This conclusion comes from the Q1-2013 report from the Spanish security vendor’s R&D operation, which says that, despite the numerous security incidents that have taken place so far this year, the fight against cyber-crime looks to be on the right track.

In addition, says Panda, although there is still a long way to go, international co-operation among security agencies is beginning to pay off, as criminals around the world are being brought to justice.

Luis Corrons was his usual self-effacing self when commenting on the report, and noted that the start of the year has seen some serious cyber-attacks, including the hacking of the Twitter accounts of major organisations such as the BBC and Burger King.

And, he says, one of the biggest attacks ever, targeting some of the world’s leading technology companies: Apple, Facebook, Microsoft and Twitter.

“But there have been some victories for security forces as well, including the arrest of a group of hackers accused of extortion using the infamous Police Virus,” he explained.

Cyberwar and espionage becoming more interesting

Corrons – who has been with Panda Security for 14 years and says his first contact with computers was at the age of 4 when he programmed a Sharp MZ-80K in BASIC – says that the area of cyber-war and espionage is becoming more and more interesting.

“Many countries are looking suspiciously at China regarding its suspected involvement in attacks on large organisations and public institutions around the world, and this could lead to real world consequences,” he said.

“There are those who argue for international agreements, a type of Geneva Convention, to attempt to establish limits to these activities,” he added.

All about Android

Delving into the report reveal that practically all the news surrounding malware attacks on mobile platforms involved the Google Android operating system, which has the largest share of this market.

In addition to the usual attacks, says Corrons, Q1-2013 saw a number of new techniques that deserve mention, including a strain of Android malware – hidden inside Google Play – not only infected cell phones but could also infect computers via smartphones and tablets.

According to Corrons, there are many different aspects to the fight against cyber-crime. And one which is often ignored, he says, is the need to alert companies to the importance of dedicating resources to protecting customer data.

As a timely reminder of this, Panda’s report says that the UK division of Sony Computer Entertainment was ordered to pay £250,000 pounds as a result of the theft of customer data in 2011.

Earlier this year, Panda adds that Mandiant published a damning 76-page report (APT1: Exposing One of China’s Cyber Espionage Units), explaining how Unit 61398 of the Chinese army has specialised in cyber-espionage.

That report revealed more than 3,000 pieces of evidence showing how this unit has been running since at least 2006, stealing information from no less than 141 organizations worldwide.

The Mandiant report

Corrons says that we may not truly appreciate the importance of the Mandiant report and the impact it may have in the mid to long term.

“Proving who is behind any attack is highly complex, even in normal cyber-crime cases. When it comes to cyber-espionage things are further complicated by the simple fact that whoever is behind the operation is highly qualified and are adept at covering their tracks,” he said.

“For some years now, people have turned their gaze to China whenever this type of incident occurs, yet without any real evidence that the Chinese government is behind such attacks. Now, for the first time, it has been proven that the Chinese army is actively involved in espionage on a global scale, infiltrating companies across many sectors and stealing information,” he added.

SG

As reported earlier this week, the FSB report – entitled ‘Cyber security and fraud: the impact on small businesses’ – noted that three in 10 members have been a victim of fraud, typically by a customer or client (13pc) or through ‘card not present’ fraud (10pc).

According to Richard Kirk, AlienVault’s senior vice president, it is the SMBs – and midsize businesses – that have the most difficult task when it comes defending themselves from cybercriminals who are intent on theft and reputation damage.

Guaranteed fraud every three and one third years

Kirk – who heads up the open source security specialist’s EMEA operations – if you extrapolate the figures from the report – you realise that a typical small business is almost guaranteed to be hit by a fraud – that will cost them around £4,000 – every three and one third years.

“Whilst it’s good to hear that 36pc of SMBs are installing software patches as part of their regular security practice, that means that the other 64pc are not patching their systems – and around 40pc are not updating their IT security software,” he said.

The AlienVault SVP went on to say that this is compounded by the fact that most mid-sized businesses he and his team encounter have only limited staffing resources to handle their cyber security needs.

Against a backdrop of smaller firms having fewer PCs and smaller data centre operations to defend, Kirk says that he has observed that mid-sized businesses – who have a much larger attack surface – have become a target for hackers.

“As a result, we believe that it’s not just SMBs, but mid-sized businesses as well that need to wake up to the rising level of security threats, and find ways to quickly detect and manage threats more effectively to keep the damage caused by the latest cyberthreats at bay,” he said.

Lack of budgets and personnel

Larger enterprises, Kirk explained, generally have the necessary expertise – and budgets – to go down this path, but it is small and mid-sized businesses that most often lack the budgets and personnel to select, deploy, integrate and manage the security solutions required to defend against cybercrime.

