The FireEye Advanced Threat Report 2013: European Edition

We recently published the 2013 FireEye Advanced Threat Report during RSA Conference, providing a global overview of the advanced attacks that FireEye discovered last year. We are now drilling that global analysis down into the European threat landscape with our first Regional Advanced Threat Report.

Recent European cyber attacks, like the ones against the European Parliament or LaCie, make it clear that advanced attacks are becoming a harsh reality in Europe. Motivated by financial and political objectives, threat actors have increased their levels of sophistication to steal personal data and put organizations into non-compliance with the EU user privacy directive (2002/58/EC).

The top-line findings from our first Regional Advanced Threat Report are alarming, as we:

  • Recorded over 250 new workstations infected every day
  • Identified more than 90 APT families
  • Observed threats impacting all verticals, particularly the Healthcare, Financial Services and Government verticals

Diving deeper, we saw that the rate of increase in workstation infections skyrocketed in the last four months of 2013. In a clear sign of how rapidly threat actors targeting European organizations are evolving, the number of unique infections more than doubled from January to December 2013.

Figure 1 – Unique Infections Trending over 2013

We also took a look at the distribution of infections amongst European nations and saw a heavily skewed landscape. In particular, Great Britain, Switzerland, Germany and France represented more than 70 percent of infections across 2013, leaving 18 nations to split the remaining 30 percent.

Figure 2 – Unique Infections by Country

Next, let’s consider which industry verticals in Europe were most targeted by advanced attackers. Threat Actors have been busy targeting high-value organizations that offer rich personal information or intellectual property. The below chart shows the number of infections that occurred in each of the 20 verticals that FireEye tracks around the world. Alarmingly, no industry vertical in Europe was spared and this trend is most likely to continue.

Figure 3 – Unique Infections by Industry Vertical (Listed from Most-Infected to Least on Right)

Based on the latest Mandiant M-Trends report, the Financial Services vertical accounted for 15 percent of threat actors’ actions on a global basis. In Europe, we saw Financial Services account for 17 percent of attacks, aligning closely to the global statistic. In a stark contrast however, Healthcare/Pharmaceuticals represented 21 percent of infections in Europe compared to the four percent this vertical accounted for globally.

Beyond Infections: Diving Into APT Attacks

When pulling this report together, we saw the notable rise in infection rates and the attacks across verticals, and we also saw strong similarities in how APT attacks targeted European industry verticals. As you can see below, aside from the extraordinary fact that European Federal Governments accounted for a quarter of APT attacks, the Financial Services and Healthcare/Pharmaceutical industries maintained top positions as targets.

Figure 4 – APT Attacks per Vertical (Listed from Most-Targeted to Least on Right)

This consistency between infections and APT attacks also carried over to the distribution of APT attacks between different countries. As we see below, when it comes to country-by-country analysis, the top-three most impacted in Europe are the UK, Germany and Switzerland – the same top-three infected countries.

Ranked by volume of APT activity, the most affected European countries were:

  1. Germany
  2. United Kingdom
  3. Switzerland
  4. Luxembourg
  5. France
  6. Spain
  7. Norway
  8. Belgium
  9. Finland

In addition, we found that when measuring the world’s most-targeted nations by number of unique verticals hit by APT attacks, three European nations made the top-ten: France, the UK, and Germany.

With such a strong rise in infections, and with just a couple of industries and countries accounting for a massive share of the attacks carried out in Europe, this report shows a clear change in the threat landscape. And while the situation may already seem bleak, we predict that there is still time for the European market to get strategically ahead of these advanced attacks before they fully mature into a constant threat.

With that time in mind, we recommend the following for European organizations:

  1. Ensure existing security tools are up to date. Much commodity malware can be easily addressed with legacy, signature-based tools.
  2. Implement Advanced Threat Protection systems to ensure high value data is safeguarded.
  3. Plan and Implement an Incident Response and Management strategy to close existing security gaps.
  4. Share and collaborate with other entities on emerging cyber threats to optimize your security posture.

To find out more about the report or how to address these rising issues, come visit the FireEye team at InfoSec UK at Stand J60.

The FireEye Advanced Threat Report 2013: UK & Ireland Edition

Accompanying our Regional Advanced Threat Report (ATR) for Europe, we are also drilling even deeper with a Regional ATR focused on the United Kingdom and Ireland (UKI). During our assessment of these two countries, we have identified all types of threat actors compromising our customers’ networks: nation state, cyber criminals, activists, and amateurs alike.

This report summarizes 2013 data gleaned from the FireEye Dynamic Threat Intelligence (DTI) cloud of worldwide malware protection platforms. Over the past year, FireEye:

  • Recorded over 70 new workstations infected every day
  • Identified more than 42 APT families
  • Observed threats impacting all verticals, particularly Financial Services, Telecom, and Energy

As we saw with the European report, the rate of increase in workstation infections across Ireland and the UK skyrocketed in the last four months of 2013. This may indicate that threat actors increased the volume of activity against organizations in the United Kingdom and Ireland in the post-vacation lull because they anticipated employees would be less attentive around security matters and thus have a higher rate of success. Alarmingly, the number of unique infections more than tripled from January to December 2013.

Figure 1 – Unique Infections Trending over 2013

Next, let’s consider which industry verticals in UKI were most infected by attackers. Unsurprisingly, the Financial Services vertical is far and away the most targeted in UKI as “The City” is the largest financial platform for Europe and the world. Of course, threat actors have also been busy targeting the other high-value industries of UKI, particularly the Telecommunications and Energy/Utilities/Petroleum Refining verticals. As with the rest of Europe though, no industry vertical was spared in the UK or Ireland and this trend will likely continue as new attack vectors enter these industries.

Figure 2 – Unique Infections by Industry Vertical (Listed from Most-Infected to Least on Right)

Rising Attack Landscape Means Rising APT Families

The consistency between the UK’s and Ireland’s threat landscapes has also extended into the way the APT attacks are carried out. Most important to highlight is that Federal Government continues to be the number one target in UKI – as with Europe – only with that industry vertical accounting for a startling 49 percent of APT attacks versus 25 percent for all of Europe.

Figure 3 – APT Distribution per Vertical (Listed from Most-Targeted to Least on Right)

Financial Services remains a top-three target of APT attacks in UKI as well, but the Energy/Utilities/Petroleum Refining industry climbs from seventh place in Europe to second place in UKI. Given the major corporations in those sectors that operate out of UKI, it is unsurprising that these organizations are prime targets for APT actors.

How those APT attacks were carried out is shown in the chart below identifying the 21 APT malware families that we identified in attacks throughout 2013.

Figure 4 – APT Malware Families for UKI

We previously noted in our European report that, when looking at the sheer number of APT attacks, the United Kingdom received the second most of any European country in 2013. Despite trailing Germany as the most-targeted European nation, the UK was tied for fourth globally with France and Thailand when it came to most verticals targeted by APT attacks. Specifically, all three nations saw 12 distinct verticals hit, with the next closest European nation being Germany with nine verticals.

Figure 5 – APT Attacks by Country

While the UK and Ireland face unique challenges because of the mature Financial Services, Telecommunications and Energy industries based there, we have found that the overall market is very much in line with the rest of Europe. Thus, as with our outlook for the whole of Europe, we see an opportunity for UKI cyber defenders to get ahead of the rapidly expanding advanced threat actors.

To find out more about the report or how to address these rising issues, come visit the FireEye team at InfoSec UK at Stand J60.

The Road to Resilience: How Cybersecurity is Moving from the Back Office to the Boardroom

For too long, our industry has framed cybersecurity as a technical issue.

We have measured success on the volume of malware we detect and block, not how we respond to the threats that matter. We have taken a one-size-fits-all approach to security incidents, regardless of who’s attacking, how they work, and what they’re after. We have rarely engaged other business units when responding to incidents — and when we do, we fixate on the technical details rather than weighing their business impact.

Yes, cybersecurity has a technical component. But more than anything, it is a business issue.

Fortunately, the old mindset is changing. Under the banner of “cyber resilience,” security leaders are beginning to acknowledge that cybersecurity must evolve. Striving to ward off attacks is no longer enough — organizations must also respond to incidents with a focus on managing their business impact.

To gauge how far along organizations in Europe, the Middle East, and Africa (EMEA) are in this evolution, FireEye recently asked 25 security leaders across the region about their experience and perceptions. Their answers reveal a sizable divide in both awareness and maturity when it comes to cyber resilience.

Breaches Increasingly Routine
Not surprisingly, EMEA security leaders say that cyber breaches are increasingly routine. In our survey, 44 percent of organizations said they had been breached at least once per year. And that total probably understates the problem — a full 28 percent were not sure whether they had been breached.

All threats viewed equally — regardless of risk or impact
A solid majority of respondents (68 percent) said they “always” care about breaches. Only 16 percent said their level of concern depends on the severity of the incident. This lopsided statistic suggests that IT professionals are not yet looking at breaches from the perspective of risk or impact.

Priorities misaligned in incident response
We see the same lack of business alignment in organizations’ responses to breaches. When a breach occurs, 84 percent of those in our EMEA survey notify relevant business leaders, and 76 percent notify company executives. We often hear that companies are looking for security leaders to engage at a business level. But if business leaders and executives are still being notified about most breaches, we’re still treating security as a technical problem.

Our survey found a split in where security teams focus their response. About 60 percent base their response plan around all IT systems, and 40 percent focus on critical systems and resources. This response, too, suggests that organizations see many breaches as a technical problem rather than a business problem.

Along the same lines, communications, public relations, and business teams are typically far less engaged in incident responses than IT security and technical teams, executives, and HR departments. If cyber resilience is about enabling business resilience, then business teams should play an equally critical role in incident response.

When engaging with executives, we in the security community do not seem to be taking a risk-based approach. And clearly, we are not speaking executives’ language: the impact of a breach on the company’s financial results.

Who is included in incident response plans?

Moving toward a risk-based security framework
Most security leaders leverage at least one security framework or standard — and in most cases, they leverage two or more. These frameworks include best practices defining what to protect, how to protect it, and how to monitor deployed controls. These features make the frameworks valuable tools to help define strategies and gauge their effectiveness. But adoption of ISO27005 — which focuses on business-risk assessment — is far behind that of ISO27001.

Adopted security frameworks

Leveraging automation
Just about every security leader would like more resources. But most of us must make the most of what we have.

What is clear from our survey is that incident response is consuming the biggest share of time and resources.

Security tasks that consume the most time and resources (weighted average)

The volume of attacks is rising. And IT systems are playing an increasingly critical role in business. So having well-defined and tested response capabilities that leverage automation would seem a key component to cyber resilience.

Bolstering cyber resilience
Cyber security is, and will remain, an evolution. Everyone is on their own journey along the maturity curve. Security leaders must evaluate their place along that curve based on their perceptions of risks and the controls they need to put in place.

Cyber resilience recognizes that prevention is only part of the solution. Organizations must realize the following:

  • Businesses will increasingly measure security leaders not just on what they stop or let through, but on how they respond to what does get through.
  • A breach can happen in seconds, yet the exfiltration takes hours or days and can last for months.[1]
  • When it comes to measuring business impact, not all breaches are equal.

At the same time, organizations must retool their strategies to better discover and respond to security incidents. This shift requires:

  • Having a documented, regularly reviewed, and well-tested cyber response strategy that includes both the business and technical response plans.
  • Reducing the time and costs involved in response.
  • Being able to qualify the business risk of the incident. By better aligning cyber strategies to business drivers and business risk, security leaders can have a bigger business impact and increase their relevance to executives.

New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks

Summary

FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released a security advisory to track this issue.

Threat actors are actively using this exploit in an ongoing campaign which we have named “Operation Clandestine Fox.” However, for many reasons, we will not provide campaign details. But we believe this is a significant zero day as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available.
According to NetMarket Share, the 2013 market share for the targeted versions of IE was:

  • IE 9: 13.9%
  • IE 10: 11.04%
  • IE 11: 1.32%

Collectively, in 2013, the vulnerable versions of IE accounted for 26.25% of the browser market. The vulnerability, however, does appear in IE6 through IE11 though the exploit targets IE9 and higher.

The Details

The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections.

Exploitation

• Preparing the heap

The exploit page loads a Flash SWF file to manipulate the heap layout with the common technique heap feng shui. It allocates Flash vector objects to spray memory and cover address 0x18184000. Next, it allocates a vector object that contains a flash.Media.Sound() object, which it later corrupts to pivot control to its ROP chain.

• Arbitrary memory access

The SWF file calls back to JavaScript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heap spray. The SWF file loops through the heap spray to find the corrupted vector object, and uses it to again modify the length of another vector object. This other corrupted vector object is then used for subsequent memory accesses, which it then uses to bypass ASLR and DEP.

• Runtime ROP generation

With full memory control, the exploit will search for ZwProtectVirtualMemory, and a stack pivot (opcode 0x94 0xc3) from NTDLL. It also searches for SetThreadContext in kernel32, which is used to clear the debug registers. This technique, documented here, may be an attempt to bypass protections that use hardware breakpoints, such as EMET’s EAF mitigation.

With the addresses of the aforementioned APIs and gadget, the SWF file constructs a ROP chain, and prepends it to its RC4 decrypted shellcode. It then replaces the vftable of a sound object with a fake one that points to the newly created ROP payload. When the sound object attempts to call into its vftable, it instead pivots control to the attacker’s ROP chain.

• ROP and Shellcode

The ROP payload basically tries to make memory at 0x18184000 executable, and to return to 0x1818411c to execute the shellcode.

0:008> dds eax
18184100  770b5f58 ntdll!ZwProtectVirtualMemory
18184104  1818411c
18184108  ffffffff
1818410c  181840e8
18184110  181840ec
18184114  00000040
18184118  181840e4

Inside the shellcode, it saves the current stack pointer to 0x18181800 to safely return to the caller.

mov     dword ptr ds:[18181800h],ebp

Then, it restores the flash.Media.Sound vftable and repairs the corrupted vector object to avoid application crashes.

18184123 b820609f06      mov     eax,69F6020h
18184128 90              nop
18184129 90              nop
1818412a c700c0f22169    mov     dword ptr [eax],offset Flash32_11_7_700_261!AdobeCPGetAPI+0x42ac00 (6921f2c0)
18184133 b800401818      mov     eax,18184000h
18184138 90              nop
18184139 90              nop
1818413a c700fe030000    mov     dword ptr [eax],3FEh ds:0023:18184000=3ffffff0

The shellcode also recovers the ESP register to make sure the stack range is in the current thread stack base/limit.

18184140 8be5            mov     esp,ebp
18184142 83ec2c          sub     esp,2Ch
18184145 90              nop
18184146 eb2c            jmp     18184174

The shellcode calls SetThreadContext to clear the debug registers. It is possible that this is an attempt to bypass mitigations that use the debug registers.

18184174 57              push    edi
18184175 81ece0050000    sub     esp,5E0h
1818417b c7042410000100  mov     dword ptr [esp],10010h
18184182 8d7c2404        lea     edi,[esp+4]
18184186 b9dc050000      mov     ecx,5DCh
1818418b 33c0            xor     eax,eax
1818418d f3aa            rep stos byte ptr es:[edi]
1818418f 54              push    esp
18184190 6afe            push    0FFFFFFFEh
18184192 b8b308b476      mov     eax,offset kernel32!SetThreadContext (76b408b3)
18184197 ffd0            call    eax
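As an added triage aid (not part of the FireEye post), the following Python decodes the two dumps above: it parses the quoted `dds` listing into the argument layout of ZwProtectVirtualMemory and names the CONTEXT selectors in the 0x10010 value the shellcode stores before calling SetThreadContext. The dds text is copied from the post; the ProtectFrame field names and the "same page" heuristic are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Page protection constants from winnt.h; any execute bit is what a ROP chain
# needs to turn sprayed data into runnable shellcode.
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXECUTE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
                | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

# (HANDLE)-1 is the current-process pseudo-handle; as a 32-bit dword it is 0xffffffff.
CURRENT_PROCESS = 0xFFFFFFFF

# x86 CONTEXT.ContextFlags selectors (winnt.h); each is OR'ed with CONTEXT_i386.
CONTEXT_i386 = 0x00010000
CONTEXT_SELECTORS = (
    (0x01, "CONTEXT_CONTROL"), (0x02, "CONTEXT_INTEGER"),
    (0x04, "CONTEXT_SEGMENTS"), (0x08, "CONTEXT_FLOATING_POINT"),
    (0x10, "CONTEXT_DEBUG_REGISTERS"), (0x20, "CONTEXT_EXTENDED_REGISTERS"),
)

# The WinDbg "dds eax" listing quoted in the post, used here as sample input.
DDS_OUTPUT = """\
18184100  770b5f58 ntdll!ZwProtectVirtualMemory
18184104  1818411c
18184108  ffffffff
1818410c  181840e8
18184110  181840ec
18184114  00000040
18184118  181840e4
"""

DDS_LINE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})(?:\s+(\S.*))?$")


@dataclass
class ProtectFrame:
    """Stack as ZwProtectVirtualMemory sees it: the dword the chain returns into,
    the API's own return address, then ProcessHandle, PVOID *BaseAddress,
    PSIZE_T RegionSize, ULONG NewProtect, PULONG OldProtect."""
    target: int
    target_symbol: Optional[str]
    return_to: int
    process: int
    base_ptr: int
    size_ptr: int
    new_protect: int
    old_protect_ptr: int


def parse_dds(text: str) -> List[Tuple[int, int, Optional[str]]]:
    """Turn 'dds' lines into (address, value, symbol) tuples, skipping anything else."""
    rows = []
    for line in text.splitlines():
        m = DDS_LINE.match(line)
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return rows


def decode_protect_frame(rows: List[Tuple[int, int, Optional[str]]]) -> ProtectFrame:
    if len(rows) < 7:
        raise ValueError("need seven consecutive dwords")
    v = [value for _, value, _ in rows[:7]]
    return ProtectFrame(target=v[0], target_symbol=rows[0][2], return_to=v[1],
                        process=v[2], base_ptr=v[3], size_ptr=v[4],
                        new_protect=v[5], old_protect_ptr=v[6])


def rop_indicators(frame: ProtectFrame) -> List[str]:
    """Heuristics (my own) that mark this frame as a make-memory-executable pivot."""
    findings = []
    if frame.target_symbol and "ProtectVirtualMemory" in frame.target_symbol:
        findings.append("chain returns into a memory-protection API")
    if frame.process == CURRENT_PROCESS:
        findings.append("ProcessHandle is -1 (current process)")
    if frame.new_protect & EXECUTE_MASK:
        findings.append(f"NewProtect 0x{frame.new_protect:x} grants execute")
    # In the post every pointer argument and the continuation address sit in the
    # 0x18184000 page: the chain lives inside the memory it is making executable.
    page = frame.return_to & ~0xFFF
    if all((p & ~0xFFF) == page for p in (frame.base_ptr, frame.size_ptr, frame.old_protect_ptr)):
        findings.append("arguments and return address share one page (self-hosted chain)")
    return findings


def decode_context_flags(flags: int) -> List[str]:
    """Name the selectors in a ContextFlags dword. For 0x10010 only the debug-register
    selector is set, so a zeroed CONTEXT writes Dr0-Dr7 = 0 and clears hardware breakpoints."""
    if (flags & CONTEXT_i386) != CONTEXT_i386:
        return []
    return [name for bit, name in CONTEXT_SELECTORS if flags & bit]
```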

The shellcode calls URLDownloadToCacheFileA to download the next stage of the payload, disguised as an image.

Mitigation

Using EMET may break the exploit in your environment and prevent it from successfully controlling your computer. EMET versions 4.1 and 5.0 break (and/or detect) the exploit in our tests.
Enhanced Protected Mode in IE breaks the exploit in our tests. EPM was introduced in IE10.
Additionally, the attack will not work without Adobe Flash. Disabling the Flash plugin within IE will prevent the exploit from functioning.

Threat Group History

The APT group responsible for this exploit has in the past been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash). They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure. They have a number of backdoors, including one known as Pirpi that we previously discussed here. CVE-2010-3962, then a 0-day exploit in Internet Explorer 6, 7, and 8, dropped the Pirpi payload discussed in that earlier case.

As this is still an active investigation we are not releasing further indicators about the exploit at this time.

Acknowledgement: We thank Christopher Glyer, Matt Fowler, Josh Homan, Ned Moran, Nart Villeneuve and Yichong Lin for their support, research, and analysis on these findings.

Zero-Day Attacks are not the same as Zero-Day Vulnerabilities

When it comes to “zero-days,” there is much room for confusion in terms of definition and priority. At FireEye, we follow the industry-standard term of “zero-day attacks.” This term is defined as software or hardware vulnerabilities that have been exploited by an attacker where there is no prior knowledge of the flaw in the general information security community, and, therefore, no vendor fix or software patch available for it.

Here is the Wikipedia definition:

“A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, one that developers have not had time to address and patch.[1] There are zero days between the time the vulnerability is discovered (and made public), and the first attack.”

Many security researchers identify vulnerabilities – some as a byproduct of attack detection and others as a core focus. With the exception of vulnerabilities identified by black hat hackers for use in attacks, nearly all vulnerabilities are responsibly, and confidentially, sent to the party responsible for the creation of the software so that fixes can be made. These can range from critical holes like those we found exploited in globally popular software like Internet Explorer to the never-exploited ones in rarely used applications.

FireEye has demonstrated unparalleled capabilities finding zero-day exploits that are “in the wild,” meaning the vulnerability is being used by criminals and threat actors for malicious purposes. In 2013, FireEye discovered 11 zero-day exploits that were actively in use by advanced threat actors and has already discovered an additional two in 2014. Zero-day exploits already in use by APT actors represent the most critical cyber threat to the CISOs of organizations. Even if APT actors do not target an organization, other criminal exploit authors will often reverse the zero-day exploit and create their own version before patches can be released.

At FireEye, we examine data from over 2 million virtual machines located in every corner of the globe, resulting in near instantaneous threat intelligence and threat metrics being captured in our Dynamic Threat Intelligence™ (DTI) cloud. This intelligence allows us to evaluate the entire attack life cycle, or “kill chain,” of an attack and view the behaviors of the attacker. FireEye examines all of the tools, tactics and procedures (TTPs) used by attackers to create an initial compromise, establish a foothold, escalate privileges, conduct internal reconnaissance, move laterally, maintain persistence, and finally complete their mission.

Figure 1. The attack lifecycle

Our focus is to build a holistic view of security at every step in the attack lifecycle, in which identifying zero-day exploits used by malicious actors is one component. We also contribute back to the security research community by sharing detailed, comprehensive views on attack lifecycles, for example in Operation Ephemeral Hydra. At FireEye, our defense strategy encompasses all malicious activities you may find on your network or on your endpoints – including those that leverage zero-day vulnerabilities and those that do not.

NGOs: Fighting Human Rights Violations and, Now, Cyber Threat Groups

With so many non-government organizations (NGOs) in operation today around the world, we asked ourselves a question here at FireEye Labs. Who would think about targeting NGOs? Steal from a nonprofit? It would seem unthinkable to most people. But, as we can see from a few recent examples below, this is a clear reality.

As more NGOs reach out to us, it is clear that the situation for them is not a pretty one. Based on the breaches we have observed in this space, it appears there are more than 15 distinct advanced threat groups active in NGO networks. The sheer volume and variety of threat groups active in NGO environments struck us as unusually high for a single industry and indicates the incredibly difficult threat landscape NGOs face.

Hamstrung by limited budgets to establish strong network defenses and few personnel that understand how and why these threats are materializing, NGOs make a relatively easy target. Even if they aren’t profitable, NGOs use credit cards for donations, transact with cash, store personally identifiable information (PII) and, in some cases, even house intellectual property. Many NGOs also work on political issues—an inviting target for opponents who want to monitor their communications and activities. Weak defenses and a target-rich environment make NGOs an enticing victim to maliciously motivated threat actors.

Cyber Operations at NGOs: An Intelligence Collection Pursuit?

NGOs — particularly those based in the U.S. — have long been perceived as instruments of U.S. government policy. Regimes with a less-than-favorable view of the U.S. frequently consider NGOs’ work as a rallying point for domestic unrest and political opposition. Three nations that fit this description — China, Russia and Iran — are all rumored or known to have existing and growing cyber operations to support their governments’ political agendas. Data acquired from NGOs via network compromises has the potential to grant these nation-states valuable, predictive insights on key policy topics and NGO programming, as well as intelligence on personnel and their contacts.

Over the last few years, we have observed China-based advanced persistent threat (APT) groups frequently target U.S.-based NGOs. Unsurprisingly, they were organizations with programs that touched on Chinese human rights, democratic reforms, and social issues. In these instances, data theft was not just limited to documents about NGO programming, but also included documents on grants, legal proceedings, research programs, and even employee communications. The threat actors and recipients of the stolen data were likely able to gain significant insights into the NGOs’ operations, issues, and personnel. Not only were the threat actors better positioned to understand the NGOs’ values and plans, but, more importantly, they could potentially identify in-country contacts for the NGOs. These domestic contacts could face repercussions for their collaboration with the NGO.

Figure 1: A sample breakout of the types of documents stolen from an NGO

Sought-After Financial Data Goldmine

Because NGOs are often dependent on donations from large donors and dedicated supporters, they maintain or process financial data of potentially great value to cybercriminals who seek to steal PII. This financial information could be used to perpetrate identity theft and other types of criminal exploitation, including the theft of credit card numbers, bank account information, and other PII of wealthy individuals. There are any number of cases of non-profits who were either breached via network compromise or even experienced the physical theft of devices that gave perpetrators access to databases filled with valuable information such as names, addresses and social security numbers. In one instance, a simple website misconfiguration exposed one nonprofit’s database of donors and their personal information.

The acknowledged wealth of many NGO donors likely contributes to the motivations financial threat groups would have in targeting NGOs. FireEye tracks a number of criminal threat groups who conduct network intrusions to obtain data similar to the kind NGOs manage in large quantities. These threat actors may seek financial gain from cyber operations through direct theft of funds or the resale of data they have stolen. Because NGOs maintain valuable financial data, and perhaps other data they perceive to be valuable, criminal threat actors may target these networks with the intent to profit.

Perception of Weak Defenses

When criminals are looking for an easy target, NGOs’ networks may be perceived to be easy pickings. Just as the common thief would rather steal items of value from a house without an alarm than one with, the same is true with advanced threat actors and cybercriminals. NGOs possess information of value that a variety of threat actors desire, and their networks can sometimes be far easier targets than government institutions or large commercial organizations, due to their typically limited resources when it comes to network security and defense.

Although NGOs face a unique landscape when it comes to advanced threats, in terms of the sheer number of threat groups targeting them and the widely varying possible impacts of a breach, their operations and needs share many similarities with those of our small- and medium-sized business (SMB) customers. To that end, FireEye Labs recommends reviewing our latest SMB-focused white paper for more insight into what the broader threat landscape looks like for NGO-like organizations. A copy of the paper can be found here: https://www.fireeyesolution.com/smb_five_reasons_wp.html.

If an Android Has a Heart, Does It Bleed?

The OpenSSL Heartbleed vulnerability “allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read” [1]. Heartbleed surprised the public by allowing attackers to steal sensitive information from vulnerable websites by sending crafted SSL heartbeat messages. However, due to the fact that servers can send heartbeats to clients as well, malicious servers can, in turn, attack vulnerable clients and steal sensitive information. For the Android platform, we find that roughly 150M downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed.

Currently there are about 17 antivirus apps on Google Play branded as “Heartbleed detectors”. Six of them scan the OpenSSL library belonging to the Android platform for vulnerabilities. Unfortunately, this method isn’t sufficient for detecting the Heartbleed vulnerability on Android. Except in limited Android versions (mainly 4.1.0-4.1.1), the majority of Android platforms are not vulnerable, as most versions use OpenSSL libraries that are not vulnerable or simply have the OpenSSL heartbeat functionality disabled.

However, Android apps frequently use native libraries, which either directly or indirectly leverage vulnerable OpenSSL libraries. Therefore, even though the Android platform itself is not vulnerable, attackers can still attack those vulnerable apps. They can hijack the network traffic, redirect the app to a malicious server and then send crafted heartbeat messages to the app to steal sensitive memory contents.

We studied apps with vulnerable OpenSSL libraries and confirmed this attack. Most of the vulnerable apps are games, and some are office-based applications. Although there is not much valuable information in the game apps, attackers can steal OAuth tokens (access tokens and refresh tokens) to hijack the game accounts; as such, the information might also be useful for hijacking linked social network accounts that are configured incorrectly. Office apps vulnerable to Heartbleed are much more dangerous due to the potential for further data leakage.

During our investigation of the office apps that contain a vulnerable version of OpenSSL, we were surprised that they were not vulnerable to the Heartbleed attack. How could it be? A deeper look shows that these apps either make a mistake in the native code linkage, or just contain dead code. Therefore, when they try to invoke SSL functions, they directly use the non-vulnerable OpenSSL library contained within the Android OS, instead of using the vulnerable library provided by the app. The linkage mistake is common for Android applications built with native code. As such, the side-effect of this mistake helps reduce the apps’ overall risk profile.

Within the 17 Heartbleed detector apps on Google Play, only 6 detectors check installed apps on the device for the Heartbleed vulnerability. Within the 6, 2 report all installed apps as “Safe”, including those we confirmed as vulnerable. One detector doesn’t show any app scan results and another one doesn’t check the OpenSSL version correctly. Only 2 of them did a decent check on the Heartbleed vulnerability of apps. Although they conservatively labeled some non-vulnerable apps as vulnerable, we agree it is a viable report which highlights both the vulnerabilities and the linkage mistakes. We’ve also seen several fake Heartbleed detectors among the 17 apps, which neither perform real detections nor display detection results to users and only serve as adware.
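The kind of check a decent detector has to perform, shown here as an added example that is not FireEye's tooling and not code from the post: an APK is a zip, so the script walks `lib/<abi>/*.so` entries and looks for the version banner that OpenSSL embeds in its binaries (for example "OpenSSL 1.0.1e 11 Feb 2013"). Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f, so the letter suffix decides the verdict. The sample APK is constructed inline with fake, non-ELF library bodies; the file names and banner strings are assumptions. Note the caveat the post itself raises: a vulnerable banner in a bundled library only says the app ships it, not that the app actually loads it (the linkage mistake or dead code described above) or that heartbeats were compiled in, so treat the result as a triage signal rather than a verdict.

```python
import io
import re
import zipfile

# OpenSSL embeds a banner such as "OpenSSL 1.0.1e 11 Feb 2013" in libssl/libcrypto.
# Capture the 1.0.1 base and its optional patch letter; the lookahead accepts the
# space before the date or a "-" (e.g. "-fips" builds).
VERSION_RE = re.compile(rb"OpenSSL (1\.0\.1)([a-z]?)(?=[ -])")


def is_heartbleed_version(letter: str) -> bool:
    """1.0.1 (no letter) and 1.0.1a..1.0.1f are affected; 1.0.1g and later are fixed."""
    return letter == "" or letter <= "f"


def scan_native_lib(data: bytes):
    """Return a list of (version, vulnerable) for every OpenSSL 1.0.1 banner in a .so blob."""
    hits = []
    for m in VERSION_RE.finditer(data):
        letter = m.group(2).decode()
        version = m.group(1).decode() + letter
        hits.append((version, is_heartbleed_version(letter)))
    return hits


def scan_apk(apk_bytes: bytes) -> dict:
    """Walk lib/<abi>/*.so inside an APK (a zip) and report OpenSSL banners per library."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                hits = scan_native_lib(zf.read(name))
                if hits:
                    report[name] = hits
    return report


def bundled_vulnerable_libs(report: dict):
    """Names of libraries whose banner falls in the affected range (ship-time signal only)."""
    return sorted(name for name, hits in report.items() if any(v for _, v in hits))


def build_sample_apk() -> bytes:
    # Constructed sample APK. Real .so files are ELF objects; the banner search works on
    # raw bytes, so short stand-ins are enough to exercise the scanner.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi/libgame.so", b"\x7fELF...OpenSSL 1.0.1e 11 Feb 2013\x00...")
        zf.writestr("lib/armeabi/libfixed.so", b"\x7fELF...OpenSSL 1.0.1g 7 Apr 2014\x00...")
        zf.writestr("lib/armeabi/libother.so", b"\x7fELF no ssl here")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_apk(build_sample_apk())
    for lib, hits in result.items():
        print(lib, hits)
    print("bundles affected OpenSSL:", bundled_vulnerable_libs(result))
```

Run it against a real APK by replacing `build_sample_apk()` with the file's bytes. To go from "bundles a vulnerable library" to "is exploitable", a reviewer still has to confirm that the app's code resolves SSL symbols from the bundled copy rather than the platform's, which is exactly the distinction the two "Safe"-for-everything detectors and the two conservative ones got wrong in opposite directions.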

On April 10th, we scanned more than 54K Google Play apps (each with over 100K downloads) and found that there were at least 220 million downloads affected by the Heartbleed vulnerability. We have notified some of the app developers and library vendors about the OpenSSL Heartbleed vulnerability found in their products. Fortunately, it seems most app developers and library vendors take Heartbleed seriously, as we have started to see apps updated with proper fixes. The total number of downloads of vulnerable apps had decreased to 150 million by April 17th.

[1] Vulnerability Summary for CVE-2014-0160

Dissecting Advanced Attacks: FireEye Labs and the 2014 DBIR

Each year, a number of reports are released on the changing state of the threat landscape and where cyber security is headed. Alongside our annual Advanced Threat Reports and M-Trends Reports, Verizon releases the “Data Breach Investigations Report” (DBIR), which is considered by many in the security industry as the most comprehensive guide to data breaches. This year, owing to the large number of cyber espionage and advanced persistent threat campaigns that we track and the depth of insight we have into them, Verizon tapped the FireEye Labs team to contribute to the latest version of the report.

The 2014 DBIR takes a comprehensive look into all forms of attacks from the past year and, for the first time, examines the incident patterns of attacks, as we have always done in our own investigations. This type of analysis is what we like to call behavioral or contextual analysis of a breach lifecycle, and it is invaluable in understanding advanced threats that are not readily apparent to traditional detection methods.

To help with this initiative, FireEye Labs contributed information on several advanced attacks uncovered in 2013 that were likely driven by cyber espionage motives. Information on the individual attacks can be found here:

To view a full version of the Verizon DBIR, you can download a copy here: http://www.verizonenterprise.com/DBIR/. Also, be on the lookout for the release of our European Advanced Threat Report next week.

InfoSecurity Europe 2014: Cybersecurity for the Masses

InfoSecurity Europe is the biggest security event and most important date on the calendar for information security professionals across Europe. The event aims to break through the noise and provide the European audience with all the necessary information to better understand cyber threats to their networks. Join FireEye experts and learn how to prepare for a new frontier of advanced attackers:

  • Visit stand J60 and check out FireEye’s Geek Bar. A certified geek will analyze your portable device to determine if you’ve received any malware. The live demonstration can prove useful to better understand and identify potential threats to your network.
  • Join FireEye Director of Technology Strategy Jason Steer, SI Technical Lead Simon Mullis, and Greg Day, EMEA CTO among others, as they discuss the threat landscape and walk attendees through interactive, educational workshops and presentations. Join us on our stand to understand the threat landscape – presentations every 30 minutes all 3 days.
  • Senior Director of Market Research at FireEye Rob Rachwald will be speaking on Wednesday, April 30, where he’ll cover the nitty gritty of sandbox evasion. Mr. Rachwald’s presentation will help the audience gain an overview of various sandboxing techniques, understand current sandbox bypass methods, as well as identify best practices to optimize malware detection.
  • Mandiant's Director, David Damato and Technical Director, Ryan Kazanciyan will be speaking on Wednesday, April 30. Drawing from the speakers’ first-hand experiences and case-studies, this presentation will highlight lessons learned from many years of responding to targeted attacks by nation state actors and other groups.
  • FireEye SVP and COO Kevin Mandia will make a special appearance on Wednesday, April 30 to discuss FireEye’s recent acquisition of Mandiant, as well as to discuss today’s changing threat landscape.
  • The FireEye team will also release the latest findings from Mandiant’s annual M-Trends report and European ATR research report. The results offer visibility into motives, approaches, and different skill levels of attackers both in Europe and around the globe.
  • Participate in FireEye’s photo contest and have the opportunity to win an Apple® gift card worth £250! Look around London and you will see FireEye branded taxis zipping around the city. Grab your camera or smart phone and take a picture of you and the taxi. Submit your photo to helena.brito@fireeye.com and your photo will be posted to FireEye’s Facebook page. You will also be automatically entered into the contest.

FireEye Taxi

Stop by Stand J60 to learn more about the newly expanded FireEye Security Platform, which integrates expertise from Mandiant and is designed to give customers one solution to go from threat alert to remediation. We’ll have live demonstrations of all the new FireEye products. In the meantime, be sure to follow @FireEye for the latest threat research and updates from the company.

We hope to see you in London the week of April 29 through May 1. If you are unable to attend, check back on the blog for interviews and insights from the conference. You can register for a free entry ticket by clicking HERE – your badge will arrive with “FireEye Guest” printed on the bottom.

The Economics of Security

During many of my customer meetings, I often hear security leaders ask the question: “What technology could I remove to free up budget to enable the implementation of FireEye?”

My natural response is to inquire how and when they assess the real value, not the ROI, they get from their existing solutions. Whilst every security solution provides an “ROI” – often a metric based around industry data on how many security “events” they return – this assessment should not focus on noisy “ROI,” but on which solution gives your company the most valuable information. Considering the nature and pace of change when it comes to malware and advanced attacks, this is something to validate regularly, and it involves looking at more factors than a generic ROI tool can account for.

In a small survey of about 30 European CxOs we ran in December 2013, I asked the question of how they validated the value of security controls, and, surprisingly, at least 36 percent still didn’t conduct any annual assessment.

doyouvalidate

Having spent quite a bit of time looking at analyst models and what exists publicly today, the fact that some still don’t conduct these assessments emphasizes that there still isn’t a well-defined model to correlate business value against investment for security solutions.

Take, for example, the outsourced model where Key Performance Indicators (KPIs) are typically established. Too often I hear anecdotal examples where KPIs were based on incidents found; this simply encourages dialing-up the technologies being monitored so that every incident – malicious or not – is tracked and reported, drowning out the ability to identify real threats.

Take, for example, companies that invest in big data solutions and equate the millions to billions of events gathered each week with value. However, because they are too resource-constrained to convert these into actionable data, the true value is not extracted and, because doing so in a resource-constrained environment takes so long, the return here would seem extremely poor under a sheer numbers-based evaluation.

However, if the value of said product is measured by the actions taken to mitigate a major security event, the extra time spent executing on a few major items rather than not executing on a large number of items becomes invaluable to the business. As such, we must blend together the quantitative metrics, such as the costs of a solution (capex & opex) and incident levels, and overlay those values with qualitative insight. These evaluation criteria would look something like the below:

opexcapex


  • Noise to incident ratio - What is an acceptable incident to noise (i.e., false positives or irrelevant alerts) ratio?
  • Volume versus impact - We can alert and respond to a million incidents, but it is the one outage of a critical system, or breach of business IP or customer records, that will have a far more significant impact on the business.
  • How actionable is the solution - Critical to an alert is timeliness: how long does it take to identify an incident, and what level of human skill is required to interpret the results? Spotting a breach is hard, doing the forensics is harder, and understanding the motives of the attacker is harder still.
  • Business outcome - Did a technology mitigate, reduce or simply delay the business impact? Did it tick a compliance control to avoid penalty fees, or did it protect IP & customer data?

In the coming months we are going to delve into the economics of security in greater detail. Whilst there are many tools out there discussing security process and ROI tools showing generic return, we all have limited budget and resources. As the scale and scope of security tools continue to grow, we must innovate our thinking in how we each quantify the value of our investments.