Labs initiative 20 LANDSCAPE 19 REPORT - Subex Secure

LANDSCAPEREPORT

www.safeandsecureiot.com

2019

A Subex Threat Research Labs initiative

Cyberattacks motivated by geo-political influences dominated the threat landscape

throughout 2019. Over 45 percent of attacks registered by our honeypots globally had some

correlation with bilateral tensions between countries across regions such as South Asia, the

Middle East and Central and Eastern Europe. Because of a steep increase in demand for

malware, the average price of malware registered a steep increase in the second quarter of the

year. This supply-demand imbalance is likely to continue in 2020 as the demand for malware

doesn’t seem to slow.

INTRODUCTION

www.safeandsecureiot.com Report | The Global Threat Landscape Report 2019 | 04

Key trends

Expansion of bot nets into South America

Used mobile and other handheld devices being converted into bots

Surveillance cameras remain the most attacked category of devices

Most attacked regions – NA, South Asia and the Middle East

Ransomware the most common category of malware detected

Increase in reconnaissance (listening) attacks on critical infrastructure

Data leakages on Dark Web down 4 percent indicating that stolen data is being hoarded by hackers

Rising detection of malware engineered in academic/research institutions and high tech labs

Malware prices registered a 20 percent hike on an average in the second half of the year

Detection of malware focused on smaller deployments indicates a new trend of hackers shifting attention to smaller projects that do not have the necessary levels of security


Malware R&D activity is increasing by the day. The ratio of new vs variant malware skewed towards new this year indicating new investments and funding being channeled into malware development shops. Native and stolen malware availability across forums also increased 16 percent while the prevalence of military-grade malware also registered a moderate 3 percent rise.

Attacks on sectors

0 2 4 6 8 10 12

11%

27%

03%

05%

07%

10%

08%

07%

05%

05%

Banking and finance

Smart cities

Defense

Manufacturing

Smart home devices

Others including agriculture, public safety,

transportation unspecified projects and telematics

projects not falling under the above categories

Unknown

Ukraine

Russia

Slovenia

China

Mexico

30 25 20 15 10 5 0

Top countries of origin of cyberattacks

04%

04%


Many new cities entered the list of top 50 most attacked cities across the globe. The cyberattacks show a clear shift towards attacking cities located in remote corners of various countries. Attacks on ports, airports and other facilities in such cities witnessed a steep rise in attacks. Here are the top 10 cities that were attacked most often in 2020:

Cities drawing most cyberattacks

Focus on stealth, automation and rapid deployment Degree of malware stealth was always a prized feature for malware developers. In 2019, hackers also sought to make malware easier to share, re-engineer and deploy. Developers and hackers are using a number of automated methods to create variants of malware for faster sale and deployment. In some of the malware studied by us, variants were created using segments drawn from existing malware. Such malware were analogous and near similar in texture and structure making it easier to classify them into families based on morphological aspects.

New York New Delhi LondonAtlanta Kiev

Singapore Dubai Seoul

Average time to transfer data to C&C servers (lab\virtual environment)

Credentials\proprietary\IP based\confidential 2-5 hours post injection of data

Network analytics info 9 hours or more

Normal/routine traffic 9 hours or more

NATURE OF DATA AVERAGE OBSERVED TRANSFER WINDOW/FREQUENCY OF COMMUNICATION WITH C&C

Houston

Malware sample size for the test: 4000 Target sectors: manufacturing, telcos, defence, shipping and utilities

On the stealth front, malware developers continue to release malware that relies on multiple techniques to evade detection. The main aim of developers and hackers seems to be reconnaissance primarily to collect data on networks, security layers and monitoring systems, perimeter security tactics and downtime schedules. Such monitoring is also carried out to study the patterns of data flow and the nature of data as well. During our VM/sandbox testing, we found that credentials, financial or even IP (Intellectual Property) related information was transferred to command and control servers faster than other information. Malware seems to be sensing the content of data by comparing keywords or even syntaxes to derive information priority.

Lagos


Malware trends

Map - global distribution of variants and new malware

In terms of malware diversity, the year was a remarkable one. In the first quarter of the year, we saw plenty of variants being released globally. But from the second quarter onwards, developers unleashed many new malware targeted at sectors such as critical infrastructure and manufacturing.

