The concern on ICS/SCADA security gained prominence due to high-profile attacks targeting these devices, most notably Flame and Stuxnet. However, we noted recent findings, which prove that the interest in ICS/SCADA devices as attack platforms is far from waning.

We’ve all read about how insecure ICS/SCADA devices are and how certain threat actors are targeting these systems. As proof, we noted numerous attempts aimed at the dummy ICS and SCADA devices we created during our initial research. The insights gathered from this were the basis of my talk during the Blackhat Europe 2013 last March, which later became the paper Who’s Really Attacking Your ICS Equipment?.

More importantly, this study gave us a look at the possible consequences that may occur once these devices are attacked successfully.

This time around, my latest research The SCADA That Cried Wolf: Who’s Really Attacking Your ICS Devices takes the issue of ICS/SCADA attacks further. While in my first paper we saw several threat actors attempt attacks on these fake ICS systems, this time we are now seeing several noteworthy trends. One of these is the increase in “targeted” attacks – i.e., attacks that appear to be looking into ICS devices more closely prior to executing the attack. During the study, we found malware targeting very specific applications, which can be considered more “targeted” as threat actors are now Trojanizing valid applications traditionally seen as “proprietary”.

Continuing in the same vein, we saw several attacks listed below that are interesting. The following graph shows the the origins of attack against our ICS honeypots.

Figure 1: Percentage of attacks per country

This new research also includes new details and architecture into the virtualized installments worldwide; to eight different countries and 12 different cities. I also cover the in-depth usage of Browser Exploitation Framework (BeEF) for use in attribution of attackers.

We expect that attack trends will continue to increase in the ICS arena, with increased motivation and aim. In addition, we expect that possible ransomware may start to affect the ICS arena, possibly holding devices hostage in return for payment (or ransom). With continued diligence and utilizing secure computing techniques, your ability to deflect and defend these attacks will help secure your organization. To know more about how to defend these devices, you may refer to my previous posting Protecting Your ICS/SCADA Environment.

The findings on this research provide great insight into the world of ICS/SCADA attacks. You may read the full report here.

As globalization drives Brazilian industries forward, it also invites threats that aim on the weaknesses of growing market economies. Financial crimes have always topped the list of cyber security issues in Brazil, but as the country’s economy grows more people are exposed to the perks and problems of the latest computing technologies.

The recent Trend Micro paper “Brazil, Cybersecurity Challenges Faced by a Fast-Growing Market Economy” reveals that the country underwent a dramatic increase in cybercrime. Brazil has one of the fastest growing Internet user bases in the world—both a blessing and a curse when it comes to cyber security. The more Brazilians are able to access the Internet, the larger the cybercriminal market base becomes. With most displaying poor Internet usage habits, the Brazilian online market becomes a harvesting spot for cybercriminals.

The report discussed how this phenomenon has already gained ground by way of unpatched systems and old malware tricks. One major indicator of this is the major presence of the Conficker/DOWNAD malware, which underscores concerns surrounding users who overlook critical basic cyber security practices. As patches needed to remove Conficker/DOWNAD have been available for more than four years now, its presence indicates widespread failure to follow best practices on software patching, including running security software and updating it.

Brazil’s cybercrime landscape is partly a result of unsafe web practices and a thriving underground market. Today, Brazil sends out the most number of spammed messages in Latin America. Almost two out of five (38%) malicious emails from the region comes from Brazil. In addition, majority (58%) of malicious URLs are also hosted in Brazil. The country is also known as an active ground for command-and-control (C&C) servers and compromised computers that take part in large data-stealing botnet operations.

Figure 1. Heat Map of Latin American spam-sending country share breakdown, based on spam-sending IPs

The underground cybercriminal operations in Brazil revolve around gaining financial and personally identifiable information (PII) for profit. Their hacker forums are rife with exchanges for credit card information, virtual private server (VPS) hosting services, phishing kits, and others. For instance, the report reveals that information from ten credit cards amount to an average of R$700.

