The most significant developments in enterprise ICT risk this week were security bulletins and patches from Microsoft and Adobe, as well as updates to the Mozilla and Google Chrome browsers. Enterprise infrastructure components from Cisco and McAfee were updated to address a handful of post-Heartbleed vulnerabilities in OpenSSL. Threat intel collections include: Arbor reported on the Etumbot APT. RSA believes Pandemiya is a contender to replace Zeus. FireEye updated on the “Clandestine Fox” threat actor. Trend Micro followed up last week’s report on VAWTRAK, an up-and-coming financial fraud Trojan gaining traction in Japan, with a report this week on routines in VAWTRAK that abuse software restriction policies. PF Chang’s is dealing with a data breach. DoS attacks struck Evernote, Feedly, and FIFA World Cup sites. In related reports, Incapsula mitigated a multi-vector DDoS on an unidentified online gaming site.
Unless you’ve sworn off the Internet for the past five days, you’re probably already familiar with this week’s top InfoSec headline. Just in case you did decide to ditch Twitter for a few days, allow us to bring you up to speed. The UK’s National Crime Agency, Europol, the FBI and several security firms carried out a joint operation to disrupt the Gameover Zeus botnet and CryptoLocker ransomware. And it seems to have been successful too, at least for the time being. Hopefully the game stays over (sorry, everyone else was doing it). Other notable malware developments include Arbor’s report on the newly discovered Soraya malware and FireEye’s report on new targeted attacks connected to the Molerats campaign. The OpenSSL Foundation issued a security advisory to patch six vulnerabilities, including one that leaves OpenSSL open to man-in-the-middle attacks. Microsoft announced it will release seven bulletins as part of June’s Patch Tuesday update. This week’s facepalm moment comes via the U.S. Secret Service, which is attempting to find software capable of detecting sarcasm on social media in order to rule out potential threats. Even if such magical software existed, the amount of snark on Twitter would crash it in two seconds.
I just realized the other day that we never announced the release of the 2014 DBIR from our blog. Truth be told, we’ve been neglecting the blog in many ways lately (which we will remedy), but it seems a step beyond neglect not to mention our flagship publication.
So here it is – “The 2014 DBIR is out!”
We’re pretty happy with how this one turned out. I’m thrilled with the massive increase in the number of organizations contributing to the report. The more, the merrier, in my opinion. I hope you recognize and appreciate their efforts; talking about data sharing is always easier than actually doing it. They did it, and we’re all better off for it.
I also really enjoyed how much the maturity of our data analysis and visualization improved over the course of the past year. When I first saw an early version of the dataviz represented on the cover last fall, I knew a) it was the main message of this year’s report, and b) it had to be the cover. I won’t say it wasn’t hard work and stressful at times (ok; a lot of times), but it was fun and gratifying to see this DBIR come together.
One thing we really aimed at this year was increasing the report’s usefulness as a decision support aid for all types of organizations. Figure 19 is the foundation of that goal, showing how the frequency of incident patterns differs substantially across industries. Since the release of the report, I’ve had a few questions about that figure, the most common one being “how does it look for just data breaches?” Well, ask and ye shall receive. Here’s Figure 19b, which illustrates the frequency of incident classification patterns per victim industry, FILTERED FOR DATA BREACHES ONLY.
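To make concrete what the “filtered for data breaches only” variant of the figure changes, here is an added example (not DBIR code or data) that builds the per-industry pattern frequency table from a handful of constructed incident records. The record layout (`industry`, `pattern`, `data_disclosure`) is a simplified stand-in for a real incident schema; the distinction it relies on is the one the report itself draws, that a breach is an incident with confirmed data disclosure, so patterns such as DoS that rarely disclose data drop out of the breach-only view.

```python
from collections import Counter, defaultdict

# Constructed sample records (not DBIR data). "data_disclosure" == "Yes"
# marks an incident that is also a confirmed data breach.
SAMPLE_INCIDENTS = [
    {"industry": "Finance", "pattern": "Web App Attacks", "data_disclosure": "Yes"},
    {"industry": "Finance", "pattern": "DoS Attacks", "data_disclosure": "No"},
    {"industry": "Finance", "pattern": "DoS Attacks", "data_disclosure": "No"},
    {"industry": "Finance", "pattern": "Crimeware", "data_disclosure": "Unknown"},
    {"industry": "Retail", "pattern": "POS Intrusions", "data_disclosure": "Yes"},
    {"industry": "Retail", "pattern": "POS Intrusions", "data_disclosure": "Yes"},
    {"industry": "Retail", "pattern": "DoS Attacks", "data_disclosure": "No"},
    {"industry": "Healthcare", "pattern": "Theft/Loss", "data_disclosure": "Yes"},
    {"industry": "Healthcare", "pattern": "Theft/Loss", "data_disclosure": "Unknown"},
    {"industry": "Healthcare", "pattern": "Miscellaneous Errors", "data_disclosure": "Yes"},
]


def is_breach(incident):
    """Only confirmed disclosure counts; 'Unknown' stays an incident."""
    return incident.get("data_disclosure") == "Yes"


def pattern_frequency(incidents, breaches_only=False):
    """Return {industry: {pattern: share}}, where share is the fraction of
    that industry's (optionally breach-filtered) records in each pattern."""
    counts = defaultdict(Counter)
    for inc in incidents:
        if breaches_only and not is_breach(inc):
            continue
        counts[inc["industry"]][inc["pattern"]] += 1
    table = {}
    for industry, c in counts.items():
        total = sum(c.values())
        table[industry] = {p: round(n / total, 2) for p, n in c.items()}
    return table


def render(table):
    """Plain-text view of the table, one industry per block."""
    lines = []
    for industry in sorted(table):
        lines.append(industry)
        for pattern, share in sorted(table[industry].items(), key=lambda kv: -kv[1]):
            lines.append(f"  {pattern:<22} {share:.0%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("All incidents (Figure 19 style):")
    print(render(pattern_frequency(SAMPLE_INCIDENTS)))
    print("\nData breaches only (Figure 19b style):")
    print(render(pattern_frequency(SAMPLE_INCIDENTS, breaches_only=True)))
```

Running it side by side shows the effect the question was really about: in the all-incidents view Finance is dominated by DoS, while in the breach-only view DoS vanishes and Web App Attacks account for everything, because denial of service disrupts but does not disclose.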
Feedback from readers helped us to shape the approach of the 2014 DBIR, and we’d very much appreciate your thoughts on how we can continue to improve our research. Where do we go from here? Should we go on from here (@vzdbir has talked about retiring to a tropical island, but you know how he gets)? Ways to interact are listed in the report, so hit us up on the medium of your choice.
When the InfoSec risk affecting the most people in a week is abuse of their “where’s my iPhone/iPad” app in an extortion attempt, that might indicate it’s been a pretty good week for Verizon Enterprise clients. Another widespread impact: TrueCrypt, used for full-disk encryption among other things, has stopped development and told users to migrate to other solutions. The enterprise impact is probably not as large as the impact on the personal computers of many readers of this blog. We collect intel on data breaches caused by lost or stolen data storage devices almost constantly, so TrueCrypt’s obsolescence takes a great tool for mitigating that risk off the menu. FireEye and iSight Partners provided fresh intelligence on cyber conflict issues with “Strategic Analysis: As Russia-Ukraine Conflict Continues, Malware Activity Rises” and “NEWSCASTER – An Iranian Threat Inside Social Media.” PriceWaterhouseCoopers and the Association of Certified Fraud Examiners published their annual reports. No Targets, no eBays, and Europol shut down a Bulgarian carder operation; a pretty good week for enterprise information risk (knocks on wood).
Monday’s news that the U.S. Department of Justice charged five Chinese People’s Liberation Army personnel with hacking American companies was soon overshadowed by the announcement of a major breach at eBay. As many as 145 million eBay users may have had their personal information compromised after hackers used stolen employee credentials to gain access to a customer database. The company’s handling of the incident might be a good case study on how NOT to handle a data breach. There’s a tempest in a teapot brewing around a recently disclosed use-after-free vulnerability in Internet Explorer 8. There are no reports of exploit code in the wild or ongoing attacks, but the attention surrounding the disclosure has led Microsoft to announce it’s working on a patch that will be released when it’s ready. There were several notable developments on the malware front this week. Damballa reported on the rise of Kovter ransomware, Cisco blogged about exploits for Microsoft Silverlight being added to the Angler exploit kit, and Trend Micro and Kaspersky both reported that the upcoming World Cup is as popular a social lure as ever in malware and scam campaigns. And in results that should surprise no one, the Ponemon Institute and Experian published a study that found data breaches have a negative impact on brand reputation.
Patch Tuesday yielded the most risk-relevant news for Verizon clients, with eight security bulletins from Microsoft, three from Adobe and a new version of the Chrome browser. Microsoft also released KB2871997, Update to Improve Credentials Protection and Management, without a security bulletin. It mitigates the infamous “Pass the Hash” attack (PTH) often used by targeted attackers for lateral movement across a network. But on Wednesday, Craig Freyman reported why PTH will still be a risk for most organizations. Follow-up reports dominated the other risk intelligence: Symantec extended their reporting on the Elderwood project, connecting the group to several attacks using previously unknown vulnerabilities. Avast! followed up their December report on “Browser Ransomware,” including an infographic that’s useful for security awareness. Arbor Networks continued their reporting on Point of Sale malware; start with their blog entry “Into the Light of Day: Uncovering Ongoing and Historical Point of Sale Malware and Attack Campaigns” to reach the PDF report.
It’s spring in the United States, and security reports are popping up like fresh blades of grass. Microsoft released volume 16 of its Security Intelligence Report, AppRiver released its Q1 2014 Global Security Report, IBM and the Ponemon Institute published their 2014 Cost of a Data Breach Study, and Kaspersky published its data on spam in the first quarter of 2014. All worth the read. This coming Tuesday will be busy, as Microsoft pre-announced May’s Patch Tuesday, which will see eight bulletins released to patch vulnerabilities in several of the company’s products. Adobe also issued a pre-announcement for next Tuesday; expect patches to Reader and Acrobat. Two companies that suffered data breaches within the past year announced that they got popped…again. Both Affinity Gaming and Orange announced they suffered additional data breaches recently, and the Orange compromise is already the subject of a new phishing campaign. And in case you missed it, Symantec, a well-known antivirus vendor, proclaimed this week that antivirus was dead. Please forgive us if we don’t hold our breath over that one.
Props to Microsoft’s security and Internet Explorer (IE) teams for turning out a patch in less than a week after FireEye reported “Operation Clandestine Fox” was exploiting a previously unknown vulnerability in IE. And another round of props to Adobe’s PSIRT and Flash Player teams for also responding with a patch to close a vulnerability Kaspersky reported was being exploited in watering hole attacks lurking on the Syrian Justice Ministry’s web site. The Australian Financial Review reported hackers from the People’s Republic of China breached the e-mail system of the Australian Parliament in 2011 and may have persisted for a year. Wednesday, UltraDNS reported one of their customers was targeted for a DoS attack, and the collateral damage affected almost all their customers, to some extent, until they mitigated the attack. Once you’ve absorbed the Verizon DBIR, new intelligence reports this week include RSA’s updated report on cybercrime. And Trend Micro extended their series on the underground economy with a new report on the Russian underground. Brush up your speed reading because the Spring edition of Microsoft’s Security Intelligence Report is due.
It’s baaaaack. We’re pleased to announce, along with our 51 other contributors, the release of the 2014 Data Breach Investigations Report (no registration required). The format of this year’s report is a bit different from that of previous DBIRs, but we hope the changes help to provide you with even more actionable analysis. Be sure to take a look and tell all your friends about it. The Verizon Cyber Intelligence Center (VCIC) continued to collect intelligence on Heartbleed this week. Our more compelling collections include Mandiant’s analysis of the vulnerability being exploited in targeted attacks, Meldium’s report on “reverse” Heartbleed and CrowdStrike’s newly released Heartbleed scanning tool. In the malware space, Fortinet reported on a new version of Gameover Zeus, RSA provided insight into how to detect Gameover Zeus, Arbor released a report on a new DoS bot dubbed Eclipse, and Symantec provided an update on a social engineering and malware campaign known as Operation Francophoned, which it discovered last year. Iowa State University suffered a breach at the hands of Bitcoin mining attackers, AOL Mail experienced an attack that resulted in a major spam campaign, and NullCrew took responsibility for hacking nine sites including the University of Virginia and Spokeo. Next to the DBIR, this week’s best intelligence comes via Websense’s sobering white paper on Java vulnerabilities and exploits. Did we happen to mention the 2014 DBIR came out this week?
The Heartbleed vulnerability in OpenSSL dominated all phases of the intelligence cycle again this week. Cloudflare, with some outside help, settled the question of whether the vulnerability threatens Public Key Infrastructure components—it does. The Heartbleed Bug Health Report and Sucuri each provided some good news, with metrics on how large the attack surface is (less than 5% of the Internet) and on the attacks observed. Mashable has a superb page to help determine whether or not you should change your password for your favorite sites. Oracle released their quarterly Critical Patch Update addressing 37 vulnerabilities in Java among a total of 104 across their products. DLR, the German Space Center, and the digital storage company LaCie led the more significant new data breaches reported. Brian Krebs added to the intelligence on the Michaels Stores data breach, following up his report from January.