Throughout the year, variants of malware such as Mirai that had wrecked havoc in the past were detected by us across the globe. Most of the variants detected by us were reengineered to trick cyber defense systems with minor variations in basic constitution.

2019 was indeed a dynamic year. This year saw the entry of variants with predatory properties. Such levels of malware aggression were quite rare but are now becoming more common and this is a cause of worry for security managers and CISOs everywhere. This trend also indicates impatience as hackers now want to monetize their attacks rapidly and are also competing aggressively with other hackers to attack networks and systems faster. 2019 also saw developers investing in techniques designed to prevent reverse engineering and de-bugging in order to prevent threat researchers from conducting detailed analysis and helping avoid detection thereby increasing persistence. Other than stealth and easy and rapid deployment, persistence was another key factor that malware developers were after.


Key traits in malware detected around the world (sample size 4000 unique malware)

Persistence High 77 Low 23

North America, Western Europe and SE Asia

Manufacturing and critical infrastructure projects

High levels of stealth 62 Global Defence, connected vehicles and manufacturing

Faster deployment 53 Global Almost all verticals

Crypto mining 19 All except Latin America Smart cities and manufacturing

High network mobility plus Lateral movement

33 Global Manufacturing, smart cities, Defence, telecom

Trait Trait detection rates (in percentage)

Geographicdistribution or focus Verticals targeted

Malware sourcesMalware authors are constantly seeking newer channels for selling malware. In the past, Darkweb was the primary source of trading malware. Today however, malware can be procured from forums across the web. Malware market, hitherto a network of entities, agents, forums, websites and even blogs where malware can be bought or sold have morphed into one-stop shops where malware is sold, hackers and developers and even consultants hired. Profit motive is the key driver. Customer support is provided for malware and even botnets. Malware is often sold with exploit kits (that combine multiple vulnerabilities). Thus turning malware into a platform to exploit multiple devices, projects and combinations thereof.

In case of state backed actors, there are many nations out there that do not have surveillance, espionage and disruption capabilities in cyberspace. By procuring malware and guidance services from such shops, these actors can up their game. This also works for various cyber crime organizations as well those who wish to gain such capabilities without investing resources. Malware shops\markets also keep pace with changing defence tactics deployed by hackers. In 2019, we saw many exploit kits changing versions within a short period of time (as less as a fortnight in some cases). The new kits had new vulnerabilities (minus old and ineffective ones) making them more potent.


At our research lab, we were able to segregate malware based on observed traits, deep content inspection, multi-layer inspection and analysis and code slicing. Using dual sand boxing and some of our proprietary techniques, we were also able to do a behavior analysis and stealth evaluation. This year saw the release of a huge cache of malware developed in academic or research labs. We are not certain if this was done intentionally or the malware were stolen.

Top Ports attacked

From the rise in attacks, it can be gauged that the number of botnets across the globe could have registered a significant rise. There were reports of a significant addition of surveillance camera’s and used mobile and handheld devices to the botnets. Eastern Europe accounted for almost 30 percent of the botnet traffic followed by Central and Latin America and South East Asia. Most of these botnets were pumping malware laden traffic into networks and data streams outside their region (except in case of the Middle East where some unconfirmed botnets were attacking servers in the region itself).

Botnet expansion

23 -Telnet

445 - SMB

22 SSH

1433 MSSQL

3306 MySQL

80 - HTTP

7547 - CWMP

25 - SMTP

20 FTP

Others

300

225

217

191

176

155

97

44

39

12

PORT ATTACKS IN MILLION

0 5 10 15 20 25 30 35 40

Unknown

Academic\research labs

Military-grade

Mixed

Procured via malware forums

Dark web

Malware origin

Percentage detected within samples tested

15%

07%

03%

19%

20%

36%


Revenue leakage sources attributed directly to cyberattacks Based on the pattern of attacks and malware we have seen, these are the ways in which organizations are being made to bleed revenue.

So while the cybersecurity budgets are rising, there is a school of thought that believes that most of these Dollars go into restoring systems and/or post-facto measures.