Online banking theft is especially rampant in the country, whose history of hyperinflation has once led to an early adoption of online financial systems and a large online banking community. In Brazil, cybercriminals prefer using the BANCOS online banking malware strain over ZeuS and other popular crimeware kits.

The emergence of the sophisticated crimeware kit, Picebot, has also revealed that cross-regional underground activities actively happen between hackers in Brazil—the start of a more mature and structured underground ecosystem.

Cybercriminals in Brazil are also known to add a local flavor to their data-stealing methods. These include using the local language in social scams, Orkut as an underground forum, and the Brazilian “Boleto” payment scheme as a money-making target.

Figure 2. Sample boleto used for financial transactions in Brazil. Highlighted sections show codes usually stolen/faked by cybercriminals

Cyber Security Steps in Progress

These risks to individuals, companies, governments, and information and communication technology (ICT) systems, have caused the Brazilian government to take action. The National Strategy of Defense was established in 2008 to protect public administration networks. Two laws, the Azeredo and Carolina Dieckman, were passed to establish police structure against cybercrime and criminalize unauthorized access to sensitive information, respectively. Numerous government research and incident groups were also created for cyber security infrastructure development and incident investigations.

As we broadly saw within the Latin American Region in “Latin American and Caribbean Cybersecurity Trends and Government Responses,” successfully meeting the challenges in Brazil requires political will, law enforcement resources, and a robust, ongoing public-private partnership (PPP) with Internet service providers (ISPs), security companies, and hardware and software vendors.

Find out more about the threat landscape in Brazil on our paper “Brazil, Cybersecurity Challenges Faced by a Fast-Growing Market Economy“.

For more information on the state of cybersecurity in Latin America, you may refer to our research paper (in cooperation with the Organization of American States) Latin American and Caribbean Cybersecurity Trends and Government Responses.

One particular aspect of DEF CON that always gets some media coverage is the Social Engineering Capture the Flag (SECTF) contest, where participants use nothing more than a phone call to get victims at various Fortune 500 to give up bits of information. These are the sort of social engineering attacks that give security professionals at large enterprises nightmares.

These same professionals may be in charge of programs meant to train employees on how to avoid social engineering attacks, but many of these programs are not as effective as they can and should be. What are some of the things that organizations can do to improve these programs?

• Give these programs a good name. This may sound trivial, but there’s a reason to do this. “Catchy” names may well become the butt of jokes, but it keeps training programs – and their lessons – in the minds of users.
• Put users on the other side of the attack – teach them basic social engineering. There’s no better way of understanding how social engineering works than teaching how to do it. By putting employees in the role of the attacker, they can understand how to spot an attack and that any data is valuable to a social engineer – not just what would normally be considered “sensitive.”
• Don’t forget the value of “no”. A very effective tactic used by social engineers is veiled threats that if the target doesn’t do what they are asked, their boss will hear about it and be angry. This can be dealt with culturally: let employees (and managers) know that there will never be a penalty for saying “no” and verifying with whoever’s in charge. Call/mailbacks (via information in company address books) should be part and parcel of company procedure.

Part of a good social engineering training program is “social” penetration testing – i.e., having someone play the role of an attacker and trying to socially engineer employees. However, some organizations try to reduce costs and rely on automated tests alone. This can be a problem – obviously “fake” tests will annoy employees and make them more vulnerable to real attacks. Organizations have to ensure that any tests carried out are as realistic as possible, to realistically and accurately measure the ability to resist social engineering.

Both testing and training have to be a continuous and never-ending process. Social engineering attacks, as with all attacks, only become stronger over time. Employees join and leave the company, or change their roles. A truly effective training program has to keep all of these in mind in order to protect an organization for the long haul.

Websites with exploit kits are one thing that security vendors and researchers frequently try to look into, so it shouldn’t be a surprise that attackers have gone to some length to specifically dodge the good guys. How do they do it?

The most basic method used by attackers is an IP blacklist. Just like security vendors have extensive blacklists of IP addresses used to send spam, host malicious sites, and receive stolen information, attackers have lists of the IP addresses that they believe are used by security vendors and block all access from these addresses.

