What We`ve Seen in Q2 2015

What We’ve Seen in Q2 2015 Malicious and unwanted email traffic has remained steady during the second quarter of 2015, having accounted for over 81 percent of all traffic as seen by AppRiver filters. The second quarter of 2015 has given us even more accounts of large scale breaches, not just retailers, but by password management companies and large government agencies. According to the Ponemon Institute’s 2015 Global Cost of Data Breach Study, the average cost of each one of these breaches has reached record levels of $3.8 million. Cyber criminals show no sign of slowing down as these attacks against single high value targets have proven much more lucrative than attacks against many individual targets, not to mention it often takes less effort on their part. We have also seen the continued spread of malware that utilizes effective techniques to part their victims from their money. Ransomware continues to encrypt data and malicious, though seemingly benign, office documents carry hidden macros that steal everything in sight. This threet month report will discuss the above issues as we have seen them in the second quarter. In addition, we will share metrics as seen by AppRiver’s SecureTide™ and SecureSurf™ filters from our nodes throughout the world. We will point out recent trends in email and Web spam and malware campaigns and share some insight about what we can expect in the second half of the year. Events Office of Personnel Management Data Breach The biggest newsworthy breach in the second quarter of 2015 has been the data breach involving the Office of Personnel Management (OPM). The OPM is responsible for keeping records of current and former government workers, as well as process things like payroll and performing background checks. The estimated amount of people affected is around 18 million. While we have seen much higher breach counts of data, this breach is particularly disturbing given the information taken and the fact that it consists of all government employees. Included in the personal data stolen are financial histories, foreign trips taken, current and past residences, names of neighbors/friends/coworkers/roommates/relatives, and social security numbers. Since the OPM handles sensitive information, like doing background checks on people filing for security clearances, they are privy to all of that information during an investigation for approval. While this breach could have a lot of information that may be public (like addresses or previous places of work), much of it could be secrets individuals revealed in confidence while getting clearance. This could be a treasure of data for anyone looking to contact and phish information about individuals involved in the breach, or worse, to blackmail them into doing something illegal. So far, there is no definitive proof of who orchestrated this breach, but the government is saying it was linked to a hacking group based in China. Of course, China has denied any such claims. The US also says there is evidence linking the OPM intrusion to one earlier in the year that involved the large insurance provider Anthem. Most people have an expectation that when their data stored with a business, it is going to be secure, even more so when it is stored with the government. Unfortunately, this was a very large government breach that has now had millions of personnel records stolen from it, which has upset millions of victims. A class action lawsuit has been filed against the OPM by those affected. A key point to see in the filed lawsuit is that since 2007, the OPM has been informed by its Office of Inspector General that there were serious problems in their cybersecurity, and allegedly the OPM failed to take any action on those issues. If this is indeed the case, this very well shows why no company should ignore security risks to systems, especially for years. Even if it is a flaw or hole that someone may think will never be found, it is likely it will indeed eventually be discovered and exploited. Malicious Macros The malware family known as Dridex, which is a banking Trojan that utilizes email to spread, has been very busy so far this year. Dridex is an evolution from its fellow family member Cridex which mainly lived online, waiting for victims to surf past a website that it inhabits in order to achieve infections. Apparently, Dridex got sick of all of that waiting around and decided to email itself out to the world. Dridex has been very fond of one specific technique that has proven very successful—the use of user activated macros within Microsoft Word and Microsoft Excel documents. By default, macros are disabled in Microsoft products since Microsoft has recognized the inherent danger of utilizing said functionality. However, a great number of offices still utilize these to allow documents to link to each other or to launch automated processes. Almost since the genesis of these macros, the bad guys saw an easy opportunity. They have victims run their attack code for them (without their knowledge) by attaching the code to actual office documents. When the offending attachment is opened, the recipient is prompted to enable this functionality which will allow the malicious code to run, downloading the payload from a remote server. Even though this technique requires a few more steps to actually infect its targets, it seems a good amount of people have no qualms about seeing it through to fruition as Dridex shows no real signs of