Cryptomining/jacking

Firmware downgrade attempts (corrosion)

Port/asset scan/TCPdump (specific recon)

Persistent reconnaissance

Simple reconnaissance

DoS and variants

Privilege abuse

Brute force attacks

Integrity violation with malicious code Injection

0 5 10 15 20

Types of attacks and frequency

Network latency Resource reallocation Time spent in restoring networks and key applications

Data loss and pilferage including loss of Intellectual Property

Loss of credibility with customers and key stakeholders

Time diverted from strategic activities towards reactive cybersecurity measure

Percentage of detections

08%

08%

10%

20%

04%

15%

07%

11%

17%

North America USA is the most attacked nation in the world Regional trends

Attacks on North America registered a significant rise in the second half of 2019. Reconnaissance activity was unusually high in the first half of the year across critical infrastructure, shipping, oil and gas and transportation segments. Gas stations, manufacturing units, utilities, smart grids, storage infrastructure, bore the brunt of attacks in 2019 across the region. All forms of sophisticated malware and breach tactics were used by hackers to exploit vulnerabilities, launch attacks and listen to and steal data from networks, systems and datacenters.

Malware classes detected in the region

The United States provided a unique study in cybersecurity contrasts seen within a nation. In the United States, East coast saw more reconnaissance attacks while the West coast saw more actual attacks. Cyberattacks on US were coming in from Eastern Europe, Middle East and even Mexico.

US was the most targeted nation in the world in 2019. Registering a 29 percent increase in attacks over 2018. US also has the top 3 cities among the top 5 targeted in the region. The top 5 include New York, Houston, San Francisco, Ontario and Mexico City. Malware laden traffic was coming into the US from 3 cities in the Middle East one of which accounted for as much as 20 percent of the overall malware traffic volume.


Type of attacks

Sectors

Malware attributes

Attack window

Key cites targeted

Reconnaissance

Chiefly critical infrastructure, oil and gas

Highly persistent

Early mornings

Atlanta, Boston, Detroit, Washington DC and New York

Targeted attacks

Telcos, shipping

Less persistence but stealthier and with staggered deployment patterns

Early mornings and late evenings

San Francisco, Seattle, Los Angeles, San Diego, San Jose

PARAMETER EAST COAST WEST COAST

Crypto mining

Ransomware

Predatory

Defence-grade

Mission-based (uniquely engineered)

Modular malware

Reconnaissance

Others

11

19

3

2

7

9

37

12

CLASS PERCENTAGE DETECTION (H1, 2019)

15

20

1

2

5

8

36

13

PERCENTAGE DETECTION (H2, 2019)

7 percent of the malware detected in Europe was exclusive to this region. In terms of the features, there wasn’t too much of a difference in morphology or features between those found in various parts of the continent. Though it did seem as though an unusual number (54 percent) of new malware and new variants were uncovered in parts of Eastern Europe including those areas where IoT has still not reached the levels of adoption seen in other parts, the number of IoT specific new malware detected here was significantly higher.

Emerging sectors such as renewable energy, connected automobiles, and home-based consumer healthcare devices are segments gaining prominence from a cybersecurity perspective. Hackers are targeting both corporate and personal information with near equal intensity.

Europe Attacks on UK rise by a whopping 37 percent in 2019 Regional trends


Attacks on UK picked up in the last half of the year. There was a concerted effort made by some hacker groups in North East Asia to attack multiple sites in UK. About 7 percent of these attacks were conducted using brand new hard to detect malware. These attacks also registered the maximum use of military grade malware. Ukraine, The Netherlands, Germany and France (in that order) were the other countries in the top 5 as far as cyberattacks are concerned. Most of the cyberattacks were channeled against entities in the manufacturing, financial services, defence, renewable energy and telecom sectors. Hackers were looking for vulnerabilities, gaps in defences,

OT projects in transition to IoT, remote connected assets and smart home devices for attacking.The prevalence of high-grade malware possibly developed in state-supported labs and/or academic institutions is the highest in Europe. While in the first half of the last decade, the use of such complex malware was restricted (even some nation states didn’t posses such malware), today such malware and its variants are commonly detected across regions. What make the problem worse in Europe is the prevalence of bot nets that are distributing such malware through latent attacks on various establishments. Geo-political aspects are also contributing to the faster release of such malware than before.

