The Top-10 of 2011: An “Explosive” Year in Security

By Costin Raiu, Director of Kaspersky Lab's Global Research & Analysis Team

PETALING JAYA, January 6, 2012 - If we had to summarize 2011 in a single word, I think it would have to be “explosive.” The multitude of incidents, stories, facts, new trends and intriguing actors is so big that it makes it very hard to come up with a Top-10 of security stories of 2011. What I was aiming for with this list was to remember the stories that also indicated major trends or the emergence of new major actors on the security scene. By looking at these stories, we can get an idea of what will happen in 2012.

1. The Rise of “Hacktivism”

It’s difficult to imagine someone reading this list who has not yet heard of Anonymous, LulzSec, and maybe TeaMp0isoN. Throughout 2011 these groups together with others were actively involved in various operations against law enforcement agencies, banks, governments, security companies and major software vendors. Sometimes working together, in other cases working against each other, these groups emerged as one of the main groups of actors of 2011, through incidents such as security breaches of networks belonging to the United Nations, security intelligence firm Stratfor, FBI contractor IRC Federal, US Defense contractor ManTech, and the CIA. Interestingly, some of these incidents, such as the Stratfor hack, revealed major security problems such as the storing of CVV numbers in unencrypted format, or extremely weak passwords used by administrators.

Overall, the rise of hacktivism was one of the major trends of 2011, and no doubt it will continue in 2012 with similar incidents.
2. The HBGary Federal Hack

Although related to the first item on this list, I’d like to point this one out as a separate story. In January 2011, hackers from the Anonymous hacker collective broke into HBGary Federal’s webserver – hbgaryfederal.com – through an SQL injection attack. They were able to extract several MD5 hashes for passwords belonging to the company CEO, Aaron Barr, and COO, Ted Vera. Unfortunately, both used passwords that were very simple: six lowercase letters and two numbers. These passwords allowed the attackers to get access to the company’s research documents and tens of thousands of mails stored on Google Apps. I believe this story is relevant because it demonstrates an interesting situation – the use of weak passwords together with old software systems plus use of the cloud can turn into a security nightmare. If the CEO and COO had used strong passwords, none of this would likely have happened. Or, if they’d had multi-factor authentication enabled on Google Apps, the attackers wouldn’t have been able to access the superuser account and copy all the company e-mails. It’s important to point out that even if better security measures had been in place, we can’t rule out the possibility that the ever-persistent hackers wouldn’t have found another way in. Persistence and determination, combined with plenty of time, gives the attackers the upper hand.

3. The Advanced Persistent Threat

Although many security experts despise this term, it has made its way into the media and rocketed to super- popularity with incidents such as the RSA security breach or the imposingly entitled incidents such as operations Night Dragon, Lurid and Shady Rat. Interestingly, many of these operations were not too advanced at all. On the other hand, there were many cases in which zero-day exploits were used, such as in the RSA breach. In this case, the attackers took advantage of CVE-2011-0609 – a vulnerability in Adobe Flash Player – to run malicious code on the target machine. Another interesting zero-day was CVE-2011- 2462, a vulnerability in Adobe Reader, which was used in targeted attacks against U.S. Defense contractor ManTech. Several things stand out in these attacks: Many cases involved zero-day vulnerabilities in Adobe software; many of these attacks were directed at U.S. targets, notably companies working with the U.S. military or government; the Lurid attack was interesting because it mainly targeted countries in Eastern Europe such as Russia or CIS countries. These attacks confirm the emergence of powerful nation-state actors and the establishment of cyber-espionage as common practice. Additionally, many of these attacks seemed to be interconnected and have major global ramifications. For instance, the RSA breach was notable because the attackers stole the database of SecurID tokens, which was later used in another high- profile attack.

4. The Comodo and DigiNotar Incidents

On March 15, 2011 one of the affiliates of Comodo, a company known for its security software and SSL digital certificates, was hacked. The attacker quickly used the existing infrastructure to generate nine fake digital certificates for web sites such as mail.google.com, login.yahoo.com, addons.mozilla.com and login.skype.com. During the analysis of the incident Comodo was able to identify the attacker as operating from the IP address 212.95.136.18 - in Tehran, Iran. But in terms of size this was nothing compared to the DigiNotar breach. On June 17, 2011 hackers began poking around the DigiNotar servers, and over the next five days managed to get access to their infrastructure and generate over 300 fraudulent certificates. The hacker left a message in the form of a digital certificate containing a message in the Persian language: “Great hacker, I will crack all encryption, I break your head!” To make the link with Iran more solid, days later the fake certificates were used in a man-in-the-middle attack against over 100,000 Gmail users from Iran. The attacks against Comodo and DigiNotar have highlighted that that there’s already been a loss of trust in the certificate authorities (CA). In the future CA compromises may become more widespread. Besides, it is likely that more digitally signed malware will appear.

