UPDATED: Top 18 Most Important Internet Security Events & Threats of 2014
Curious about the most relevant security events of 2014? Read what marked this year
From data breaches to cyber-criminal actions, state-sponsored espionage and stealth malware, 2014 has been a year full of surprises.
This year is almost over and before we try to see what security dangers lie ahead, we have to look back and acknowledge what were the main security events that marked this year in the IT industry.
At a first glance, we can see how software vulnerabilities like Shellshock and Heartbleed caught our attention, new aggressive malware developed by cyber-criminals tested our antivirus defenses, cyber-espionage employed by states like Russia or China to obtain political or military data from Western states or simply to know what its own citizens are doing, all these are part of cyber-criminal playground.
If we need to put into perspective and reflect on last year’s threat landscape, we need to observe a widespread increase in producing and selling exploit kit sources worldwide. This fact allows malware threats to be customized by various individuals in order to attack specific targets.
We see for example how Zeus source code has been used to develop Gameover, replacing the single centralized C&C server with a peer-to-peer network of infected computers. To make things worse, Zeus Gameover network can be used to download and install Cryptolocker, the infamous ransomware which encrypts your files and demands a ransom to provide the decryption key.
At the same time, online criminals have found and improved ways to elude identification, relying on cryptographic tools and placing their controlled servers in unregulated countries and dark areas of the Internet.
If we read the writings on the wall and connect the dark places of the Internet with countries where it is difficult to conduct a security investigation, we find a correlation between state-sponsored espionage and sophisticated actions employed by cyber-criminals.
Data privacy breaches and software vulnerabilities
Sony Pictures Massive Hack
We said in the previous article version that the Apple iCloud photos breach is the most important security event of 2014. We were so wrong! Apparently, the corporate breach at Sony Pictures is a lot worse and involves not only data loss and secrets brought into light, but unexpected actors coming into play. We have the mighty US FBI department looking for the smoking gun, we have Koreans as perfect cyber-criminal suspects and stolen movies, this time before they are released. Can it get any better? Why does it seem like a Bond movie?
If we put all aside and try to see exactly what happened and how we can stop this from taking place again in the future, we need to think about information security and how it was established at Sony Pictures.
Because, at the end of the day, we need to improve our personal and corporate security and learn the necessary lessons if we want to prevent this kind of security breach from occurring again in the future.
Apple iCloud photos breach
We can name 2014 the year of serious cloud breaches and an important event that remained in public consciousness is the Apple iCloud security breach, where a number of famous people’s photos have been hacked and delivered online. And as soon as this was over, an attack on China iCloud followed, where the hackers tried to steal users’ credentials and get more information on their activities.
All these privacy attacks in an area less exposed until now created a wave of mistrust and disbelief on what can we actually keep safe from cyber-criminals.
The massive data breaches let us notice just how much importance we should place into improving our defenses and keeping our sensitive information in a safe place.
6 million e-mail accounts breached
Our own reports analyzed data from the criminal underground to indicate more than 6 million e-mail accounts and their credentials have been stolen in the last 3 months.
Top 4 software vulnerabilities
The big number of credentials leaking this period can be connected to the high number of software vulnerabilities that we covered in another article. As our security researchers noticed, the main issue is caused by the fact that security holes in software are not fixed fast enough by deploying security patches.
Analyzing the 3rd party products in the market, our analysts concluded the most vulnerable software are: Oracle Java Runtime environment, Adobe Acrobat Reader, Adobe Flash Player / Plugin and Apple Quicktime, for 2012, 2013 and 2014.
This software vulnerability can be translated into a human vulnerability to security exploits and identity theft attempts operated by online criminals.
This vulnerability has been discovered at the beginning of the year and it is recognized as a serious vulnerability in OpenSSL, a common implementation of the SSL and TLS protocols and used across many sites.
One of the worst software vulnerabilities we encountered in 2014, Heartbleed is an encryption flaw which can be used to “read” secure communication across HTTPS; this data can be retrieved can include credentials, financial details and personal information – allowing an IT criminal to swipe data leaving no trace of the malicious operation.