Most attacked countries

0 5 10 15 20

Luxemburg

France

United Kingdom

Ukraine

The Netherlands

Germany

07%

07%

07%

08%

09%

20%

There must be a reason why these nations are seeing such a huge release of new malware. One reason could be propagation of Denial of Service for hire operators who are publishing monthly lists of compromised devices. According to data accessed by our threat researchers, such service providers were also offering high end servers from cloud service providers.

The region as a whole was relatively quiet in the first half of the year but the malware numbers increased significantly in the second half. Smart homes were a preferred segment for hackers in the region in 2019. Rising attacks on these deployments have also been reported by other geographies. The attacks on smart home devices registered a whopping 29 percent increase. Prevalence of less than adequate security practices, device vulnerabilities, tampered devices and hackers working to add more devices to their bot farms have all contributed to this increase. If the defenders change their tactics and add layers of security, it is quite possible that the number of attacks might register a temporary dip as hackers turn their attention to other less guarded segments.

New playgrounds?


Asia-Pacific Regional trends

Attacks on various sectors in Asia-Pacific

Lithuania

Ukraine

Croatia

Czech Republic

Slovakia

9 percent

22 percent

13 percent

7 percent

3 percent

COUNTRY DETECTION OF NEW MALWARE AND NEW VARIANTS OF EXISTING MALWARE AS A PERCENT OF THOSE DETECTED IN EUROPE

0 5 10 15 20 25

Banking and finance

Smart homes

Transportation

Manufacturing

Defense

Others including agriculture, public safety, unspecified projects and telematics

projects not falling under the above categories 02%

02%

13%

24%

13%

11%

Percentage detection


Malware reported

Common ones include variants of Mirai, Torii, Gafgyt/Lizkebab, Silex, Dingbat, Captainxolo, Shamoon, Trident, Actcraft, Mayhem, Wicked, OMG Mirai, ADB.Miner, DoubleDoor, Hide ‘N Seek and many genetically new malware reported by other geographies. Our research indicates that many of these have been sourced from malware shops on the darknet and on social malware forums. Some of the variants of common malware represented a level three variation which means they were modified at least three times before being deployed to evade detection. Over 8000 modular malware forms were also reported indicating increasing sophistication of attacks.

IP Obfuscation

Some of the samples we can across were doing port scans to detect exposed connected devices. The most common devices targeted were IP cameras. One of the samples we isolated was having access to a repository of default credentials for launching brute force attacks. The inbound attacks had a common

characteristic which is IP obfuscation. We have observed patterns of IP spoofing with a clear intent to hide the geography of origin of the command and control network behind these attacks. The clear preference for manufacturing and other complex IoT deployments among these botnets is one of the reasons behind this assumption.

Persistence We have seen malware that has been lurking in some projects since mid-last quarter. The level of persistence varies between sectors and in some instances depending on the time of the year and the scale of the project as well. The least number of days of persistence has been seen in case of PoC projects while attacks on industrial IoT persist for the maximum length of days.

Length of persistence also depends on the response mechanisms being tested as also a need to evade detection. Highest levels of persistence were seen in the smart cities sector while agriculture reported the lowest at less than 100 days.

India Regional trends

Became the most targeted country in the world during the second quarter of 2019. Throughout the year India was in the top 5 especially after March, 2019. Throughout the year the country attracted attacks of relatively high quality (as compared to other regions and last year). Critical infrastructure was attacked the most followed by sectors such as banking, defense and manufacturing.


The above graph shows how cyberattacks in India bear a direct correlation to geo-political events happening in India’s neighborhood. Each of the days where a rise in cyberattacks was registered, followed border skirmishes or geo-poltical tensions in the region.

Sectoral attacks and percentage

Critical infrastructure attacks

Banking and finance

Smart cities

Defense

Manufacturing

Smart home devices

Others including agriculture, public safety,transportation unspecified projects and telematics

projects not falling under the above categories

0 5 10 15 20

05%

05%

21%

09%

07%

07%

06%

Attack on routers and surveillance cameras

A variant of Mirai malware detected by us in India and its immediate vicinty was attacking an array of CPU architectures, including ARM, ARM64, x86, x64 and MIPS. This malware was primarily targeting unidentified vulnerabilities in common devices such as routers and video surveillance cameras. The attack on such a huge range of device architecture can be explained by the modus operandi adopted by the malware post-infection. The malware instead of calling out specific bot payloads, instead calls out all the payloads available so that it can target multiple architectures in one attack.