This is why, he says, a growing number of these businesses are turning to the benefits of open source security solutions to better defend their systems, although they also need suitable security management technology – ideally itself based on open source – to control and provide visibility across the variety of tools essential for a strong security posture.

Given how few SMBs have the proper security controls in place to adequately protect themselves against cybercrime, Kirk adds that it is perhaps it’s not surprising that this segment of businesses are keen on the banks taking more responsibility when it comes to cybercrime defence.

The FSB report, he noted, says that 45pc SMBs cited this issue, even though the reality is that security begins at home – offloading the responsibility to the banks, says Kirk is not a long-term solution.

“SMBs have a stark choice: either they invest in suitable security technology or run the real risk  – at odds of around 3/1 annually – of cybercriminals running up a sizable bill due to fraud. This translates to three successful attacks every ten years. Those kind of odds bring home the reality that SMBs really do need to wake up and start figuring out what their options are for security-and there are easier and affordable solutions available for smaller and midsize organisations,” he said.

“As this report notes, many SMBs (31pc) would welcome a more effective police response, but the reality is that they need to help themselves in the security defence stakes, as no-one – including the government – is going to run to their rescue in the event they are hit by a cyberfraud,” he added.

IS

On May 16, says Samir Patel, a Symantec threat response engineer, URL spam volume increased by 12pc – from 84 to 96pc – since when the observed URL spam volumes have fluctuated between 95 and 99pc levels.

“That means [that] 95pc of the spam messages delivered during this period has one or more URLs in it,” he says in his latest security posting.

URL shorteners

Readers with long memories will recall that spam containing regular URLs were popular in the mid-2000s, but soon gave way to shortened URLs such Bit.ly and others when these services launched around 2008.

According to Patel, during the last few weeks, dot.RU was the most used top-level domain (TLD) seen in this latest spamming campaign, although he notes that it is interesting to note what, when a drop in dot.RU spam occurred, there was a corresponding increase dot.COM and dot.PW spam volumes.

In fact, says Patel, more than 73pc of the URL spam contained the dot.RU, dot.COM or dot.PW TLDs.

Lately, the Symantec researcher says that his team have been observing an increasing use of shortened URLs and free Web domains with the dot.RU TLD, many of which are `hit-and-run’ (aka snowshoe) style spam.

“This sudden rise in URL spam volume was [also] seen in December 2012 and January this year when holiday season spam and year-end spam was on the rise,” he notes.

IS

According to David Fišer, Grum – which at its peak was responsible for 17pc of worldwide spam – was officially killed off in July of last year.

In the July 2012 shutdown, ITSP notes, FireEye published an analysis of the botnet’s command-and-control (C&C) servers located in the Netherlands, Panama, and Russia. A week later the first servers were progressively taken offline by their respective ISPs and Grum was consigned to the Internet history books.

Unfortunately, Avast’s research team spotted the Grum botnet again in January of this year, since when it has been seen as active on the following sites:

servercafe.ru
hub.werbeayre.com
sec.newcontrrnd.com
sec.convertgame.com

Fišer says that each bot client generates its own identification number (ID) on its first run.

“The length of the ID is 32 characters. The first three correspond with a bot version and the other 29 characters are randomly generated. It is also set to the HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\BITS\ID registry key, which is queried on every run,” he explained, adding that, after the bot sets its ID, it tries to connect to a C&C server.

The bot contacts the C&C server with a HTTP GET request to get the relevant data from the client’s computer: http://%server/spm/s_get_host.php?ver=%botVer

This information, says the Avast virus analyst, is used to contact one of the SMTP servers obtained from the DNS MX records from following domains, which are used for sending spam:

hotmail.com
yahoo.com
aol.com
google.com
mail.com
mail.ru
yandex.ru

After a complex series of interactions, the C&C server feeds the necessary spamming instructions – including a spam mail template, which is encrypted – to the infected machine.

COMMENT: The fact that FireEye and a number of other companies cooperated to bring Grum down last summer, yet the botnet swarm resurfaced some six months later, suggests that the cybercriminals had backed up all their files, and merely waited for a few months before resurrecting the swarm.

The big question is whether other botnets that vendors such as Microsoft have so publicly shut down have also quietly resurfaced, perhaps under a different name?

SG

like the proposed HS2 high speed rail link

The research – entitled `The State of Network Security 2013: European Edition’ and which took in responses from 130 IT professionals - found that, whilst 36pc of firms surveyed had implemented next-generation firewalls to improve security or reduce IT spend, 57pc said they were harder to manage and had increased their management workload.

