third Cyber Security Assessment Netherlands - NCSC
Detailed section » 7 Vulnerability of IT
[Figure 13. Software abused by exploit kits. Pie chart "Integrated exploits for products in exploit packs": Oracle Java 32%, Microsoft Internet Explorer 18%, Adobe Flash 17%, Adobe Reader/Acrobat 15%, Other 9%, Microsoft Windows 6%, Mozilla Firefox 3%]
exploiting vulnerabilities. The vulnerabilities that are abused are often already known and not new. In some cases these are zero-day vulnerabilities. The most notable development in the area of exploit kits was the disproportionate number of Java vulnerabilities that were abused.
7.3.3 Malware and infrastructure
The majority of malware focuses on collecting financially attractive data such as credit card or user ID/password details. The by-catch – such as websites visited, details entered on forms and keystrokes – is often gathered at the same time. The average malware offers even wider opportunities. For example, it is often also possible to secretly copy documents, take screenshots or take photos or recordings using a built-in webcam or microphone. There have already been cases where such techniques have been used for espionage, as well as for blackmail or voyeurism. It is becoming easier and more appealing for malicious attackers to capture and abuse or sell such data.
As described in the core assessment, malware is a permanent element of cyber crime. Spreading malware is becoming increasingly wholesale and easier. One of the latest trends is to spread malware through legitimate websites. Malware is increasingly targeting different platforms, including Mac OS X, mobile platforms and, in the case of state malware, also specific industrial systems. Tools for developing, spreading and managing malware and rogue infrastructure are becoming increasingly professional. New malware is only detected by virus scanners to a limited degree, and malware is becoming increasingly difficult to remove from a system. The previous CSAN indicated that 30 per cent of computers are infected with malware.
The NCSC is increasingly receiving information about malware infections, rogue infrastructures and indicators of sophisticated malware. However, organisations often still do not have effective detection mechanisms in place. In response, the organisations concerned generally make do with cleaning the infected systems. This means that it is impossible to subsequently establish the impact of an infection.
Based on information from public sources, developments in the area of sophisticated attacks, malware and rogue infrastructure can be summarised as follows:
»» An increase has been detected in state cyber espionage and sabotage activities.
»» Sophisticated attacks are becoming more common and are also being carried out against smaller organisations. [48: Symantec 2013]
»» Sophisticated techniques used by state actors are being adopted by organised criminals. [197]
»» Attackers are increasingly gaining the advantage. Despite various initiatives for improvement, the defence measures, methods and initiatives are lagging further behind the opponents’ opportunities.
7.3.4 Sophisticated malware
Since the previous CSAN, investigators have once again uncovered forms of highly sophisticated malware. The Wiper, Flame, Miniflame and Gauss malware are connected to previously detected malware such as Stuxnet and Duqu. Reports often associate this with elements of an American/Israeli espionage campaign directed at targets in the Middle East, with the emphasis on Iran. Other sophisticated malware recently uncovered includes Miniduke [198], Itaduke, RedOctober [199] and TeamSpy [200]. According to public sources it is highly probable that multiple states are now actively using sophisticated malware.
It appears that the techniques used are now being copied by various actors. The Shamoon malware uses a technique of mutilating files that is based on the Wiper malware. Wiper was used to make Iranian oil companies’ systems unusable. Shamoon was used in an attack on Saudi Aramco and RasGas. [201] Whereas Wiper was a sophisticated
197 http://blogs.mcafee.com/mcafee-labs/signed-malware-you-can-runbut-you-cant-hide
https://www.securelist.com/en/blog/682/Mediyes_the_dropper_with_a_valid_signature
http://arstechnica.com/security/2012/09/adobe-to-revoke-crypto-key-abused-to-sign-5000-malware-apps/
198 http://www.h-online.com/security/news/item/Highly-specialised-MiniDuke-malware-targetsdecision-makers-1813304.html
199 http://threatpost.com/en_us/blogs/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011113
200 http://threatpost.com/en_us/blogs/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013
201 http://www.nytimes.com/2012/04/24/world/middleeast/iranian-oil-sites-go-offline-amidcyberattack.html?_r=1 & http://www.theregister.co.uk/2012/08/30/rasgas_malware_outbreak/