How was Microsoft Windows exploited in 2014?

Today, we published our research about Windows exploitation in 2014. This report contains interesting information about vulnerabilities in Microsoft Windows and Office patched over the course of the year, drive-by download attacks and mitigation techniques.

The report includes the following information.

  • Vulnerabilities discovered and patched in Microsoft Windows and Office.
  • Statistics about patched vulnerabilities and how they compare with 2013’s statistics.
  • Detailed descriptions of actual exploitation vectors.
  • Vulnerabilities that were exploited in the wild, including a specific table showing ASLR bypass vulnerabilities.
  • Exploitation methods and mitigation techniques for Microsoft’s Internet Explorer web browser (IE).

Last year we saw many exploits that were used for drive-by download attacks. Such attacks are used for silently installing malware. Our report contains detailed information about the nature of drive-by download attacks and how Internet Explorer was improved by Microsoft so that such attacks were mitigated by default.

In the first figure below you can see that Microsoft fixed most of the vulnerabilities in Internet Explorer. Almost all of them belong to the Remote Code Execution type, that is, they can be used to implement drive-by download attacks. This figure includes information about vulnerabilities in Internet Explorer, the Windows GUI subsystem driver, kernel mode drivers, .NET Framework, Windows user mode components and Office.

windows exploitation 1

We can see that a great number of vulnerabilities in the web-browser Internet Explorer have been closed in 2014. Almost all of these vulnerabilities were of the “Remote Code Execution” (RCE) type. This meant that an attacker could execute code remotely in a vulnerable environment, with the help of a specially-crafted web page. Such a web pages could contain special code, called an exploit, to trigger a specific vulnerability. Usually attackers use such exploits for silently installing malware when they detect a vulnerable Windows version. This attack is an example of a drive-by download and this is why we highlighted such exploitations as a major trend in attacks on Internet Explorer, as shown in the Figure below:

windows exploitation 2
Our report includes a specific section describing mitigation techniques that were introduced by Microsoft in the last year. This section covers Windows, Internet Explorer and the EMET tool. Such security features address several types of attack surface. For example, a feature introduced for IE called Out-of-date ActiveX control blocking is useful for blocking all exploits based on vulnerabilities in old versions of Oracle’s Java plugin.

We also look at Local Privilege Escalation (LPE) attacks that are used by attackers for bypassing the browser’s sandbox or to run unauthorized code introduced by malware in kernel mode. In the last year Microsoft addressed a much smaller number of vulnerabilities for win32k.sys than it did in 2013. Unfortunately, today this driver is a major source of such vulnerabilities and often used by attackers.

Cybercrime Trends & Predictions for 2015

Every December the ESET researchers put together their predictions for cybercrime attacks for the coming year. Last year, the emphasis was on internet privacy, a new assault on Androids, and a new wave of hi-tech malware; most of these issues have indeed appeared in blog posts during 2014. Today we offer a summary of the most important trends for 2015.

Targeted attacks

If there is one lesson we have learned in recent years, it is that targeted attacks are a rising trend, and next year won’t be an exception. Most commonly known as Advanced Persistent Threats (APTs), their main differences from traditional cyber-attacks are target selection, plus silence and duration of attack. First of all, in most of these attacks there is a selected target, as opposed to traditional attacks that use any available corporate targets for their purposes. Secondly, these kinds of attacks try to stay unnoticed for longer periods of time. In this context, it is important to note that the attack vector is often targeted social engineering techniques or 0-day exploits.

According to APTnotes repository (a site that collects APT attacks from various publicly-available documents and notes, sorted by year) these kinds of attacks have grown over the past several years from 3 identified attacks in 2010 to 53 known attacks in 2014 and probably many others as yet undiscovered. During 2014 we have published some examples of these attacks, like the new BlackEnergy campaign or the Windigo Operation.

graph-apt-10
According a report from the United States Identity Theft Resource Center there have been 720 major data breaches during 2014, with 304 of them affecting the health industry (42.2%):

DataBreaches
These stats are based on well-known public attacks, so it is reasonable to think that the statistics showing a growing trend is real; the true number, however, is probably bigger, taking into account attacks that never reach the public record because of confidentiality reasons.