Delving into the report reveals that 77pc of respondents reported a network or application outage from an out-of-process change, with 20pc of respondents having a data breach as a result.

In addition, 63pc of respondents flagged internal threats – accidental or malicious – as their biggest security concern.

Low take-up of cloud security

Interestingly, researchers found that under 15pc of respondents said that the majority of their organisation’s security controls were in the cloud, with larger organisations less likely to have cloud-based security.

This was even lower than the 20pc of US organisations found to have deployed cloud-based security systems, the firm notes.

“Organisations are struggling to manage increasingly complex networks – both from a security and operational perspective,” said Paul Clark, AlgoSec’s Regional Director for the UK, Ireland, South Africa & Middle East.

“Based on the survey results, it’s clear that the biggest challenges for InfoSec and IT teams come with manual processes and poor visibility, which continue to expose organisations to the risk of outages and security breaches, often caused by their own employees and processes,” he added.

Clark went on to say that, event those firms that have adopted next-generation firewalls report that increased security comes at the price of more changes, more policies to manage and more complexity.

“However, moving away from manual processes and toward automated, centralised management of processes and policies will help organisations to fully realise the potential of NGFWs to improve overall security and reduce costs.”

A rising threat from within

Almost two-thirds of respondents rated insider threats – whether from accidental data leakage or malicious employees – as the greatest security risk.

The same proportion, says the report, expressed concern that allowing employees to BYOD increased the risk of breaches.

On the subject of cloud computing, Algosec says that the cloud is out there, but most organisations remain reluctant to count on it too heavily for security.

“The biggest challenges for IT security, network operations and risk plus compliance teams are lack of visibility, manual processes, and poor change management,” says the report.

“In this environment, out-of-process changes are fraught with risk, with outages and security breaches among the most serious-and disturbingly common-possible negative outcomes,” it adds.

The AlgoSec European report notes that changing application rules to boost productivity – or otherwise improve operations – actually has the opposite effect for many organizations as those changes also inadvertently cause outages, impaired performance and security breaches.

The greatest threats

The greatest threats for organisations are also increasingly from within: employees accidentally causing a data breach or security problem, malicious insiders, and unsecured or non-compliant employee devices.

The bottom line? Next-generation firewalls are gaining acceptance, but organisations are challenged with the complexity of managing NGFWs alongside traditional firewalls.

“As adoption grows and organisations increase their experience and maturity with these devices, the management burden should decrease and cost efficiencies should be achieved. Organizations adopt NGFWs for two primary reasons: to improve security and reduce costs. Moving away from manual processes and toward automated, centralised management of processes and policies will position IT organizations to fully realise the potential of NGFWs to do both,” the report concludes.

SG

As reported previously, Bitcoins are a form of electronic currency that was developed back in 2009 by a Japanese developer called Satoshi Nakamoto.

As an electronic currency, Bitcoin is unusual in several respects, as it is a decentralised digital currency that is based on an open-source peer-to-peer Internet protocol.

This means that a Bitcoin – or 100th parts of a Bitcoin – can be exchanged between holders without direct reference to a centralised system, as is the case with Paypal funds, for example.

Just to make life interesting, interested parties can create new Bitcoins by solving highly complex and computationally complex mathematical problems.

Currently, a maximum of 25 new Bitcoins are generated every 10 minutes – this will be halved to 12.5 Bitcoins in 2017 and then halved again every 4 years after until a hard limit of 21 million Bitcoins is reached during the year 2140.

Unless, of course, you have access to an invisible Bitcoin miner…

Cybercriminal advantage

Security researcher Dancho Danchev says that this latest advanced and customisable invisible Bitcoin miner has been designed for cybercriminals to take advantage of.

Danchev adds that some of the features of the miner include auto-starting capabilities, polymorphism, usage of 15 pre-defined Bitcoin pools, the ability to kill competing Bitcoin miners, complete pseudo-randomisation of multiple variables, as well as support for Socks proxy servers – all of which allow the cybercriminals behind it to add additional layers of anonymity to their campaigns.

And all this is for $19.99.

Danchev says that, due to its commercial availability on the international cybercrime-friendly marketplace, he expect that this invisible Bitcoin miner will gain market share.

This expansion, he adds, in combination with its distinct set of features – in particular the Bitcoin miner killing feature – will inevitably result in systematic abuse on behalf of its customers.

COMMENT: Call me picky, but when I use an electronic payment mechanism, I want to have confidence that the currency I use – dollars, pounds, zloty – will be worth broadly the same next week as this.

