third Cyber Security Assessment Netherlands - NCSC
Sophisticated malware

CSAN-1 and 2 focused on the Stuxnet and Duqu malware. During the past year, investigators have uncovered more such sophisticated malware. Flame, Miniflame, Wiper and Gauss seem to have a lot in common with Stuxnet and Duqu. These similarities are not restricted to the techniques used: the victims are primarily in the Middle East. According to the Wall Street Journal, the New York Times and The Washington Post, this malware is part of a campaign called ‘Olympic Games’. The United States is alleged to have been working with Israel since on a series of attacks aimed specifically at targets in the Middle East. Among other things, the various malware is said to have been used to gather intelligence for sabotaging the Iranian nuclear programme, and for spying on Lebanese banks.

Investigators are constantly uncovering more indications that a state actor with a high level of knowledge is behind the attacks. For example, cryptanalyst Marc Stevens of the Dutch National Research Institute for Mathematics and Computer Science (CWI) in Amsterdam discovered that Flame uses a completely new, previously unknown variant of cryptographic attack. Flame uses an entirely new variant of a ‘chosen-prefix collision’ attack so that it appears to be a legitimate security update from Microsoft. Developing such an attack requires a high level of cryptanalytical knowledge. Previously unknown vulnerabilities and forged certificates were also used. Analyses carried out by Symantec, among others, reveal that the attackers’ access to the C&C servers, their division of roles on those servers and their purging of them were exceptionally professional. Also of interest is the time that apparently elapsed between the spreading of the malware and its discovery by investigators. It shows that detection mechanisms are not able to detect such sophisticated threats.
For more information see:
http://online.wsj.com/article/SB10001424052702303506404577448563517340188.html?mod=WSJ_hpp_LEFTTopStories
http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=1&_r=2&
http://www.cwi.nl/nieuws/2012/cwi-cryptanalist-ontdekt-nieuwe-cryptografische-aanvalsvariant-in-flame-virus
http://www.fireeye.com/blog/technical/malware-research/2012/08/guys-behind-gauss-and-flame-are-the-same.html
http://www.securelist.com/en/blog/750/Full_Analysis_of_Flames_Command_Control_servers
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_flamer_newsforyou.pdf
http://www.symantec.com/connect/blogs/have-i-got-newsforyou-analysis-flamer-cc-servers
http://www.securelist.com/en/blog/208193808/What_was_that_Wiper_thing
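The chosen-prefix collision that let Flame pose as a Microsoft update was computed against MD5, the hash with which the abused certificate had been signed. The practical defensive lesson is that any certificate in a trust chain signed with a collision-prone hash should be rejected outright. The following script is an added example, not part of the NCSC assessment and not code from any of the analyses linked above; it walks the outer `signatureAlgorithm` field of a DER-encoded X.509 certificate with a minimal hand-written DER reader (no third-party library) and flags MD2, MD5 and SHA-1 signature OIDs. The certificate fixtures it checks are constructed skeletons (empty `tbsCertificate`, dummy signature) built by the `fake_certificate` helper solely so the script runs offline; on a real system you would feed it the DER bytes of each certificate in a chain.

```python
"""Flag X.509 certificates whose outer signature uses a collision-prone hash.

Added example (not from the NCSC report). Uses only the standard library:
a tiny DER TLV reader is enough to reach Certificate.signatureAlgorithm.
"""

# Signature-algorithm OIDs a defender should refuse in a certificate chain.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",   # hash abused by Flame's forged cert
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsaWithSHA1",
}


def _read_tlv(data, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:           # base-128, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der_cert):
    """Return the dotted OID of Certificate.signatureAlgorithm.algorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    """
    tag, body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)          # skip tbsCertificate
    tag, alg, _ = _read_tlv(body, pos)      # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def check_certificate(der_cert):
    """Return (oid, weak_algorithm_name_or_None) for a DER certificate."""
    oid = signature_algorithm_oid(der_cert)
    return oid, WEAK_SIGNATURE_OIDS.get(oid)


# ---- constructed fixtures: a minimal DER encoder for fake certificate skeletons ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def fake_certificate(sig_oid):
    """Constructed skeleton (hypothetical, not a real cert): empty tbsCertificate,
    the given signature AlgorithmIdentifier, and a 200-byte dummy signature so the
    long-form length path of the reader is exercised."""
    tbs = _der(0x30, b"")
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\x00" * 200)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(check_certificate(fake_certificate(oid)))
```

The check deliberately reads the outer `signatureAlgorithm`, which is the algorithm the issuer actually used to sign, rather than the copy inside `tbsCertificate`; a verifier should also confirm the two agree. The fixtures do not carry a valid signature, so this script is a policy filter to run before, not instead of, normal chain validation.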
and professional attack, Shamoon was seemingly a copy-cat by an actor allied to Iran. A further example of espionage malware probably originating from Iran is Mahdi [202], which again is not very sophisticated and is probably used for espionage from Iran.

Western organisations offer sophisticated forms of espionage technology, including malware, on a commercial basis. It appears that variants of FinSpy [203], brought to market by the German/English company Gamma International, have been used by investigative and intelligence services. It now also appears to have been used to spy on or censor opponents of the regime in Bahrain.
202 http://www.informationweek.com/security/attacks/mahdi-malware-makers-push-anti-american/240004380
203 https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/
204 http://www.bloomberg.com/news/2012-07-27/gamma-says-no-spyware-sold-to-bahrainmay-be-stolen-copy.html
205 http://www.nytimes.com/2013/01/16/business/rights-group-reports-on-abuses-ofsurveillance-and-censorship-technology.html?_r=1&
206 http://www.pcworld.com/article/2030602/reporters-without-borders-slams-five-nations-forspying-on-media-activists.html
207 http://www.bloomberg.com/news/2012-04-24/unplug-companies-that-help-iran-and-syriaspy-on-citizens.html
Gamma International says that it has not sold the software to Bahrain and assumes that it was obtained illegally. [204]

According to the media, more situations have recently come to light in which actors from countries such as China [205], Libya [206], Morocco, Vietnam and Syria [207] have used espionage software developed in the West for surveillance of activists and journalists.

Digital espionage continues to pose a serious threat to private organisations too. Public/private collaboration has provided better insight into actual incidents, as has the ad hoc sharing of information such as indicators.
7.4 In conclusion

While the number of vulnerabilities is increasing, it can (again) be established that these are known vulnerabilities, which can be overcome with effective patching and updates. However, given that this does not happen enough, the impact of the vulnerabilities is increasing. In the majority of cases, these vulnerabilities may be used in a DoS attack. Next come the execution of arbitrary code with restricted rights, and access to sensitive data. The number of vulnerabilities in web browsers and CMSs has increased this year.