Included in this IT Threats Report you will find an overview of threats, trends, and IT security technology data. Everything from targeted attacks, such as Advanced Persistent Threats, to mobile malware, the Threats Report compiles the latest in IT Security by summarizing key internet security information as researched and analyzed by Kaspersky Lab for the third quarter of 2013.
IT Security Threats Overview
Targeted Attacks / Advanced Persistent Threat (APT)
NetTraveler's new tricks
Kaspersky Lab researchers found a new attack vector used by NetTraveler, an advanced persistent threat that has already infected hundreds of high-profile victims in more than 40 countries. NetTraveler’s known targets include Tibetan/Uyghur activists, oil companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.
In addition to the use of spear-phishing emails, APT operators have adopted the watering hole technique (web redirections and drive-by downloads on rigged domains) to infect victims surfing the web. Kaspersky Lab intercepted and blocked a number of infection attempts from the “weststock.org” domain, which is a known site linked to previous NetTraveler attacks. These redirections appear to come from other Uyghur-related websites that were compromised and infected by the NetTraveler attackers.
Kaspersky Lab discovered "Icefog", a small yet energetic APT group that focuses on targets in South Korea and Japan and hits supply chains for Western companies. The operation started in 2011 and has increased in size and scope over the last few years. While most other APT campaigns infect victims for months or even years while attackers continuously steal data, Icefog operators process victims one by one - locating and copying only specific, targeted information.
Once the desired information has been obtained, they leave. The attackers hijack sensitive documents and company plans, email account credentials, and passwords to access various resources inside and outside the victim’s network. They look for specific filenames, which are quickly identified and transferred to the C&C. Based on the profiles of identified targets, the attackers appear to have an interest in the following sectors: military, shipbuilding and maritime operations, computer and software development, research companies, telecom operators, satellite operators, mass media and television.
Kaspersky researchers have sink holed 13 of the 70+ domains used by the attackers. This provided statistics on the number of victims worldwide. Based on the list of IPs used to monitor and control the infrastructure, Kaspersky Lab’s experts assume some of the players behind this threat operation are based in at least three countries: China, South Korea and Japan.
In September Kaspersky Lab’s security research team published a report that analyzed an active cyber-espionage campaign primarily targeting South Korean think-tanks.
This campaign, named Kimsuky, is limited and highly targeted. According to technical analysis, the attackers were interested in 11 organizations based in South Korea and two entities in China including the Sejong Institute, the Korea Institute For Defense Analyses (KIDA), South Korea's Ministry of Unification, Hyundai Merchant Marine and the Supporters of Korean Unification.
The earliest signs of Kimsuky’s activity date back to April 3, 2013, and the first Kimsuky Trojan samples appeared on May 5, 2013. The Kimsuky malware contains a dedicated malicious program designed to steal HWP files, which suggests that these documents are one of the main objectives of the group.
Author of Blackhole exploit kit arrested
The Blackhole developer known as Paunch and his alleged partners were arrested in Russia in early October. Blackhole has been arguably the most successful exploit kit of recent years. Blackhole is leased out to cybercriminals who want to spread malware via drive-by downloads, today‘s prevailing attack vector. The criminals use the malicious links leading to compromised websites to infect users' machines and the exploit kit selects working exploits, depending on the software versions of, for example Flash, Java or Adobe Reader installed on the victim machine.
New router botnet emerged
In September this year Heise reported a new botnet consisting of routers had been discovered. Routers are the backbone of every home user network, and infecting this affects every device connected to it - PCs, Macs, tablets, smartphones and even your smart-TV. The bot, named Linux/Flasher.A, extracts any login credentials transmitted from any device.
Web security and data breaches
Vodafone Germany breached
Vodafone Germany experienced a data breach in mid-September, in which two million customer data records got copied. Records contained not only names and addresses but also bank details. Vodafone assumes an inside job due to the traces and volume of breached data. A suspect was quickly identified, but a hacking group called Team_L4w confessed to the attack and claimed that one of their members used an infected USB thumb drive to infect the machine of a Vodafone employee.
Vodafone informed all affected customers via postal service. For transparency reasons, Vodafone created a web form, with which customers can check if their data is affected.
Apple Developer Area hacked
July saw Apple take down its Apple Developer portal for more than three weeks, after an intruder gained access to personal information of registered developers. The 'who' and 'how' of the hack still remains unclear, as there are several possible explanations. Shortly after the incident became public, an alleged security consultant released a video on YouTube confessing to the attack.
High Profile Domains Hijacked
At the beginning of October several high profile domains were defaced, including whatsapp.com, alexa.com, redtube.com and two prominent security companies. It seems that instead of compromising the actual webservers, the attackers, a group called KDMS, opted for hijacking the DNS or domain registrars. All compromised domains were sharing the same DNS registrar and had been recently updated at the time this case came to light.
The third quarter of 2013 was a busy time in the battle against mobile malware, as a whole set of new tricks emerged.
New developments from mobile malware writers
The past quarter was undoubtedly the quarter of mobile botnets. The cybercriminals behind the most widespread SMS Trojans are trying to add some interactivity to the way they manage their assets. This is why malware writers are now using Google Cloud Messaging (GCM) to manage their bots. The service enables them to send short messages in the JSON format to mobile devices, serving as an additional C&C for their Trojans.
Mobile Malware Threat Statistics
In Q3 2013, the number of mobile malware samples continued to grow:
The distribution of mobile malware detected in Q3 2013 by type was similar to that in Q2:
The top position is still held by backdoors, although their share has fallen by 1.3 percentage points compared to Q2 2013. SMS Trojans (30%), which have gained 2.3 percentage points since the previous quarter, are in second place. As in Q2, they are followed by Trojans (22%) and Trojan-Spy malware, which accounts for 5% of the total. Together, backdoors and SMS Trojans make up 61% of all mobile malware detected during the third quarter – this is 4.5 percentage points more than in Q2.
Information Security Statistics
All the statistics used in this report were obtained from the cloud-based Kaspersky Security Network (KSN). The statistics were collected from KSN users who consented to share their local data. Millions of users of Kaspersky Lab products in 213 countries take part in the global information exchange on malicious activity.
The statistics in this section were derived from web antivirus components which protect users when malicious code attempts to download from infected websites. Infected websites might be created by malicious users, or they could also be made up of user-contributed content (such as forums) and legitimate resources that have been hacked.
Online threat detection
In the third quarter this year, Kaspersky Lab products detected 500,284,715 attacks launched from online resources around the world.
The Top 20 detectable online threats
This rating once again demonstrates that most antivirus detections occur at the URL level. 89.2% of all web-based antivirus detections were for blacklisted malicious links (Malicious URL, 1st place).