The thought of people generating their own extra coinage on a controlled basis may be part of the fun on using Bitcoins, but if cybercriminals are essentially forging the coinage as they wish, the seeds of that currency’s destruction are then sewn.

This is essentially what happened with the Reichsmark in Germany – during 1921 to 1923 when German citizens used wheelbarrows to carry their hyper-inflating currency with them.

SG

According to Brian Krebs of the KrebsOnSecurity newswire, the saga started on the morning of May 1st when fraudsters started siphoning cash from the North Carolina-based company in chunks of under $5,000 and under $10,000 – via the US ACH (automated clearing house) networks – to a variety of money mule accounts.

These `small’ amounts appear to have been to stay under the radar of any fraud detection system – Krebs says that, had the company or its bank detected the unauthorised activity sooner, the loss would have been far less.

“But both parties failed to notice the attackers coming and going for five days before being notified by a reporter,” he says in latest security posting, adding that the fraudsters repeated their siphoning process five more times and relaying funds to more than 60 money mules.

Some of these mules, Krebs goes on to day, were recruited by an Eastern European crime gang he likes to call the `Backoffice Group.’

“This same group has been involved in nearly every other cyberheist I have written about over the past four years, including last month’s $1.03 million theft from a non-profit hospital in Washington state,” he explained.

The security researcher quotes the president of the fuel company as evaluating his options for recouping some of the loss, especially since he only had 15 members of staff who are paid by ACH payroll transactions every two weeks.

At most, notes Krebs, the firm’s usual payroll batch is around $30,000 – “but in just five days, the thieves managed to steal more than a year’s worth of employee salaries.”

What also complicates the issue, ITSP notes, is that the bank concerned changed its security process a month before the cyberheist, upgrading some elements of the login process, but also allowing logins from more than one terminal.

SG

According to researchers Kylie Wilhoit and Nart Villeneuve with the security vendor, the SafeNet spear phishing campaign has resulted in several thousand infected machines spanning government agencies, technology firms, media outlets a number of academic institutions.

ITSP notes that the name of the campaign – SafeNet – is not in any way linked to the cloud security vendor of the same name: Safenet Inc.

The exact purpose of the cyber-espionage campaign, however, remains unknown at this stage, they say, and only around 70 or so IP addresses appear to communicate with the cybercriminal command-and-control servers each day.

The researchers say that the distribution method used by the SafeNet campaign involves spear-phishing emails that contain a malicious attachment exploiting a well-known Microsoft Office vulnerability (CVE-2012-0158).

“During our investigation of the C&C servers associated with this campaign we discovered archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks,” says the researchers in their latest security posting.

Professional software from China

Whilst determining the intent – and identity – of the attackers remains difficult, the Trend researchers have worked out that the campaign is carefully targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China.

“However, the relationship between the malware developers and the campaign operators themselves remains unclear,” they say.

The researchers have authored a white paper that goes into some depth on the attack methodology – which appears to be multi-staged, ITSP notes.

According to the paper – entitled `Safe, a Targeted Threat’ – whilst most of the operator interactions the researchers saw were from China and Hong Kong, they also saw the use of VPNs and proxy tools – including Tor – which contributed to the geographic diversity of the operators’ IP addresses.

Ongoing cyber-espionage campaigns, they noted, have been successfully infiltrating targets worldwide, many of which have been active for years.

However, they say, the amount of public exposure, especially of noisier and larger campaigns, has been increasing.

“Perhaps due to their success, these campaigns’ operators intensified their operations, causing them to be increasingly visible. But smaller campaigns are beginning to emerge; these use small clusters of C&C servers and new malware as well as attack fewer targets,” says the paper.

“Whilst determining the intent and identity of the attackers often remains difficult to ascertain, we determined that the Safe campaign is targeted and uses malware developed by a professional software engineer that may be connected to the cybercriminal underground in China,” it adds.

This individual, the white paper goes on to say, studied at a prominent technical university in the same country and appears to have access to an Internet services company’s source code repository.

Conclusions

The researchers conclude that, as the tools used in targeted attacks are exposed, attackers may look for new custom malware to circumvent defences.

As a result, they say, attackers may increasingly look to the cybercriminal underground for new malicious tools instead of developing their own tools for exclusive use.

“These developments highlight the increasing need for ongoing investigation and monitoring of such threats,” the paper says.

And whilst indicators that can be directly incorporated into defensive operations remain important, in-depth qualitative analysis of particular campaigns can provide critical insights into attackers’ operations.

VPD

According to Raul Siles, who is also founder and senior security analyst with Taddong – the Spanish security research consultancy – Google Android, Apple iOS, BlackBerry, and Windows Mobile devices have the potential for WiFi exploitation by skilled cyber-attackers.