5. Duqu

In June 2010, researcher Sergey Ulasen from the Belarusian company VirusBlokada discovered an intriguing piece of malware that appeared to use stolen certificates to sign its drivers and a zero-day exploit that used .lnk files for replication in a typical Autorun fashion. This malware became world famous under the name Stuxnet, a computer worm containing a very special payload aimed directly at Iran’s nuclear program. Stuxnet hijacked Siemens PLCs at Iran’s Natanz plant and reprogrammed them in a very specific way, indicating one single objective: sabotaging the uranium enrichment process at Natanz. Back then, when I saw the code that reprogrammed the PLCs responsible for controlling the 64,000-RPM centrifuges, I thought to myself that it’s impossible to write something like that without having access to the original schematics and source code. But how could attackers have obtained something as sensitive as the custom code that controls the billion dollar facility? One possible answer lies within the Duqu Trojan. Created by the same people that were responsible for Stuxnet, Duqu was discovered in August 2011 by the Hungarian research lab CrySyS. Originally, it wasn’t known how Duqu infected its targets. Later, malicious Microsoft Word documents exploiting the vulnerability known as CVE-2011-3402 were discovered as a means of Duqu’s penetration. The purpose of Duqu is quite different to Stuxnet. This Trojan is actually a sophisticated attack toolkit, which can be used to breach a system and then systematically siphon information out of it. New modules can be uploaded and run on the fly, without a file system footprint. The highly modular architecture, together with the small number of victims around the world, made Duqu undetectable for years. The first trace of Duqu-related activity we were able to find actually dates back to August 2007. In all the incidents we have analyzed the attackers used an infrastructure of hacked servers to move the data – sometimes hundreds of megabytes – out of the victims’ PCs .

Duqu and Stuxnet represent the state of the art in cyber warfare and hint that we are entering an era of cold cyber war, where superpowers fight each other unconstrained by the limitations of real-world war.


6. The Sony PlayStation Network Hack

On April 19, 2011, Sony learned that its PlayStation Network (PSN) had been hacked. At first the company was reluctant to explain what had happened and claimed that the service, which was suspended on April 20, would be back up in a few days. It wasn’t until April 26 that the company acknowledged that personal information had been stolen, which potentially included credit card numbers. Three days later, reports appeared that seemed to indicate that 2.2 million credit card numbers were being offered for sale on hacker forums. By May 1, the PSN was still unavailable, which left many users not only having had their credit cards stolen but also frustrated at not being able to play the games they’d already paid for. Then in October 2011, the PSN was again making the headlines with 93,000 compromised accounts that had to be locked down by Sony to prevent further misuse. The Sony PSN hack was a major story in 2011 because it indicates, among other things, that in the cloud era, Personally Identifiable Information is conveniently available in one place, accessed over fast Internet links, ready to be stolen in case of any misconfigurations or security issues. In 2011, 77 million usernames and 2.2 million credit cards came to be considered normal “booty” in the cloud era.

7. Fighting Cybercrime and Botnet Takedowns

While the attackers in the PSN incident are still unidentified, 2011 was a definitively bad year for the many cybercriminals who got caught and arrested by law enforcement authorities around the world. The ZeuS gang arrests, the DNSChanger gang takedown, and the Rustock, Coreflood and Kelihos/Hilux botnet takedowns were just a few examples. These indicate an emerging trend: Bringing down a cyber-criminal gang goes a long way towards hampering criminal activity around the world, sending a message to the remaining gangs that this is no longer a risk-free undertaking. One particular case I’d like to mention is the Kelihos takedown, which was performed by Kaspersky Lab in cooperation with Microsoft’s Digital Crimes Unit. Here, Kaspersky Lab initiated a sinkhole operation for the botnet, counting many tens of thousands of infected users per day. And here’s where the big debate starts: Knowing the bot update process, Kaspersky Lab or a law enforcement agency could effectively push a program to all the infected users, notifying them thereof in the process, or even cleaning their machines automatically. In a poll ran on the Securelist website, a whopping 83% voted that Kaspersky Lab should “push a cleanup tool that removes the infections,” despite this being illegal in most countries. For obvious reasons, we haven’t done so, but it outlines the vast limitations of today’s legal system when it comes to fighting cybercrime in an effective manner.

