2018 Analysis Report Annual Summary

On wizSafe Security Signal, we have published threat intelligences discovered on IIJ Managed Security Services and the IIJ Backbone. This article summarizes the contents of analysis report for January to December 2018.

Security Topics

There were many topics in 2018. In this section, we will pick six topics and describe them.

The topics described here are incidents and news that occurred in Japan. The situations for some of the contents may differ in other countries.

Cryptocurrency

Cryptocurrency was one of the major topics in 2018, and there were many variations of them. The examples of topics were:

  • Stolen cryptocurrency due to implementation of cryptocurrency exchange service or the protocols used in the cryptocurrency
  • Cryptocurrency tools included in malware, causing infected hosts to mine cryptocurrency
  • Compromised websites that got mining scripts installed on them
  • Site administrators intentionally including mining scripts on their websites
  • Ransomware demanding cryptocurrency in exchange to the decryption keys

The volume of news related to cryptocurrency has reduced in later half of 2018. However, since the use of cryptocurrency may be beneficial, and since attackers would use them for their convenience, there may be introduction of new topics in upcoming years.

Vulnerabilities of Hardware

On January 2018, there were announcements of vulnerabilities called “Meltdown” and “Spectre”, which were vulnerabilities related to speculative execution and out-of-order execution features implemented on some microprocessors. There were “variants” to the vulnerabilities, and introduction of new variants occurred throughout the year. In addition to microprocessors, there were also vulnerabilities in other hardware. One of the examples was encryption flaws in solid state drives (SSDs). Mitigating vulnerabilities of hardware tend to be difficult as it may require replacement of hardware. Moreover, even if it is possible to fix the vulnerabilities without replacing hardware, the updates may affect functions or performances of the hardware. Therefore, it is important to verify the effects that may result in applying the updates. When we talk about “vulnerabilities”, we may tend to discuss about software vulnerabilities. However, the vulnerabilities may exist on hardware also, and we need to care about these vulnerabilities.

Attacks Using Mails and SMS Messages

Attacks utilizing e-mails are one of the attack methods that have existed from the earlier histories of the Internet, and many attacks still exist in 2018. The e-mail related topics we have focused include:

  • Attachment files that utilize Microsoft Office vulnerabilities
  • Attacks with phishing e-mails
  • Cloud service account, which are officially contracted by the organization, bleached by attackers that logged into the service using the victims’ credentials
  • Users forwarding the organization e-mails to their personal accounts; the attackers access the personal accounts and obtain the information stored in the accounts.

E-mails are still useful, but as we can see, e-mails may cause security incidents. It is important to build a secure and proper system that fits to the users’ requirements. Moreover, it is important to educate users not to be phished by false e-mail contents.

In addition, attacks utilizing SMS messages were also one of the topics for 2018. The message contains URL to an application package that contains malware. To prevent installations of malicious applications to smartphones, there is a configuration to disable installation of applications from sites other than the official application store. Although “Enabled” is the default configuration on many smartphones sold on the market, if it is disabled, enabling such configurations would reduce the risk of installing malicious programs. Moreover, users need to be careful not to respond to malicious messages.

Intrusions to Devices Connected to the Internet

Attacks against various Internet-connected devices were one of the major topics in 2018. One of the examples is the incident where configuration of broadband routers being modified from remote attackers. In this incident, attackers modified DNS server settings of the router to redirect clients to malicious sites by returning false IP addresses to DNS requests. The malicious sites make the client to download malicious Android application package file. The attack is possible when the administrative interface of the router is accessible from the Internet, and username or password configured on the router is either too easy or was not modified from the default values.

Appropriate configuration of the devices that have global IP addresses assigned is essential for avoiding such attacks. Examples of the configurations are setting appropriate passwords, and restricting accesses to the administrative interface from IP addresses other than necessary segments within the LAN. It is possible to find the default passwords for various devices on the Internet, so the administrators must change passwords to something that is different from the default, and it must be complex enough. When configuring access control lists (ACLs) to drop accesses to the administrative interface, it is important to verify that the limitations are functioning appropriately. One of the methods to verify the limitations is to access the device from the Internet.