Payment systems in the spotlight

In parallel with the growing use of online payment systems, the cybercrime interest in attacking them grows too. At this point, it is already obvious that cybercriminals will continue putting efforts into payment systems as more money circulates on the web. In 2014 alone, we have seen attacks like the one that affected some Dogevault users in May, when some users reported withdrawals just before the site was taken down. Apparently, the funds were in another wallet that contains more than a hundred million Dogecoins, an online currency.

On the other hand, traditional point of sale systems are still widely used and malware authors are well aware of that. In mid-2014 we published a blog post about the worm Win32/BrutPOS that tries to brute-force its way into PoS machines by trying a variety of (overused) passwords in order to log in via Remote Desktop Protocol (RDP).

There are other malware families for POS like JacksPos or Dexter, which could be responsible for big attacks such as Target (data on 40 million cards exposed), or The Home Depot, where 56 million cards were exposed during more than five months of attack (it started in April but was not discovered until almost September, when the company announced the leak).

It is interesting to note that since the BlackPOS source code was leaked in 2012, it will probably facilitate the creation of new variants of this threat that will increase over the next few years.

Bitcoins, ransomware and malware

In line with the previous trend, malware developers will continue putting efforts into online currency and payments systems during 2015.

For example, in the largest known operation of its type to date, a hacker reportedly harvested over $600,000 in digital currency earlier this year using a network of compromised machines. Through infected NAS devices the attacker created a folder named “PWNED” where a program called CPUMiner is stored that can be used to mine Bitcoins and also Dogecoins. Interesting note: this kind of attack creates new money instead of stealing it from compromised users, a brand new way of stealing.

Similarly, the SecureMac site also reported in February a Bitcoin miner that affects Mac OS users. The attacks spreads as a Bitcoin App, a legitimate app recompiled to contain a Trojan.

Finally, ransomware will be a key strategy for malware developers and it will be a more relevant threat in coming years. During 2014, we have seen big companies hit by ransomware (like Yahoo, Match and AOL). In July, ESET researchers published their Android/Simplocker analysis, revealing the first Android file-encrypting TOR-enabled ransomware. In December, in a panel discussion at Georgetown Law called “Cybercrime 2020: The Future of Online Crime and Investigations” it was said that “ransomware is the future of consumer cybercrime”.

Internet of Things -> Attacks on Things

Whole new categories of digital device are getting connected to the Internet, from domestic appliances to home security and climate control, and this trend has been dubbed the Internet of Things or IoT. The trend will accelerate in 2015 but sadly we see no reason why these things won’t become a target for cybercrime. During this year we have seen some evidence of this emerging trend, like attacks on cars shown at Defcon conference using ECU devices or the Tesla car that was hacked to open doors while in motion, as discovered by Nitesh Dhanjani. Attacks and proofs of concept were shown attacking several SMART TVs, Boxee TV devices, biometric systems on smartphones, routers and also Google glasses!

It has to be said that some reporting on IoT hacking has exaggerated the scale of the problem. We mentioned this trend last because, while it probably won’t be a massive problem next year, it is an emerging space for cyber crime. We expect it will take a few more years until it is widely targeted. Nevertheless, this will be a trend, not for its quantity but for its uniqueness and innovation.

Conclusion

These are only the most important topics we have identified as big trends for 2015 in the world of malware and cyber-attacks. There are other current trends like mobile attacks that will continue to rise and much more information to be shared from us.

Six tips to help prevent identity theft online

Private data such as addresses and other personal details can be just as valuable to cybercriminals intent on identity theft as valid credit card details can be to thieves  – if not more so.

Knowing the name, address history and ID numbers of someone with good credit allows a thief to steal not just once – but many times.