This security hole appeared in September and was immediately recognized world wide as a serious problem, afecting more than half of Internet websites. Shellshock can be used as a means for spreading malware on Unix, Linux and Mac platforms.
Using this security gap, hackers can deploy malware on legitimate websites in order to retrieve confidential data from compromised computers. And it doesn’t stop here, this major vulnerability is able to provide a cyber-criminal means to gain control over a computer, an event which could be fatal for an enterprise network.
Now, we need to look ahead and acknowledge that software vulnerabilities will still appear in the future, which makes these security threats an unexpected place to start for hackers in their efforts of breaking our defenses and gain access to our sensitive data.
What we can do is to stay informed on software vulnerabilities and apply the necessary security patches as soon as they are released online, before a cyber-criminal has the chance to take any action against us.
Financial and data stealing malware
Cyber-criminal activities increased over the last years and online space has become a favorite hunting ground for people trying to make money or retrieve political information.
This is the threat background organizations should be prepared for in order to withstand major attacks in the years to come.
Cyber-crime technological advances from the last years allowed not only the creation of stealth and more difficult to remove botnets and malicious servers, but improvement of botnet source code.
Let’s just take a look at some pieces of financial and data stealing malware that were present this year in the online space, and which were analyzed by our security analysts at Heimdal Security:
It is a well known fact that the leaking of Zeus source code led other hackers to develop Gameover, probably the most infamous malware ever created.
Gameover is an improved version of Zeus for a few reasons:
The first is that this new piece of malware replaces the traditional centralized command and control server with a peer-to-peer network of infected devices, which makes the malware more resilient and difficult to be removed by security measures.
The second is the creation of a domain generation algorithm, which allows the malware to connect to a new malicious server and send or receive information, in case one of the servers is taken down.
Since we are dealing with one of the most dangerous pieces of malware out there, we have come with a complete analysis on this threat.
Hesperbot is an advanced piece of malicious software which targets online accounts banking credentials. Initially detected by our security analysts in Turkey, in August 2013, this malware has evolved and is now used throughout Europe.
By analyzing its malicious actions, we have managed to connect this software to a real individual and we have now joined law enforcement agencies in tracing down the perpetrator.
Running reverse engineering techniques, our analysts detected the Hesperbot’s infrastructure hosted on servers from Ukraine and Russia. More important for our analysis is that we managed to reveal a connection between Hesperbot, Zeus Gameover and Cryptolocker, the infamous ransomware.
Another new piece of financial and data stealing malware, Dyreza, has targeted until now major online banking websites, like: Bank of America, Natwest, Citibank, RBS and Ulsterbank.
Dyreza has a similar behavior to Zeus Gameover, using also a number of command and control servers in order to exchange information with the infected systems.
Spreading through spam e-mails which contain malicious attachments or through a link included in the e-mail’s body, this malware targets sensitive credentials from online banking services and sends them to a hacker controlled server.
Ransomware is rising
The high number of malware and data stealing software forced the IT industry to come up with various security solutions and defensive mechanisms. As the high number of solutions increased, the botnet network started being used to deliver ransomware.
The most widespread example of ransomware is Cryptolocker, which encrypts data on a computer and demands an exorbitant sum of money from the victim in order to provide the decryption key.
Just to indicate the importance of the recent “collaboration” between Zeus Gameover and CryptoLocker, we need to mention the international joint action against these two major threats that took place at the beginning of the year. Though the number of Zeus Gameover infections is much larger, the CryptoLocker’s ransomware approach made this threat more popular and dreaded than any malware in the Zeus family.
This year also brought a rise of CryptoLocker variants, like Cryptowall, CryptoLocker V2, Cryptodefense and Zerolocker, all of which have similar
behaviors and the same financial interests.
