TrendLabsSM 2013 Annual Security Roundup

Good old-fashioned stick-’em-up bank heists have seemingly been pushed to the curb by digital heists in 2013. Cybercriminals who used sophisticated techniques to get hold of credit card numbers, bank accounts, and even personally identifiable information (PII) in a matter of minutes have taken the place of traditional thieves. Information is, after all, the new currency. And with it on hand, cybercriminals can hold victims at their mercy, which should make us all realize that we stand to lose more than we think.

We saw old threats “refined” throughout 2013. The number of online banking malware infections, for one, increased as the year progressed, even in countries that were not previously targeted. October 2013 also proved troublesome for users, as the number of ransomware infections increased and as ransomware took an even more crippling form—CryptoLocker. These and other refinements over the past year echo what we predicted would happen—cybercriminals would improve existing tools rather than create new ones.

On the mobile security front, we witnessed the mobile malware and high-risk app volume surpass the 1-million mark as early as September 2013. The current volume has, in fact, reached roughly 1.4 million, with 1 million new malicious and high-risk apps found in 2013 alone.

Media coverage of targeted attacks may have decreased in 2013, but we continued to find targeted attack campaigns all over the world. We found attacks targeting various countries, including Brazil, France, and Germany.

In the vulnerability space, Oracle’s end of support for Java™ 6 led to a rise in attacks against it, which highlighted the risks of continuing to run software versions that no longer receive patches.

Taken together, while assaults against personal data have been occurring for quite some time, they did not reach the public consciousness as much as they did in 2013. Going after personal information proved to be a resounding theme last year, highlighted by debates on the Edward-Snowden-fueled revelations about state monitoring of citizens. 2013 may have, in fact, prompted everyone to ask one of the most important questions in today’s “digital age”—How can we keep our information safe? For most, the answer can be one of two things—disclose less or find products that can protect it.





Trend Micro Incorporated, a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and threat management solutions for businesses and consumers. A pioneer in server security with over 20 years of experience, we deliver top-ranked client, server, and cloud-based security that fits our customers’ and partners’ needs; stops new threats faster; and protects data in physical, virtualized, and cloud environments. Powered by the Trend Micro™ Smart Protection Network™ infrastructure, our industry-leading cloud-computing security technology, products and services stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit www.trendmicro.co.uk.



Copyright © 2014 Trend Micro Incorporated.
All rights reserved.


Cashing in on Digital Information

TrendLabsSM 2013 Annual Security Roundup

We all greatly value information. We make sure to protect sensitive information related to our personal and professional lives, because keeping it safe is essential to peace of mind. These days, though, technology—equally pervasive—has seemingly exposed that information, leaving everyone torn between keeping information safe and using the latest technology.

But should using advanced technology really mean risking theft of sensitive information?

Take a look at just how cybercriminals scaled walls to expose and steal sensitive information for money in 2013:

  • Around 1 million new high-risk and malicious Android™ apps, some of which targeted personally identifiable and unencrypted mobile data, were found in 2013 alone.
  • Government agencies remained threat actors’ most favored target. But threat actors likewise engaged in corporate espionage targeting industries like energy, financial, military, telecommunications, and others.
  • Reports of state-level monitoring raised public awareness regarding privacy issues.
  • PS4™, Xbox® One, Haiyan, and Halloween were among top social engineering lures bad guys used to gain victims’ trust and, eventually, their personal data.

Read on to see how 2013’s notable security issues undermined confidence in keeping data online, amid debate over revelations of state-level monitoring.


Ransomware attacks intensified; cybercriminals cashed in via more volatile attacks

Malware attacks that went straight for victims’ money intensified in 2013.

A more potent version of ransomware, for instance, emerged in the form of CryptoLocker. Apart from locking victims’ computers as earlier ransomware and police Trojans did, CryptoLocker also encrypted victims’ files, so removing the malware no longer solved the problem: the files stayed encrypted, and the private key needed to decrypt them was held only by the attackers. CryptoLocker demanded US$300 for that key. The bad guys behind the attacks accepted payment in Bitcoin, among other methods.
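What set CryptoLocker apart from the lock-screen ransomware before it was the encryption step, so defenders look for the encryption itself: a single process rewriting many user files in quick succession with content that is statistically random. The following Python script, added here as an illustration and not code from Trend Micro or from the report, scores file-write events by Shannon entropy and flags any process that rewrites more than a handful of distinct files with near-random data. The event log, the process names, the thresholds and the pseudo-random stand-in for ciphertext are all constructed for the example.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: roughly 4-5 for prose, close to 8.0
    for compressed, encrypted or random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def flag_encrypting_processes(events, entropy_threshold=7.0, min_files=5):
    """Return the set of processes that rewrote at least `min_files` distinct
    files with near-random content (entropy above `entropy_threshold`).

    `events` is an iterable of (process, path, bytes_written). A real detector
    would take these from a file-system filter driver or EDR telemetry."""
    high_entropy_files = defaultdict(set)
    for process, path, data in events:
        # Skip tiny writes: an entropy estimate over a few bytes is meaningless.
        if len(data) >= 256 and shannon_entropy(data) > entropy_threshold:
            high_entropy_files[process].add(path)
    return {p for p, paths in high_entropy_files.items() if len(paths) >= min_files}


# --- constructed sample telemetry (not real malware output) -----------------
def _pseudo_random(seed: str, size: int) -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 run in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:size])


DOC_TEXT = b"Quarterly budget review. Please see attached figures and comments.\n" * 60

SAMPLE_EVENTS = [
    # Normal editing: a word processor saving plain text.
    ("winword.exe", r"C:\Users\alice\Documents\budget.docx", DOC_TEXT),
    ("winword.exe", r"C:\Users\alice\Documents\notes.txt", DOC_TEXT),
    # A legitimate archiver writing one compressed file: high entropy, but only once.
    ("7z.exe", r"C:\Users\alice\backup.7z", _pseudo_random("7z", 4096)),
] + [
    # Ransomware-like behaviour: one process rewriting every document with ciphertext.
    ("svchost_.exe", rf"C:\Users\alice\Documents\file{i}.docx", _pseudo_random(f"enc{i}", 4096))
    for i in range(8)
]

if __name__ == "__main__":
    print("entropy of DOC_TEXT:", round(shannon_entropy(DOC_TEXT), 2))
    print("flagged processes:", flag_encrypting_processes(SAMPLE_EVENTS))
```

The single compressed archive is deliberately included: compression also produces high-entropy output, which is why the detector counts distinct files per process rather than firing on any one high-entropy write. In production the same signal is usually combined with a rename or extension-change pattern and a canary file that nothing legitimate should touch.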

Research also highlighted the Deep Web as a favored underground hub. It continued to ensure anonymity for cybercriminals, which made it harder for the authorities to catch them.

Refined tools and tactics, just like we predicted, allowed cybercriminals to gain access to personal information for a chance to make even more money.


Ransomware improved over time, costing victims not just worry over losing file access but also their hard-earned money.

Online banking malware volume doubled in just a year

The online banking malware volume doubled in the span of just one year. From nearly half a million in 2012, the number rose to nearly a million by the end of 2013.

The rise in online banking malware infections continued to be a worldwide trend. The United States, Brazil, and Japan topped the list of victims in every quarter of 2013.

The rise in infection volume could be attributed to factors like a matching increase in mobile and online banking adoption, faster Internet access, and unsafe Web surfing habits.

The rise in volume and sophistication of online banking malware goes to show that cybercriminals invest more in threats that gather information to get more money.

Online banking malware went after Japanese users who weren’t considered favored targets prior to 2013.

The Blackhole Exploit Kit may have died but the spam volume normalized as alternatives appeared

Despite its popularity just a year earlier, the Blackhole Exploit Kit went into a slow decline after its creator, “Paunch,” was arrested in October. Related spam runs had disappeared by December, though overall spam volume also started returning to normal by then.

From January to September 2013, the spam volume hovered around the 6-million mark on average. After Paunch’s arrest, the number fell to 5.9 million in October and further to 3.9 million in November. It started to recover in December, reaching 4.1 million.

The Blackhole Exploit Kit’s demise left a vacuum that spammers needed to fill. Cutwail and other botnets that used to send out Blackhole-Exploit-Kit-related malware stepped up and instead sent out malware like CryptoLocker and UPATRE. Other exploit kits, led by Magnitude, also moved to take the Blackhole Exploit Kit’s place.

Blackhole-Exploit-Kit-related spam campaigns used banks and software manufacturers more than companies in other sectors.

Around 1 million malicious and high-risk Android apps were found in 2013 alone

While 2012 cemented the presence of mobile malware, 2013 proved its prevalence. One million malicious and high-risk Android apps were discovered in 2013 alone, which brought the total to almost 1.4 million.

Cybercriminals’ attention to mobile threats drove continuous growth in malware volume and sophistication. PERKEL, for instance, which targeted mobile banking users, showed off refined routines that allowed it to intercept authentication messages sent via SMS. The FAKEBANK Trojan, meanwhile, spoofed legitimate banking apps to steal financial information.

Premium service abusers (53%) were the most prevalent mobile malware found last year. Other types like adware (31%) and data stealers (19%) were also widespread in the mobile threat space.

Malicious and high-risk apps were found in both legitimate and third-party Android app stores. But iOS users also needed to be vigilant, as researchers from the Georgia Institute of Technology found a way to evade the App Store℠ review process, as had been done in 2011, using a behavior-hiding app called Jekyll. The app, effectively a Trojan, passed review while behaving benignly and could later be directed remotely to execute malicious behavior on the device.

As more intimate and easily identifiable information continues to be kept on mobile devices, cybercriminals will develop more sophisticated routines that we’re bound to see this year.

Apple’s stricter app approval process, apart from the much smaller iOS user base, may have had a lot to do with fewer attacks against its device owners.

Android device users struggled with flaws; patching remained a concern

In the second quarter of 2013, we witnessed the “master key” vulnerability in Android affect almost all devices. Left unpatched, this vulnerability let attackers modify a legitimately signed app without invalidating its signature, so malicious code could be slipped into apps already installed on devices.

The next quarter, cybercriminals abused the flaw to Trojanize a popular banking app, offering the modified copy as an “update” on third-party sites. Those who downloaded the supposed update were compromised.
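The “master key” flaw is worth understanding as a parser-discrepancy bug, because the same pattern recurs in any format that one component validates and another consumes. An APK is a ZIP archive, and ZIP does not forbid two entries with the same name; the Android signature verifier and the code that loaded classes.dex did not agree on which copy counted, so an attacker could keep the original, signed classes.dex in the archive alongside a malicious one and the signature still checked out. The Python script below, an added illustration and not code from the report or from the Android project, builds such a two-entry archive in memory, shows that Python’s own zipfile module has the same ambiguity (the first central-directory entry versus the one returned by a name lookup), and then applies the check a verifier needs: reject any archive with duplicate entry names. The entry contents are constructed placeholders, not real DEX bytecode or a real signature file.

```python
import io
import warnings
import zipfile


def build_apk(entries):
    """Build an in-memory ZIP (the container format of an APK) from
    (name, bytes) pairs. Duplicate names are written as given: the ZIP
    format allows them, and zipfile only emits a warning."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # silence "Duplicate name"
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def entry_views(apk_bytes, name):
    """Return (first_copy, by_name_copy): the content of the first
    central-directory entry called `name`, and the content a lookup by
    name returns. Two consumers choosing differently is the bug."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        first = next(info for info in zf.infolist() if info.filename == name)
        return zf.open(first).read(), zf.read(name)


def duplicate_entries(apk_bytes):
    """The check a verifier must make before trusting any entry:
    names that occur more than once in the central directory."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
    return sorted({n for n in names if names.count(n) > 1})


# Constructed placeholders: not real DEX bytecode or a real signature.
ORIGINAL_DEX = b"ORIGINAL classes.dex: signed, benign code"
MALICIOUS_DEX = b"INJECTED classes.dex: attacker code"

CLEAN_APK = build_apk([
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", ORIGINAL_DEX),
    ("META-INF/CERT.SF", b"SHA1-Digest of classes.dex ..."),
])

# The same archive with a second classes.dex inserted ahead of the signed one.
TROJANIZED_APK = build_apk([
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", MALICIOUS_DEX),
    ("classes.dex", ORIGINAL_DEX),
    ("META-INF/CERT.SF", b"SHA1-Digest of classes.dex ..."),
])

if __name__ == "__main__":
    first, by_name = entry_views(TROJANIZED_APK, "classes.dex")
    print("first entry in central directory:", first)
    print("entry returned by name lookup:   ", by_name)
    print("duplicates in clean APK:     ", duplicate_entries(CLEAN_APK))
    print("duplicates in trojanized APK:", duplicate_entries(TROJANIZED_APK))
```

A verifier that hashes whichever copy the name lookup returns will happily validate the signed entry while the loader runs the other one. Android’s fix took the approach shown in `duplicate_entries`: treat a duplicate name as a fatal parse error rather than picking a winner.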

Many Android devices were also infected with OBAD malware, which took advantage of an unpatched critical device administration vulnerability.

Patching vulnerabilities remained a concern for many Android device users because of the complex path that legitimate updates had to travel. Patches had to go from Google to device manufacturers and then to carriers before they could reach actual device users.

Android’s complicated update process could be a reason why devices that ran it remained vulnerable to many threats.

Targeted attacks went on nonstop despite low mainstream attention

“Assume compromise” was the mantra for 2012 when it came to targeted attacks. Organizations were called on to strengthen their defenses, as it was only a matter of time before they suffered breaches.

Unfortunately, attackers polished their methods in 2013 to better choose and infiltrate target networks. Some high-profile incidents gave likely targets more concrete reasons to act faster to protect their “crown jewels”:

  • Grab all media for the record. The EvilGrab campaign grabbed audio, photo, and video files, along with user credentials, in one sitting. Victims were concentrated in China (36%) and Japan (18%), though other Asian and European governments were also targeted.
  • More targets, greater success. The Safe campaign compromised specific targets in the technology and media sectors and in academia across more than 100 countries. It hit an average of 71 victims per day using only two sets of command-and-control (C&C) infrastructure, which saw check-ins from almost 12,000 unique victim IP addresses.

Targeted attacks always went after valuable information, which exposed institutions and corporations to monetary loss and reputation damage. We saw well-researched and highly customized attacks against a wide range of targets in 2013, most of which went unreported, leaving the affected organizations’ customers none the wiser.

Attackers did not discriminate among countries in 2013. Countries in Asia, particularly Japan and Taiwan, were, however, hit the hardest.
Note: This chart shows our findings on the targeted attacks we monitored throughout 2013.

High-value targets suffered data breaches

A number of high-profile targets suffered data breaches in 2013. Note-taking app, Evernote, had to reset 50 million user passwords after attackers stole its customers’ usernames, email addresses, and passwords. Daily deals site, LivingSocial, had to reset the same number of passwords for customers whose usernames, email addresses, birthdays, and passwords were also stolen.

Damaged reputations and legal concerns were just some of the many consequences the breached organizations had to address last year. 2013 highlighted that for high-value targets, data confidentiality and privacy translated to important real-world investments.

Any organization that keeps data—its own or others’—is at risk of being breached.

Real-world operations faced cyber attack risks

Advances in cybercrime became more apparent in 2013 as proof-of-concept (PoC) attacks that could cripple real-world operations inched closer to home.

A network attack against South Korean institutions, including three major banks, paralyzed an estimated 30,000 computers, including ATMs. This massive cyber attack showed how attacks could compromise critical systems, turn auto-update infrastructure into a malware delivery channel, and make security products themselves viable targets.

This year, we believe attackers will learn to attack critical infrastructure like industrial control systems (ICS) and radio-frequency-enabled technologies like the Automatic Identification System (AIS).

We may not have seen many such attacks yet, but it is only a matter of time before bad guys target this infrastructure for profit.

Adobe suffered most from data breaches though 2013 showed that no company, regardless of size, is safe from cyber attacks.

Back-to-back zero-day exploit attacks seen against old and unsupported software versions

Zero-day exploits for both Java™ and Adobe® software were seen from the onset of 2013. The U.S. Department of Homeland Security even urged users to stop Java use until after a patch was released.

Just when concerns abated, however, exploit kits came packed with exploits for Java 6 vulnerabilities soon after Oracle stopped providing support for that version. Attacks ensued, and by the third quarter of 2013, Oracle had disclosed 31 Java 6 flaws that would never get patched. Since a large number of Java users still run this version, they have been and will remain at risk if they don’t upgrade.

We expect the same fate to await Windows® XP users after April this year when Microsoft withdraws support for the OS.

Concrete proof of the risks that come with using old and unsupported software includes the following:

  • Zero-day exploits targeted Adobe Flash® and Adobe Reader® bugs. Users were tricked into downloading malicious .SWF or .PDF file attachments, respectively.
  • A zero-day exploit also targeted earlier versions of popular hosting solution, Plesk. Exploiting the bug allowed bad guys to compromise Web servers that were unlikely to be patched as they ran on Plesk versions that were no longer supported.
  • Attackers exploited a critical Ruby on Rails™ vulnerability, which let them enlist unpatched servers into a large Internet Relay Chat (IRC) botnet.

Unfortunately, unpatched software can still be found in both consumer and enterprise computers. Using them is almost the same thing as allowing cybercriminals access to your private information.

Java was exploited left and right, making it one of the most exploited pieces of software to date.

State monitoring raised privacy concerns

Many considered former National Security Agency (NSA) contractor Edward Snowden’s revelations about government spying a cavalier act, but some didn’t. One thing’s for sure, though: the public will be less trusting of any large, organized group with vested interests from now on.

Fear of state monitoring, coupled with the known risks of digital life, was an affront to personal privacy. The Snowden incident revealed just how much information could be obtained from key organizations. In the past, we only had to worry about cybercriminals getting their hands on sensitive information. In 2013, we realized that even large and trusted institutions could do the same thing.

2013 may have, in fact, prompted everyone to ask one of the most important questions in today’s “digital age”—How can we keep our information safe? For most, the answer can be one of two things—disclose less or find products that can protect your information.

Keeping secrets safe should be everyone’s top priority.

Digital life threats via social platforms found; “business as usual” for cybercriminals

In 2013, we saw bad guys reuse effective social media attacks to wreak havoc on users’ digital lives. Twitter was used to advertise hacking tools that allowed access to others’ Facebook and Twitter accounts. Instagram users were threatened by a slew of “free follower” scams. We also saw several Facebook, Tumblr, Pinterest, and other social media scams.

Cybercriminals also took advantage of the launch of hot gadgets like the PS4® and Xbox® One, natural disasters like Typhoon Haiyan, widely celebrated occasions like Halloween, and others. Phishing emails continued to be a favored cybercriminal means to steal personal information like Apple IDs, which continued to be sold underground.

Improvements in attack tools and tactics will continue to threaten our digital lives. As bad guys continue to target our personal exchanges and social interactions, we need to remain vigilant, especially amid concerns over data theft and digital robbery.

As usual, cybercriminals used the most-talked-about issues, events, movies, gadgets, and natural disasters to lure as many victims as possible to their specially crafted traps.