8. The Rise of Android Malware

In August 2010, we identified the first Trojan for the Android platform – Trojan- SMS.AndroidOS.FakePlayer.a, which masqueraded as a media player app. In less than a year, Android malware quickly exploded and became the most popular mobile malware category. This trend became obvious in Q3 2011, in which we discovered over 40% of all the mobile malware we saw in 2011. Finally, we hit critical mass in November 2011 when we uncovered over 1000 malicious samples for Android, which is almost as many as all the mobile malware we have discovered in the past six years! The huge popularity of Android malware can be attributed to several things - most notably the wild growth of Android itself. Secondly, the documentation freely available regarding the Android platform makes the creation of malware for Android quite easy. Finally, there are many who blame Google Market for its weak screening process, which makes it straightforward for cybercriminals to upload malicious programs. While there are only two known malicious programs for iPhone, we are now approaching 2000 Android Trojans already in our collection.

9. The CarrierIQ Incident

CarrierIQ is a small privately-owned company, founded in 2005, and operating out of Mountain View, California. According to their website, CarrierIQ software is deployed on over 140 million devices around the world. Although the declared purpose of CarrierIQ is to collect “diagnostic” information from mobile terminals, security researcher Trevor Eckhart demonstrated how the extent of the information CarrierIQ collects goes beyond the declared simple “diagnostic” purpose, including things such as keylogging and monitoring URLs opened on a mobile device. CarrierIQ is built within a typical Command and Control architecture where system administrators can establish the kind of information that is collected from phones and which information is sent “home.” While it is obvious that CarrierIQ does collect a lot of information from your mobile phone, it doesn’t necessarily mean it is evil, or so we are advised to think by its creators, or companies such as HTC, which support its usage. Being a U.S.-based company, CarrierIQ could be forced to disclose much of the collected information to US law enforcement, if presented with a warrant. This legal loophole could effectively turn it into a government spy and monitoring tool. Whether this may indeed be the case or not, many users have decided that it’s best to get rid of CarrierIQ from their phones. Unfortunately, it isn’t a simple process and is different for iPhones, Android phones and BlackBerrys. In the case of Android, you may have to root your phone in order to get rid of it. Alternatively, many users have decided to flash custom Android firmware instead, such as Cyanogenmod.

The CarrierIQ incident shows that we are totally unaware of what exactly is running on our mobile devices, or the level of control which the mobile operator has over your hardware.

10. MacOS Malware

While I realize that I’m putting myself into the line of fire by even just mentioning Mac OS X malware, I think it’s an important story from 2011 which shouldn’t be overlooked. Products called MacDefender, MacSecurity, MacProtector or MacGuard, which are rogue AV products for Mac OS, appeared in May 2011 and quickly became popular. Distributed through black-hat SEO techniques in Google searches, these programs rely on social engineering to get the user to download, install, and then pay for the “full” version. Most who decide to pay $40 for the supposedly full version later discover that they actually paid $140, and sometimes they paid several times over. The crossing over of PC threats (rogue AV programs being one of the most popular malware categories for PCs) to Macs is an important trend of 2011. In addition to Mac OS rogue AVs, the DNSChanger family of Trojans deserves special mention as well. First identified around 2007, these small Trojans conduct a very simple and straightforward system compromise by changing the DNS settings to point to the criminals’ private DNS servers, before uninstalling themselves. Hence, you may get infected with a DNSChanger, have your DNS settings changed, and think you’re fine because there’s no malware actually on your computer; however, in reality what the criminals do is abuse the DNS communication to make you visit fake websites and perform click fraud and man-in-the-middle attacks. Luckily, in November 2011, the FBI arrested the six Estonian nationals who made up the gang behind the DNSChanger malware. According to FBI data, in the past four years they infected over four million computers in more than 100 countries and generated approximately $14 million in illegal profit. These incidents show that malware for Mac OS is as real as malware for PCs, and that even modern security practices fail against carefully elaborated social engineering techniques. It is without doubt that we will see both platforms continue to be abused in the future.

To summarize, these ten stories are just a tiny speck in the galaxy of 2011 security incidents. The reason I selected them is because they point to the major actors of 2011 who will no doubt continue to play a major role in the cyber- security blockbuster which is around the corner. These are the hacktivist groups, the security companies, the advanced persistent threat in the form of superpowers fighting each other through cyber-espionage, the major software and gaming developers such as Adobe, Microsoft, Oracle and Sony, law enforcement agencies, traditional cybercriminals, Google - via the Android operating system, and Apple - thanks to its Mac OS X platform. The relations among these can be complicated, full of drama, contain many super-secret details, and be as mysterious and darkly dreaming as Showtime’s Dexter. One thing is for sure – these same stars will be playing in all the major 2012 security blockbuster movies.