What is shocking is how freely many people hand out data which forms the building blocks of identity theft.

A Microsoft survey of 10,000 consumers in 2014 found that the worldwide annual cost of identity theft and phishing could be as high as $5 billion – and the cost of repairing damage to people’s reputation online could be even higher: up to $6 billion, with the 10,000 consumers polled by Microsoft losing  an average of $632.

The survey found that out of more than 10,000 consumers surveyed, 15% said that they had been a victim of phishing, losing an average of $158, a further 13% said their professional reputation had been compromised, costing on average $535 to repair, and 9% said they had suffered identity theft at an average cost of $218.

Thankfully, there are steps you can take both to check that your data is not already available in ‘the wild’ – but also to lock it down so that cybercriminals will (hopefully) ignore you in favour of easier targets.

1. Identity theft: know the warning signs

Signs that your identity details are being used for fraud include letters from your bank appearing to drop in frequency (identity thieves frequently change your banking address so that letters don’t reach you), and letters from financial institutions you don’t recognise.

Keep track on the dates that you normally receive bills and call your institution if you don’t. And always read anything from financial institutions you DON’T recognise.

It’s very easy to dismiss such letters as junk mail – but if you receive a letter from a loan company or credit card company, it’s worth reading to check that someone is not taking loans in your name.

2. If you are posting sensitive information, post it

mail a letter

If you are applying for a credit card, or sending a tax return, you’re sending enough information for a cybercriminal to make money from identity theft.

Don’t send it via a mailbox where it could be stolen (i.e via an employer’s internal mail system). Go directly to a post office, and put it into the box yourself.

3. Even if you have been banking online for years, change the password

change your password

Your bank and credit card company passwords are among the most important ones you have when it comes to protecting yourself against identity theft – but if you’ve been using the same service for years, it’s easy to keep using the same old, weak password.

Change it. For an ESET guide to making passwords as strong as possible, click here.

If your site forces you to change your password periodically, do so using strong passwords.

Users often respond to such requests by adding the required special characters to the end of passwords, or adding numbers there instead. If your password leaks, this is among the first things a password cracker will try.

ESET Senior Research Fellow David Harley says, “This also applies where the site requires you to change your password periodically but allows you to do so by appending a number. Password cracking 101.”

4. If someone calls you, it’s THEIR job to prove who they are

phone scams

Common identity theft scams often rely on you handing over the information willingly – in response to a call or email from your bank or another institution.

In these situations, remember that banks do not usually operate this way. It’s your right to hang up if you are suspicious that a call is an identity theft scam.

Most importantly of all, it is THEIR job to prove that they are calling from a bank, not your job to prove who you are. Emergency fraud alerts from a bank will not require you to hand over personally identifying informatio – that’s a clear sign that the fraud has yet to happen, and you are facilitating it.

5. Safeguard personal information in your home

safeguard information in your home

Many of us will invite tradesmen and cleaners into our homes without a second thought, and check only for outright thefts of cash or jewellery – despite the fact that personally identifying information can be just as valuable if not more so.

If you invite people you do not know into your home, make sure that documents such as tax returns, credit card details and government identity certificates are kept under lock and key.

If your home has been burgled, be alert for identity theft frauds following steps one and two above.

6. Be wary of Facebook quizzes

Be wary of Facebook quizzes

It pays to be wary of oversharing on social networks generally – but anyone security conscious should also pay attention to the sort of content they click on.

Some people thought that Facebook quizzes might have peaked when Slate made the spoof, ‘What kind of Buzzfeed quiz are you?’ But some of these quizzes are not just boring – they’re risky.

As ESET Senior Research Fellow David Harley notes here, some of these quizzes appear to harvest data which might be extremely useful for criminals – and some quiz companies have previously been caught selling data to advertisers such as drug companies from health-related quizzes.

The same applies double to any raffle, money-off offer or freebie offered through Facebook – if you find yourself handing out the same data you’d enter when applying for a credit card, do not hit Enter.