slowing down. This is also a sign that their technique is working. The themes of these malicious emails vary, but are the emails themselves are usually rather short in content, while underneath the hood, the malicious codes lie in waiting. Sometimes, this code can be seen in plaintext when analyzing the malicious attachments, but often the bad guys will obfuscate the code in order to hide its true intentions. Decimal and Base64 encoding have been a favorite of theirs, as can be seen in the example below. This code from a Dridex campaign this year was used to hide a much shorter VBS command once it was decoded: As can be seen in the example above, this concealed macro was designed to download the malicious payloads “dfsdfff.exe” and “ddls.gif” from the IP 91.215.138.84. As is also usual, the IP that hosts the payloads will change on a campaign by campaign basis and will only stay responsive for a short period of time before moving on to the next. It is highly recommended to avoid enabling macros in your office software as this is often the only security barrier in the way of the attackers and victims. Amazon Themed Malware Targets Crypto Currencies During June, we witnessed an attack posing as legitimate Amazon purchase confirmations again attempting to leverage the use of macros in Word documents to infect their victims. This malware would attempt to steal account credentials for a lengthy list of FTP and multiple file storage programs as well as various passwords from infected machines, such as those for MS Outlook and installed browsers such as Firefox, IE, Opera and Chrome. In addition to these, however, it would then begin pilfering the target machine for just about every type of Crypto currency in existence. Including: This behavior (stealing Crypto currency) is something we have been seeing with more frequency lately. The anonymous nature and lack of regulation in the Crypto currency market make it more akin to stealing actual cash than to committing wire fraud by raiding someone’s online bank accounts. But in this case, the cybercriminals are fine with that too. LastPass Master Passwords Pilfered On June 15, 2015, the secure password management company LastPass started informing users of a data breach. The breach of LastPass data is concerning to most people since security and passwords are the company’s cornerstone. Some of the data stolen during the breach included email addresses of users, password reminders, and authentication hashes. While this is very concerning data, possibly the worst part to hear for users was that their master password hashes had been taken. LastPass did assure users that their password vaults were not taken (the vault contains all of the stored passwords that were saved by the user), but as any LastPass user knows, having the master password means you could gain access to everything. Fortunately, LastPass actually uses a strong protection of the master passwords by using “a random salt and 100,000 rounds of server-­‐side PBKDF2-­‐SHA256, in addition to the rounds performed client-­‐side.” While this is a nice thing to be reassured by, it was still recommended everyone change their master passwords and look in to using two-­‐factor authentication. CryptoWall Hides in Vector Images Ransomware has made a brand new name for itself since the latter half of 2013, thanks to new techniques utilized by the Crypto-­‐style families of malware that have become very aggressive recently. It all began with Cryptolocker and its spinoffs, CryptoWall and CryptoDefense, who made their first appearances around September of 2013. This family of malware, referred to as ransomware, is malicious software that demands the payment of a ransom in exchange for the return of access to the victim’s computer or files. Even though this technique has been around since the late 80s, most of them did not create such a panic as Cryptolocker has since most were easily subverted. Cryptolocker, however, employed strong encryption to scramble nearly every file on its target’s computer and made them impossible to recover without the unique private key used to encrypt them. Even if the Cryptolocker infection was successfully removed, the files would remain encrypted and unusable. This instantly made many of its victims aware of the importance of a reliable backup strategy. In May of this year, we began to see a CryptoWall variant hiding somewhere that we had not seen before, inside of vector graphics files. It began as an email campaign that contained zipped SVG files attached in the messages. SVG files are normally used for images and support some interactive features, like a graph on a webpage that displays information when the cursor hovers over an option. These SVG files, however, contained a small JavaScript entry that would open a webpage to download its payload. The IP link in the image ended up forwarding to another domain where a zip was downloaded of the actual EXE payload. However, it did not auto execute; user interaction was still needed for that. The payload this time just happened to be CryptoWall. When the file was finally executed, it created HELP_DECRYPT.TXT, HELP_DECRYPT.PNG, HELP_DECRYPT.HTML, and HELP_DECRYPT.URL files that have all been associated with CryptoWall infections. It also created a public RSA key and entered it in to the registry (the key used with encrypting the files). After giving it just a few minutes, indeed the popup about CryptoWall 3.0 popped up with steps on how to pay. Crypto