
Information Security Review

1/2013


Introduction

During the first quarter, CERT-FI processed 1,169 information security incidents and 34 significant cases of communications network disruption.

Figure 1. Incidents processed by CERT-FI in January–March 2013. Vocabulary: Haastattelu = Interview; Neuvonta = Advice; Palvelunestohyökkäys = Denial of Service (DoS); Haavoittuvuus tai uhka = Vulnerability or threat; Hyökkäyksen valmistelu = Preparation of an attack; Muu tietoturvaongelma = Other information security problem; Haittaohjelma = Malware; Tietomurto = Data break-in; Tietojenkalastelu = Phishing.

The review discusses, among other things, information security vulnerabilities of automation systems and the cyberespionage malware case called Red October, targeting governmental organisations, whose worldwide spread was reported by Kaspersky Lab in January. The review also highlights key network attacks that have taken place abroad.

Recurring phenomena worth mentioning include Zeus and Conficker, which were the most common malware cases in Finland both in 2012 and January–March 2013. The ransomware circulating in the name of the police also shows no signs of waning. Other recurring phenomena included vulnerabilities in commonly used software, such as Java, Adobe Flash Player and web browsers.

Finnish communication networks worked well in January–March. During the first months of the year, telecoms operators reported a total of three disruptions with very far-reaching consequences for consumers. The disruptions mainly concerned the services of the mobile communication network. There were no significant long-term disruptions, nor disruptions resulting from natural phenomena affecting several telecoms operators, in the first quarter. Similarly, no new severe information security threats emerged in the seven incident reports submitted to CERT-FI in the first quarter. The reports mainly concerned data break-ins whose adverse effects remained minor, as the events had been noticed and addressed in time.

Summary of the Annual Review 2012

The most common information security threats in 2012 were DoS attacks and malware infections. In particular, DoS attacks targeting the media, software vulnerabilities, data break-ins and ransomware infections kept CERT-FI busy. The most significant individual case of communication network disruption concerned a disruption of the electrical network caused by heavy snow load, which caused problems in the mobile communication networks of several telecoms operators.

Information security of automation systems

Researchers at Aalto University are using the Shodan search engine to look for automation systems that can be accessed over the internet, in the DiSCI project funded by TEKES. Shodan scans the internet for reachable devices, contacts the most common ports on the devices it finds, and saves the responses (banners) it receives in a database. The database can be searched with keywords, which may include specific TCP or UDP ports or system identifiers such as a manufacturer's name.

Slightly under 2,000 Finnish automation systems were discovered in the study. The devices included industrial automation systems, building management systems and web cameras. The IP addresses have been submitted to CERT-FI, which has reported the information to the parties responsible for the devices. They can remove the unprotected systems from the network or raise their level of protection so that they cannot be accessed by unauthorised users. Most of the automation devices had been connected to the internet deliberately. However, one should bear in mind that weak passwords and other vulnerabilities make it easy to break into such devices.

Shodan's data can also be used to detect vulnerable software, by comparing it with the vulnerability bulletins issued by the US-based ICS-CERT, for example. Some vulnerability researchers and hardware testers do not follow the principle of responsible disclosure: information on vulnerable automation software and devices is published online without the software manufacturer having the opportunity or time to release a patch.

In addition to software vulnerabilities, open devices connected to the network are exposed to break-ins. Besides a conventional browser-based management interface, the systems may have a telnet administration interface whose access rights are managed with separate accounts and passwords. The systems may also be built from various software libraries in which vulnerabilities are discovered from time to time. Such vulnerabilities can be used to put the server software running on the device into a denial of service state, after which restarting it may, in the worst case, require switching the power off and back on.
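The kind of search the study describes, done over a handful of banner-scan records, as an added example (this is not Aalto University's, Shodan's or CERT-FI's code). The records are constructed; the port and keyword rules are assumptions based on common defaults (Modbus/TCP on 502, Siemens S7 on 102, BACnet/IP on UDP 47808, telnet on 23), and the notification batches simply group hits per /24 so each responsible network gets one report:

```python
"""Classify internet-exposed devices from banner-scan records, Shodan-style.

Added example, not the project's or CERT-FI's code. SAMPLE_RECORDS are constructed;
RULES are assumptions reflecting common automation-protocol ports and vendor strings.
"""
import ipaddress
from collections import defaultdict

# Constructed scan records in the shape a banner-scan database would hold.
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10", "port": 502, "transport": "tcp", "banner": ""},
    {"ip": "192.0.2.10", "port": 23, "transport": "tcp", "banner": "login: "},
    {"ip": "192.0.2.45", "port": 80, "transport": "tcp",
     "banner": "HTTP/1.1 200 OK\r\nServer: Siemens S7 Web Server\r\n"},
    {"ip": "198.51.100.7", "port": 47808, "transport": "udp", "banner": "BACnet"},
    {"ip": "198.51.100.9", "port": 8080, "transport": "tcp",
     "banner": "HTTP/1.1 200 OK\r\nServer: Boa/0.94 webcam\r\n"},
    {"ip": "203.0.113.2", "port": 443, "transport": "tcp",
     "banner": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"},
]

# Assumed classification rules: (category, well-known ports, case-insensitive banner keywords).
RULES = [
    ("industrial automation", {502, 102, 44818, 20000}, ("modbus", "siemens", "simatic", "plc", "scada")),
    ("building automation", {47808, 1911, 4911}, ("bacnet", "niagara", "lonworks")),
    ("webcam", set(), ("webcam", "ipcam", "netcam", "dvr")),
]


def classify(record):
    """Return the first category whose port set or keyword list matches, or None."""
    banner = record["banner"].lower()
    for category, ports, keywords in RULES:
        if record["port"] in ports or any(k in banner for k in keywords):
            return category
    return None


def search(records, query):
    """Minimal Shodan-like query: 'port:502' filters on port, anything else is a banner keyword."""
    if query.startswith("port:"):
        port = int(query.split(":", 1)[1])
        return [r for r in records if r["port"] == port]
    needle = query.lower()
    return [r for r in records if needle in r["banner"].lower()]


def exposure_report(records):
    """Group matching devices by IP and note a telnet administration interface on the same host."""
    by_ip = defaultdict(lambda: {"categories": set(), "telnet": False})
    for r in records:
        cat = classify(r)
        if cat:
            by_ip[r["ip"]]["categories"].add(cat)
        if r["port"] == 23 and r["transport"] == "tcp":
            by_ip[r["ip"]]["telnet"] = True
    # Hosts with only telnet and no automation category are not automation systems; drop them.
    return {ip: v for ip, v in by_ip.items() if v["categories"]}


def notify_batches(report, prefix_len=24):
    """Bucket flagged IPs per prefix so each responsible network receives one notification."""
    batches = defaultdict(list)
    for ip in sorted(report, key=ipaddress.ip_address):
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        batches[str(net)].append(ip)
    return dict(batches)


if __name__ == "__main__":
    rep = exposure_report(SAMPLE_RECORDS)
    for ip, info in rep.items():
        flag = " (telnet open)" if info["telnet"] else ""
        print(ip, sorted(info["categories"]) + [flag] if flag else sorted(info["categories"]))
    print(notify_batches(rep))
```

Port-only hits (the Modbus record has an empty banner) are deliberately treated as matches: an automation protocol answering on its default port is the exposure, whatever the banner says.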


UPnP vulnerabilities in home entertainment devices

Home entertainment devices that have not been updated may be vulnerable and, in the worst case, can be used for criminal activities. CERT-FI issued a vulnerability bulletin on the matter, "UPnP vulnerability in millions of home network routers", on 30 January 2013. Devices for home use in particular (smart TVs, media players, digital TV receivers, ADSL and USB modems) often use the Universal Plug and Play (UPnP) protocol. With it, a smart TV, for example, can receive discovery requests from other devices, such as media players, on UDP port 1900, and also from the internet if that port is reachable there. UPnP support is enabled by default in Microsoft Windows, Mac OS X and several versions of Linux.

If specially crafted packets are sent to the device, its software can be crashed or malicious code run on it. In this way, the attacker can gain control of the device or change its settings.

Unprotected home devices are as unsafe as a computer without any security software. It is therefore safest to assume that the vulnerability affects one's own device and act accordingly. Protecting against the vulnerability can be difficult for a home user and may require studying how the device works. The first thing to ensure is that UPnP is not accessible from the internet. The setting can be found in the management user interface of most devices. CERT-FI has been informed that on certain devices the UPnP service does not actually switch off even though the management interface shows it as disabled, so the setting should be verified from outside the home network rather than trusted.

If there is no specific need for UPnP, it is recommended to switch it off completely. If there is a firewall between the device using UPnP and the internet, connections from the internet to UDP port 1900 should be blocked entirely. The vulnerability itself can only be fixed by updating the device's software to a patched version; this, too, usually takes place via the same management interface. Patches may not be available at all for older devices. Information on software updates and on fixing the vulnerability should be sought from the device manufacturer's own support site.
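A way to verify from outside that UPnP really is off, added here as an example and not taken from CERT-FI's bulletin: it sends the standard SSDP M-SEARCH discovery request (the message UPnP devices answer on UDP port 1900) to one address and reports any reply. A device that answers discovery is reachable over UPnP regardless of what its settings page claims. The target address and the sample reply are constructed for the example; run `probe` against your router's public address from a host outside your network.

```python
"""Check whether a device answers UPnP/SSDP discovery on UDP port 1900.

Added example, not code from CERT-FI or any device vendor. The default target and
SAMPLE_REPLY are constructed; the M-SEARCH format is the one UPnP devices expect.
"""
import socket

SSDP_PORT = 1900
SSDP_MULTICAST = "239.255.255.250"


def build_msearch(host=SSDP_MULTICAST, port=SSDP_PORT, mx=2):
    """Build the SSDP M-SEARCH discovery request (HTTP over UDP) as bytes."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {host}:{port}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        "ST: ssdp:all",
        "", "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_reply(data):
    """Parse an SSDP reply into a dict of lower-cased headers; None if it is not a 200 reply."""
    try:
        text = data.decode("iso-8859-1")
    except UnicodeDecodeError:
        return None
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def probe(target, timeout=3.0):
    """Unicast one M-SEARCH to target and collect replies until the timeout. Needs network access."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(build_msearch(host=target), (target, SSDP_PORT))
        while True:
            try:
                data, addr = sock.recvfrom(65535)
            except socket.timeout:
                break
            parsed = parse_ssdp_reply(data)
            if parsed is not None:
                replies.append((addr[0], parsed))
    finally:
        sock.close()
    return replies


def is_exposed(replies):
    """Any discovery reply means the UPnP service is reachable from where the probe ran."""
    return len(replies) > 0


# Constructed reply in the shape a UPnP root device returns to M-SEARCH.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 ExampleSDK/1.0\r\n"
    b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # assumed: your router's public address
    replies = probe(target)
    if is_exposed(replies):
        for src, hdrs in replies:
            print(f"{src} answers SSDP: server={hdrs.get('server')} location={hdrs.get('location')}")
    else:
        print(f"no SSDP reply from {target} within timeout")
```

The SERVER header of a reply names the UPnP stack and version, which is what to compare against the vendor's patch information; the LOCATION URL is the device description an attacker would fetch next.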

Malware attacks

Malware attacks targeting governmental organisations

Observations of malware infections with a pre-defined target have been increasing in recent years. Early in the year, the Russian information security company Kaspersky Lab published reports on two malware threats, disclosing malware campaigns targeted at governmental organisations and research facilities, among others. The Red October spyware (Rocra) was reported in January and the Miniduke malware in February.

Means of spreading

The main purpose of the malware has been to steal files from the computers of the target organisation and from the smartphones connected to them. Both malware threats have been spread via e-mail attachments. Red October used Word and Excel files, Miniduke used PDF files. The files contained malicious code that exploited known software vulnerabilities.

Identifying a malware infection

CERT-FI has published information on the software vulnerabilities exploited in the attacks for both malware threats in its Information Security Now! articles. Details of the command and control servers used by both Red October and Miniduke have been published. In addition, the reports by Kaspersky Lab include examples of the e-mail messages and attachments used for spreading the malware, which help in detecting infection attempts. Based on these details, organisations that suspect their information systems have been compromised can look for malware infections.

Distribution of malware

According to Kaspersky's reports, Red October infections have been detected in over 300 individual cases in dozens of countries, including Finland. Close to 60 Miniduke infections have been found in a total of 23 countries, but none in Finland. Miniduke observations have mainly been made in Eastern Europe, whereas Red October infections have been detected all around the world.

Observations in Finland

CERT-FI contacted Kaspersky in January and requested information on the infection in Finland mentioned in the Red October report. The company provided information indicating that a computer behind a Finnish subscriber line had been infected with the malware. At the same time, it turned out that this case was not associated with Finnish governmental organisations.

Malware attacks in South Korea

South Korea was subjected to a malware attack in early March. The attack targeted several banks and television stations. The attack had no impact on Finland.

DoS attacks

DoS attacks in the Czech Republic

Significant online news services in the Czech Republic were exposed to DoS attacks in early March. In December 2012, Finnish media companies were also targeted by DoS attacks.

DoS attacks against Spamhaus

Unprotected Finnish DNS servers were used in an extensive DoS attack targeting a US-based service provider towards the end of March. The attack misused open DNS resolvers: with them, the attacker was able to multiply the traffic volume of the attack. Over one hundred Finnish IP addresses were detected in the attack traffic. CERT-FI has been in contact with Finnish telecoms operators so that the servers' use in DoS attacks could be prevented. The attack against Spamhaus ended on 27 March.


The use of falsified source addresses could be prevented if all internet operators implemented filtering according to BCP 38 (Best Current Practice 38, RFC 2827, and its update BCP 84, RFC 3704), allowing traffic out of the operator's network only with IP source addresses belonging to the operator itself or its customer networks. Unfortunately, far from all foreign operators use such filtering. It is difficult to use Finnish networks in DoS attacks based on false source addresses, as operators block traffic with falsified sender addresses on customer subscriptions in accordance with regulations 13 (available in Finnish and Swedish) and 28 issued by the Finnish Communications Regulatory Authority (FICORA).
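The two mechanisms the attack relied on and the filter that defeats the second, as an added example (not CERT-FI's, FICORA's or any operator's code): an open-resolver check on the DNS response header, the amplification factor a resolver hands the attacker, and a BCP 38 style source-address check at the customer edge. The DNS packets are built by hand in the RFC 1035 wire format and are constructed for the example (a real answer to an ANY query is usually far larger than three A records); the customer prefixes are assumptions.

```python
"""Recognise an open resolver from its answer, measure the amplification it gives an
attacker, and apply a BCP 38 style source-address filter.

Added example; not code from CERT-FI, FICORA or any operator. Packets are constructed
in RFC 1035 wire format; CUSTOMER_PREFIXES is an assumed assignment for one subscriber.
"""
import ipaddress
import struct


def build_query(name, qtype=255, txid=0x1234, recursion_desired=True):
    """Minimal DNS query. qtype 255 (ANY) is favoured by attackers because its answers are large."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(packet):
    """Header fields an open-resolver check needs (RFC 1035 section 4.1.1)."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "recursion_desired": bool(flags & 0x0100),
        "recursion_available": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "questions": qd, "answers": an, "authority": ns, "additional": ar,
    }


def is_open_resolver(query, response):
    """True when a server answers a recursive query for a name it is not authoritative for
    with RA set, NOERROR and answer records. Sent from outside the server's own network,
    that is the signature of an open resolver usable for amplification."""
    q, r = parse_header(query), parse_header(response)
    return (r["is_response"] and r["id"] == q["id"] and r["recursion_available"]
            and r["rcode"] == 0 and r["answers"] > 0)


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker sends (UDP payload only)."""
    return len(response) / len(query)


def bcp38_allows(src_ip, customer_prefixes):
    """Ingress filter on a customer-facing interface (BCP 38 / RFC 2827): forward a packet
    only if its source address belongs to the prefixes assigned to that customer."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in customer_prefixes)


def build_sample_response(query, addresses, recursion_available=True):
    """Constructed response for the example: echoes the question and adds one A record per
    address, using a compression pointer (0xc00c) back to the question name."""
    q = parse_header(query)
    flags = 0x8100 | (0x0080 if recursion_available else 0)
    header = struct.pack("!HHHHHH", q["id"], flags, 1, len(addresses), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(a).packed
        for a in addresses
    )
    return header + query[12:] + answers


SAMPLE_QUERY = build_query("example.com")
SAMPLE_RESPONSE = build_sample_response(SAMPLE_QUERY, ["192.0.2.1", "192.0.2.2", "192.0.2.3"])
SAMPLE_CLOSED = build_sample_response(SAMPLE_QUERY, ["192.0.2.1"], recursion_available=False)
CUSTOMER_PREFIXES = ["192.0.2.0/24", "2001:db8:1::/48"]  # assumed assignment for one subscriber

if __name__ == "__main__":
    print("open resolver:", is_open_resolver(SAMPLE_QUERY, SAMPLE_RESPONSE))
    print("amplification: %.2fx" % amplification_factor(SAMPLE_QUERY, SAMPLE_RESPONSE))
    # A packet claiming the victim's address as its source is dropped at the customer edge.
    print("forward spoofed 198.51.100.1:", bcp38_allows("198.51.100.1", CUSTOMER_PREFIXES))
```

The amplification here is under 3x only because the constructed answer is tiny; the point of the check is that the factor is the response size divided by the query size, so every extra record a resolver is willing to return for a spoofed query is traffic the victim absorbs. The BCP 38 check is what an operator applies per customer port, which is why a spoofed source cannot leave a network that filters.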

Problems with certificate systems

In addition to technical solutions, the reliability of certificate systems is largely based on the reliability of the certificate authority's activity.

Case TURKTRUST

Google's certificate monitoring mechanism (public key pinning) built into the Google Chrome browser detected a fraudulent certificate on Christmas Eve, 24 December 2012. The certificate had been issued for *.google.com, i.e. any host name directly under google.com, such as mail.google.com. It chained to the Turkish certificate authority TURKTRUST. TURKTRUST reported that it had accidentally issued two intermediate CA certificates, one for *.EGO.GOV.TR addresses and the other for the e-islem.kktcmerkezbankasi.org address. The former was subsequently used to issue the certificate for *.google.com. It is not yet known in which kinds of attacks the certificate has been used.

An unauthorised certificate can be exploited in espionage attacks, for example, as browsers without such pinning do not detect the page as forged. Forged sites could be used to harvest user IDs and passwords for Google services, or to carry out an SSL man-in-the-middle attack in which encrypted data traffic is decrypted without the user noticing. Google and Mozilla have announced that they have removed trust in the certificates from their Chrome and Firefox browsers. Microsoft has also distrusted them through an update to the Certificate Trust List (CTL); that update is installed automatically on all supported Windows versions.
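What the browser-side check does with a certificate like the TURKTRUST one, as an added example (this is not Google's or any browser's code): host name matching with the one-label wildcard rule, and a public key pin check over the chain. The pin passes if any certificate in the chain has a pinned SubjectPublicKeyInfo, which is how a chain that validates to the system root store but was not issued through the expected CA is caught. The SPKI blobs and the pin set are constructed stand-ins, not real Google pins.

```python
"""Host name matching and public key pinning for a certificate chain.

Added example, not Google's or any browser's code. GOOGLE_ROOT_SPKI, OTHER_CA_SPKI and
PINS are constructed stand-ins for DER-encoded SubjectPublicKeyInfo values and real pins.
"""
import base64
import hashlib


def wildcard_matches(pattern, hostname):
    """RFC 6125 style matching: '*' covers exactly one leftmost label and never a dot, so
    '*.google.com' matches mail.google.com but not google.com, a.b.google.com or evilgoogle.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if len(p_labels) < 3:  # '*.com' style wildcards over a public suffix are not accepted
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def spki_pin(spki_der):
    """Pin in the form Chrome and HPKP use: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_pinned(chain_spkis, pin_set):
    """A chain passes if any certificate in it (leaf, intermediate or root) matches a pin."""
    return any(spki_pin(s) in pin_set for s in chain_spkis)


def validate(hostname, cert_names, chain_spkis, pin_set):
    """Return (name_ok, pin_ok). A chain that is valid to the system roots but fails the pin
    is exactly the mis-issuance case described above: right name, wrong issuer."""
    name_ok = any(wildcard_matches(n, hostname) for n in cert_names)
    pin_ok = chain_pinned(chain_spkis, pin_set)
    return name_ok, pin_ok


# Constructed SPKI blobs standing in for DER-encoded public keys.
GOOGLE_ROOT_SPKI = b"constructed-spki-of-the-expected-google-chain-root"
OTHER_CA_SPKI = b"constructed-spki-of-an-unrelated-intermediate-ca"
PINS = {spki_pin(GOOGLE_ROOT_SPKI)}

if __name__ == "__main__":
    # Legitimate chain: name matches and a pinned key is present.
    print(validate("mail.google.com", ["*.google.com"], [b"leaf", GOOGLE_ROOT_SPKI], PINS))
    # Mis-issued chain: name matches, no pinned key anywhere in the chain.
    print(validate("mail.google.com", ["*.google.com"], [b"leaf", OTHER_CA_SPKI], PINS))
```

In practice pins are kept on an intermediate or root rather than the leaf so that routine certificate renewal does not break the pin; the chain-wide `any` above is what makes that work.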

Case Diginotar

A data break-in into the systems of the Dutch certificate authority Diginotar was discovered at the end of August 2011. The intruder had been able to issue several certificates for various domains and web addresses, and had probably had access to the systems for months before the break-in was detected. The Dutch authorities took over Diginotar's operations after the break-in was discovered, and Diginotar thereby lost its trustworthiness as a certificate authority. It turned out that the company had neglected information security and failed to report the event to the authorities. The company has since been declared bankrupt and has closed down its operations.


Case Comodo

Unauthorised certificates were also issued previously, as the result of a break-in at a registration authority partner of the information security company Comodo in March 2011. The attacker was able to issue nine fraudulent SSL certificates using a stolen password. The certificates were issued for the following seven names: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org, login.live.com and "global trustee". According to Comodo's release, only the certificate issued for login.yahoo.com has been verifiably misused. After the attack was discovered, Comodo revoked all of the fraudulent certificates.

Trust is the foundation of the entire certificate system, so it is important that certificate authorities act responsibly in cases of suspected break-ins and actively communicate about attacks and their effects. In Finland, the reliability of qualified certificate service providers and strong electronic identification service providers is partly based on supervision by the authorities. In accordance with regulation 7 issued by FICORA, certification authorities providing qualified certificates and strong electronic identification must inform FICORA, without undue delay, of any significant threats or disruptions concerning the information security of the service, as well as of the measures taken to rectify them.

Malware infections in Finnish IP addresses

CERT-FI Autoreporter is a service, provided by CERT-FI since 2006, that automatically collects observations of malware and information security violations concerning Finnish networks and reports them to network administrators. In January–March, the system processed approximately 61,500 reports covering 27,400 individual IP addresses.

The statistics below present the daily malware infections processed by CERT-FI Autoreporter. The statistics do not take into account whether the same infected device appears in the report on several consecutive days or whether these are isolated cases. The number of IP addresses in the reports does not directly indicate the number of individual computers infected with malware. This is because changing (dynamic) IP addresses are commonly used in broadband subscriptions. In addition, corporate networks customarily have several computers behind a single public IP address.
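The difference between the numbers the text separates (reports, distinct addresses, and an estimate of infections that does not count the same address on consecutive days twice), worked on a few constructed report lines as an added example. This is not CERT-FI's Autoreporter code; the "date,ip,malware" line format is an assumption, since the real feed's format is not given here.

```python
"""Report counts, distinct addresses and a consecutive-day infection estimate from
per-IP malware reports.

Added example, not CERT-FI Autoreporter code. SAMPLE_REPORTS is constructed in an
assumed "date,ip,malware" form.
"""
from collections import defaultdict
from datetime import date

SAMPLE_REPORTS = """\
2013-03-25,192.0.2.10,zeus
2013-03-26,192.0.2.10,zeus
2013-03-27,192.0.2.10,zeus
2013-03-25,192.0.2.20,conficker
2013-03-27,192.0.2.20,conficker
2013-03-26,198.51.100.5,zeus
2013-03-26,198.51.100.5,conficker
2013-03-29,192.0.2.10,zeus
"""


def parse_reports(text):
    """Return a list of (date, ip, malware) tuples from the constructed lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, ip, mw = line.split(",")
        rows.append((date.fromisoformat(d), ip, mw))
    return rows


def daily_counts(rows):
    """Reports per day, in date order; this is what a daily statistic plots, repeats included."""
    per_day = defaultdict(int)
    for d, _, _ in rows:
        per_day[d] += 1
    return dict(sorted(per_day.items()))


def summary(rows):
    """Total reports and distinct IP addresses, the two headline figures."""
    return {"reports": len(rows), "unique_ips": len({ip for _, ip, _ in rows})}


def estimate_infections(rows, max_gap_days=1):
    """Collapse runs of the same (ip, malware) seen on consecutive days into one infection
    episode. A gap longer than max_gap_days starts a new episode, since a dynamic address may
    have been reassigned in between. This still over-counts NATed networks (many hosts, one
    address) and under-counts address churn, the two caveats given above."""
    by_key = defaultdict(list)
    for d, ip, mw in rows:
        by_key[(ip, mw)].append(d)
    episodes = 0
    for dates in by_key.values():
        dates.sort()
        last = None
        for d in dates:
            if last is None or (d - last).days > max_gap_days:
                episodes += 1
            last = d
    return episodes


def malware_share(rows):
    """Percentage of reports per malware family, as in the ZeuS and Conficker shares."""
    counts = defaultdict(int)
    for _, _, mw in rows:
        counts[mw] += 1
    total = len(rows)
    return {mw: round(100 * n / total, 1) for mw, n in counts.items()}


if __name__ == "__main__":
    rows = parse_reports(SAMPLE_REPORTS)
    print(summary(rows))
    print({d.isoformat(): n for d, n in daily_counts(rows).items()})
    print("estimated infections:", estimate_infections(rows))
    print(malware_share(rows))
```

The same eight report lines give 8 reports, 3 addresses and 6 infection episodes with a one-day gap allowance, or 4 episodes if gaps of up to three days are tolerated; which estimate is right depends on how quickly the operator's address pool is reassigned.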


Figure 2. Autoreporter statistics Q1/2013. In the statistics, dates are in the format yyyy-mm-dd.

The peak in the statistics at the end of March was due to a large number of malware infections used for relaying spam found among the customers of one telecoms operator. Thanks to the operator's swift reaction, the number of daily malware observations quickly fell back to the average of around 600 infections.

The most common malware in January–March were ZeuS (42%) and Conficker (16%). The most common malware in 2012 were likewise ZeuS, with a share of 35%, and Conficker, with a share of 18%. ZeuS steals online banking credentials while the user is using banking services.

In 2012, over 184,000 reports were sent via Autoreporter. Based on the volumes during the first quarter, one can assume that the total number of reports will increase in 2013.

Ransomware Reveton

If a computer does not start normally but instead shows a message demanding payment to unlock it, ransomware is probably involved. To increase its credibility, the ransomware message is usually written in the name of the police. The stated reason for the lockdown is, for example, the user's alleged visit to illegal sites. Ransomware can infect a user's computer when the user visits adult entertainment sites, for example.


Figure 3. Screenshot of a lockdown message (source: F-Secure weblog)

In reality, the police do not operate in this way, so do not pay. There are several versions of the malware in circulation, and therefore it is close to impossible to prepare up-to-date cleaning instructions that work for all versions. If your own skills are not sufficient, the infected computer should be cleaned up by an IT service firm.

This is a 21st century phenomenon that has caused problems for users for several years in Finland, Russia and North and South America, to name a few places. The malware is also known as Reveton. There are different versions of the ransomware for different countries and language areas, and the content of the message varies according to the country in which the malware is spread. In the United States, it is claimed that the FBI has locked the computer, while in Argentina it is said to be done by the Policía Federal Argentina (PFA). Reveton and other ransomware are continuously developed so that their authors' criminal yet profitable activity continues for as long as possible.

In February 2013, the Spanish police arrested a group of criminals whose ransomware had also ended up on Finnish computers. The significance of the arrest will probably remain rather minor globally, as other groups operate in the same way. Although the phenomenon is well known, CERT-FI's customer service still receives requests for advice on unlocking Reveton every week. Several Information Security Now! news items have been published on the matter, and it was also discussed in CERT-FI's Annual Review 2012.

Phishing for user information

CERT-FI is regularly informed of phishing attempts aiming to steal log-in credentials to Twitter and Facebook, for example. Messages asking "Did you see this pic of you?" have been circulating in the Twitter microblogging service. The message contains a shortened address, and by clicking it the user arrives at a site that misleadingly looks like Twitter's own site.

The stolen credentials can be used for sending similar messages to other Twitter users. It is also possible that a user who subsequently clicks the shortened address will be targeted with an attempt to infect their computer with malware. Similar attempts are relatively common in social media. Often, however, the clicks aim to guide users towards installing a Facebook application or authorising the phishing site to use the contact details saved in the service.

Vulnerabilities in commonly used software

New vulnerabilities are found continuously in commonly used software. They can be used for infecting computers with malware. Updating the software to the newest published versions can prevent the abuse of known vulnerabilities.

Java

Vulnerabilities in Java repeatedly make the headlines, and early 2013 was no exception. In 2012, CERT-FI published a total of seven vulnerability bulletins concerning Java; so far this year there have already been four. Java vulnerabilities are used in spreading spyware, among other things. Java is an extensive hardware-independent programming language and software platform that originated in 1995. According to Oracle, the Java platform is used in approximately four billion devices, ranging from lifts to computers. Because it is so widespread, Java is an attractive and easy target: a vulnerability found in it can be exploited on a large scale.

CERT-FI has recommended that Java be disabled in browsers unless its use is absolutely necessary. If using an online banking facility, for example, is impossible without Java, CERT-FI has recommended the use of two separate browsers, with only one containing the Java add-on.

Adobe Flash Player, Reader and Acrobat

Uses for the Adobe Flash Player software include playing back YouTube videos and displaying ads on websites. According to Adobe, Flash Player is installed on over 500 million devices. This software should be kept up to date, as its vulnerabilities are actively exploited. In early 2013, CERT-FI has issued four vulnerability bulletins on Flash Player and two on Adobe Reader and Acrobat. The figures are considerable, as CERT-FI issued nine Flash Player bulletins and three Reader and Acrobat bulletins in all of 2012.


Web browsers

Exploiting web browser vulnerabilities makes it possible to infect the user's terminal simply by having the user visit a compromised website. The risk of a malware infection decreases considerably if an up-to-date browser version is used.

CERT-FI issued 12 vulnerability bulletins on browsers in January–March. They concerned the Google Chrome, Internet Explorer, Mozilla Firefox, Safari and Opera browsers. A total of 45 vulnerability bulletins concerning browsers were issued in 2012.

Deviations in the public communications network

Finnish communication networks worked well in January–March. During the first months of the year, telecoms operators reported a total of three disruptions with very far-reaching consequences for consumers. Similarly, no new severe information security threats emerged in the seven incident reports submitted to CERT-FI in the first quarter. The reports mainly concerned data break-ins whose adverse effects remained minor, as the events had been noticed and addressed in time.

Notification of errors and disruptions in communication networks

During early spring, telecoms operators reported three disruptions with very extensive effects (severity A) on consumers to FICORA:

• 9 January: Disruption in Elisa's mobile network
• 5 February: Disruption in DNA's landline internet connections
• 28 March: Disruption in data connections in Elisa's mobile network

The telecoms operators detected the disruptions quickly, and in all cases the significant customer effects were eliminated within approximately an hour of the start of the disruption. The operators published bulletins on these incidents in the fault notifications on their websites and reported them appropriately to FICORA. In addition, an extensive disruption affected the FST5 channel in Lapland, fortunately at a time when there was no programming on the channel.

Summary of communication network faults and disruptions in 2012

FICORA collected extensive information on disruptions in communication networks during 2012 for the first time in spring 2013. The survey concerned disruptions of a moderate or minor extent, typically affecting less than 1,000 customers for more than half an hour. Telecoms operators continuously report disruptions more severe than this to FICORA. The more detailed analysis of the results continues, and it will be discussed in the next quarterly review.

Based on customer notifications made so far, disruptions in mobile networks and landline broadband subscriptions result in the most work for telecoms operators.


These are also the most commonly used customer-specific services. More than one in four verified disruptions are reported as repaired within six hours of the start of the disruption. In addition, more than half of the disruptions are repaired within two days of being observed. A significant share of even the more severe disruptions are repaired in less than a week.

The share of disruptions lasting for more than a week last year increased as the result of the Tapani storm in late 2011. The repairs caused by the storm continued for weeks during 2012 due to the extent of the repairs and the high number of subscriber lines. Some of the connection faults were not observed and repaired until the spring and summer when people returned to their holiday homes.

Typically, an individual disruption is caused by earthworks severing subscriber lines or network cables. Other cable faults also often disrupt customers' connections. As for network equipment, the DSLAMs (Digital Subscriber Line Access Multiplexers) of landline broadband networks can be rendered unusable by natural phenomena or by software or hardware faults, in which case all of the subscriber connections behind the device are interrupted.

CERT-FI incident reports

In January – March 2013, CERT-FI received a total of eight notifications regarding information security violations targeting telecoms operators, seven of which were classified under section 21 of the Act on the Protection of Privacy in Electronic Communications and therefore as justified incident reports.

CERT-FI's incident reports mainly concerned data break-ins. Individual notifications were also submitted regarding software vulnerabilities. Most of the cases had been detected in time, and therefore the adverse effects of the information security violations remained minor. In addition to vulnerable information systems, threatening situations also arose from human errors, such as making incorrect system connections.

Summary of information security deviations in 2012

In 2012, telecoms operators reported 40 information security violations or threats that had come to their attention and exceeded the reporting threshold. The most significant information security violations during the year included a burglary at a telecoms operator's premises, a data break-in concerning a telecoms operator's DNS servers, and a malware infection discovered in an operator's management network.

The targeting of several media companies by DoS attacks and cases where DNS servers were used for intensifying attack power were also significant matters. In addition, data break-ins targeting VoIP exchanges continued during the year and resulted in financial losses to subscriber customers and telecoms operators. FICORA issued two guidelines on the secure use of VoIP services.


Hacktivist-type DoS attacks, i.e. displays of civil disobedience carried out by disrupting data communications and information systems, have become more common in recent years and were seen in the telecoms operators' own systems and, in particular, in those of their customers.