State sponsored cyber-espionage activities
State sponsored cyber-criminal attacks and offensive strategies adapted for the new cyber battlefield are part of the present warfare. Present conflicts between states or domestic unrest involve developing capabilities for cyber attacks and defense.
At the same time, the cyber infrastructure already developed for political purposes is targeting economic and financial institutions all over the world. The espionage campaigns we analyzed this year indicate a strong state-sponsored component that we cannot dismiss.
The Russian Connection
At the beginning of November, we took a glimpse at a troublesome report from FireEye, a report which analyzed a professional cyber-criminal group specialized in stealing political information from governments and security institutions from Eastern and Western European states, which are part of the European Union, NATO or want to adhere to these organizations.
The report indicates that the group’s main objectives are political and state confidential data, especially valuable information that are of great interest to the present Russian external politics.
And other connections between the cyber-criminal actions and Russian interests seem to appear, like the professional looking code created to be developed over a long period of time and the working hours period that correspond to Moscow and St. Petersburg areas, a fact that also indicates the presence of a specially organized team of IT professionals employed for the Russian state interest.
The Chinese Hackers
2014 has been an important year in cyber-crime and security news involving Chinese hackers has been all over the Internet.
We had in May 2014 the United States Department of Justice charging five men described as “military hackers“, who hacked into United States institutions to retrieve sensitive information for Chinese companies. This is the first case of this type.
The 5 hackers who are part of the Chinese military have been indicted for economic espionage and it is the first time a state charged another state on this type of hacking.
Cyber-criminal actions and state-sponsored espionage have pushed the relationship between the United States and China to the limits, especially after the former NSA contractor, Edward Snowden, revealed US surveillance and hacking actions on Chinese firms.
Hong Kong Protests
The Honk Kong protests took place not only on the streets, but also in the online environment.
The pro-democracy protesters’ blogs and the websites that support this movement have been targeted by malware designed to retrieve sensitive information.
The websites that have been affected are Alliance for True Democracy – Hong Kong, People Power – Hong Kong and other sites which supported the Occupy Central and Umbrella Revolution movements against the Chinese government.
It doesn’t take much to think that the Chinese government may be behind these attacks, especially when the hacking campaigns came in an unprecedented degree of sophistication.
There is an invisible front on the world wide web where a shadow cyber war takes place. You may think that you -as a private individual- are not affected, but the people who use these methods and target political data aren’t targeting at the same time economic information?
And how long will it pass until your company is affected?
State protection against cyber-crime
Regin – A sophistical piece of malware
In November, this year, Symantec reports suggested that a newly uncovered spying threat – Regin – has been developed by a nation-state, due to its high degree of sophistication and purpose.
The analysis on Regin indicated that this malicious software has been used to run cyber-espionage campaigns and retrieve sensitive information from governments, large companies and individuals.
Used from 2008, this malware uses stealth features and is able to avoid detection by most antivirus solutions on the market. Symantec reports suggest this malicious tool is designed to run surveillance and it is a high probability to have been developed by a nation.
Among its capabilities are those of stealing online accounts credentials, private data and monitor network traffic.
Language shifts focus to adapt for new cyber-criminal threats
As a sign of an increasing usage of cyber-criminal tools into espionage activities, there is a change in how the U.S. Justice Department restructures the national security policy to go after cyber attacks and cyber-espionage activities, taking their importance to a higher level.
And it is just normal, if we take a look at all the security news we had this year, where there was not a single week we didn’t read about Russian or Chinese hackers trying to access secret information from the United States state institutions, military organizations or from large American companies.
Europe goes into action
On the other side of Atlantic, we see steps for increasing the online security for countries in Europe.
For example, we have the biggest cyber security exercise in Europe, that gathered over 200 organisations and IT security experts from 29 European countries, from the public and private sectors, testing their defense capabilities against a large scale cyber-security threat.
The purpose of these security events is to improve the national capabilities to face cyber-crises situations at a public, state level, but also at a
private level, where we have large companies and security agencies.