Inbound cyberattacks IoT deployments in India received the maximum number of attacks from a few geographies in Central Europe and Central and South America. These attacks were originating from a few botnets


Regional highlights

that we detected in the region. The IP range clearly indicated a very high level of compromise. It can be stated with a high level of confidence that a few IoT projects have been compromised in these geographies (or are being leased out to hacker groups). These bot farms are being controlled by hackers sitting in countries in close proximity to India and there are signs that these are coordinated attacks with a high level of geo-political motivation. We have observed patterns of IP spoofing with a clear intend to hide the geography of origin of the command and control network behind these attacks. The clear preference for defence deployments among these botnets is one of the reasons behind this assumption.

Sale of used devices such as routers and video/web cameras that are compromised or have been tampered with could be another cause for the existence of a huge number of botnets globally.

Isolated cyberattacks on railways and shipping infrastructure using highly customized malware

All 25 cities monitored by us registered an increase in malware laden traffic

Hackers are focusing on retaining control over devices hacked for the longest period of time

India focused botnet activity Regional businesses of all sizes brought under overwhelming pressure by hackers

Overall the number of cyberattacks increased by 34 percent over 2018. This was the largest increase registered by any country. India was the second most attacked geography in 2019

Detection of many uniquely designed malware targeting the country

Malware volume as a percent of overall data traffic has increased

Middle East and Africa Regional trends


The last year saw a significant rise in cyberattacks on various states in the Middle East. UAE, Saudi Arabia, Oman, Jordan, and Turkey attracted the greatest number of in-bound cyberattacks. The attacks seemed to be tied in with the geopolitical stresses emerging in the region and the surge in cyberattacks are often timed with or coincide with specific episodes.

Last year, we were able to isolate high-grade strains of malware and study the tactics being deployed to breach networks, launch DoS or other attacks and leak data within the region. Some malware detected by us was developed specifically for targeting IoT and OT deployments in the region as such malware was not reported from any other geography. The reconnaissance patterns shown by malware also settles into a unique pattern that reflects the areas of interest for hackers as also a means to do a deep study on systems, defense layers and strategies and speed of response. High investments in digitization across manufacturing, oil and gas, smart cities and other projects have opened newer attack surfaces thereby widening the threat frontier. Hackers are also evolving newer variants of malware that can exploit weaknesses created by human curiosity. We were able to uncover malware that was modifying its deployment strategy after studying the vehicle it was planted on (USB drive, network, hacked website, etc.). There was also a strain of malware that was mutating in real-time, temporarily shedding batches of codes to reduce its footprint within the network without compromising its potency in the long run. These trends point to a need to improve our defenses to not just keep hackers and disruptive groups at bay. The sophistication of malware clearly indicates a worrying trend. The entire eco-system of threats and actors behind them have access to high levels of malware research

and development as also more than adequate budgets (which means many attacks are already monetized and that income is being ploughed back into developing improved malware).

Patrolling

Malware deployed only for reconnaissance (or patrolling as we call it) purposes also showed a significant spike this year (from 111459 to 215678). Periods of hyper-reconnaissance (heightened listening activity) stayed more or less constant at an average of 3.3 days each month. In industrial IIOT and OT environments the number of days reporting recce activity went up to 7 while in other deployments such as transportation and agriculture it was found to be as less as 26 hours.

Understanding the context The increasing attacks on IIoT and IoT deployments in the Middle East could be co-related to various factors. The number of enterprise IoT users is growing by leaps and bounds in the region. In some instances, hackers are using multiple routes to surpass firewalls and other basic defense mechanisms to attack core installations. In one instance, we saw a breach in a building management system leading to a sensitive IoT deployment being exposed. In this instance, malware was injected via multiple routes including security alarm control panels, intrusion detection units, smoke and fire alarm control units, access control systems and mass notification systems.

