TRIAM - Threat Intelligence Report - April 15

Dec 16, 2015
  • Threat Intelligence Report - April, 2015

  • 2 Threat Intelligence Report

    Copyrights 2015 - Trillium Information Security Systems (Pvt) Ltd.

    Table of Contents

    I Executive Summary 3
    II Global Data Analysis 4
      Malicious Activities Source Countries 4
      Attack Distribution Top 03 Foreign Attackers 4
    III Malware Attacks 6
      Most Probing Countries 6
      Most Probing Countries Unique IP Addresses 7
      Most Probing IP Addresses 7
      Most Attacking IP Addresses 8
      Attacking IP Addresses 10 Attacks 9
      Top Vulnerabilities 11
      Most Malwares Detected 12
      Detected Malware Hashes 13
      CnC IP Addresses & Domains 13
      Attacked Protocols 14
    IV SIP Attacks 15
      What is SIP? 15
    V Web Attacks 16
      IP Addresses Conducting Web Based Attacks 16
      Web Attack Payloads 16
    VI Brute-Force Attacks 18
      Most Usernames Used 18
      Most Passwords Used 18
      Top IP Addresses Conducting SSH Attacks 19
      Tools Used For SSH Based Attacks 19
    VII References 20
    VIII About TRIAM 21
    IX About Contributors 22


    Executive Summary

    To be able to respond to any threat effectively, one must first identify the threat agents, understand their motives and study their means of attack comprehensively, i.e. one must achieve situational awareness to be able to defend against, respond to, or counter a threat.

    In an effort to provide situational awareness to industry stakeholders about the cyber threat landscape of Pakistan, the TRIAM Threat Intelligence Team is extremely proud to present this monthly Threat Intelligence report for the month of April 2015.

    In this edition of our monthly Threat Intelligence report we have observed an interesting set of activities being performed in Pakistan cyberspace. One of the interesting observations has been the increased number of attacks coming from IP addresses in China, coinciding with the Chinese Prime Minister's visit to Pakistan in April. The details of these attacks, and of all other attacks, are documented in this report. The major sets of attacks discovered recently in Pakistan by global and TISS research and IR teams are summarized as follows:

    Equation Group

    Equation Group is the most advanced APT group found so far and has been called the "Crown Creator of Cyber Espionage". According to Kaspersky Lab researchers the group is unique in almost every aspect of its activities: it uses tools that are very advanced and expensive to develop in order to infect victims, retrieve data and hide activity in a professional way, and it also utilizes classic spying techniques to deliver malicious payloads to victims. More details on this advanced APT group can be found at: https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/

    Ransomware

    Ransomware is constantly affecting Pakistan-based organizations, with financial gain as the key motive. Ransomware works by encrypting the data on infected machines belonging to organizations and individuals, thus completely blocking access to the data. The decryption key is sent only if a ransom is paid. There has been an exponential increase in the number of ransomware attacks in 2015, and taking preventive measures against this threat is highly recommended at all layers.

    If you require more details on these threats or are exposed to these or different malwares, please reach out to us for a focused and quick response.

    This report has been compiled using our advanced threat intelligence gathering platform, consisting of sensors such as honeypots, web crawlers and aggregators deployed throughout Pakistan. The information obtained from these sensors is then enriched by correlating information from different sources. Our aim in releasing these monthly reports is to enable all stakeholders in Pakistan to keep abreast of on-going threats and remain vigilant in protecting their networks from potential attacks. Trillium will soon make these threat feeds available to Pakistan-based organizations so that their Security Information and Event Management (SIEM) systems, firewalls and Intrusion Detection / Prevention Systems can be fed with them to provide protection against Pakistan-specific attacks.

    In the month of April, information gathered from our sensors indicates that:

    Multiple IP addresses, particularly from China, have been actively probing Pakistan cyberspace, looking for vulnerabilities to exploit.

    Attacks of different natures that materialized and had a major impact have been observed coming from Romania, China and Brazil.

    Among the detected malwares most active in Pakistan cyberspace, 96% of activity was observed for Net-Worm.Win32.Kido.ih, an infamous worm that hogs network resources and spreads by exploiting Microsoft OS-specific vulnerabilities.

    The details of the information gathered by our sensors are described further in this report. We hope that you find this month's report useful; feel free to contact us with any feedback.

    DFIR Research Team, Threat Intelligence

    www.triam.com.pk
    www.infosecurity.com.pk


    Global Data Analysis

    This section presents analysis of attack data from sensors deployed at different places in Pakistan. We process millions of log entries and security alerts captured by our custom, purpose-built sensors during threat analysis. In order to provide real-time threat intelligence and security alerts to our customers, we perform advanced analytics on the collected alerts by correlating security events from multiple sensors.

    The countries hosting IP addresses that are carrying out malicious activities in Pakistan cyberspace are shown in Figure 1.

