we identified more than 35,000 malicious Android programs, which is about six times more than in 2011. That’s also about five times more than all the malicious Android samples we’ve received since 2005 altogether!
The reason for the huge growth of Android can be explained by two factors: economic and platform related. First of all, the Android platform itself has become incredibly popular, becoming the most widespread OS for new phones, with over 70% market share. Secondly, the open nature of the operating system, the ease with which apps can be created and the wide variety of (unofficial) application markets have combined to shine a negative spotlight on the security posture of the Android platform.
Looking forward, there is no doubt this trend will continue, just like it did with Windows malware many years ago. We are therefore expecting 2013 to be filled with targeted attacks against Android users, zero-days and data leaks.
4. The LinkedIn, Last.fm, Dropbox and Gamigo password leaks
On 5 June 2012, LinkedIn, one of the world’s biggest social networks for business users was hacked by unknown assailants and the password hashes of more than 6.4 million people leaked onto the Internet. Through the use of fast GPU cards, security researchers recovered an amazing 85% of the original passwords. Several factors made this possible. First of all, LinkedIn stored the passwords as SHA1 hashes. Although better than the very popular MD5, modern GPU cards can crack SHA1 hashes at incredible speeds. For instance, a $400 Radeon 7970 can check close to 2 billion SHA1 password/hashes per second. This, combined with modern cryptographic attacks such as the usage of Markov chains to optimize brute force search or mask attacks, taught web developers some new lessons about storing encrypted passwords.
When DropBox announced that it was hacked and user account details were leaked, it was yet another confirmation that hackers were targeting valuable data (especially user credentials) at popular web services. In 2012, we saw similar attacks at Last.fm and Gamigo, where more than 8 million passwords were leaked to the public.
To get an idea of how big a problem this is, during the InfoSecSouthwest 2012 conference, Korelogic released an archive containing about 146 million password hashes, which was put together from multiple hacking incidents. Of these, 122 million were already cracked.
These attacks show that in the age of the ‘cloud’, when information about millions of accounts is available in one server, over speedy internet links, the concept of data leaks takes on new dimensions. We explored this last year during the Sony Playstation Network hack; there is perhaps no surprise such huge leaks and hacks continued in 2012.
5. The Adobe certificates theft and the omnipresent APT
During 2011, we saw several high profile attacks against certificate authorities. In June, DigiNotar, a Dutch company, was hacked out of business, while a Comodo affiliate was tricked into issuing digital certificates in March. The discovery of Duqu in September 2011 was also related to a Certificate Authority hack.
On 27 September 2012, Adobe announced the discovery of two malicious programs that were signed using a valid Adobe code signing certificate. Adobe’s certificates were securely stored in an HSM, a special cryptographic device which makes attacks much more complicated. Nevertheless, the attackers were able to compromise a server that was able to perform code signing requests.
This discovery belongs to the same chain of extremely targeted attacks performed by sophisticated threat actors commonly described as APT.
The fact that a high profile company like Adobe was compromised in this way redefines the boundaries and possibilities that are becoming available for these high-level attackers.
6. The DNSChanger shutdown
When the culprits behind the DNSChanger malware were arrested in November 2011 during the “Ghost Click” operation, the identity-theft infrastructure was taken over by the FBI.
The FBI agreed to keep the servers online until 9 July 2012, so the victims could have time to disinfect their systems. Several doomsday scenarios aside, the date passed without too much trouble. This would not have been possible without the time and resources invested into the project by the FBI, as well as other law enforcement agencies, private companies and governments around the world. It was a large scale action that showed that success against cybercrime can be achieved through open cooperation and information sharing.
7. The Ma(h)di incident
During late 2011 and the first half of 2012, an ongoing campaign to infiltrate computer systems throughout the Middle East targeted individuals across Iran, Israel, Afghanistan and others scattered across the globe. In partnership with Seculert, we thoroughly investigated this operation and named it “Madi”, based on certain strings and handles used by the attackers.
