
Ready for me to go old school? How about SQL Slammer-level old school? More than 13 years after it was first found scurrying around the internet, the SQL Slammer worm can still be found propagating in the wild, albeit minimally, according to IBM Managed Security Services (MSS) data.

But why does such an old threat keep making the rounds more than a decade after its discovery? Some older threats never die because they’re easy to exploit. There’s always the chance that a vulnerable system can be compromised by tested and true bugs.

Shellshock Surge

While SQL Slammer is a dated threat that only affected Microsoft SQL server 2000, we have much more serious and widespread threats following in its footsteps.

Last Saturday marked the two-year anniversary of one of the most infamous bugs of 2014, Shellshock. A recent surge in attacks observed by IBM Managed Security Services suggested the threat is still prevalent.

From Zero Day to Present Day

A 20-year-old vulnerability (CVE-2014-6271) in the GNU Bash shell, which is widely used on Linux, Solaris and Mac OS systems, sparked the wave of attacks known as Shellshock beginning in late September 2014. This first vulnerability gave way to the disclosure of several additional vulnerabilities affecting the same shell within a short period (CVE-2014-7186 and CVE-2014-7187), at which point many realized that this was a threat to be reckoned with.

Right at the onset, we observed a significant increase in focused attacks leveraging these vulnerabilities — over 2,000 security events within 24 hours of the Shellshock bug disclosure. To get an idea of the magnitude of this activity, there were just over 7,500 Shellshock security events for the entire month of August 2016, according to IBM MSS data.

When a zero-day vulnerability surfaces, especially a high-profile one that can affect many systems, the corresponding exploit is usually disclosed promptly. With Shellshock, an exploit targeting the first vulnerability was publicly disclosed a mere 28 hours after the zero-day vulnerability emerged.

As news of this vulnerability and its ease of exploitation spread, the number of attackers opting to leverage and exploit it increased tremendously. Attacks came in waves from different source IPs and originating countries, rising in quantity every hour.

Shocking Numbers

As though in anticipation of its anniversary, Shellshock attack activity recently surged to levels not seen since 2015. As of Sept. 22, the month of September accounted for more than 26 percent of the total activity recorded in 2016.

A little over 70 percent of the attack traffic originated in the U.S., and another 18 percent came from Australia. Top targets of these attacks, according to IBM MSS data, include organizations located in the U.S. (26 percent), Japan (18 percent), India (16 percent) and Brazil (11 percent).

[Figure: Shellshock anniversary]

Retrospective Perspective

Before Shellshock had us scrambling to patch our systems in 2014, we were running for the hills because of another vulnerability. Heartbleed, which affected OpenSSL, a popular open-source implementation of the SSL/TLS protocols, was all over the news.

Heartbleed enabled attackers to remotely read the contents of a server's memory without logging on or authenticating to it. Successful exploitation could allow attackers to retrieve private keys, passwords or other sensitive information from servers they were not authorized to access.

[Figure: Shellshock 2, Shellshock vs. Heartbleed attack activity over the past year]

Although a formidable threat when it first surfaced — IBM MSS data revealed over 1.8 million Heartbleed-based attacks by the end of the first month — Heartbleed failed to exhibit the same staying power as its system-crippling cousin, Shellshock.

As shown in the figure above, in the past year, Heartbleed activity indeed paled in comparison to Shellshock, failing to reach even 15 percent of the total number of Shellshock attacks. Even as Shellshock attacks nosedived in November 2015 and continued to wane as we entered 2016, it still managed to maintain its stamina, averaging nearly 7,900 attacks per month throughout 2016.

Who Is Still Riding the Shellshock Wave?

Per IBM MSS data, as of mid-September, the U.S. is the leading country from which Shellshock attacks originate, making up 71 percent of the total in 2016. Approximately 1,800 unique source IPs based in the U.S. were responsible for these attacks. China is in a distant second, making up 8 percent of the Shellshock attacks, followed by Australia and Italy at 6 percent and 3 percent, respectively.

[Figure: Shellshock 3, attack sources by country]

Who Is Still Suffering From Shellshock?

The U.S. is also the leading country in terms of organizations targeted by Shellshock, making up 46 percent of the total in 2016. Although Japan was at the top when the threat first materialized, it ranks second in 2016, making up 24 percent of the total on a global scale.

[Figure: Shellshock 4, targeted organizations by country]

In terms of industries most targeted, the information and communication sector, including telecommunications companies as well as those that provide computer programming and consulting services, topped the list in 2016. They sustained over 46 percent of the Shellshock attacks. This makes sense since many major organizations in this space run Linux-based systems in their IT infrastructure and environments.

[Figure: Shellshock 5, targeted industries]

Financial services ranked second at 26 percent, followed closely by manufacturing in third at 16 percent. The finance sector began adopting Linux-based platforms over a decade ago, with early adopters including the Chicago Mercantile Exchange in 2004 and the New York Stock Exchange in 2007. The pervasiveness of the operating system in this sector makes it an attractive target.

UNIX systems, which employ the Bash shell, are also perhaps more prevalent in manufacturing versus other industries. ICS and SCADA hardware might also have a basic UNIX-like firmware running on the device that can’t be easily updated due to special constraints. That could lead to outdated vulnerable services such as SSH, OpenSSL and Apache running on critical devices.

Additionally, the large discrepancy in Shellshock activity observed in information and communications, financial services and manufacturing versus other industries may point to differences in patching practices among those verticals.

Make It Go Away

We wish we could wave a magic wand and make threats like Shellshock go away. But it’s not so simple, unfortunately. Like stains, some cyberthreats are persistently visible, and Shellshock seems bent on sticking around.

So how do you address this issue? Apply the appropriate update for your system. Failure to apply patches and fixes leaves your organization at risk of Shellshock attacks. Timely patch management is vital in organizations of any size. However, depending on the complexity of your environment, this is easier said than done.

Security intelligence and data analytics tools allow your organization to identify its greatest vulnerabilities and prioritize patching, keeping systems patched and up to date. Virtual patch technology can provide an additional layer of protection. While vendor patches are the first line of defense, protocol analysis, which is incorporated in IBM Security Network Intrusion Prevention product offerings, can provide an additional layer of protection against these types of attacks. In fact, IBM's protocol analysis has been protecting customers against this class of attack since 2007, well before Shellshock was disclosed.
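As an added example, not code from the IBM post, here is a small Python detector in the spirit of the protocol-level checks the paragraph mentions. It parses web-server access-log lines in Apache combined format (constructed sample lines are embedded), flags any request whose Referer or User-Agent header contains the Bash function-definition prefix "() {" that Shellshock (CVE-2014-6271) abuses, and counts the flagged events per source IP, the same unit the IBM MSS figures above use. The log format, field names and sample IPs are assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample access-log lines in Apache "combined" format (IPs from
# documentation ranges). Two carry the Bash function-definition prefix that
# Shellshock (CVE-2014-6271) abuses, once in User-Agent and once in Referer.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Sep/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [22/Sep/2016:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :; }; echo probe"
198.51.100.7 - - [22/Sep/2016:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "() { :; }; echo probe" "curl/7.35.0"
203.0.113.10 - - [22/Sep/2016:10:02:00 +0000] "POST /login HTTP/1.1" 302 0 "http://example.test/" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# A vulnerable Bash treated any environment variable whose value started with
# "() {" as a function definition and kept executing past the closing brace.
# CGI-enabled web servers copy request headers into environment variables, so
# this prefix showing up inside a header is the signature worth alerting on.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Header fields (assumed) that the web server exports into the CGI environment.
HEADER_FIELDS = ("referer", "user_agent")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format log line; return None for lines that don't fit."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_shellshock_events(log_text: str) -> List[Dict[str, str]]:
    """Return one event per header field that carries the Shellshock prefix."""
    events = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # malformed line: skip it rather than abort the scan
        for field in HEADER_FIELDS:
            if SHELLSHOCK_RE.search(record[field]):
                events.append({
                    "ip": record["ip"],
                    "timestamp": record["ts"],
                    "field": field,
                    "request": record["request"],
                })
    return events


def events_per_source(events: List[Dict[str, str]]) -> Counter:
    """Count flagged events by source IP, the unit the IBM MSS figures report."""
    return Counter(event["ip"] for event in events)


if __name__ == "__main__":
    found = find_shellshock_events(SAMPLE_LOG)
    for event in found:
        print(f'{event["timestamp"]} {event["ip"]} {event["field"]}: {event["request"]}')
    print("events per source:", dict(events_per_source(found)))
```

The regex searches anywhere in the header value rather than only at its start: Bash only honoured the prefix at the start of a variable, but a looser match costs little and catches probes that vary the surrounding whitespace. On a real log the same counter over source IPs gives the per-source view the IBM figures summarize.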

Let’s hope this upward trend is fleeting, and next year there won’t be any reason to publish an anniversary blog.

To learn more about other older attacks that are still successful, check out the white paper “Beware of Older Cyber Attacks.”



Security Intelligence

The $60 billion Dell-EMC merger has been finalized, and the top executives of RSA, the security division of EMC, expect little change within the company and how it serves its customers.

The Dell-EMC merger creates the world's largest privately controlled tech company, operating under the name Dell Technologies, with $74 billion in revenue and 140,000 employees. Amit Yoran, president of RSA, confirmed during a press call that RSA would retain brand autonomy, and Zulfikar Ramzan, CTO of RSA, said he expects RSA to retain its ability to be agile despite being part of such a large company.

"Everything I've seen so far suggests that the way things are going to be at Dell, the way things work, it tends to be a fast moving, fluid company," Ramzan told SearchSecurity. "The model the way it is, each of the different brands within Dell has some level of autonomy so we can develop our own ecosystems. We can leverage the best of what we can get from the broader platform itself."

Overall, executives from RSA are pushing the dual ideas of "business as usual," but also "strength in numbers." RSA doesn't want customers to be worried about big changes, but also wants to stress the value it expects to add by being part of the combined Dell-EMC powerhouse.

Yoran said he thinks there is a "natural upside of having the broader ecosystem of Dell Technologies from a leverage and relationship standpoint."

"You never hear any large enterprise CIO or other executive say I'd prefer to work with more vendors on more siloed issues versus having a broader platform and more strategic partner at the table working with me on my key business drivers and issues," Yoran said. "I think we're extremely well positioned and situated and I think having that broader relationship in enterprises will be helpful."

Ramzan said the offerings between RSA and Dell have been "remarkably complementary," meaning a limited amount of overlap, but still opportunities for improvements on both sides. For example, Ramzan said Dell SecureWorks tends to be more focused on services while RSA is more of a product company.

Grant Geyer, senior vice president of product for RSA, said he believes the Dell-EMC merger will enable RSA to continue to extend its reach into customers and routes-to-market that were previously closed off, and Yoran teased some specifics.

"We're still obviously very early into discussions, but there are some capabilities around packet capture technology and network forensics that SecureWorks doesn't have in their portfolio and a lot of other MSSPs don't have in their portfolios, that we are advocating as route-to-market both through SecureWorks and through other channels as well," Yoran said. "The balance for us is to arm SecureWorks to bring capabilities to market as one potential opportunity, while we also ensure we're also providing those same capabilities out to other channel partners."

Geyer did admit there are areas of overlap that will need to be addressed.

"We're actively in conversations not only with VMware but all members of the Dell Technologies team to ensure that we can harmonize and streamline the portfolio and eliminate as many overlaps as possible as makes sense for our customers," Geyer said, but he wasn't able to provide further details.

Ultimately, Ramzan said the areas of focus put forth by Yoran during the RSA Conference would remain the same for RSA: identity and access management, security analytics, and governance, risk and compliance (GRC).

"If you look at security analytics, it's all about monitoring and gleaning insights about different events and different situations in an organization," Ramzan said. "What GRC enables you to do is put business context on top of those events to enable organizations to decide intelligently where to place their efforts."

But RSA executives acknowledged that communicating the company's new focus and value proposition will be a challenge. Holly Rollo, chief marketing officer for RSA, said she joined the company in April because she thinks it can do better at conveying its message to customers.

"[I] joined because it's probably one of the most well-known security brands in the world and probably one of the least well-understood," Rollo said during a press call, adding that she was "really really excited about helping RSA do a better job explaining its value proposition -- really tell this amazing story to the market, which honestly, I think over the last handful of years hasn't really been happening."



SearchSecurity: Security Wire Daily News

The infamous Ramnit Trojan is on the prowl again, and this time it targets personal banking customers of six unnamed UK banks.

Ramnit Trojan rides again

The Trojan has not changed much since we last saw it targeting banks and e-commerce sites in Canada, Australia, the USA, and Finland in December 2015: it still uses the same encryption algorithms and the same (but updated) data-grabbing, web-injection, and file-exfiltrating modules (the latter looks for files whose names contain keywords of interest, such as ‘wallet’, ‘passwords’, and the names of the banks targeted in the configuration).

“The configuration side is where we can see that Ramnit has been preparing for the next phase, with new attack schemes built for real time web-fraud attacks targeting online banking sessions,” IBM X-Force researchers explain. “Not all attacks have to happen in real time or from the victim’s device. Ramnit’s operators can also gather credentials from infected users and use them at a later time, in account takeover fraud from other devices.”

IBM warns of the Trojan’s resurgence after X-Force researcher Ziv Eli spotted that the malware’s operators had set up two new attack servers and a new command and control server.

Whether these are the same operators who developed and used Ramnit over the last six years, and who went into temporary hiding after a coalition of European law enforcement agencies shut down C&C servers used by the Ramnit botnet in February 2015, is impossible to tell.

The Trojan’s source code was never sold or shared on underground forums, and IBM researchers believe it to be either still in the hands of the original cybergang or in those of another gang that bought it from them.

If past delivery techniques are used again, the Trojan will be spread via spam, malvertising and exploit kits. IBM has helpfully provided indicators of compromise for administrators to use to spot the malware.


Help Net Security

Major banks said they would install ATMs that will authenticate transactions through smart phones.

Bank of America, Wells Fargo and JPMorgan Chase have announced plans to roll out ATMs that accept smartphones as well as ATM cards to authenticate transactions, in an effort to reduce the likelihood of skimming and other attacks and to make ATM use more convenient for customers.

The new ATMs will support near field communication (NFC), tap-to-pay technology similar to what is used in Apple Pay and Android Pay, or codes provided through a customer's banking app, according to the Los Angeles Times.

Later this year, Chase's ATMs will first implement a code-based authentication system that uses a temporary PIN. The company is currently working on ATMs with NFC capabilities but it is unclear when they will be made available, the Times said.

A Bank of America spokesperson told SCMagazine.com via email correspondence that the firm will begin rolling out its NFC-enabled ATMs in select cities in late February followed by a broader launch mid-year.

Wells Fargo reportedly will adopt NFC technology by the end of the year.

Some security researchers think smartphones are more secure than ATM cards and can help banks save money in the long run.

VASCO spokesperson John Gunn told SCMagazine.com in an email correspondence that the additional methods of authentication available with a smartphone, such as biometric authentication, could help make smartphones a safer alternative.

“Using smartphones for ATM transactions enhances both the security and convenience of the ATM transaction," said Gunn, who explained that ATM cards are vulnerable to skimming attacks, which have cost banks more than $1 billion.

Some researchers, however, feel smartphones aren't inherently safer than ATM cards.

“To hack a smartphone, one can be anywhere in the world, which exponentially increases the number of potential attackers and available skillset,” Securonix Chief Scientist Igor Baikalov said in email correspondence with SCMagazine.com.

Baikalov said that smartphone security can be boosted enough to keep the cost of breaking phones “prohibitively high” for the majority of hackers, but this might come at the cost of convenience for the user.


Latest articles from SC Magazine News