Leave the page, close your browser, and walk away.

Even IT Pros guilty of risky selfies on their mobiles

ESET study reveals many IT professionals are guilty of storing indecent material on their mobile phones, which would leave them embarrassed if lost

It appears that Jennifer Lawrence is not the only one with problematic photos on her mobile device. According to a new survey from ESET, 39 percent of the UK’s leading IT professionals have also confessed that if they were to lose their phone, some of the photos and information they have stored on the device could compromise them.

The survey, which was carried out at IPEXPO in October and studied the attitudes of 500 IT professionals, also revealed that 46 percent of respondents admitted that if they were to lose their phone with work information on it, and it was subsequently hacked, it could jeopardise or compromise their company. But that’s not all. A worrying 15 percent of respondents said they are not confident that the photos they take on their phone are not being streamed to other members of their family. Let’s just hope that they are not taking pictures of anything too sinister, or they could find themselves in the same position as Cameron Diaz was in her latest movie ‘Sex Tape’.

The recent news around celebrity phones being hacked and their images being stolen and posted online should act as a warning. Mobile phones are a very attractive target for cybercriminals as they hold so much information. Phone users should be very cautious with what content they have stored on their device.

Other concerning findings from the study revealed that despite most respondents admitting to storing compromising data on their mobile, 22 percent do not have a facility to remote wipe their device.

ESET’s security experts recommend: “A remote wipe facility is really your only piece of insurance against a lost phone. It essentially means that if you lose your mobile phone, you could log into a PC and remotely delete all the data stored on the device. This means that anyone who finds the phone will not be able to access any of your personal information. If you choose to store data on your phone which has the potential to compromise you, if it ended up in the wrong hands, you should deploy a security solution which offers a remote wipe facility.”

In order to help protect data on mobile devices, ESET recommends the following steps:

  • Use a password on your phone at all times
  • Restrict how long you keep emails for on your phone – don’t store things unnecessarily for more than a couple of days
  • Restrict the amount of information you keep on your phone
  • Delete any photos you don’t need and download them frequently to your own computer, where you can store them safely
  • Be mindful of where you are streaming your photos
  • Make sure you do back-ups frequently and check that they are actually being backed up and working
  • Try wherever possible to have remote lock and remote wipe available for your mobile phone. Lock the device if it’s lost, then wipe it if needed. Always bear in mind it’s unlikely you will get your phone back after it’s lost

Interview: Windigo victim speaks out on the ‘stealth’ malware that attacked his global company

Operation Windigo was one of the biggest operations against a criminal gang of this year – led by ESET with help from law enforcement and scientists from around the world, including Europe’s CERN (the organization behind the Large Hadron Collider). It highlighted a new, dangerous threat, where criminals target UNIX servers to redirect victims – and successfully took over thousands of servers and sites around the world.

Pierre-Marc Bureau, Security Intelligence Program Manager says, “The malicious gang is using these servers to send spam, redirect web traffic to malicious content, and steal more server credentials to widen their operation.” At its height, Windigo sent 35 million spam messages a day and redirected 500,000 web users to malicious sites. A detailed analysis of the malware and techniques used, and the ongoing battle against Windigo, can be found here, written by Bureau. ESET researcher Oliver Bilodeau chronicles the ongoing battle against Windigo here.

The victims often never knew they were infected. Even today ESET blocks thousands of redirects from infected servers – and this arduous research has thrown light on a new, sinister face of cybercrime.

ESET researchers have helped many companies identify and neutralize the infection, and this effort goes on today. Francois Gagnon, whose company was targeted, reveals what happened when this novel, emerging threat took hold of his large company.

Bureau says, “ESET has invested months of efforts to analyze, understand, and document Operation Windigo. At the peak of analysis activity, six researchers worked on the investigation.  We are very proud of the current results and we continue to monitor the situation. All servers have not been cleaned and the malicious gang behind the operation is still in control of significant resources. There is still a lot of work to do!” Veteran security researcher, writer and We Live Security contributor Graham Cluley says that at one point half a million PCs were attacked a day. Most victims remained unaware.