Politics and Actions on Security

One of the major topics in 2018 was GDPR in Europe. GDPR is a policy in European Economic Area (EEA: European Union states, Iceland, Liechtenstein and Norway). Even if the user of data resides outside of the EEA, if entity exists in EEA, then GDPR is effective for the user of the data. Therefore, we need to pay attention to GDPR. Another topic regarding politics is the Australia data encryption law, which allows Australian government to order service providers to decrypt the user data. Even if a client accessing the service exists in another country, as long as a server exists in Australia, it may affect us. We need to be aware that the laws from other countries may affect us on the Internet.

In Japan, National Institute of Information and Communications Technology (NICT) has started to survey inappropriately configured IoT devices. This operation is justified in a political law, and it is called “NOTICE” (National Operation Towards IoT Clean Environment). There are many cases where Internet-connected devices being abused by attackers. NOTICE aims to scan vulnerable devices, and notice the vulnerabilities to the device owners through their Internet Service Providers. NICT has conducted a pre-survey from November 2018, and then started the actual survey from February 2019.

While the previous two paragraphs described political movements, there were also movements conducted by communities and companies. One of the examples was the Always-On SSL. The primal use of SSL was to encrypt “confidential data” that is transported over the Internet. In 2018, there was a movement to use SSL on general web accesses to prevent attackers from tampering the web contents. To promote this movement, some web browsers started to state unencrypted HTTP communications as “Not secure”. As web browser developers announced this change beforehand, many major web sites started to use HTTPS for general web accesses before the change occurred on the web browser. This is an example of a movement conducted by a company that has affected others.

Development of New Protocols

In 2018, there was a release of WPA3, an updated version of WPA used for connecting to wireless networks. Although we are expecting to see products that support WPA3 in the near future, we need to plan to incorporate the new protocol when products are available.

Another protocol introduced in 2018 was TLS 1.3. To secure the protocol, TLS 1.3 has deprecated some vulnerable features of TLS 1.2. Another improvement in the new version is the throughput. One of the examples is an optimization of handshakes that occur for resuming a suspended session. Some web browsers already support TLS 1.3, and they recommend users to avoid using older TLS versions 1.0 and 1.1. There are always updates to technologies, and we need to understand their improvements and trends.

Analysis

This section summarizes analysis of observatory data in IIJ for 2018.

DDoS Attacks

We detect DDoS attacks in IIJ network backbone and IIJ managed security service devices. Table 1 summarizes DDoS attacks detected by IIJ DDoS Protection Service in 2018.

Table 1: 2018 DDoS Summary
Month # of Incidents
(Average per Day)
Approximated Maximum Packets Per Second
(x10,000)
Maximum Traffics Maximum Attack Duration
Bandwidth Method Duration Method
Jan 422 (13.61) 59 5.79Gbps DNS Amplification 9h 42min HTTP/HTTPS
Feb 465 (16.61) 2,126 20.66Gbps NTP Amplification 19h 10min HTTPS
Mar 808 (26.06) 348 36.02Gbps DNS Amplification 9h 10min HTTPS
Apr 568 (18.93) 86 7.92Gbps LDAP Amplification 5h 8min HTTPS
May 706 (22.77) 335 33.08Gbps memcached 6h 21min NTP Amplification
Jun 623 (20.77) 220 21.45Gbps UDP Amplification 3h 28min NTP, memcached
Jul 641 (20.68) 238 25.24Gbps memcached 2h 54min HTTP/HTTPS
Aug 461 (14.87) 336 15.17Gbps UDP/GRE Flood 2h 32min HTTP/HTTPS
Sep 447 (14.90) 245 25.05Gbps UDP Amplification 3h HTTP/HTTPS
Oct 492 (15.87) 137 14.00Gbps UDP Amplification 4h HTTP/HTTPS
Nov 448 (14.93) 276 23.26Gbps UDP Amplification 2h 30min UDP Flood
Dec 396 (12.77) 409 39.06Gbps UDP Amplification 14h HTTP/HTTPS

Tables 1 informs us that the number of incidents, the maximum packets and the maximum traffics for each month did not have major differences throughout the year with an exception of February. The attack methods that caused the maximum traffics were primarily UDP Amplifications caused by protocols such as DNS and NTP. Since there is no need to establish a connection between hosts for UDP, by disguising the sender IP address of request packets, attackers are able to generate a massive amount of UDP traffics to the targeted IP address. On the other hand, the attacks that lasted longer frequently used TCP protocols such as HTTP and HTTPS. When an attack targets a specific site, attackers research and select an appropriate protocol for the target.