A more sophisticated method is to infect a given IP address only once. How would this work?

Suppose that a vendor would have a list of websites that is associated with a certain attack. They would access one site (either manually or with automated tools), but the attacker would note that this particular IP address had already accessed a site associated with this attack in a backend database of their own; if the vendor would access other sites that checked with that database they would not be able to successfully access the malicious content.

Figure 1. Crawling avoidance

Backend databases like this can also be used together with dynamic DNS services. The attackers would dynamically create so many random URLs with these services so that they can afford to deactivate a URL within minutes of somebody visiting it.

All of these techniques are supported by exploits kits to different degrees. One of the most common ones is the “infect once” technique, which is used by both versions (1.x and 2.x) of the Blackhole Exploit Kit, as well as Styx and CoolKit.

While individual countermeasures are available, these do place an additional burden on vendors and researchers. While we are able to work around these limitations, it also highlights how important it is not to rely on any one particular method to secure users.

There is no silver bullet to security. A “defense in depth” strategy that uses both cloud and endpoint methods is still the most effective way to ward off threats in today’s security environment. Most importantly, correlation between these multiple methods in order to find all aspects of the infection chain is vital to finding and analyzing new threats.

Securing users via the cloud is still an efficient way of protecting users with broad coverage, powerful correlation and protection while using few resources. Like a cat and mouse game, we will continuously make improvements to crawlers and honey pots to stay ahead of cybercriminals.

However, endpoint protection is a still an essential complement to cloud protection – the threat is running on the end point in real time, with a real user, and in a real environment. On the endpoint, files and sites the user can be inspected in right away, while potentially malicious content (like Javascript and Java) can be executed and analyzed for malicious behavior. Users can be protected before any malicious files are saved onto the user’s system.

In the meantime, information about any newly detected threats is fed back into the cloud and the Smart Protection Network.  This allows us both to protect all users “out of the box” and to gather information about these threats, which we can use to learn more about them and devise more effective methods of protecting users.

Malware targeting online banking sites naturally cause alarm among users, as they are designed to steal not only information but also money from its users. Thus it is no surprise that the surfacing of KINS, peddled as “professional-grade banking Trojan” in the underground market, raised concerns that it might become as successful as ZeuS/ZBOT had been in previous years.

During our investigation, we acquired several KINS variants (detected as TSPY_ZBOT.THY and TSPY_ZBOT.THX) and found that it is not really a “new” Trojan. It uses a different packer and contains sophisticated anti-debugging and anti-analysis routines, but underneath it’s still ZeuS: it uses the same folders and file names, injects the same processes, creates the same registry entries, etcetera.

To thwart analysis and debugging, these KINS variants search for and stop running if it finds it is being run inside several popular virtual machine servers (specifically, VMWare and VirtualBox) or a Windows emulator (WINE). Similarly, other security tools like Sandboxie will also cause the malware to stop running.

In terms of functionality, KINS is essentially identical to to ZeuS/ZBOT; for example, it downloads a configuration file that contains the list of targeted banks, drop zone sites, and webinject files. KINS steals online banking data such as user credentials by injecting a specific code onto the user’s browsers when they visit certain URLs in real time. Once done, the malware shows fake but legitimate-looking pop-ups that ask for banking credentials and additional information such as social security number.

As we are on the latter half of 2013, our prediction of old but reliable threats resurfacing remains true in this year’s threat landscape. In our 2Q Security Roundup, we noted the boost in online banking malware last quarter, in particular of ZeuS/ZBOT variants after being under the radar the past year.

With KINS, we can see the ongoing efforts of cybercriminals to refine dated threats with methods to avoid antimalware detection. We can also expect that KINS won’t be the last of its kind. As well-known Trojan toolkits like SpyEye and Ice IX are now available for free and the “leaked” source code of CARBERP easily accessible, it will be easier for the bad guys to create and distribute their own versions of these malware.

Trend Micro detects and deletes the related malware, while Deep Security offers latest protection against exploits that may lead to KINS infection.