Russia and China collaboration
Though these 2 countries have been lately accussed by US officials for using cyber attacks against US institutions and companies, they are also affected by cyber-criminal actions.
This could be the reason why we see a need for a cyber-security treaty between these two countries. The treaty should improve cooperation between them and enable common cyber-security operations.
We have to mention not only the security threats that came from these two countries against the West, but also their protests against the NSA
surveillance activities, as it has been revealed by Edward Snowden.
Collaboration between private security companies and state agencies
Probably the most famous security event this year was the Apple iCloud photos breach, which affected so many celebrities and draw world wide attention to a very simple fact, all IT security voices knew for a long time already:
These days, no one is safe, no matter how you are.
And it is not something that should surprise us. When we have cyber-criminals sponsored by nation-states to target institutions and private firms all over the world, what keeps these people from using the same tools against normal people?
It is more than probable that we will continue to encounter data breaches caused by software vulnerabilities, advanced pieces of data stealing malware, states using cyber espionage against other states for economic or political purposes.
For this reason, we believe the most important security event this year is the international collaboration between agencies in Europe and United States and security software companies.
This joint cooperation targeted the malware infrastructure that supported Zeus Gameover and CryptoLocker, an action which succeeded in taking it down, even though temporarily.
Zeus Gameover is an advanced type of malware mainly designed to retrieve online banking credentials from the infected systems. Spreading through spam campaigns and phishing messages, this piece of software spread on more than 1 million systems globally.
This was an event that allowed us to learn some important lessons about what the future holds for the IT security environment and how we should act when facing these threats.
What the future may hold
It is easy to notice an increasing involvement of states and governments in protecting or taking advantage from cyber-criminal actions.
To keep our systems protected in this diversified threat environment, we need to employ not only new protection tools, but operate a change in mentality.
Using the latest technologies available and serious funding from state agencies, online criminals are able to better organize and deploy long-term data and financial stealing activities. To keep vital data safe and protect sensitive information from other states, security companies need to increase their collaboration with official institutions to create a solid security infrastructure.
Besides state intervention in the cyber-criminal world, 2014 witnessed an evolution of cyber-criminal attacks against the individual. For this reason, the following tendencies we believe will continue to develop in the years to come:
We live in an interconnected world, where our mobile phones can do almost all the things a regular computer can. Connecting our digital and physical lives offers a chance for cyber-criminals to have access to private data and financial information. Such an opportunity won’t be missed in the years to come.
Internet of Things
The present trend of interconnecting mobile devices and social networks with gadgets and home devices makes the threat landscapes a challenging space. With malware threats emerging from all spheres of technology, it won’t be long till the general attention of worldwide hackers is drawn to this new online area. If the years to come announce an increasing number of threats, we can already see security companies preparing for that moment.
If we didn’t pay too much attention to the iOS users until now and we considered it mostly a malware free zone, after the Apple iCloud security incident, where hundreds of “celebrities” accounts have been hacked, we became aware of the privacy and security dangers affecting the users in this market. The same we predict to happen in the Internet of Things case. Until a massive security incident takes place, the IoT won’t be considered as important by most people.
Social media world
Is there any need to emphasize again the security risks posed by sharing and spreading your personal information in an online environment that cannot be controlled and where you allow access to unknown or little known people? Online scams spread by e-mail spam and social media channels is becoming the norm and the increasing occurrence of identity theft events occupy the mainstream security scene. And yet, we predict a growing development of these privacy threats in social media, since the fine line between sharing personal data and keeping sensitive information protected will always be crossed and abused.
Starting a public debate on the security risks that affected our systems and the next episode threats that come in the following years keeps us aware and ready for whatever the future may hold.
It’s not just about predicting and reacting, but creating a security background in an IT infrastructure that keeps us ready for whatever the next day may bring.
How can we judge what occurred this year? Is there a conclusion we can jump to?
What security events are relevant for the online environment? What can we take from our past and make it useful for our future?
This post was originally published by Aurelian Neagu in December 2014.