In 2018, memcached caused one of the massive DDoS attacks. Many operating system distributions do not install memcached by default. However, if a system runs memcached, and if its configuration is inappropriate, the daemon may accept TCP and UDP packets on all of the network interfaces available on the host. If the host is accessible from the Internet, memcached responds to requests. When such hosts receive UDP requests, they may cause UDP Amplification attacks. If hosts and software do not have appropriate filters, there are possibilities of affecting others connected to the Internet. To prevent from attacking others without a consent, be sure to configure hosts and software that is running on your network.

IIJ Managed Security Services

IIJ Managed IPS/IDS Services have detected the following signatures throughout the year.

  • ZmEu Exploit Scanner
  • SQL injections (several signatures)
  • Attempts to read password files
  • PHP file inclusion vulnerabilities

ZmEu is a scan tool for phpMyAdmin vulnerabilities. Attacks against such web applications have been occurring throughout the year.

The other attack that had occurred frequently in earlier half of 2018 targeted Oracle WebLogic Server. The attack utilizes vulnerabilities of Oracle WebLogic Server to execute malicious codes from remote sites. One of the examples was the GhostMiner. When the attack succeeds, the victim downloads a mining program, and executes it without a consensus of the administrator. This was an example of attackers attempting to obtain profits from cryptocurrency mining, rather than compromising a web page or disclosing information.

In later half of 2018, attacks targeting Netis/Netcore routers have become a majority of detections. Detection of the attacks started in June, and at least half, and almost 90 percent in the worst case, of the monthly detections was this attack. In August and September, the top ten ranking of the monthly detections included attacks against D-Link routers; attacks against routers were definitely one of the major attacks in 2018. These attacks against routers were Mirai variants. In addition to the attacks against routers, there were noticeable amount of SQL injections detections for consecutive three months since October.

Malware Detected in Web Accesses and Mail Attachments

IIJ services have detected malware in web accesses and mail attachments.

Malware Infection through Web Site Accesses

Regarding the web accesses, downloads of malicious JavaScripts were detected throughout the year. There are several methods to make clients download the malicious JavaScripts. The two major methods were by compromising a WordPress page to enclose the script, and by obtaining expired domains that used to host legitimate JavaScripts. Especially for a method of obtaining expired domains, clients loaded the scripts when they accessed a web page that referred the script since the file paths of the malicious files were same as the previous legitimate JavaScripts.

When a page refers to contents such as JavaScripts and advertisements that are located outside of the website, the contents may end up changing without consents of referrers. Moreover, even if the website does not refer to the external contents, there are always risks as attackers may compromise the website. When publishing a website, it is important to check periodically that all the contents appear appropriately.

Malware Infection through Mail Attachments

Regarding the mail attachment, we have detected Mydoom and Androm throughout the year. Mydoom is a worm discovered in 2014, and when it infects a device, it may modify configuration of the device or create a backdoor. Andromeda is a botnet malware discovered in 2012, and it creates backdoor, too.

One of the major topics in 2018 was attachment files that utilize features of Microsoft Office. In addition to the classical Macro viruses, the detected files used other features such as Web Queries (files with “.iqy” and “.xls” extensions), Equation Editor, Common Controls, and Dynamic Data Exchange (DDE). When opening files that contain such features, Microsoft Office displays warning messages. If you see such messages and you are not aware of the reason, do not permit to execute the features.

Closings

The attacks introduced and caused major impacts in 2018 were “applications” of the existing attack methods. For examples, memcached was another application that caused UDP Amplifications, and use of features such as Web Queries was another example of misuse of Microsoft Office feature where Macro has been a traditional attack method. To avoid from joining to the amplification attacks, it is important to filter unnecessary requests from the Internet. To protect your computer from malicious files, it is important to avoid accepting the warning displayed on the applications, or avoid opening unnecessary files. Although these attack methods are “applications” of the existing attack methods, the measures to protect against them could be the same; applying traditional protections may help protecting against newer attack methods.

On the other hand, there were also new methods of attacks, including but not limited to cryptocurrency related attacks, attacks against infrastructures, and vulnerabilities of CPUs and other hardware. Moreover, there were many introductions of new technologies, including updates to the standards such as WPA and TLS. To defend against the new attack methods and technologies, in addition to installing the basic protections, it is important to follow and understand the new technologies.