Here are some of the key trends that will shape the world of cybersecurity in 2020 • Geopolitical attacks to gain momentum across Middle-East, Europe and Central America • Social engineering practices designed to hook employees to click on links hosting malware or malicious codes to get more personal and targeted • We expect the number of attacks to rise in the May-July time period as has been the case for the last two years. • Malware prices may stabilize as demand and supply levels attain an equilibrium. More malware developed in academic and other labs will be released in 2020 adding to a supply glut. However, if demand for malware picks up mid-year, then unit prices of malware may increase • USA, India, UK, Singapore, Ukraine, UAE, Nigeria, Japan, South Korea and Spain are the countries that will experience a significant increase in cyberattacks. We are already seeing signs of that in the final months of 2019 • State and local government will be targeted more often


Forecast for 2020

SUMMARY Research Methodology

This report has been prepared from threat intelligence gathered by our honeypot network that is today operational in 62 cities across the world. These cities have at least one of these attributes:

01

02

03

04

05

06

Are landing centers for submarine cables

Are internet traffic hotspots

House multiple IoT projects with a high number of connected endpoints

House multiple connected critical infrastructure projects

Have academic and research centers focused on IoT

Have the potential to host multiple IoT projects across domains in the future

Over 3.5 million attacks a day registered across this network of individual honeypots are studied, analyzed, categorized and marked according to a threat rank index, a priority assessment framework, that we have developed within Subex. The network includes over 4000 physical and virtual devices covering over 400 device architectures and varied connectivity flavors globally. Devices are grouped based on the sectors they belong to for purposes of understanding sectoral attacks. Thus, a layered flow of threat intelligence is made possible.

Key findings are published by us every quarter to enable businesses, decision-makers, academicians, students, CISOs and others interested in cybersecurity gain a comprehensive understanding of the evolving threat environment that envelops IoT deployments and derive appropriate responses prevent, contain and dissuade such attacks.


www.subex.com

Regional offices: Dubai | IpswichFor more information write to [email protected] Sube

x Li

mite

d. 2

020.

All

right

s re

serv

ed. A

lthou

gh e

very

end

eavo

ur h

as b

een

mad

e to

ens

ure

that

the

info

rmat

ion

cont

aine

d w

ithin

this

doc

umen

t is

up to

dat

e an

d ac

cura

te, S

ubex

Lim

ited

cann

ot b

e he

ld re

spon

sibl

e fo

r any

inac

cura

cy o

r err

or in

the

info

rmat

ion

cont

aine

d w

ithin

this

doc

umen

t. 12

0220

20.

Subex (Asia Pacific) Pte. Limited

175A, Bencoolen Street, #08-03 Burlington Square, Singapore 189650

Tel: +65 6338 1218Fax: +65 6338 1216

Subex (UK) Ltd

1st Floor, Rama 17 St Ann’s Road, Harrow, Middlesex, HA1 1JU

Tel: +44 0207 8265300Fax: +44 0207 8265352

Subex, Inc

12303 Airport Way, Bldg. 1, Ste. 390, Broomfield, CO 80021

Tel : +1 303 301 6200Fax : +1 303 301 6201

Subex Limited

RMZ Ecoworld, Devarabisanahalli,Outer Ring Road, Bangalore - 560103 India

Tel: +91 80 6659 8700Fax: +91 80 6696 3333

• Subex is the market leader in products Security and Fraud Management market, with over 180+ customers in total

• Recognized as the IoT security platform of the year 2018 by Compass Intelligence

• Subex is the Number 1 provider globally of Fraud Management and Security solutions in the Telecom Space, according to a Gartner

report published in March 2016

• Subex runs the world’s most comprehensive IoT and ICS focused honeypots of over 400 architectures across 62 locations globally.

• +700 Experts in Security/Fraud and other programs with assets, skills and innovative methods to ensure results for the operator

• Publicly listed in the National Stock Exchange (India) and Bombay Stock Exchange

Seattle

Honeypot Locations

Security Operations Center

Ivory Coast

PortugalMalta

Botswana

Sydney

Ghana

Malaysia

Qatar

Toronto

Spain

KuwaitSaudi

Johannesburg

Singapore

Hong Kong

Myanmar

BangaloreDenver

Mumbai

Dubai

London

ISOC & HoneypotLocations

About Subex

Documents

Labs initiative 20 LANDSCAPE 19 REPORT - Subex Secure