Netas Annual Cyber Intelligence Report 2016 v10
CYBER THREAT INTELLIGENCE REPORT 2016
Contents
Executive Summary
2016 Highlights
    Upward Attack Trend Targeting VoIP Protocol SIP
    A New Type of VoIP Attack
    IoT: Rise of the Connected Machines
    The Year of the Data Breaches
    Ransomware (with Strings Attached)
    Common Cyber Events
2017 Predictions
NOVA Product Family and Customer Case Studies
    Focus Sector
    Issues
    Recommendations
    Nova V-Gate
        Fraud Detection and Prevention with V-Gate
        Which Types of Fraud Can Be Blocked with V-Gate?
        Samples of a Customer's Data Generated by V-Gate
        VoIP Monitoring Results
        VoIP Monitoring Sample Results from Customer Sites
    Nova MSP
    Nova V-Spy and Penetration Test
NOVA Honeypot Results
Executive Summary
This report summarizes the statistics produced by the security products developed by NETAŞ, the information gathered during consulting services, and research on cyber security threats and incidents in 2016. It covers the weaknesses encountered in organizations, the threats affecting their systems, and the countermeasures and solutions.
A honeypot environment, called the NOVA honeypot, was used to identify attackers and detect the types of attacks; it simulates the behavior of real systems. The data obtained from it is analyzed in depth in this report to characterize the attacks and the attackers.
The statistical data shows that attackers located in different regions use similar types of scanning activity. A honeypot is a useful tool for several reasons: it tempts and traps attackers, captures information about them, and generates alerts when someone interacts with it.
With the established honeypot environment, statistical analysis can be used to determine the type of attack, its frequency, and the region it was launched from. The results and data obtained from this analysis are also valuable for NETAS Cyber Security projects and the security operations center. For example, collecting malware samples and discovering new types of attacks, attack tools and payloads helps us develop future defenses against unknown attacks.
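The kind of statistical breakdown described above (attack type, frequency per hour, source region, and which sources went beyond scanning) can be produced from raw honeypot event records. The following is an added example, not code from the report or from the NOVA honeypot: the event lines, the field layout "timestamp|src_ip|country|service|event" and the placeholder country codes XX/YY/ZZ are all constructed for this illustration.

```python
"""Aggregate honeypot events by attack type, source region and hour of day,
and separate sources that only probed from those that got further.

Added example, not code from the NETAS report or the NOVA honeypot. The event
lines and the field layout "timestamp|src_ip|country|service|event" are
constructed; country codes XX/YY/ZZ are placeholders.
"""
from collections import Counter, defaultdict

# Constructed honeypot events (documentation-range IPs, placeholder countries).
SAMPLE_EVENTS = """\
2016-10-21T08:01:12|203.0.113.7|XX|ssh|login_failed
2016-10-21T08:01:13|203.0.113.7|XX|ssh|login_failed
2016-10-21T08:01:15|203.0.113.7|XX|ssh|login_success
2016-10-21T08:02:40|198.51.100.22|YY|telnet|login_failed
2016-10-21T08:02:41|198.51.100.22|YY|telnet|login_failed
2016-10-21T08:05:03|198.51.100.22|YY|telnet|command
2016-10-21T09:15:09|192.0.2.44|ZZ|sip|scan
2016-10-21T09:15:10|192.0.2.44|ZZ|sip|scan
2016-10-21T09:15:11|192.0.2.44|ZZ|sip|register_bruteforce
2016-10-21T09:40:00|203.0.113.9|XX|telnet|login_failed
"""

# Event types that mean the attacker did more than probe the service.
ESCALATED = {"login_success", "command"}


def parse_events(text):
    """Parse pipe-separated event lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, country, service, event = line.split("|")
        events.append({"ts": ts, "src": src, "country": country,
                       "service": service, "event": event})
    return events


def summarize(events):
    """Return counts by event type, country and hour, plus escalated sources."""
    by_type = Counter(e["event"] for e in events)
    by_country = Counter(e["country"] for e in events)
    by_hour = Counter(e["ts"][:13] for e in events)   # "YYYY-MM-DDTHH"
    by_src = defaultdict(set)
    for e in events:
        by_src[e["src"]].add(e["event"])
    # A source that achieved a login or ran a command is more than a scanner.
    escalated = sorted(src for src, kinds in by_src.items() if kinds & ESCALATED)
    busiest_hour, busiest_count = by_hour.most_common(1)[0]
    return {
        "by_type": dict(by_type),
        "by_country": dict(by_country),
        "by_hour": dict(by_hour),
        "busiest_hour": busiest_hour,
        "busiest_hour_count": busiest_count,
        "escalated_sources": escalated,
    }


def services_per_region(events):
    """Per country, the sorted set of services probed; overlapping sets are the
    kind of evidence behind the observation that regions scan alike."""
    services = defaultdict(set)
    for e in events:
        services[e["country"]].add(e["service"])
    return {c: sorted(s) for c, s in services.items()}


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for key, value in summarize(events).items():
        print(f"{key}: {value}")
    print("services probed per region:", services_per_region(events))
```

Feeding real honeypot output in requires only replacing `parse_events` with a parser for the honeypot's own log format; the aggregation does not depend on the sample layout.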
2016 Highlights
An unprecedented volume of cyber-attacks has occurred in Turkey and worldwide over the years. The 2016 agenda consisted of DDoS attacks on backbone DNS, ransomware, targeted malware attacks on mobile platforms, and cyber espionage against critical infrastructure. There were also leaks of critical private data belonging to governments and individuals from payment systems, social platforms, banks and government agencies. IoT made the transition from a mainly theoretical and academic topic to a vivid threat, arousing keen interest in the cyber security industry and in the cybercrime and hacker communities alike. From numerous research sources we correlate the significant findings below. Our sources include the IBM X-Force reports, the CFCA survey, new papers from universities in different countries, the Sensecy Annual Report, the ESET Trends 2016 report and Akamai statistics.
Upward Attack Trend Targeting VoIP Protocol SIP
Numerous protocols are used in Voice-over-IP (VoIP) communications. According to IBM Managed Security Services (MSS) data [1], the most targeted VoIP protocol is the Session Initiation Protocol (SIP), accounting for over 51 percent of the security event activity analyzed in the last 12 months.
[1] http://www.foerderland.de/fileadmin/pdf/IBM_XForce_Report_2016.pdf
Figure 1: Top Targeted VoIP Protocols (SIP 51%, Cisco SCCP 48%, H225 1%)
SIP is one of the most commonly used application-layer protocols in VoIP technology, so it is not surprising that it is the most targeted. In fact, we found that there has been an upward trend in attacks targeting SIP, with the most notable uptick occurring in the second half of 2016.
In actual attacks on VoIP communications, we note various types of disruption. Spikes in July and September were mostly the result of specially crafted SIP messages that were terminated incorrectly. Persistent invalid messages are known to cause vulnerable servers and equipment to fail. The spike in October 2016 was largely driven by SIP messages with invalid characters in the SIP "To" field. Such messages may be indicative of suspicious activity and warrant further investigation.
The second most targeted protocol, Cisco's proprietary Skinny Client Control Protocol (SCCP), accounted for just over 48 percent of detected security events during the same period. SCCP is a lightweight, IP-based protocol used for communication between Cisco Unified Communications Manager and Cisco VoIP phones. Unlike attacks targeting SIP, those targeting SCCP have declined slightly over the past 12 months.
Figure 2: Attacks Targeting SIP Protocol
A large majority of the security events targeting SCCP, nearly 74 percent, are actually pre-attack probes that let the perpetrators examine device capabilities and gather information on potential targets. Finally, the H225 protocol, which is part of the H.323 protocol suite, accounted for less than 1 percent of the activity.
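The two malformations singled out above (SIP messages that are terminated incorrectly, and invalid characters in the To field) can be checked for directly at a SIP proxy or over captured traffic before such messages reach equipment that might fail on them. The following is an added example, not code from the report, from IBM or from any NETAS product; the SIP messages are constructed, and the character rules are a deliberately strict approximation of RFC 3261 header syntax rather than a full SIP parser.

```python
"""Flag malformed SIP requests of the two kinds the text describes:
incorrectly terminated messages and invalid characters in the To header.

Added example, not code from the report or from any NETAS product. The SIP
messages are constructed. The character rules approximate RFC 3261 header
syntax (printable ASCII, a SIP/SIPS/tel URI present); this is a triage
check, not a complete SIP parser.
"""
import re

CRLF = b"\r\n"

# RFC 3261 header values are ASCII tokens, quoted strings and URIs; control
# bytes and non-ASCII bytes have no place in a To header.
_PRINTABLE = re.compile(rb"^[\x20-\x7e]*$")
# The To header must carry a SIP, SIPS or tel URI (optionally in <> with a display name).
_HAS_URI = re.compile(rb"<?(sips?|tel):[^\s<>]+>?")


def split_message(raw):
    """Return (start_line, headers, body, terminated); header names are lower-cased."""
    idx = raw.find(CRLF + CRLF)
    if idx < 0:
        return None, {}, b"", False
    head, body = raw[:idx], raw[idx + 4:]
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers, body, True


def inspect(raw):
    """Return a list of findings for one SIP message; an empty list means it looks sane."""
    findings = []
    _start, headers, body, terminated = split_message(raw)
    if not terminated:
        # Either the sender used bare LF line endings or simply stopped mid-message.
        if b"\n\n" in raw:
            findings.append("bare LF line endings instead of CRLF")
        else:
            findings.append("header section not terminated with CRLF CRLF")
        return findings
    if b"content-length" in headers:
        try:
            declared = int(headers[b"content-length"])
        except ValueError:
            declared = -1
        if declared != len(body):
            findings.append(f"content-length {declared} != body {len(body)}")
    to = headers.get(b"to", headers.get(b"t"))   # "t" is the compact form of To
    if to is None:
        findings.append("missing To header")
    else:
        if not _PRINTABLE.match(to):
            findings.append("invalid characters in To header")
        if not _HAS_URI.search(to):
            findings.append("To header carries no SIP/SIPS/tel URI")
    return findings


def triage(messages):
    """Map message name -> findings, keeping only messages that have any."""
    results = {name: inspect(raw) for name, raw in messages.items()}
    return {name: f for name, f in results.items() if f}


# Constructed messages (documentation-range addresses).
GOOD = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
        b"From: <sip:alice@example.com>;tag=1928\r\n"
        b"To: Bob <sip:bob@example.com>\r\n"
        b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
        b"CSeq: 1 INVITE\r\n"
        b"Content-Length: 0\r\n"
        b"\r\n")
TRUNCATED = GOOD[:-2]                                   # final empty line missing
BARE_LF = GOOD.replace(CRLF, b"\n")                     # LF instead of CRLF
BAD_TO = GOOD.replace(b"To: Bob <sip:bob@example.com>",
                      b"To: <sip:bob@example.com>\x00\x7f\xff")   # control/non-ASCII bytes
LENGTH_MISMATCH = GOOD.replace(b"Content-Length: 0", b"Content-Length: 42")

SAMPLES = {"good": GOOD, "truncated": TRUNCATED, "bare_lf": BARE_LF,
           "bad_to": BAD_TO, "length_mismatch": LENGTH_MISMATCH}

if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(f"{name}: {'; '.join(findings)}")
```

A message with findings is a candidate for dropping at the edge or for the "further investigation" the text recommends; the Content-Length check is included because a declared length that does not match the body is another way a message ends up terminated incorrectly from the receiver's point of view.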
When it comes to unsolicited information, we have become fairly good at dealing with or reducing email spam in our inboxes. But what about spam over internet telephony (SPIT), also known as VoIP spam? These unsolicited, automated phone calls made from internet-provided numbers are just as annoying as junk mail.
Because it is connected to the same pipes as spam, so to speak, VoIP technology has aided the proliferation of robocalls, allowing scammers to make illegal calls from anywhere in the world. It floods consumers and businesses with marketing calls, surveys and even identity theft scams, also known as vishing.
VoIP technology allows malicious individuals to conduct caller ID spoofing with minimal cost and effort, which enables attackers to obtain information or facilitate additional scams against their targets. A February report, for example, highlighted issues with certain VoIP phones that had insecure default configurations, which allowed attackers to set up, receive and transfer calls, play recordings, upload new firmware and even use victims' devices for covert surveillance.
VoIP services are also subject to abuses such as toll fraud, which involves taking control of network access to avoid paying for telephone calls. VoIP phone consumers should not rely blindly on the manufacturer's default security settings and should use strong passwords.
Figure 3: Fraud Losses Globally [2]
[2] http://cfca.org/fraudlosssurvey/2015.pdf
Summary: Encountered Risks and Challenges
- VoIP traffic fraud and toll fraud
- Caller ID spoofing attacks
- Lack of VoIP and network security awareness
- Wangiri, SPIT calls and DDoS attacks
- Conversation eavesdropping / sniffing
- Proprietary policy rules not implemented, and management of operational issues
- Asset/source management problems and failure to measure Quality of Service
A New Type of VoIP Attack
An attacker can carry out a distributed denial-of-service (DDoS) attack by flooding a company's telephone service with thousands of junk calls per minute from automated IP dialers. Such a telephony DDoS attack could cripple an organization that relies heavily on its phone systems. The method has even been used to prevent fraud victims from calling their banks after large sums of money were stolen from their accounts.
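A flood of this kind is visible in the call-setup records of a PBX or SIP trunk as a rate anomaly on the called number, and the automated dialers behind it tend to stand out as single source hosts presenting many different caller IDs. The following is an added example of that detection logic, not code from the report or from NOVA V-Gate; the records are constructed (three minutes of normal traffic followed by a 30-second flood), and the two thresholds are assumptions an operator would tune to the normal call rate of the trunk being watched.

```python
"""Detect a telephony denial-of-service flood from call-setup records.

Added example, not code from the report or from NOVA V-Gate. The records are
constructed; the thresholds are assumptions to be tuned per trunk.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
MAX_CALLS_PER_WINDOW = 20    # more setups per minute to one number than this trunk ever sees
MAX_CALLER_IDS_PER_IP = 5    # one host presenting many caller IDs looks like an IP dialer


def build_sample_records():
    """Constructed: three minutes of normal traffic plus a 30-second flood.
    Each record is (timestamp, source_ip, caller_id, called_number)."""
    base = datetime(2016, 10, 21, 9, 0, 0)
    recs = []
    # Normal: one call every 20 s from distinct customers to the helpdesk line.
    for i in range(9):
        recs.append((base + timedelta(seconds=20 * i), f"198.51.100.{i + 1}",
                     f"+90212555{1000 + i}", "+902125550100"))
    # Flood: two dialer hosts, 60 calls in 30 s, rotating through spoofed caller IDs.
    start = base + timedelta(seconds=120)
    for i in range(60):
        ip = "203.0.113.5" if i % 2 == 0 else "203.0.113.6"
        recs.append((start + timedelta(milliseconds=500 * i), ip,
                     f"+1555000{i % 17:04d}", "+902125550100"))
    return recs


def detect_floods(records):
    """Sliding 60-second window per called number. Returns one alert per number,
    as (timestamp, called_number, calls_in_window), the first time the window
    exceeds MAX_CALLS_PER_WINDOW."""
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, _ip, _caller, callee in sorted(records):
        q = windows[callee]
        q.append(ts)
        while ts - q[0] > WINDOW:          # drop setups older than the window
            q.popleft()
        if len(q) > MAX_CALLS_PER_WINDOW and callee not in alerted:
            alerted.add(callee)
            alerts.append((ts.isoformat(), callee, len(q)))
    return alerts


def dialer_sources(records):
    """Source IPs that presented more distinct caller IDs than the limit."""
    ids = defaultdict(set)
    for _ts, ip, caller, _callee in records:
        ids[ip].add(caller)
    return sorted(ip for ip, s in ids.items() if len(s) > MAX_CALLER_IDS_PER_IP)


if __name__ == "__main__":
    recs = build_sample_records()
    for ts, number, count in detect_floods(recs):
        print(f"{ts} flood on {number}: {count} setups within {WINDOW.seconds}s")
    print("likely dialer hosts:", dialer_sources(recs))
```

The per-number window catches the flood whichever hosts it comes from, while the caller-ID check identifies which sources to rate-limit or block; on the constructed data the alert fires at the 21st setup inside a minute, 17 calls into the flood.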
Security researchers from the University of California, Irvine; the Sapienza University of Rome; and the University of Padua were able to reconstruct keystrokes as text from the sound captured in Skype voice and video calls. Malicious eavesdroppers could use this method to intercept sensitive and personal information of Skype users.
The researchers developed a new type of practical keyboard acoustic eavesdropping attack, which they called "Skype & Type" (S&T). The premise of the research is that many people do other activities, such as typing on their keyboards, while on VoIP (Voice-over-IP) calls.
According to the researchers' paper [3], VoIP software picks up the acoustic emanations of pressed keys and transmits them to the other parties in the call. Normally this would not be an issue if you trusted the person on the other end of the line, but calls can be intercepted, and the eavesdropper could be capturing the VoIP users' keystrokes.
An attacker could capture keystrokes this way with an accuracy of 41.89% with no knowledge at all of the keyboard being used or of the target's typing style. The accuracy rises to 91.7% with some knowledge of the keyboard used and the user's typing behavior.
IoT: Rise of the Connected Machines
The end of 2016 witnessed a huge surge in the volume of DDoS attacks. Most had one common denominator: a botnet dubbed Mirai, made up of various infected IoT devices such as CCTV cameras, DVRs, routers and more.
[3] https://arxiv.org/pdf/1609.09359.pdf
Figure 4: Three of the major DDoS attacks conducted using IoT botnets
Although IoT is a very recent technology, the first signs of this new threat vector were visible in the past two years, with malicious actors exploring IoT exploitability and attacks utilizing these devices. As with other threats that matured over the same period, online discussions and chatter on closed underground forums proved to be valid precursors of new attack vectors and modi operandi.
Given this, these attacks and those that followed are just a symptom of a process taking place in underground hacking communities. IoT botnets are not new: in 2015, for example, the source code of Bashlite, another IoT botnet, was leaked online. Furthermore, the devices themselves, including CCTVs, routers and DVRs, were connected to the Internet long before 2016. However, bringing these devices under the single umbrella of IoT and the rapid growth of the field, combined with the interest it aroused in a variety of circles, had an effect on hacking communities. Since early 2016, we have seen a number of hacking forums on the English-speaking underground open sections dedicated to IoT hacking.
Figure 5: Three of the Major DDoS Attacks, Details [4] [5]
[4] https://thehackernews.com/
[5] http://www.hackmageddon.com/category/security/cyber-attacks-timeline/
The Year of the Data Breaches
With close to two billion records leaked from hundreds of websites and services, 2016 witnessed an exponential growth in data breach incidents. These incidents compromised various user details, including email addresses, passwords, usernames, full names, phone numbers and much more. The login credentials, which in many cases were reused across multiple platforms and services, were stolen from social network websites such as LinkedIn, Tumblr and VK, from gaming platforms, adult content websites and others.
Figure 6: Top 10 data breaches [6]
While closely monitoring activity on closed sources where many of the leaked databases are offered for sale, we noticed a pattern: data stolen years ago is only now being offered for sale. This delay reveals an interesting process behind many high-profile data breaches.
Ransomware (with Strings Attached)
Although not a new phenomenon, 2016 was a record year for ransomware. The threat, which since late 2014 has shown exponential growth both in sophistication and in sheer numbers, has, according to several sources, peaked as the top malware of 2016. [7]
With ransomware targeting various organizations, including defense [8], healthcare [9] and transportation [10], to name but a few, 2016 was a highly "productive" year for ransomware distributors, with the record from 2015 already shattered in Q1 of 2016. [11]
[6] Source: haveibeenpwned.com
[7] https://antivirus.comodo.com/blog/computer-safety/locky-ransomware-leads-in-malware-infections/
[8] http://www.securityweek.com/ransomware-attack-hits-cape-cod-police-department
[9] https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kansas-hospital-hit-by-ransomware-extorted-twice
[10] http://www.usatoday.com/story/tech/news/2016/11/28/san-francisco-metro-hack-meant-free-rides-saturday/94545998/
[11] https://blog.barkly.com/ransomware-statistics-2016
Added to the equation is the staggering number of new ransomware families and variants that surfaced during the past year. While known families such as Locky, Cerber and CryptXXX made the rounds around the globe, over 44,000 new variants of known ransomware emerged. [12] Although many of these variants did not evolve into a real ransomware trend, ransomware is worth mentioning in any review of 2016.
Figure 7: Overall ransomware infections by month and top ransomware detections in top countries. Source: Symantec and Microsoft
Common Cyber Events [13]
With regard to cyber crime, the most important recent events are probably the news of the alleged hack against the Central Bank of Russia, which happened on an unspecified date in 2016 and yielded the attackers a bounty equivalent to $31 million, and the mega breach affecting the 82.5 million users of Dailymotion. Other "minor" breaches impacted Shiseido (420,000 customers involved), Health Solutions (35,000 records), Quest Diagnostics (34,000 records) and Kagoya (50,000 users affected).
And while SWIFT revealed that it is still warning banks of a new wave of attacks, the Mirai botnet was also quite active: thousands of customers of TalkTalk, the UK Post Office and Eircom lost their internet access in the wake of yet another attack carried out by this IoT-powered botnet.
ThyssenKrupp was also in the spotlight when news emerged of a sophisticated attack that started in February 2016 and was discovered only in April of the same year. This was not the only important event in Germany, since the domestic intelligence agency reported an increase in targeted cyber-attacks against political parties.
Moving to a different sector (Cyber War), an important event was registered in Saudi Arabia (and apparently the outbreak is still ongoing), where a new version of the infamous Shamoon wiper malware (allegedly originating from Iran) paralyzed eight governmental institutions, including the Central Bank, in November 2016.
[12] https://securelist.com/files/2016/12/KSB2016_Story_of_the_Year_ENG.pdf
[13] http://www.hackmageddon.com/category/security/cyber-attacks-timeline/
A massive campaign dubbed Gooligan targeted Android users; the infamous Fancy Bear APT group (AKA APT28) returned; and Mark Zuckerberg's Pinterest account was hacked again in November 2016.
Adultfriendfinder.com was hacked again, with the consequent leak of a stunning 412 million records. Other massive breaches include the leak of 780,000 job applicants' records suffered by Michael Page and the one affecting the confidential personal records of over 34 million residents of the Indian state of Kerala. The City of El Paso was also hit hard and robbed of about $3 million after a phishing scam, as was Tesco Bank, whose 9,000 customers had money stolen from their accounts, for a total cost of the attack of GBP 2.5M (USD 3M).
On the Cyber Espionage front, this fortnight saw the return of APT28 and APT29, whilst Anonymous came out of the blue, DDoSing Scotland Yard in retaliation for the arrests during the annual Million Mask March in London.
October 21, 2016, "the day the internet died", will be remembered for ages, and besides this event, which is undermining our certainties, the list of noticeable attacks is quite well populated: Weebly was hit by a massive breach that probably occurred in February 2016 (43 million users); Foursquare is on the list as well (23 million victims from a breach purportedly occurring in December 2013, even if the company did not confirm it); AdultFriendFinder was also hit (again) and 73 million accounts are floating around the dark web; and finally the details of 3.2 million cards belonging to customers of top Indian banks were also leaked in one of the worst incidents ever.
Other interesting events include the discovery of a long-lasting campaign by the infamous APT28 AKA Fancy Bear (over 1,000 high-profile individuals across the globe between 16 March and 14 September 2015) and the return of Anonymous-affiliated hackers.
200 alleged Yahoo! accounts were published on the Real Deal marketplace by Peace, the same hacker who had previously sold the DB dumps of MySpace and LinkedIn.
But this was not the only mega breach of this fortnight: 15 million Iranian users of Telegram were compromised by attackers tied to the infamous state-sponsored group Rocket Kitten; 3.7 million customers of Banner Health, an Arizona-based healthcare group, were equally compromised (unfortunately the trail of massive breaches affecting healthcare continues); and finally, hackers belonging to the Pravy Sector collective dumped more than 150 GB of data from Central Ohio Urology Group.
Other interesting events in cyber crime include the discovery of malware in 20 locations of HEI Hotels & Resorts, the chain that owns Starwood, Marriott, Hyatt and Intercontinental hotels; the hack against Bitfinex, in which hackers made off with $65m worth of Bitcoins (£48m, €57m), creating turmoil in the value of the cryptocurrency; and the wave of DDoS attacks orchestrated by the PoodleCorp collective against several video game portals such as Blizzard's battle.net or the PlayStation Network.
And whereas Anonymous turned their attention mainly against Brazil because of the Rio 2016 Olympic Games, the list of cyber espionage operations is really too long to summarize.
Pokemon GO is a massive phenomenon, so massive as to attract the unwelcome attention of the OurMine and PoodleCorp crews, who purportedly took down its server infrastructure in two distinct attacks.
The OurMine collective was also involved in other hijacks of prominent Twitter accounts (Shuhei Yoshida, the president of worldwide studios at Sony, and John Hanke, the CEO of Niantic, the studio that developed Pokemon GO), and Sarah Silverman's account was hacked in the same period.
Other massive breaches were reported, targeting Interpark, a South Korean e-commerce company (10.1 million users affected), and two video games: the forum of Clash of Kings (1.6 million) and Warframe (775,000 users affected).
Two more weeks, two more mega breaches: the total of accounts siphoned from Tumblr and MySpace exceeds 300 million, setting a new unwelcome record. But that was not the only remarkable event of this fortnight, which also revealed the real extent of the SWIFT hack, involving 12 additional banks.
The hacktivists were also quite active in this period: Anonymous added other targets to their OpIcarus, and also leaked 2 GB of data from 33 Turkish hospitals. Phineas Phisher, the infamous hacktivist behind the attacks on Hacking Team and Gamma International, was back, leaking the details of several cops from the Catalan Police Union (and posting a tutorial on YouTube).
This period also registered several Cyber Espionage operations, such as the attack against RUAG, a Swiss defense contractor (probably orchestrated from Russia), and the operations Stealth Falcon (against Emirati journalists, activists and dissidents) and OilRig (against Saudi Arabian financial institutions and technology organizations).
1.5 million: this is the number of customer records stolen from Verizon Enterprise Solutions and published on an underground forum, in what can be considered the most important event of this fortnight. This event overshadowed another massive breach, in Japan, where the local police discovered over 18 million user credentials hosted on a server of a local Japanese company, which allowed Chinese hackers to use its infrastructure for their attacks. Last but not least, these two weeks also saw an unusual number of malvertising events with several high-profile victims.
Anonymous were also quite active, most of all in the Philippines, where hacktivists affiliated with the movement dumped the entire population of voters, consisting of 55 million records. Other minor operations hit Canada (a mining company), Kenya (a refinery) and Angola (28 government websites).
The Cyber War between India and Pakistan seems far from a conclusion. These two weeks reported two operations carried out by Pakistan against India, one of which is quite particular: a malicious app uploaded to the Google Play Store immediately became quite popular among the Indian Army, which allowed the Pakistanis to snoop on the enemy's conversations.
Even if this fortnight has not been particularly rich in events from a merely numeric perspective, a few breaches are destined to be remembered for a long time for consequences not necessarily limited to the InfoSec community. I am obviously talking about the Mossack Fonseca leak, the dump containing the records of "50 million Turkish" citizens, and the 43 GB of data belonging to the Syrian National Agency for Network Services. The list of victims of massive breaches also included Naughty America with its 3.8 million accounts.
On the Cyber Espionage/Cyber War front, this has been quite a tough period for Sweden, whose air traffic control system was allegedly targeted by Russian hackers (a solar storm, according to the official version). In the same days, the Swedish Armed Forces revealed that their military computers were hacked and used in an attack targeting major US banks in 2013... Not a great reward for a military network.
And while the Cyber War between Armenia and Azerbaijan reached new levels (with the involvement of Turkish actors), there is nothing particularly meaningful to mention related to hacktivism. Like every year, hacktivists from all over the world threatened Israel on the occasion of the so-called #OpIsrael declared for April 7th. However, following the trend of the last few years, the damages (if any) were absolutely negligible.
Regarding the first trend, there were several noticeable events: a trove of passwords discovered on the dark web (a total of more than 300 million accounts spread across two different leaks and belonging to different services such as Google, Microsoft and mail.ru), and the alleged hack of two additional services (Fling.com, an adult site, and Neopets, a virtual pet community), compromising millions of accounts.
The hacktivists were quite "hacktive" as well (it reminded me of the "good old days"). Although their actions were limited to DDoS attacks, the list of targets is quite long and includes, among others, the Bank of Greece and the Bank of England.
Other interesting events include the release of the UAE Investbank leak and the discovery of a long-lasting campaign orchestrated by Iranian actors.
This fortnight showed quite a high number of events; in terms of impact, the most important ones hit two companies, a bank (Crelan) and an aerospace company (FACC), which lost respectively USD 75.8 and 54.5 as the effect of a BEC (Business Email Compromise).
Another remarkable event concerns a "possible" hack of NASA. The term "possible" is more than justified here, since there are many doubts about whether the attack really happened.
And while Israel and Ukraine were the victims of more cyber-attacks against their critical infrastructures, HSBC was flooded by a DDoS attack, the Cyber War between Armenian and Azerbaijani hackers added new chapters, and Anonymous continued their personal war against the Taiwanese government.
2017 Predictions<br />
NOVA Research Center review some of the most important events of the year globally, and their impact<br />
on the worlds of the ICT users. It is difficult to sum up everything in one phrase. Important issues that we<br />
may encounter regarding cyber crime in 2017 are listed below 14 :<br />
<br />
<br />
<br />
<br />
<br />
It will be hard to determine who participated in the attacks: With cyber-attacks playing an<br />
increasingly important role in international relations, knowing who is doing the attacks will be a<br />
fundamental problem in terms of steps such as political retaliation. The search for identification<br />
will bring about an increase in the number of criminals who leave misleading clues about their<br />
identity.<br />
The Rise of Information Wars: In <strong>2016</strong>, the World began to take the misuse of leaked information<br />
seriously. Such attacks are expected to increase in 2017, and there is a risk that the attackers who<br />
might benefit from the tendency of people to believe in this kind of data, disclose such<br />
information as partially or fully manipulated.<br />
Experts predict an increase in the number of attackers in the so-called "Robin Hood" style, which<br />
attacks to systems for the good of the majority.<br />
Increased Vulnerability against <strong>Cyber</strong> Sabotage: Critical infrastructures and production systems<br />
of vital importance will continue to attract attackers in the geopolitical periods of tension, as long<br />
as the internet remain connected, with little or no protection.<br />
Mobile Espionage: Especially targeted are the mobile devices and as the security industry will<br />
have difficulty in obtaining full access to mobile operating systems for forensic analysis, espionage<br />
activities are expected to take place more often.<br />
More Advanced Financial Attacks: It is anticipated that attacks such as the SWIFT robbery in <strong>2016</strong><br />
will be improved using advanced methods. Resources that specialize in this matter will be shared<br />
in underground forums or sold as services.<br />
<br />
<br />
<br />
<br />
Payment Systems in Danger: Various payment systems are becoming increasingly popular and<br />
are expected to attract more attention from attackers.<br />
Breakdown of "Trust" in Ransomware: While experts predict that the rise of ransomware will<br />
continue, they also anticipate that victims will no longer trust the attackers, that is, they will not<br />
believe that their data will be returned if they make a payment. It is anticipated that this will be a<br />
turning point for people who are ready to pay.<br />
Device Integrity on an Overcrowded Internet: There is a high risk that hackers will be able to take over<br />
and control as many devices as possible, while Internet of Things (IoT) device vendors continue to<br />
produce unprotected and vulnerable devices.<br />
The Criminal Attraction of Digital Advertisements: In the next year, we will see the tracking and<br />
targeting tools we are used to seeing in the advertising industry being used to track so-called<br />
activists and opponents. Similarly, ad networks that offer excellent target profiling<br />
capabilities through combinations of IP address, browser fingerprinting, interests, and sign-on<br />
selections will be used by targeted cyber-espionage agencies.<br />
Source: Kaspersky, Predictions for 2017 report.
NOVA Product Family and Customer Case Studies<br />
As the Department of <strong>Cyber</strong> Security at NETAS, we offer cyber-security products and services, namely<br />
assessment tools to find vulnerabilities, a penetration test service, and a next-generation firewall, which are<br />
all gathered under our brand NOVA. The NOVA brand is the result of our work in the cyber security area, built on our<br />
46 years of R&D experience. All the products are developed locally in <strong>Netas</strong> R&D labs. NOVA has cyber<br />
security projects such as VoIP, web and IoT security, big data security analytics, mobile malware analysis<br />
and a security operation center.<br />
The Nova cyber security product family consists of 3 different products and a penetration test service.<br />
• Nova V-Gate – Detects and prevents VoIP threats and frauds via an IDS/IPS mechanism. V-GATE<br />
secures your infrastructure by performing deep packet inspection and statistical and<br />
behavioral analysis, detecting anomalies and preventing VoIP attacks, and providing VoIP monitoring and<br />
operational management via a policy rule editor.<br />
• Nova MSP – Secure multimedia communication via the Media Security Platform, NOVA MSP.<br />
It achieves secure media transfer enriched with various security methods and flexible crypto<br />
algorithm usage, enabling secure voice and video communication, file and message transfer, and<br />
whiteboard usage.<br />
• Nova V-Spy – V-SPY is an automated, enriched VoIP penetration test suite including a rich variety<br />
of VoIP attack modules and detailed reports of security measures via its expert system.<br />
• Nova PenTest – Pentest Services test the applications, infrastructure and devices themselves to<br />
ensure they are protected from VoIP, web and Unified Communications-related attacks.<br />
www.novacybersecurity.com<br />
Focus Sector<br />
• Telecommunication Service Providers (Mobile, Internet, and VoIP Service Providers)<br />
• Enterprise Companies<br />
• Honeypot<br />
Issues<br />
• Financial and tax losses via Toll & Traffic Frauds<br />
• Denial of Service<br />
• Social engineering via Caller ID Spoofing<br />
• Eavesdropping and Privacy<br />
• Loss of reputation<br />
• Losses due to quality of product & service<br />
Recommendations<br />
• Creating a secure VoIP infrastructure begins with identifying vulnerabilities and reporting<br />
solutions. For this, it is advisable to use specialized vulnerability analysis tools and security experts<br />
to detect logical errors.<br />
• Use VoIP firewall products, which detect and prevent incidents and attacks by performing in-depth<br />
real-time data analysis without delaying the voice traffic, with dynamic rule creation and<br />
filtering against intelligent and unknown attacks. With application-layer analysis, they can<br />
detect known attacks as well as the abnormal behavior of zero-day attacks by performing<br />
message analysis and call-state analysis. In addition to network security, prevention of service abuse and<br />
unauthorized calls with real-time alarms protects against large losses.<br />
• Use VoIP IDS/IPS products that prevent VoIP traffic and toll fraud, identify social engineering<br />
and contribute to operational management. A complete solution is possible only with<br />
enforcement by the legislator and cooperation among the operators.<br />
• Security measures from traditional data networks cannot be applied directly to the VoIP world. The<br />
applications must work on time-critical data without causing performance problems.<br />
• Standards for VoIP security must be defined. It is recommended that separate security standards<br />
be provided for producers, vendors, and users, and that compliance with these standards be ensured.<br />
• VoIP monitoring products should be used to increase service quality by measuring VoIP<br />
services.<br />
• VoIP operational management tools should be used for the prioritization and management of VoIP services.<br />
• A secure mobile communications platform (secure voice, messaging and sharing) should be adopted that<br />
allows complete control over the infrastructure and enforcement of privacy and regulatory<br />
compliance requirements.<br />
Nova V-Gate<br />
Most attacks targeting the VoIP infrastructure make use of the signaling technologies. SIP is the most<br />
common signaling protocol used for VoIP communications. Therefore, an application-level firewall is<br />
required to protect the system. The NETAS VoIP Firewall was designed to fulfill this requirement.<br />
The NETAS VoIP Firewall is not only a solution that detects anomalies and prevents attacks; it also detects<br />
and prevents VoIP frauds such as toll fraud and premium rate service fraud.<br />
V-GATE is a modular, transparent, high-performance VoIP firewall aimed at protecting VoIP systems from<br />
costly, damaging attacks by preventing known and unknown application-layer attacks such as toll<br />
fraud, premium rate service fraud, DoS/DDoS/TDoS, brute force, and fuzzing.<br />
It is designed against attacks that lead to great damage, including service outages as well<br />
as revenue and reputation loss. The Nova V-GATE attack prevention system protects servers providing VoIP<br />
communication against known and unknown attacks. It is the first domestic firewall preventing a broader<br />
range of attacks compared to its international competitors, and it includes different detection and<br />
prevention methods for toll fraud.<br />
NOVA V-Gate, which started to work actively for our customers in <strong>2016</strong>, reveals the existence of<br />
previously unidentified attacks. Unfortunately, while the Internet infrastructure is monitored regularly, the<br />
same sensitivity is not shown for VoIP environments. By analyzing the data collected from our customers in <strong>2016</strong>,<br />
fraud calls in the VoIP infrastructure, caller ID spoofing, service interruption, unauthorized<br />
calls and dropping of authorized calls, unbilled calls, and policy violations can be detected.
Figure 8: Nova V-Gate Components<br />
Protocol Attack Detection and Prevention<br />
• DoS/DDoS<br />
o Attacks from the same IP or IP groups<br />
o Attacks from different IPs or IP groups<br />
o Attacks from the same user or user groups<br />
o Attacks to the same user or user groups<br />
• Fuzzing<br />
o SIP syntax control<br />
o SQL injection<br />
• SIP Anomaly<br />
o Brute force<br />
o Enumeration<br />
o BYE/CANCEL tear down<br />
o CLI spoofing<br />
• Traffic Fraud<br />
o Too many hops detection<br />
o False response routing<br />
o Trusted/untrusted route<br />
Operational Management<br />
• User group and prefix<br />
• User-based call monitor<br />
• Flexible policy rule editor: blocking or allowing options according to call features<br />
o Caller/called number<br />
o User/IP groups<br />
o Domain<br />
o Message types<br />
o Call direction<br />
o Call time<br />
o SDP media information (codec type, media attributes, etc.)<br />
VoIP Monitoring<br />
• Call state monitoring with cause codes<br />
o Successful calls<br />
o Error calls<br />
o Unsuccessful calls<br />
o Calls blocked by Nova V-Gate IPS<br />
• Multi-contact header support<br />
• LCR featured call monitoring<br />
• Multi-source and destination VoIP monitoring<br />
• Advanced <strong>Report</strong>ing<br />
o Call state monitoring<br />
o Trunk-based call monitoring<br />
Data Analysis<br />
• Statistical data analysis on CDR data<br />
• Group-based call direction report<br />
• Anomaly detection<br />
• Behavior-based user analysis<br />
o Call number<br />
o Call duration<br />
o Call direction<br />
o Call time (work times, time off)<br />
• Fraud type definition: user group definition according to fraud types<br />
Table 1: Nova V-Gate Components
Fraud Detection and Prevention with V-Gate<br />
• Traffic and Toll Fraud<br />
• IDS: Flexible, Multi-Parameter Rule Policy<br />
o Calls in a specific time frame (weekdays, weekends, work hours, off hours, etc.)<br />
o Certain number of calls<br />
o Certain duration of calls<br />
o Forwarded calls<br />
o International calls<br />
o Calls belonging to certain user groups<br />
o Calls towards groups<br />
• Real-Time Actions (IPS Proactive Approach)<br />
o Alarm, log<br />
o Block next calls<br />
o Rejection<br />
o Termination of active calls<br />
o Monitoring and <strong>Report</strong>ing of fraud-suspected calls<br />
Figure 9: Nova V-Gate IDS-IPS Components
Which types of fraud can be blocked with V-Gate?<br />
Fraud Type: Fraud Scenario<br />
F1: Small number of calls with long durations<br />
F2: Large number of calls with short durations<br />
F3: Long duration calls within a specific slice of time<br />
F4: Large number of calls towards a specific category within a specific slice of time<br />
F5: Long duration calls towards a specific category within a specific slice of time<br />
F6: Long duration multiple calls from the same user towards the same destination at the<br />
same time<br />
F7: Large number of short duration calls from the same user towards the same destination<br />
at the same time<br />
F8: Large number of long duration calls towards a specific category within a specific slice of<br />
time<br />
Table 2: Fraud Types prevented by Nova V-Gate<br />
Samples of a Customer's Data Generated By V-GATE<br />
Figure 10 indicates the most common fraud types observed at one of the service providers. It seems that<br />
fraudulent users have a tendency to make a small number of long duration calls (F1 in Table 2) and to<br />
make long duration calls in a specific period of time (F3 in Table 2).<br />
Figure 10: Fraud Calls Percentage Based On Fraud Types<br />
It can be seen that the prevented fraud calls are mostly made towards regions with high calling charges<br />
(see Figure 11 and Figure 12). Service providers generally classify each international number based on<br />
the calling price. While K5 is assumed to be the most expensive international region, K1 is the least. It is<br />
inferred from the figures below (Figure 11 and Figure 12) that K5 as a destination category and Uganda<br />
as a destination country are the destinations most targeted by the fraudulent users.
Figure 11: Percentage of Fraud Calls Prevented<br />
By V-GATE Based On Destination Category<br />
Figure 12: Percentage of Fraud Calls Prevented<br />
By V-GATE Based On Destination Country<br />
Figure 13 gives average call durations for international calls made towards each call destination category.<br />
It is clearly seen that there is a peak in the durations of calls towards K5 between 00:00 and 04:00.<br />
This is typical F1 fraud type behavior, which indicates a small number of long duration calls. Fraudsters<br />
generally prefer night hours to make long duration calls towards high-cost destination numbers.<br />
Figure 13: Hourly Average Call Durations Based On Call Destination Category (y-axis: Mean Call Duration (sec); x-axis: Hour; annotation: F1 fraud type, small number of long duration calls, can be seen among the calls towards K5)
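The fraud scenarios of Table 2 and the hourly profile of Figure 13 can both be computed from plain call detail records. The following is an added example written for this report's reader; it is not code from the report or from the V-Gate product. It applies scenarios F1, F2, F3 and F6 to a constructed set of CDRs and builds the per-category hourly mean-duration profile, flagging categories with a night-time peak. The `CDR` field names, the thresholds (what counts as "long", "short", "many" and "few"), the K1..K5 labels and all sample calls are assumptions.<br />

```python
# Added example, not code from the Netas report or the V-Gate product: a small
# CDR analyser that applies the Table 2 fraud scenarios F1, F2, F3 and F6 and
# builds the hourly mean-duration profile per destination category behind
# Figure 13. Thresholds, field names and the sample CDRs are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class CDR:
    caller: str
    callee: str
    category: str       # destination price category, K1 (cheapest) .. K5 (assumed)
    start: datetime
    duration: int       # seconds


# Assumed thresholds of the kind a V-Gate style policy rule would carry.
LONG_CALL = 1800           # >= 30 min counts as "long duration"
SHORT_CALL = 30            # <= 30 s counts as "short duration"
MANY_CALLS = 20            # "large number" of calls per caller in the window
FEW_CALLS = 5              # "small number" of calls per caller in the window
NIGHT_HOURS = range(0, 4)  # the 00:00-04:00 slice highlighted in Figure 13


def _max_concurrent(calls):
    """Largest number of calls in `calls` that overlap at one instant."""
    events = []
    for c in calls:
        events.append((c.start, 1))
        events.append((c.start + timedelta(seconds=c.duration), -1))
    events.sort()  # at equal times -1 sorts before +1, so an end never overlaps a start
    best = current = 0
    for _, delta in events:
        current += delta
        best = max(best, current)
    return best


def classify(cdrs):
    """Return {caller: sorted fraud labels} for callers that trip a scenario."""
    findings = defaultdict(set)
    by_caller = defaultdict(list)
    for c in cdrs:
        by_caller[c.caller].append(c)
    for caller, calls in by_caller.items():
        long_calls = [c for c in calls if c.duration >= LONG_CALL]
        short_calls = [c for c in calls if c.duration <= SHORT_CALL]
        # F1: a small number of calls, all of them long.
        if len(calls) <= FEW_CALLS and len(long_calls) == len(calls):
            findings[caller].add("F1")
        # F2: a large number of calls, all of them short.
        if len(calls) >= MANY_CALLS and len(short_calls) == len(calls):
            findings[caller].add("F2")
        # F3: long calls placed inside a specific time slice (night hours here).
        if any(c.start.hour in NIGHT_HOURS for c in long_calls):
            findings[caller].add("F3")
        # F6: several long calls from one user to one destination at the same time.
        for callee in {c.callee for c in calls}:
            same_dest = [c for c in calls if c.callee == callee]
            if _max_concurrent(same_dest) > 1 and all(c.duration >= LONG_CALL for c in same_dest):
                findings[caller].add("F6")
    return {caller: sorted(labels) for caller, labels in findings.items()}


def hourly_mean_duration(cdrs):
    """{category: {hour: mean duration in seconds}}, the data behind Figure 13."""
    buckets = defaultdict(lambda: defaultdict(list))
    for c in cdrs:
        buckets[c.category][c.start.hour].append(c.duration)
    return {cat: {h: mean(d) for h, d in hours.items()} for cat, hours in buckets.items()}


def night_peak_categories(profile, factor=3.0):
    """Categories whose night-hour mean duration exceeds `factor` x the daytime mean."""
    flagged = []
    for cat, hours in profile.items():
        night = [m for h, m in hours.items() if h in NIGHT_HOURS]
        day = [m for h, m in hours.items() if h not in NIGHT_HOURS]
        if night and day and mean(night) > factor * mean(day):
            flagged.append(cat)
    return sorted(flagged)


def sample_cdrs():
    """Constructed CDRs for one day; not customer data."""
    t0 = datetime(2016, 11, 20, 0, 0)
    cdrs = []
    # Ordinary business user: six two-minute daytime calls towards a K5 region.
    for i in range(6):
        cdrs.append(CDR("user_a", "+25670555%04d" % i, "K5", t0.replace(hour=9 + i), 120))
    # F1 + F3 pattern: three 45-minute calls towards K5 in the night hours.
    for i in range(3):
        cdrs.append(CDR("user_b", "+25670555%04d" % (100 + i), "K5", t0.replace(hour=1 + i), 2700))
    # F2 pattern: 25 ten-second calls within one hour.
    for i in range(25):
        cdrs.append(CDR("user_c", "+33120555%04d" % i, "K2", t0.replace(hour=14, minute=i), 10))
    # F6 pattern: two overlapping 30-minute calls to the same K5 number.
    cdrs.append(CDR("user_d", "+256705550999", "K5", t0.replace(hour=22), 1800))
    cdrs.append(CDR("user_d", "+256705550999", "K5", t0.replace(hour=22, minute=10), 1800))
    return cdrs
```

Running `classify(sample_cdrs())` labels user_b as F1 and F3, user_c as F2 and user_d as F1 and F6, while the ordinary user trips nothing; `night_peak_categories(hourly_mean_duration(sample_cdrs()))` returns `["K5"]`, reproducing the night-time peak the text describes. In production the thresholds would come from the operator's policy rules and the window would be a rolling period rather than one day.<br />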
VoIP Monitoring Results<br />
• Outbound calls have higher error rates than inbound calls.<br />
• Most call setup errors are:<br />
o Decline (outbound calls only)<br />
o Address Incomplete<br />
o Busy Here<br />
o Service Unavailable<br />
Suggestions for Effective Use:<br />
• More effective network management rules can be defined on the V-GATE group-based structure by<br />
creating IP / Trunk / User groups according to the IP and user information of the caller.<br />
• Call management can be provided by creating policy rules to control behavior during work hours and<br />
off hours.<br />
• By controlling call duration on a case-by-case basis, it is possible to limit the number of users<br />
exceeding a certain usage.<br />
VoIP Monitoring Sample Results from Customer Sites:<br />
In Figures 14 and 15, one of the VoIP monitoring abilities of V-GATE can be examined. A customer can see<br />
how many of the calls were successfully completed, how many of them remained unanswered, and how<br />
many of them ended with errors. Besides, the cause values of error calls reported by V-GATE can<br />
contribute to the customer's awareness of the main causes of the errors in their traffic.<br />
Figure 14: Percentage of Call Completion States<br />
Figure 15: Percentage of ERROR Calls Based on Error<br />
Reason
Nova MSP<br />
We provide protection with our NOVA MSP solution against attacks on mobile communications,<br />
which have taken a rapidly growing share of security research in recent years. The MSP product, which<br />
came into use in <strong>2016</strong>, has end-to-end encryption, secure video conference, and encrypted file<br />
transfer features. It prevents man-in-the-middle attacks and data breaches. We are continuing our R&D<br />
activities in this area and we aim to take our place among corporate messaging platforms and offer new<br />
solutions with advanced features.<br />
Nova V-Spy and Penetration Test<br />
Last year, it was observed that institutions with very large ICT systems (Adobe, eBay, etc.) were<br />
exposed to cyber-attacks and data leaks, even though they have many defensive devices and applications.<br />
The most important factor behind this situation is that attackers have changed the rules of the game by<br />
changing their types and methods of attack. According to a study, 66%<br />
of these attacks are detected during a security breach, especially in large institutions, and 87% of detected<br />
security violations are discovered by external sources. Consequently, offensive and defensive tools and<br />
methods should be used together. Like an attacker, penetration test experts simulate hacking scenarios on<br />
real production systems. In this way, weaknesses and vulnerabilities in the organization can be detected<br />
before an attack.<br />
Figure 15: <strong>Cyber</strong> Security Evaluation<br />
The network and web application security assessment and evaluation process is performed by V-Spy and<br />
the Pentest service. By analyzing all the tests that can be done as a whole, rather than from a partial view of security,<br />
tests are carried out with an approach focused on results that will benefit the customer.
In the tests we have done so far, we have:<br />
• Decrypted encrypted security codes by capturing network packets, as part of the value-added<br />
penetration test<br />
• Spoofed any customer's phone number (caller ID spoofing) and used this number to bypass the<br />
call center control mechanism (OTP message)<br />
• Generated calls to the company's customers using the customer call center number<br />
• Gathered information from web services<br />
• Found VoIP PBX and network devices vulnerable to password attacks (dictionary, brute force)<br />
• Detected components vulnerable to DDoS/TDoS attacks from the internal network<br />
• Dropped active calls using registered users on the IP PBX management application<br />
• Found no monitoring or prevention solution on the VoIP infrastructure<br />
Other security tests covered password cracking, call eavesdropping, data leakage, call dropping, crashing<br />
and slowing down systems, traffic and toll fraud, and premium rate service fraud, and such situations have been<br />
identified. Operators' traffic / roaming / toll fraud attacks, and losses from IP-based blocking instead of<br />
user-based blocking, are noteworthy.<br />
NOVA Honeypot Results<br />
The main location of this honeypot is the NETAS R&D labs in Turkey. It sits in the isolated part<br />
(Demilitarized Zone, DMZ) of the internal network. The simulation environment is opened directly to the<br />
Internet; all incoming requests are logged and statistical analyses are carried out. The packets used in<br />
the attacks are analyzed through deep packet inspection. Malware and payload commands are extracted<br />
and stored.<br />
Figure 17: NOVA Honeypot Architecture<br />
Table 3 presents short statistics to give a better understanding of the data collected by the<br />
honeypot. The numbers cannot be directly compared, but the table gives a first impression of the results
of the following analyses. Dionaea collects more packets than the Kippo honeypot because it<br />
listens on more service ports than Kippo. However, Kippo detects many more source IP addresses.<br />
The honeypot system provides a larger range of destination IP addresses and collects all SIP messages<br />
directed to the Asterisk PBX. However, in all of the components, the origin of the attacks is very much alike.<br />
Table 3: Basic Statistical Results of the honeypot<br />
The NOVA honeypot system, located in front of VoIP systems, was launched in June <strong>2016</strong>. To date, there<br />
has not been any complicated malware attack, but Kippo has been attacked through various services. While<br />
Telnet was the most popular service, attacks worldwide were equally spread among the other services.<br />
These attacks are shown port-based and, in Figure 18, by country. Attacks against the<br />
honeypot in Turkey most frequently come from China, Vietnam, Russia, Brazil, the USA, and Canada.<br />
Figure 18: Origin of Attack Globally<br />
According to the collected data, most attacks targeted the SIP protocol (port 5060). Although it was not open,<br />
attackers tried to access port 23, the Telnet service. In password attacks, the root/123456 and<br />
admin/admin combinations were tried most. Another thing to notice is that IoT devices such as<br />
Raspberry Pi and Arduino are targeted, judging by the commands executed in SSH sessions and the<br />
password attempts. A total of 1350 instances of malware were collected; the system was<br />
compromised through the SSH service 9 times and OS commands were executed. 436 web addresses<br />
(URLs) were used in the attack vectors. Although there was a lot of VoIP message traffic during the<br />
monitoring period, no full conversation was established and no fraud case occurred.
Figure 19: Most Attacked Service<br />
It is easy to see that port 5060 of SIP (Session Initiation Protocol), a VoIP protocol, is second in<br />
the attack ranking, while most attacks come through port 23 of the Telnet protocol. When<br />
the statistics are considered, it is seen that more than one attack is performed from the same IP addresses,<br />
so we think that most of the attacking clients are automated vulnerability scanning tools, not<br />
humans. We see that these automated tools perform operations such as port scanning, service discovery,<br />
operating system discovery and vulnerability scanning on the scanned systems. For example, we<br />
found some SQL query payloads intended to exploit SQL injection vulnerabilities in the attack logs.<br />
When we look at the distribution of the attacking countries over time, we suspect that a<br />
specific attack tool is being used from different countries via self-concealing methods such as<br />
VPN and Tor.<br />
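The password statistics and the "automated tool, not a human" judgement above come straight out of the SSH honeypot's login log. The following is an added example for this report's reader, not code from the report or from the NOVA honeypot: a parser for login-attempt lines in the style Kippo writes them (the exact line format is assumed), which counts the most-tried credential pairs and attempts per source IP, lists accepted logins, and flags sources whose inter-attempt timing points to automation. The log lines are constructed, not honeypot data.<br />

```python
# Added example, not code from the Netas report or the NOVA honeypot: a parser
# for SSH login-attempt lines in the style Kippo writes them (format assumed),
# producing the statistics discussed above: most-tried credential pairs,
# attempts per source IP, accepted logins, and IPs whose timing suggests a tool.
# The log lines below are constructed, not honeypot data.
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d[+-]\d{4}) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>failed|succeeded)$"
)

SAMPLE_LOG = """\
2016-06-15 01:02:03+0300 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.23] login attempt [root/123456] failed
2016-06-15 01:02:05+0300 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.23] login attempt [root/password] failed
2016-06-15 01:02:07+0300 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.23] login attempt [admin/admin] failed
2016-06-15 02:10:00+0300 [SSHService ssh-userauth on HoneyPotTransport,4,203.0.113.5] login attempt [root/123456] failed
2016-06-15 02:10:40+0300 [SSHService ssh-userauth on HoneyPotTransport,4,203.0.113.5] login attempt [pi/raspberry] succeeded
2016-06-16 04:00:00+0300 [SSHService ssh-userauth on HoneyPotTransport,5,192.0.2.77] login attempt [admin/admin] failed
this line is not a login attempt and is skipped by the parser
"""


def parse_log(text):
    """Return one dict per login attempt; lines that do not match are ignored."""
    attempts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S%z")
        attempts.append(rec)
    return attempts


def top_credentials(attempts, n=3):
    """Most-tried (user, password) pairs, the root/123456 and admin/admin view from the text."""
    return Counter((a["user"], a["password"]) for a in attempts).most_common(n)


def attempts_per_ip(attempts):
    return Counter(a["ip"] for a in attempts)


def successful_logins(attempts):
    """(ip, user, password) for attempts the honeypot accepted; each one is a compromise."""
    return [(a["ip"], a["user"], a["password"]) for a in attempts if a["result"] == "succeeded"]


def likely_automated(attempts, min_attempts=3, max_gap_seconds=5):
    """IPs with at least `min_attempts` tries where every gap is <= max_gap_seconds:
    a person does not type a fresh password every two seconds."""
    per_ip = defaultdict(list)
    for a in attempts:
        per_ip[a["ip"]].append(a["ts"])
    flagged = []
    for ip, times in per_ip.items():
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        if len(times) >= min_attempts and all(g <= max_gap_seconds for g in gaps):
            flagged.append(ip)
    return sorted(flagged)
```

On the constructed log, `top_credentials(attempts, 2)` returns root/123456 and admin/admin with two tries each, `successful_logins` shows the one accepted login from 203.0.113.5, and `likely_automated` flags 198.51.100.23, whose three attempts arrive two seconds apart. A real deployment would feed the accepted-login list and the automated-source list straight into alerting and blocklist generation.<br />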
In the honeypot systems, we captured 200 malware samples. After scanning these malware samples with<br />
VirusTotal, which involves multiple antivirus engines, the results show a single malware family,<br />
based on the Conficker Trojan. It uses the Microsoft MS08-067 vulnerability. Figure 20 shows the malware<br />
type distribution.<br />
The NOVA Honeypot started working in June <strong>2016</strong>. Therefore, we considered data collected over a period<br />
of 6 months, from June <strong>2016</strong> to December <strong>2016</strong>.
Figure 20: Type of Malware<br />
We identified common IP addresses among Dionaea (210,862 IPs), Kippo (965 IPs), and V-Gate (375 IPs). This further<br />
supports the hypothesis that attackers scan a wide range of IP addresses while performing SIP-based VoIP<br />
attacks, because a large IP range was observed and these attackers were identified in each of them.<br />
The number of common IP addresses suggests that only a small number of attackers recur across the<br />
honeypots. Figure 21 shows the number of attempts from identified attacker IPs during the last 6 months.<br />
For a clearer view, the y-axis is shown on a logarithmic scale. More than 90% of the attackers were<br />
identified on fewer than 7 different days and only a small number of attackers were recognized more often.<br />
We found that the same IP address recurred on average on 3.2281 days in Dionaea, 2.1823 days in Kippo<br />
and 1.9382 days in V-Gate. For further analyses, we focused on the globally active attackers which were<br />
periodically identified in the honeypots.<br />
Figure 21: Attack Counts from Same IP Addresses in the Dionaea, Kippo Honeypots and V-Gate (y-axis: Attack Counts per unique IP, 0 to 800; x-axis: 1 to 20; series: Dionaea, Kippo, V-Gate)<br />
The top globally active attackers in the honeypots have the same source IP address. Table 4 shows the<br />
identified long-term attackers in the honeypots, those seen for more than 60 days. All of them send only SIP<br />
OPTIONS packets with exactly the same User-Agent and the same To address. Some of the SIP To
addresses were not defined at the honeypots, but the attacker used exactly the same string periodically.<br />
It seems that the attacker was not interested in the specific response for this To address, but rather in<br />
any response from the VoIP server. Most long-term scanners are from the USA, Canada, Germany, and<br />
France. The Days column in the table represents the number of days on which attackers returned from the<br />
same IP to the honeypot. In both platforms, the attacker with the most days was last identified on the 6th of<br />
December <strong>2016</strong> (49 unique attacks).<br />
Table 4: Top 10 VoIP attacker IPs
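The cross-honeypot analysis described in this section (addresses common to Dionaea, Kippo and V-Gate, distinct days per source IP and the resulting average, the Figure 21 style recurrence histogram, and the Table 4 style long-term SIP OPTIONS scanners with one fixed User-Agent and To header) reduces to a few set and counting operations over sensor events. The following is an added example for this report's reader, not code from the report or from the NOVA honeypot. The event record layout, the sensor names `dionaea`, `kippo` and `vgate`, the 60-day threshold and every sample address, User-Agent and To value are constructed assumptions.<br />

```python
# Added example, not code from the Netas report or the NOVA honeypot: the
# cross-sensor analysis described above (addresses common to Dionaea, Kippo
# and V-Gate, distinct days per source IP, the Figure 21 style recurrence
# histogram and the Table 4 style long-term SIP OPTIONS scanners). Record
# layout, sensor names and all sample values are constructed assumptions.
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import mean


def event(sensor, day, ip, method=None, user_agent=None, to=None):
    """One observed connection; SIP fields are only set for the V-Gate sensor."""
    return {"sensor": sensor, "day": day, "ip": ip,
            "method": method, "user_agent": user_agent, "to": to}


def sample_events():
    start = date(2016, 6, 1)
    events = []
    # Persistent scanner: SIP OPTIONS to V-Gate every third day for 200 days,
    # always with the same User-Agent and To header (the Table 4 behaviour).
    for d in range(0, 200, 3):
        events.append(event("vgate", start + timedelta(days=d), "198.51.100.7",
                            "OPTIONS", "scanner-ua-A", "sip:100@203.0.113.1"))
    # The same address also touches Dionaea and Kippo on three days.
    for d in (1, 40, 90):
        events.append(event("dionaea", start + timedelta(days=d), "198.51.100.7"))
        events.append(event("kippo", start + timedelta(days=d), "198.51.100.7"))
    # A scanner that changes its To header on every visit: frequent, but not one fixed string.
    for d in range(0, 100, 5):
        events.append(event("vgate", start + timedelta(days=d), "203.0.113.9",
                            "OPTIONS", "scanner-ua-B", "sip:%d@203.0.113.1" % d))
    # One-off addresses seen on a single day each.
    for i in range(20):
        events.append(event("dionaea", start + timedelta(days=i), "192.0.2.%d" % i))
    for i in range(5):
        events.append(event("kippo", start + timedelta(days=i), "192.0.2.%d" % (100 + i)))
    return events


def ips_by_sensor(events):
    out = defaultdict(set)
    for e in events:
        out[e["sensor"]].add(e["ip"])
    return out


def common_ips(events):
    """Addresses observed by every sensor."""
    sets = list(ips_by_sensor(events).values())
    return set.intersection(*sets) if sets else set()


def days_seen(events, sensor):
    """{ip: number of distinct days on which ip reached `sensor`}."""
    days = defaultdict(set)
    for e in events:
        if e["sensor"] == sensor:
            days[e["ip"]].add(e["day"])
    return {ip: len(d) for ip, d in days.items()}


def mean_days(events, sensor):
    """Average number of distinct days per source IP, the per-sensor recurrence figure."""
    counts = days_seen(events, sensor)
    return mean(counts.values()) if counts else 0.0


def recurrence_histogram(events, sensor):
    """{distinct_days: number_of_ips}: the data behind a Figure 21 style chart."""
    return Counter(days_seen(events, sensor).values())


def long_term_sip_scanners(events, sensor="vgate", min_days=60):
    """IPs seen on >= min_days days that sent only OPTIONS with one fixed User-Agent/To pair."""
    per_ip = defaultdict(list)
    for e in events:
        if e["sensor"] == sensor and e["method"] is not None:
            per_ip[e["ip"]].append(e)
    found = []
    for ip, reqs in per_ip.items():
        days = {e["day"] for e in reqs}
        if len(days) < min_days or {e["method"] for e in reqs} != {"OPTIONS"}:
            continue
        signatures = {(e["user_agent"], e["to"]) for e in reqs}
        if len(signatures) == 1:
            ua, to = next(iter(signatures))
            found.append({"ip": ip, "days": len(days), "user_agent": ua,
                          "to": to, "last_seen": max(days)})
    return sorted(found, key=lambda r: -r["days"])
```

On the constructed events, `common_ips` yields the single address seen by all three sensors, `mean_days` gives 43.5 days for V-Gate against roughly 1.1 for Dionaea (the same shape as the report's 3.2281 / 2.1823 / 1.9382 figures, where a handful of persistent scanners lift an average dominated by one-day visitors), and `long_term_sip_scanners` returns only the address with 67 distinct days and one fixed User-Agent/To pair; the scanner that rotates its To header is frequent but is not reported as a fixed-signature long-term scanner.<br />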
<strong>Cyber</strong> Security R&D - NOVA Technology Development Group<br />
E: info@novacybersecurity.com<br />
T: +90 216 522 20 00<br />
F: +90 216 522 23 62<br />
W: http://novacybersecurity.com<br />
NETAŞ Telekomünikasyon A.Ş.<br />
Yenişehir Mahallesi Osmanlı Bulvarı No:11 34912<br />
Kurtköy - Pendik / İstanbul