Francois Gagnon, owner of a business whose servers in France and Canada fell victim for weeks, explains how a large business can fall prey – and not notice.

Were you aware that this sort of attack was possible?

Like most businesses of our size, we knew criminals ‘sniffed around’, but had never been subject of a serious attack. To begin with, we didn’t realize what it was. But this did not feel like something really offensive. It was running in the background pretty silently. No crash or anything happened. I think that’s why it had infected so many servers before people started to react.

Did the nature of the attack surprise you?

One of the first things you learn in any form of hi-tech business is that anything is possible. But we knew from the start that Windigo was something different. It was subtle. No one stole our database – the first we heard was that suspicious behavior like random redirections in some websites were mentioned by some customers.

When did you realize that something very bad was happening?

We discovered that some of our servers were on Email Blacklists – used to pick out spammers. We knew that our system had sent spam. Our customers also mentioned that some of our sites – we have 2,000 – were randomly redirecting customers. It was customer complaints that helped us realize something was badly wrong. Some suspicious behaviors like random redirections in some websites were mentioned by some customers as well.

Just how ‘stealthy’ is this infection – how long did it take you to realize you were a victim?

I suppose we have been infected a few weeks before we realized what was going on.We pushed our investigation further and realized that most servers had been infected after we had opened tickets with cPanel. Their servers were infected and they infected our servers using SSH connections to us.

How did you react? Did you fear your business was under threat?

We rapidly went from not worrying to the worst worry of all – that it was an advanced threat, targeted specifically at us. We run a dozen servers and 2,000 sites. At the beginning we thought that it could be a targeted attack, but we quickly understood that many other businesses were running through the same issues. Plenty of people were talking about those strange behaviors on many forums.

Did you work closely with researchers on this – when did you realize that there were so many other victims?

We were quickly contacted by ESET and were told about how big this infection was and quickly started to work very closely with the research team. We cleaned infected servers but kept some intact for ESET’s investigation. Marc-Etienne of ESET offered advice – clean the server and reinstall. It’s a harsh cure, but we did it. We have now cleaned almost all of our infected servers and re-installed. We worked closely with ESET’s team, and some servers were used to help the researchers understand the infection. We have now-reinstalled most of them.

Why were you targeted?

That is easy. We have a lot of servers, and many customers in France and Canada.

Why do you think your business was targeted?

Simply because we have many servers, and many customers in France and Canada. Thanks to the quick action of ESET, our company’s reputation was not damaged – we listened to our customers and acted. We did not suffer severe financial loss, either.

What are your feelings towards the gang behind this – and the companies still suffering?

This attack is big. Many web hosting companies were infected and didn’t even know what it was. They were told by cPanel to reinstall – and that was it. That was all the help we got. We were lucky. We worked closely with ESET, who helped put it right, and I hope we helped in turn with the Windigo project.

What is the status of your company now?

We are fully operational. We have always been cautious and took seriously any strange or suspicious behavior. If the government took these kind of attacks more seriously and invested more money to help companies such as ESET it may prevent some attacks.

At his request, We Live Security used a fake name for our interviewee. The gang behind Windigo is still at large and reprisals are a possibility.

ESET will not end Windows XP products support

windows-xp-54321-623x420

After 8th April 2014, Microsoft will no longer provide system updates for Windows XP.
ESET will support the Microsoft Windows XP versions of ESET products at least until the end of April 2017.

Q: What exactly happens on April 8, 2014? Will Windows XP stop working?
A: On April 8, 2014, Microsoft will release its final security updates for Windows XP, and stop providing support and fixes for it. The operating system will still function the same way it has, and all old updates and fixes will still be available. Regular system updates are used to repair exploits and patch existing security vulnerabilities.

Q: Will ESET products and virus definitions on Windows XP still be updated?

