The Changing Faces of Cyber Threats and Attacks
These are some of the latest cyber threats as compiled by Symantec
Shamoon / Disttrack Attacks
- The Shamoon attacks are unique: they were targeted at the energy sector in the Middle East
- There are still a number of ‘unknowns’: because the attack was so targeted there are not multiple copies in circulation, so samples are not easy to obtain, and the infection is made up of multiple modules
- The virus is actually the last part of the attack. First a dropper module infects the system and drops the attack into multiple files; then a wiper component wipes the drivers and overwrites files; and a reporter component reports back to the attacker on the machines and the files that have been wiped
- The attacks caused significant stress on business systems such as e-mail, shutting down machines, deleting files and making machines inoperable
- Compared to the likes of Stuxnet, Duqu and Flamer, which were highly advanced and exploited vulnerabilities, Shamoon is less advanced but is still able to cause serious damage
- It is still unknown how it gets into the computer, and it has not been possible to determine who is responsible
- Targeted attacks are on the rise and we foresee that this is not the end of such attacks. Attack toolkits these days are cheaply available and can help even less advanced cybercriminals create their own malware and attacks. The high profile and attention that Shamoon and other targeted attacks are getting could also contribute
Flamer
- Flamer is a highly sophisticated and targeted threat primarily targeting a few hundred organizations and individuals located in the Middle East and Eastern Europe.
- Based on Symantec’s analysis, Flamer acts as a general purpose spying tool perfectly designed for cyber espionage and stealing all types of information from compromised machines. In this respect, it’s vastly different from Stuxnet, a threat designed to attack and disable elements of the Iranian nuclear system.
- Symantec’s evidence shows that Flamer has operated for at least two years – making it a prime example of a targeted attack designed to go undetected for long periods of time.
- Among many other things, Flamer can do the following to impacted machines:
  - Steal documents
  - Take screenshots of users’ desktops
  - Spread via USB drives
  - Disable security vendor products
  - Spread via additional methods if configured to do so
- Flamer was also built with the ability to “commit suicide” and shut itself down when detected
Best Practice Recommendations from Symantec:
- Create an Internal Corporate Security Task Team to work with a trusted security vendor to mobilize a team of security specialists and perform a detailed analysis of the current risk.
- Review security operations process and infrastructure, and design and implement an industry compliant Security Operation Center.
- Integrate a breach prevention and response plan into the day-to-day operations of the security team. Run Vulnerability and Malicious Activity Assessments in addition to penetration tests to determine current weaknesses in external and internal exposure.
- Procure products and services for all required software and infrastructure to implement critical recommendations and deploy optimized protection to secure all business environments.
- Implement a Managed Security Service (MSS), supplemented by senior resident resources. Part of the MSS will be the implementation of a 24/7 global intelligence monitoring service.
- Ensure infrastructure security across all endpoints including mobile devices, ensure security products are up to date and avoid pirated software.
- Have a disaster recovery plan in place; it is important to have data backed up, encrypted and secure.
- Protect and educate users with identity and access control, two-factor authentication and conduct security awareness training.
Read these articles for more information:
Have I Got Newsforyou – Analysis of Flamer C&C Server
Flamer – A Recipe for Bluetoothache
Painting a Picture of W32.Flamer
Highly Sophisticated and Discreet Threat Targets the Middle East