ransomware has proven many times it is effective for attackers in getting users to actually pay the ransom. The tactic is still alive and likely to continue evolving. With the attacks still being prevalent, it is a good idea to make sure you are covered with data backups that cannot be potentially accessed by the malware (it has been known to encrypt network shares and NAS units). Another interesting bit of information that we noticed while looking at the EXE that was downloaded was that it had SQL commands hard coded in it. Looking closer, they all seemed related to a potential school’s SQL database. Some of the recipients we stopped this malware for were schools, but nothing seemed out of the ordinary with the volume of recipients, which was low volume in general. While it is possible the malware had other intentions from encrypting in mind, like to wreak havoc in a SQL database, this was from a strings output so it was all plain text and the table naming conventions just seem a little too plain as well. However, someone who knows SQL table names or a school using a plain naming convention could be problematic if the malware were to attempt to attain access and do its thing. It is certainly also a tactic for malware authors to add in code that is not used or code that fluffs up functions to distract from analysis and make analyzing more complex and time consuming. While these appeared to be part of valid functions, it looks like they were not used during testing. Although, it is possible there were very specific parameters that needed to be met for this to go active and attempt SQL changes. Hacking Team Data Dump The most recent data breach to hit the headlines lately has been of the huge amount of data taken from a security firm called Hacking Team. The Milan, Italy-­‐based company is primarily focused in selling software to government and private agencies that allows them to remotely access computers and devices. Yes, they essentially created and sold spyware to governments. They had specifically designed software to allow this remote access to devices like cell phones and personal computers, as well as knowledge of zero-­‐day exploits they could use. On July 5, 2015, 400 GB of their data was released on the Internet for people to torrent, including emails, invoices, and source code. The zero-­‐day exploit leaked in the documents that Hacking Team knew about was for Adobe Flash. Since the documents leaked had detailed information on the exploit, malware authors were able to quickly take advantage of the exploit and start delivering malware like CryptoWall to browsers online. The Adobe exploit was referred to in the leaked documents as “the most beautiful flash bug in the last four years” by Hacking Team. Adobe is already scheduled to get an immediate fix out for it, but now that it is out in the wild, malware authors may be in a rush to take advantage of it before it is fixed. The actual hack of data is being claimed done by “PhineasFisher” which is the same hacker who was involved with the data breach for Gamma, another cybersecurity company that sold software to governments for spying (FinFisher). This obviously leads a person to wondering who is behind it and what motivates him. Whether it be hacktivism, money, or even a competitor, “PhineasFisher” has already announced that these two are down but there are more to go. Metrics Traffic by Region This chart represents region of origin for spam as detected by AppRiver filters. Spam originating from North America overtook Europe in 2014 and continued to expand its share in the first half of 2015. North America and Europe are now accounting for seventy-­‐eight percent of the spam traffic we see. Spam by Country This chart represents the top countries from which spam originated during 2015’s second quarter. The US remained the top point of origin for spam as it was the point of origin for nearly 2.6 billion spam and malicious emails throughout the second quarter. Spam emanating from the US has now increased for the fourth consecutive quarter. Spam Traffic This chart displays spam traffic throughout the second quarter of 2015. Spam traffic decreased slightly from the first quarter. While most days spam volumes were around 40-­‐50 million messages per day, there were several large traffic spikes where spam volume increased by 300 percent or more over the previous day. In all we quarantined roughly 4.7 billion spam messages in the second quarter. Virus Traffic This chart displays virus traffic from the second quarter of 2015. Malware distribution was steady as we quarantined 165 million messages with virus attachments. Top Email Virus Threats These are the top 20 malware threats we saw in June 2015 in order of frequency, with the most frequent appearing at the top. The virus names that begin with "X." signify rules that were written by AppRiver analysts (this does not mean that other anti-­‐virus vendors did not eventually have definitions in place for these viruses; it simply means that AppRiver often had protection in place before any of them). Top Email Virus Threats • X.MrinvBasic.exe • X.HeurFXexeBSc.exe • X.BadMacAOa_b.doc • X.W32Troj.patre.zip • X.HeurFXexeBSa.exe • X.Suspw18IMp.exe • X.HeurNMQ.exe • X.BDexYR.heurB.exe • X.MSW.Mac.DLfile.100114a • X.YTBNscr.zip • X.HurGenMalNMF.zip • X.W32.Bredolab.pak • X.SuspBDimpGTP.exe • X.SuspImMal.RAb.exe •
•
•
•
•
•
X.MysVM.bdis.exe X.HeurNMK.exe X.GenMalth26YSI.zip X.W32.Ramnit.lc X.HeurNMC.exe X.MrinvBasicB.exe