A: Yes. At least until the end of April, 2017 ESET will maintain support for customers with ESET products installed on the Windows XP operating system and will continue to offer the following services during that period:

  • Regular virus signature updates for the latest threats
  • Consistent updates to other parts of the antivirus engine
  • ESET Customer Care support requests

Currently, ESET still supports and provides updates for endpoint products that work with Windows NT 4.0 and Windows 2000, both of which reached end of life (EOL) status in 2004 and 2010, respectively.

Q: Will all versions of Windows XP cease being supported by Microsoft after April 8, 2014?
A: No, not all. Windows XP Professional for Embedded Systems, a special version of Windows XP used in devices such as cash registers, ATMs and ticket machines, etc., will be supported until December 31, 2016. However, that date is fast approaching and if you have devices running XP Embedded you will eventually need to replace or update them.

Q: Are other Microsoft programs going to cease being supported?
A: Microsoft Office 2003 will no longer be supported after April 8, 2014. The next major end of life date is July 14, 2015, which is for Windows Server 2003. If your office has any servers left running Windows server 2003, you should be planning on updating or replacing them as well.

Q: I have to run Windows XP and cannot upgrade or replace my PC. Is there anything I can do to protect myself?
A: Make sure that your copy of Windows XP is fully patched and all your applications are on the latest versions with the latest patches as well. Please note that while your service from ESET will not change, your system could become more vulnerable to threats because it will no longer receive regular system updates from Microsoft.

We recommend that you use the latest version of your ESET product to maintain the highest degree of protection possible with the non-updated Windows XP operating system.

To maintain the highest level of security, we recommend that you upgrade your operating system or move your important data onto a computer with a more current operating system.

by Urban Schrott and Aryeh Goretsky

ESET’s Threat Trends Predictions 2014: The next battle for internet privacy, a new assault on Androids, and a new wave of hi-tech malware

Each year, ESET releases its Threat Trends Predictions report for the coming twelve months, written by our global network of security experts, and based on wide-ranging analysis of trends in cybercrime and malware. This year’s report centres on three key trends, the first and foremost being privacy – the others being threats to mobile devices, and new, hi-tech malware targeting PCs and other devices in the home. You can download the full 35 page report Trends for 2014: The Challenge of Internet Privacy (.PDF).

The reaction to Edward Snowden’s revelations concerning the activities of the US National Security Agency (NSA) demonstrates that Internet users really do care about digital privacy and security. Our report analyses how users can protect their information – but ESET experts warn that ensuring data is locked down (by the use of encryption, for instance) is merely the first step towards real security.

“The challenge to internet privacy has not meant a decrease in cases of people affected by any malicious code or other kind of computer threat,” the researchers write. “Concern about privacy is a good starting point, but it is essential for people to be aware of all aspects of Information Security. Otherwise, it is not possible to mitigate the impact of computer threats.”

Next year will also see an escalating increase in serious threats targeting Android phones and tablets – ESET detections of such malware increased more than 60% between 2012 and 2013. This trend is predicted to continue in 2014. ESET Research Laboratory points out that malware afflicting Android now uses classic PC attack methods – the discovery of vulnerabilities, then their exploitation through malicious code.

Filecoders such as the ransomware Cryptolocker have been one of this year’s most notorious attacks, one that is still spreading worldwide. More such malware is expected in 2014.Likewise, Bitcoin and other e-currencies will remain a target for cybercriminals – but gangs may cast their nets wider, and threats against devices such as smart cars, games consoles and smart TVs may loom on the horizon.

The use of DDoS as a means of protest will continue to grow, particularly by people unhappy with the surveillance activities of governments and events in the Middle East. Indeed a lot of hacking as well as DDoS for activist purposes is predicted in 2014; so, expect a lot of attacks against high profile, controversial targets, especially national and local governments and their infrastructure.

Detailed info available in ESET Ireland’s Blog post 2014 security and privacy predictions

Follow

Get every new post delivered to your Inbox.

Join 90 other followers