Year 2015: And so what was it like?

We take a look at what happened in cybersecurity throughout 2015.

2015 is fading away and Christmas is now just ten days away. Securelist shared its Top Security Stories rating last week, and we have our own list to share, though it’s a bit different. Instead of picking a handful of top stories, we took a look at cybersecurity in 2015 in general. So, 2015 was the year when…

…APTs threw the Jolly Roger

Early this year, Carbanak was announced, the first ever purely criminal APT campaign which cost banks worldwide a formidable sum – around $1 billion, according to early estimates.

The full story is available here.

This was a rather sophisticated campaign targeting banks. The attackers used an array of tools, including manual reconnaissance. Spearphishing emails were used to deploy Carberp-based backdoors onto the victims’ systems; the attackers then looked for the PCs they could use to reach the points where money could actually be extracted. ATMs were then instructed remotely to dispense cash without any interaction with the ATM itself, with the cash then collected by “mules”. Alternatively, the SWIFT network was used to transfer money out of the organization and into the criminals’ accounts.

The campaign is apparently still active as of the end of 2015: new versions of Carbanak-associated malware were detected as late as September.

APTs were previously associated mostly with nation states, which is why Securelist’s own Targeted Cyberattacks Logbook pictures them as battleships. With Carbanak proving to be pure thievery, with nothing but cash-loving criminals behind it, it really is like a ship under the black flag.

…Spies went after smaller players

Grabit was another head-turner this year: the first cyberespionage campaign targeting SMBs. Attackers had previously been predicted to switch to “softer targets”. The reasoning is straightforward: every large enterprise has a large array of smaller suppliers, and while the main company may have nearly impenetrable cyberdefenses, its satellites are not necessarily that well protected. So strategically important data may be extracted indirectly, possibly with even less effort than in a direct attack.

More details are available here.

…Two APT actors vampired each other

A pretty story publicized mainly by Securelist: while studying Naikon, one of the most active APT groups in Asia, Kaspersky Lab researchers stumbled upon yet another threat actor. Its codename – Hellsing – is derived from the famous Japanese manga about a vampire-battling organization that employs a (somewhat) redeemed vampire.

The funny thing is that Hellsing has been attacking Naikon. That’s, however, where the fun ends, as both APT campaigns are serious business. Read more about them here.

A Russian-speaking APT group, Turla, was discovered hiding its C&C servers in space. Or, to be more specific, it used satellite communications to hide tracks and infect its victims.

They’d been hiding well, but not well enough to avoid discovery. The original stories are available here and here; both are really worth reading.

Years ago it seemed that Stuxnet was the first real cyberweapon that opened Pandora’s box. Now it’s clear it wasn’t the first.

In February, Kaspersky Lab announced the discovery of the Equation APT, a massive, decades-long cyberespionage framework. Some of its C&Cs were registered as early as 1996, although the main one dates back to August 2001.

Its main weapon – the Fanny worm – was first reported in 2008; it used the same zero-day exploits Stuxnet used two years later. Kaspersky Lab experts stated that Equation had been interacting with other powerful groups such as Flame and Stuxnet. It is possible that Equation is actually the “mothership” of multiple APTs – if not a direct ancestor of theirs.

…Windows 10 arrived

While still trying to get rid of antique Windows XP, Microsoft served out its new OS, giving it away for free to the users of Windows 7 and 8.1.

Arriving in late July, Windows 10 brought in a number of security improvements as well as (the quite usual) controversy, especially regarding its users’ data and control over it. There is a thing or two to be worried about – Windows 10 really needs a thoughtful approach to retain control over sensitive data.

On the brighter (perhaps) side, Microsoft adopted a more rigorous approach than ever to delivering updates: the Home and Pro editions automatically receive all non-critical updates as they are released, without the possibility of declining them, in addition to automatic driver updates. Pro versions are able to defer updates for a limited time, but not ignore them completely.

Microsoft was also quick to drop a behemoth patch for the flaws discovered by early adopters. The patch arrived just a day after the official Windows 10 release date, which certainly generated lots of buzz… but would it be better without this update?

…The cars finally got hacked remotely

It was much feared before, and finally became a grim reality: a car’s onboard systems were hacked so badly that the brakes, transmission, steering and dashboard functions could be “edited” from across the country – via WiFi.

As shown by two seasoned car-hackers – Charlie Miller and Chris Valasek – the onboard infotainment system of Chrysler’s Jeep Cherokee is _not_ isolated from the critical dashboard functions, so attackers can get hold of the latter. It is an elementary sort of mistake, which suggests that the venerable automaker saved big on very basic information security expertise.

Here’s the story in full.

…Major ransomware campaigns and botnets were taken down (mostly)

While new threats get discovered all the time, law enforcement agencies, together with private sector cybersecurity companies, are tracking the perpetrators, and from time to time taking down the botnets and getting the crooks jailed.

In the first half of 2015, the Simda botnet was taken off the board, with 14 C&C servers in the Netherlands, USA, Luxembourg, Poland, and Russia taken down at once. Preliminary analysis of some of the sinkholed server logs revealed a list of 190 countries affected by the Simda botnet.

It stayed below the radar for a disturbingly long period, too long for a large botnet – an invisible elephant, as it were.

It had also been a “distribution platform” for other malware, which made it even more dangerous.

In September, a couple of young Dutch individuals were arrested on suspicion of involvement in CoinVault ransomware attacks. The same individuals had been developing yet another ransomware – BitCryptor. Both ransomware campaigns have now, essentially, stopped.

In autumn, the botnet behind Dridex – sophisticated banking malware that steals credentials for online bank accounts worldwide – mostly went dark after police in Cyprus apprehended a Moldovan individual suspected of creating this botnet.

The full story is available here.

A large ransomware campaign linked to the notorious Angler exploit kit was dismantled, bringing the kit’s activity down 50%. Unfortunately, it was not taken down entirely: it seems to be alive as of now, serving CryptoWall to its victims.

Criminals go to great lengths to keep their tools of the trade afloat, so it will take time to bring Angler down completely.

…FBI told to pay the ransom

It was a not-so-mild scandal when a high-ranking FBI representative acknowledged his agency often recommended that ransomware victims pay the ransom if the data was critically important and there were no backups.

As “disquieting” as it was, this message was actually very fair: some strains of ransomware are uncrackable as of now, since they use strong encryption algorithms. So, unless the FBI or some other LEA apprehends the Crypto-something authors and pries the decryption keys from them, there’s no way to decrypt the affected files. Even a supercomputer would take eons to crack the 2048-bit RSA key of CryptoWall 3, for instance.

The only way out here is to have all appropriate precautions in place – mainly, backing up files regularly to unpowered data storage.

The full story is available here.

…Many predictions came true

In late 2014, Securelist published predictions for how the world of cyber threats may evolve in 2015. Four of the nine predictions we made were directly connected with threats to businesses, and most of the predictions proved accurate – three of the four business-related threats have already been fulfilled.

Cybercriminals embraced APT tactics for targeted attacks; APT groups fragmented and diversified their attacks; ATM and PoS attacks did indeed escalate. The only miss is “attacks against virtual payment systems” – and it’s good when the bad predictions don’t come true. But most of them, again, did.

Will the cybersecurity situation in the world improve next year, with all of the ongoing turmoil? It’s hard to say, but what 2015 has definitely proved is that cybersecurity is something that concerns everyone, from housekeepers and self-employed individuals to large enterprises and governments. It’s up to everyone to make the cyberworld a better place.

And Kaspersky Lab is here to help ;)
