Colombo White Hat Security 3rd Meetup - Recent Trends & Attacks in Cyberspace


Dulanja Liyanage WSO2, Platform Security Team

@dulanja

Recent Trends and Attacks in Cyberspace

http://www.meetup.com/Colombo-White-Hat-Security/

https://www.facebook.com/colombowhitehat

https://twitter.com/ColomboWhiteHat

2016 RETROSPECT

Biggest and Worst Breaches!

The Hollywood Presbyterian Medical Center

Sector: Healthcare

Summary: Ransomware. The facility's urgent scans, lab work, pharmacy orders and documentation could not be processed. Systems were down for more than a week, and the hospital paid a ransom of $17,000.

San Francisco Municipal Transportation Agency

Sector: Public Transport

Summary: Ransomware. Around 2,000 computer systems were affected and 30 GB of data was reportedly stolen. With ticketing out of action, passengers rode free for two days. The demanded ransom of $73,000 was apparently not paid.

Bangladesh Bank

Sector: Financial

Summary: A Business Process Compromise (BPC). Using the SWIFT credentials of a bank operator, the attackers transferred $81 million from the bank's account at the Federal Reserve Bank of New York to accounts in Sri Lanka and the Philippines.

Leoni AG

Sector: Manufacturing

Summary: A Business Email Compromise (BEC). The attacker sent the CFO of the company's factory in Romania a spoofed email that appeared to come from a top executive of the company; the CFO was tricked into transferring €40 million to an unknown bank account.

Dyn DNS

Sector: Technology Services

Summary: A DDoS launched from IoT devices. It disrupted major websites for millions of users across the US East Coast, including Twitter, Reddit, Netflix, Spotify and many more. An estimated 100,000 IoT devices compromised by the Mirai malware were used as bots.

Ukraine Power Grid

Sector: Energy

Summary: Using malware, the attackers reached the SCADA (Supervisory Control and Data Acquisition) networks over hijacked VPN connections and controlled the power grid from there. Outages lasted an estimated 3 hours and affected around 250,000 customers.

Yahoo

Sector: Technology Services

Summary: 500 million user accounts were compromised in a 2014 attack, and more than 1 billion in a separate 2013 attack; both were disclosed in 2016. The 2014 intrusion used forged cookies, made possible by stealing and analyzing Yahoo's proprietary code. How the 2013 breach was carried out is unknown.

Democratic National Committee (USA) hack

Sector: Political

Summary: A collection of over 20,000 emails from the DNC was leaked and published by WikiLeaks. This strained relations with Russia, on the belief that the leak affected the US presidential election.

U.S. Department of Justice

Sector: Public Sector

Summary: Hackers released data on 10,000 Department of Homeland Security employees and 20,000 FBI employees. The stolen information included names, titles, phone numbers and e-mail addresses.

Snapchat

Sector: Technology Services

Summary: Personal information of 700 current and former Snapchat employees was stolen through a phishing scam: attackers posing as Snapchat chief executive Evan Spiegel tricked an employee into e-mailing them the data. The information included Social Security numbers and wage/payroll data.

Verizon Enterprise Solutions

Sector: Technology Services

Summary: Hackers stole information on about 1.5 million customers. The data was later found for sale on an underground cybercrime forum.

Philippine Commission on Elections

Sector: Public Services

Summary: According to Infosecurity Magazine it “could rank as the worst government data breach anywhere.” Personal information of 55 million people, i.e. every registered voter in the Philippines, was compromised by Anonymous, and the database was published online a few days later.

LinkedIn

Sector: Technology Services

Summary: 117 million email and password combinations stolen in a 2012 breach were published online.

Dropbox

Sector: Technology Services

Summary: Credentials of 68 million Dropbox users, compromised in a 2012 breach, were revealed in 2016.

AdultFriendFinder.com

Sector: Entertainment

Summary: Personal information of 412 million users, including e-mail addresses, passwords, VIP member status, browser information, last login IP address and purchases, was stolen and published on online criminal marketplaces.

State of web app vulnerabilities

‘This is mostly due to a shift in research focus (e.g. towards IoT devices)’

‘XSS Flaws Decline, DoS Becomes More Common’

Source: http://blog.imperva.com/2016/12/the-state-of-web-applications-vulnerabilities-in-2016.html

Trends

Top Trends - Ransomware

Ransomware is malware that, once it has infected a machine, makes the machine or its files unusable, typically by encrypting the files, until the victim pays a “ransom” to the attacker in return for the decryption key. Payment is usually demanded in a cryptocurrency such as Bitcoin.

Image Source: https://blog.kaspersky.com/locky-ransomware/11667/

Top Trends - DDoS via IoT

Image Source: https://pixabay.com/en/octopus-tentacles-five-eyes-dhs-1220817/

The rapidly growing number of insecure IoT devices, shipped with default passwords and similar weaknesses, has created the perfect platform for Distributed Denial of Service (DDoS) attacks. Although serious attacks have already been carried out with them, IoT vendors still do not follow a security-oriented approach when designing their devices, and they are slow to patch the vulnerable ones.
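Before a device is used in a DDoS it first has to be recruited, and Mirai recruited by scanning TCP ports 23 and 2323 for telnet services that accept default credentials. The added Python example below (not from the talk) runs that recruitment signature over flow records: a source contacting an unusually large number of distinct telnet endpoints is behaving like an infected bot looking for its next victim. The record format, the fan-out threshold and the addresses are constructed assumptions.

```python
from collections import defaultdict

TELNET_PORTS = {23, 2323}   # the TCP ports the Mirai scanner probed for default-credential logins
FANOUT_THRESHOLD = 20       # distinct telnet targets per source in one batch of records (assumed tuning)


def parse_flow(line: str):
    """Parse one constructed flow record: '<epoch> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return int(ts), src, dst, int(dport), proto.lower()


def telnet_fanout(lines):
    """Number of distinct telnet-port destinations contacted by each source address."""
    targets = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        _ts, src, dst, dport, proto = parse_flow(line)
        if proto == "tcp" and dport in TELNET_PORTS:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


def suspected_scanners(lines, threshold=FANOUT_THRESHOLD):
    """Sources whose telnet fan-out reaches the threshold, i.e. sweeping the network like a Mirai bot."""
    return sorted(src for src, n in telnet_fanout(lines).items() if n >= threshold)


# constructed flow records for one minute: an infected camera sweeping the /24, plus benign traffic
SAMPLE_FLOWS = [
    f"{1000 + i} 10.0.0.5 10.0.0.{100 + i} 23 tcp" for i in range(30)
] + [
    "1001 10.0.0.5 10.0.0.200 2323 tcp",   # same bot, the alternative telnet port
    "1002 10.0.0.7 10.0.0.1 53 udp",       # a device doing DNS
    "1003 10.0.0.9 10.0.0.50 23 tcp",      # an administrator logging into two switches
    "1004 10.0.0.9 10.0.0.51 23 tcp",
    "1005 10.0.0.9 10.0.0.50 22 tcp",
]

if __name__ == "__main__":
    for src in suspected_scanners(SAMPLE_FLOWS):
        print(f"{src}: {telnet_fanout(SAMPLE_FLOWS)[src]} distinct telnet targets, probable bot")
```

Run it over one minute of records at a time. Catching the scan is the cheap half of the problem; the other half is the egress side, where many of your own devices suddenly talk to one external destination, and the permanent fix is the one the paragraph asks vendors for: no default credentials and no telnet listening on the WAN side at all.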

Top Trends - Business Email Compromise (BEC)

Image Source: http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/business-email-compromise-bec-schemes

This is an attack on an organization in which the attacker poses as a senior executive (e.g. the CEO) by spoofing an email, either by taking control of that executive's inbox or by sending from a misleading look-alike address.

The scammer puts a lot of effort into making the email look authentic. This involves gathering knowledge of the company's policies and processes and information on the individuals involved.
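The tells of such a message are mechanical enough to check on the mail gateway. The added example below (not from the talk) inspects one message for the signs a BEC mail tends to carry: an executive's display name on a message from the wrong address, a look-alike sender domain, a Reply-To pointing somewhere else, failed SPF/DKIM results, and urgent money-transfer wording. The organization domain, executive list, thresholds and both sample messages are constructed assumptions.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed: the defending organization's mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed: display name -> genuine address
URGENT_WORDS = ("urgent", "wire", "transfer", "confidential", "immediately")
AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|none|permerror)\b", re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """True for a domain close to ORG_DOMAIN but not equal to it (examp1e.com, example.co, ...)."""
    if not domain or domain == ORG_DOMAIN:
        return False
    return difflib.SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= 0.8


def bec_indicators(raw_message: str) -> list:
    """Return the list of BEC warning signs found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    findings = []

    genuine = EXECUTIVES.get(from_name.strip().lower())
    if genuine and from_addr.lower() != genuine:
        findings.append(f"display name of an executive on mail from {from_addr}")
    if is_lookalike(from_dom):
        findings.append(f"look-alike sender domain {from_dom}")
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} points to a different domain than From")
    fails = AUTH_FAIL.findall(msg.get("Authentication-Results", ""))
    if fails:
        findings.append("authentication failed: " + ", ".join(f"{m}={r}" for m, r in fails))
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(w in text for w in URGENT_WORDS):
        findings.append("urgent money-transfer wording")
    return findings


def is_suspected_bec(raw_message: str, min_findings: int = 2) -> bool:
    """Two independent indicators are treated as a BEC attempt; one alone only warrants a warning banner."""
    return len(bec_indicators(raw_message)) >= min_findings


# constructed sample messages
SPOOFED = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail-example.net
To: cfo@example.com
Subject: Urgent wire transfer - confidential
Authentication-Results: mx.example.com; spf=none smtp.mailfrom=examp1e.com; dkim=none

I am in a meeting and cannot talk. Please transfer EUR 40,000 to the account
below immediately and keep this confidential until the acquisition is announced.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Board lunch
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

See you at noon in the boardroom.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, is_suspected_bec(raw), bec_indicators(raw))
```

Note what this cannot catch: when the attacker has taken over the executive's real mailbox, every header check passes, which is why a payment-instruction change still needs an out-of-band call to a known number regardless of how the email looks.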

Top Trends - Business Process Compromise (BPC)

This is similar to BEC, but rather than using email, the attacker hacks into the organization's systems and manipulates its business processes to his or her advantage.

E.g. redirecting a partner payment to an account the attacker controls.

Image Source: https://businessfirstfamily.com/5-business-process-improvement-principles-for-success/
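Whether the beneficiary is changed by a forged email (Leoni) or by an attacker operating inside the payment system (Bangladesh Bank), the transaction itself looks the same: a known vendor, a new account number, an unusual amount, and too few independent eyes on it. The added Python example below (not from the talk) shows the kind of pre-release check a payment process can enforce on every outgoing transfer. The vendor master data, payments, approver names and the 5x amount rule are constructed assumptions; the IBANs are the published example numbers, not real accounts.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    iban: str             # beneficiary account held in the vendor master file
    typical_amount: float


@dataclass(frozen=True)
class Payment:
    vendor_id: str
    iban: str
    amount: float
    requested_by: str
    approved_by: tuple    # user names that approved this payment


# constructed vendor master file
VENDOR_MASTER = {
    "V-100": Vendor("Acme Cable Works", "DE89370400440532013000", 25_000.0),
    "V-200": Vendor("Northwind Logistics", "GB82WEST12345698765432", 8_000.0),
}


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, map A..Z to 10..35, mod 97 == 1."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s.isalnum():
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1


def review_payment(p: Payment, master=VENDOR_MASTER, max_multiple: float = 5.0) -> list:
    """Reasons to hold a payment for out-of-band verification; an empty list means release."""
    reasons = []
    if not iban_valid(p.iban):
        reasons.append("beneficiary IBAN fails checksum")
    vendor = master.get(p.vendor_id)
    if vendor is None:
        reasons.append("vendor not in master file")
    else:
        if p.iban.replace(" ", "").upper() != vendor.iban:
            reasons.append(f"beneficiary account differs from the one on file for {vendor.name}")
        if p.amount > max_multiple * vendor.typical_amount:
            reasons.append(f"amount is more than {max_multiple:g}x the vendor's typical payment")
    approvers = set(p.approved_by)
    if p.requested_by in approvers:
        reasons.append("requester approved their own payment")
    if len(approvers - {p.requested_by}) < 2:
        reasons.append("fewer than two independent approvers")
    return reasons


def hold_queue(payments):
    """Split a batch into (released, held); each entry is (payment, reasons)."""
    released, held = [], []
    for p in payments:
        reasons = review_payment(p)
        (held if reasons else released).append((p, reasons))
    return released, held


SAMPLE_BATCH = [
    # routine invoice: account on file, two approvers other than the requester
    Payment("V-100", "DE89 3704 0044 0532 0130 00", 24_500.0, "bob", ("carol", "dave")),
    # the BEC/BPC pattern: same vendor, but the beneficiary account has been changed, the amount
    # is far above the usual, and the requester waved it through alone
    Payment("V-100", "NL91ABNA0417164300", 400_000.0, "bob", ("bob",)),
    # a brand-new "vendor" with a mistyped account number
    Payment("V-999", "DE89370400440532013001", 9_000.0, "erin", ("carol", "dave")),
]

if __name__ == "__main__":
    released, held = hold_queue(SAMPLE_BATCH)
    print(f"released {len(released)}, held {len(held)}")
    for p, reasons in held:
        print(p.vendor_id, p.amount, "->", "; ".join(reasons))
```

The point of the check is not the IBAN arithmetic but that it runs in the payment system, outside the reach of whoever controls the email or the operator's workstation: a changed beneficiary is confirmed by a phone call to the number already on file, never by replying to the request.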

Lessons Learned

● Maintain strong password policies and use multi-factor authentication

● Make sure software/firmware patches are applied regularly

● Have a multi-layered defense using network segmentation, intrusion prevention/detection systems and other defense-in-depth strategies. Make use of machine learning.

● Keep up to date with security threats and prevention mechanisms

● Build a security-oriented culture within the organization
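The first lesson has a concrete form: the LinkedIn, Dropbox and AdultFriendFinder dumps above are exactly the lists attackers replay against every other site, so a password policy should reject anything that appears in them. The added Python example below (not from the talk) checks length and then looks the password up in a breached-password corpus using the k-anonymity range-query design later popularised by the Pwned Passwords service: only the first five hex characters of the SHA-1 leave the client, and the suffix is matched locally. The leaked-password corpus, the 12-character minimum and the lookup function are constructed assumptions standing in for a real corpus and API.

```python
import hashlib

MIN_LENGTH = 12   # assumed policy minimum; NIST SP 800-63B requires at least 8 plus a breached-password check


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus: password -> number of occurrences.
# A real deployment indexes hundreds of millions of entries built from public dumps.
LEAKED = {"123456": 2_000_000, "password": 350_000, "linkedin": 20_000, "qwerty123": 90_000}

# Index by the first five hex characters of the SHA-1, the "range" of the k-anonymity scheme.
RANGE_INDEX = {}
for _pw, _count in LEAKED.items():
    _h = sha1_hex(_pw)
    RANGE_INDEX.setdefault(_h[:5], {})[_h[5:]] = _count


def lookup_range(prefix: str) -> dict:
    """Server side of the range query: return every known hash suffix for a 5-character prefix.

    The server never sees the full hash, let alone the password.
    """
    assert len(prefix) == 5
    return RANGE_INDEX.get(prefix.upper(), {})


def breach_count(password: str, range_lookup=lookup_range) -> int:
    """Client side: send only the prefix, compare the suffix locally."""
    h = sha1_hex(password)
    return range_lookup(h[:5]).get(h[5:], 0)


def password_problems(password: str) -> list:
    """Policy violations for a candidate password; an empty list means accept."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    n = breach_count(password)
    if n:
        problems.append(f"appears in breached-password corpus {n:,} times")
    return problems


if __name__ == "__main__":
    for candidate in ("linkedin", "a long and boring passphrase"):
        print(repr(candidate), password_problems(candidate) or "ok")
```

Rejecting breached passwords removes the credential-stuffing payoff of the leaks listed earlier; the second half of the lesson, multi-factor authentication, is what limits the damage when a password is phished rather than guessed.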

References

“A Rundown of the Biggest Cybersecurity Incidents of 2016” https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/a-rundown-of-the-biggest-cybersecurity-incidents-of-2016

“The Biggest Data Breaches in 2016, So Far” https://www.identityforce.com/blog/2016-data-breaches

“Yahoo Says 1 Billion User Accounts Were Hacked” http://www.nytimes.com/2016/12/14/technology/yahoo-hack.html

“The State of Web Applications’ Vulnerabilities in 2016” http://blog.imperva.com/2016/12/the-state-of-web-applications-vulnerabilities-in-2016.html

“Looking Back, Moving Forward: Cybersecurity Resolutions for 2017” http://www.trendmicro.com/vinfo/us/security/news/online-privacy/looking-back-moving-forward-cybersecurity-resolutions-for-2017

“8 Security Predictions for 2017” http://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2017

Thank you!