Siles’ comments come a week after we spoke with Trustwave about an analysis its research team carried out at the Infosecurity Europe last month, in which they found 3,400 unique service (device) sessions probing its WiFi servers for Internet access.

The SANS trainer says that the vulnerability depend on how the network is added to the device and stems – as Trustwave found  from the process where mobile devices maintain a list of wireless networks they have previously connected to, or been manually set up to link to.

The PNL is the problem

Siles – who has more than a decade of expertise performing advanced security services and solutions in various worldwide industries – says that this network discovery process was performed by sending a generic probe request as an open broadcast plus specific requests for every network in the PNL – the Preferred Network List.

This means, he says, that devices are disclosing the full PNL in the air exposing themselves to karma-like attacks – where an attacker can identify all the networks (or access points) the mobile device is trying to connect to and impersonate them.

These fake networks – aka an evil twin attack, ITSP notes – can trick a victim’s device into connecting to the attacker’s network that then captures and manipulate its traffic to launch additional advanced attacks.

“This situation has been known since 2004; Microsoft fixed it for Windows XP in 2007 and recently in Windows Phone devices but it seems the other mobile device vendors are not as concerned,” Siles explained.

The SANS Trainer says that this `PNL disclosure’ issue still applies to the latest Android 4.x versions and was acknowledged – but not fixed – ever since the days of Android 2.x and 3.x systems.

“In some cases, there are options that can be changed to avoid this issue but on most devices when a WiFi network is added manually it presents the vulnerable behaviour and few users are aware of the security implications” he said.

More awareness needed

In view of his research, Siles says that end users, corporate administrators, and security professionals, using or managing Android, iOS or BlackBerry mobile devices should become more aware of this behaviour and ensure that all the WiFi networks available on the device PNL are treated as visible.

“I need to stress that these types of client attacks are commonly left unchecked and without consideration, the modern smartphone could become the ultimate digital ‘Trojan Horse’ allowing attacks to breach ultra-secure locations,” he said.

Interestingly, Siles believes that the lack of attention to WiFi security is not an oversight but intent by Google, Apple, and others to make device operation simpler for users.

“Unfortunately, a clever and targeted attack can use these simplifications as a staging post for more damaging assault which traditional detection capabilities would be unlikely to spot,” he noted.

SG

According to the Reuters newswire, Unit 61398 in Shanghai – a division of the People’s Liberation Army – is thought to have resumed its attacks on American companies and government agencies.

This comes, ITSP notes, after a three-month hiatus following a report from Mandiant and others, which dissected the Unit’s attack strategy.

The New York Times, meanwhile, says that Unit 61398 – a well-guarded 12-story white headquarters on the edges of Shanghai – has since became a symbol of Chinese cyberpower, and is now back in business.

Mandiant report

Citing Mandiant’s February report, the paper claims that the hackers in China “were behind scores of thefts of intellectual property and government documents over the past five years.”

It is events like these, says Lancope, that indicate the importance that cyberspace now has in government circles.

Tom Cross, the network visibility and security intelligence specialist’s director of security research, adds that the fact that state-sponsored attacks are on the rise means that IT professionals – and their managers – need to review their technology defences.

“We’re hearing more and more about state-sponsored attacks, so you can be sure that this form of technology subversion and compromises are now firmly part of the modern security threat landscape. The reality is, however, that governments and their agencies have access to the very latest attack techniques and technologies, meaning that organisations need to significantly raise the bar on their security defences,” he explained.

“As we said in our just-published report on APT attack vectors, few organisations currently view their incident responders as the front line in their defensive posture, yet it is obvious from the evolution of APTs – and, of course, state-sponsored attacks – that intelligence forms a key role when developing a security strategy to better defend your businesses’ data and allied IT assets,” he said.

The Lancope director of security research went on to say that this means that the incident response team should become a central part of the defences that organisations employ to protect their network.

The good news, he says, is that analysing what is happening on a network – including IP traffic attacking from outside AND inside the IT resource – can be completed on an automated basis using suitable technologies.

These technologies, he adds, should include virtual, mobile, identity, application and host reputation monitoring, as well as other advanced network security monitoring.

“Taking this approach to network monitoring can go a long way, we have found, to improving early threat detection and incident response capabilities for the many hundreds of government and enterprise organisations around the world. And if they can do this, then your own organisation can as well,” he said.

“While the advent of state-sponsored attacks is just another threat from a security analysis and defence point of view, its importance should not be overlooked. Lessons can be learned from these types of attacks and new strategies – as well as security trajectories – developed accordingly,” he added.

VPD