Although Madi was relatively unsophisticated, it did succeed in compromising many different victims around the globe through social engineering and Right-To-Left-Override tactics. The Madi campaign demonstrated yet another dimension to cyber-espionage operations in the Middle East and one very important thing: low investment operations, as opposed to nation-state sponsored malware with an unlimited budget, can be quite successful.
8. The Java 0-days
In the aftermath of the previously mentioned Flashback incident, Apple took a bold step and decided to disable Java across millions of Mac OS X users. It might be worth pointing out that although a patch was available for the vulnerability exploited by Flashback since February, Apple users were exposed for a few months because of Apple’s tardiness in pushing the patch to Mac OS X users. The situation was different on Mac OS X, because while for Windows, the patches came from Oracle, on Mac OS X, the patches were delivered by Apple.
If that was not enough, in August 2012, a Java zero-day vulnerability was found to be massively used in-the-wild (CVE-2012-4681). The exploit was implemented in the wildly popular BlackHole exploit kit and quickly become the most effective of the whole set, responsible for millions of infections worldwide.
During the second quarter of 2012, we performed an analysis of vulnerable software found on users’ computers and found that more than 30% had an old and vulnerable version of Java installed. It was easily the most widespread vulnerable software installed.
In the middle of August, details appeared about a piece of highly destructive malware that was used in an attack against Saudi Aramco, one of the world’s largest oil conglomerates. According to reports, more than 30,000 computers were completely destroyed by the malware.
We analyzed the Shamoon malware and found that it contained a built-in switch which would activate the destructive process on 15 August, 8:08 UTC. Later, reports emerged of another attack of the same malware against another oil company in the Middle East.
Shamoon is important because it brought up the idea used in the Wiper malware, which is a destructive payload with the purpose of massively compromising a company’s operations. As in the case of Wiper, many details are unknown, such as how the malware infected the systems in the first place or who was behind it.
10. The DSL modems, Huawei banning and hardware hacks
In October 2012, Kaspersky researcher Fabio Assolini published the details of an attack which had been taking place in Brazil since 2011 using a single firmware vulnerability, two malicious scripts and 40 malicious DNS servers. This operation affected six hardware manufacturers, resulting in millions of Brazilian internet users falling victim to a sustained and silent mass attack on DSL modems.
In March 2012, Brazil’s CERT team confirmed that more than 4.5 million modems were compromised in the attack and were being abused by cybercriminals for all sorts of fraudulent activity.
At the T2 conference in Finland, security researcher Felix ‘FX’ Lindner of Recurity Labs GmbH discussed the security posture and vulnerabilities discovered in the Huawei family of routers. This came in the wake of the U.S. government’s decision to investigate Huawei for espionage risks.
The case of Huawei and the DSL routers in Brazil are not random incidents. They are just indications that hardware routers can pose the same if not higher security risks as older or obscure software that is never updated. They indicate that defense has become more complex and more difficult than ever – in some cases, even impossible.
Conclusions: From Explosive to Revealing and Eye-opening
As we turn the page to 2013, we’re all wondering what’s next. As we can see from the top 10 stories above, we were very much on the ball with our predictions.
Despite the arrest of LulzSec’s Xavier Monsegur and many prominent ‘Anonymous’ hackers, the hacktivists continued their activities. The cyber-warfare/cyber-espionage campaigns grew to new dimensions with the discovery of Flame and Gauss. APT operations continued to dominate the news, with zero-days and clever attack methods being employed to hack high-profile victims. Mac OS X users were dealt a blow by Flashfake, the biggest Mac OS X epidemic to date while big companies fought against destructive malware that wrecked tens of thousands of PCs.
The powerful actors from 2011 remained the same: hacktivist groups, IT security companies, nation states fighting each other through cyber-espionage, major software and gaming developers such as Adobe, Microsoft, Oracle or Sony, law enforcement agencies and traditional cybercriminals, Google, via the Android operating system, and Apple, thanks to its Mac OS X platform.
We categorized 2011 as “explosive” and we believe the incidents in 2012 raised eyebrows and piqued the imagination. We came to understand the new dimensions in existing threats while new attacks are beginning to take shape.