    Malicious Activities - Source/Host Countries

    Figure 1 - Percentage of events by source/host countries

    The following figures present the distribution of attack types originating from the top three countries hosting the attacking IP addresses. It is quite evident from these figures that the attack type distributions of the originating/hosting countries are very different from one another. They reflect the fact that attack types, the motivation of attackers, and the sophistication of attacks differ across regions of the world.

    Attack Distribution - Top 03 Foreign Attackers

    Figure 2 - Attacks Originating from IP Addresses Hosted in China


    Figure 3 - Attacks Originating from IP Addresses Hosted in Romania

    Figure 4 - Attacks Originating from IP Addresses Hosted in Brazil


    Malware Attacks

    Malware attacks are the major threat faced by Pakistani organizations. Using the Internet, attackers employ unique malware-based techniques to infect their target systems for different reasons, varying from creating mere nuisance to stealing credentials, eavesdropping on communication and capturing proprietary and highly confidential information.

    Attackers scan the Internet to look out for vulnerable services and try to exploit them to gain access to the system and ultimately the network. Often rootkits (a type of malware) are used to take over and maintain control of a compromised system. The following section of the report presents the latest trends in malware-based attacks, identified from the information gathered by our sensors during the month of April.

    The correlated information from different sensors reveals that there were more than 254,000 connection attempts to Pakistan cyberspace from different countries of the world. Furthermore, we detected more than 57,000 materialized attacks launched in this period. Over 9,000 unique IP addresses tried to establish a connection with our sensors deployed throughout Pakistan at least once.

    After thorough automated analysis and correlation, most of these connection attempts were classified as malicious: they were intensively scanning Pakistan cyberspace to identify running services, particularly vulnerable ones.

    The top IP address by number of connections was 89.40.31.192, with more than 38,400 connections; its origin was found to be Romania. About 1,900 unique IP addresses succeeded in exploiting a particular vulnerability and uploading malware. The total number of attacks launched during this period was more than 57,000.

    The top IP address by number of attacks initiated was also 89.40.31.192, with about 12,300 successful attacks; its origin was found to be Romania. The largest number of attacks were launched by exploiting the MS08-067, MS08-068 and MS09-001 vulnerabilities, which could allow remote code execution.

    Furthermore, as per our correlated information, port 445 received the highest number of attack traffic with 87.48% of total attacks received. The service hosted on port 445 was SMBD (Server Message Block Daemon).

    Further information related to IP addresses trying to make connections and doing attacks, top malware found, top vulnerabilities exploited and top protocol / services exploited is given below.

    The IP Addresses from countries doing the most probing and connection attempts are shown in Figure 5. Probing is done to find services running on targeted systems and their corresponding vulnerabilities in the target machines which can be exploited.

    Most Probing Countries

    Figure 5 - Country Based Connection Distribution


    Figure 6 shows the countries hosting the highest number of unique IP addresses found to be making connections and probing.

    Most Probing Countries Unique IP Addresses

    Figure 7 shows the individual IP addresses found to be making connections and probing.

    Most Probing IP Addresses

    IP Address        Connection Attempts   Country
    89.40.31.192      38,444                Romania
    117.239.228.134   33,135                India
    103.24.97.190     16,326                Pakistan
    196.29.120.73     15,661                Ghana
    94.248.197.73     10,788                Hungary
    46.241.224.234    7,181                 Armenia
    78.106.81.248     6,639                 Russian Federation
    89.179.28.158     6,271                 Russian Federation
    128.75.169.45     4,830                 Russian Federation
    128.74.198.210    4,781                 Russian Federation

    Table 1 - IP Address Based Connection Distribution

    Table 1 shows the top 10 unique IP addresses by number of connection attempts.

    Figure 7 - IP Based Connection Distribution

    Figure 6 - Country Based Unique IP Distribution


    Figure 8 gives the individual IP addresses that initiated the most malware attacks by successfully exploiting vulnerabilities.

    Most Attacking IP Addresses

    IP Address        Successful Attacks   Country
    89.40.31.192      12357                Romania
    117.239.228.134   10680                India
    196.29.120.73     7266                 Ghana
    46.241.224.234    3576                 Armenia
    94.248.197.73     3402                 Hungary
    78.106.81.248     2175                 Russian Federation
    89.179.28.158     2053                 Russian Federation
    93.81.179.136     1384                 Russian Federation
    37.145.174.57     1228                 Russian Federation
    95.29.232.52      1101                 Russian Federation

    Table 2 - IP Address Based Distribution

    Table 2 shows the top 10 IP addresses by number of attacks launched.

    Figure 8 - IP Address Based Distribution



    Attacking IP Addresses - 10 Attacks

    Table 3 provides the list of IP addresses that initiated a minimum of 10 malware-based attacks on Pakistan cyberspace. It is advised to block these IP addresses on your gateways. Please contact us if you would like the full list of suspicious IP addresses.


    Table 3 - IP Address Based Distribution - 10 Attacks


    Top 10 Vulnerabilities

    Below is the list, with details, of the vulnerabilities exploited most often to inject malware. It is strongly recommended to fully patch all known vulnerabilities in the OS and third-party programs installed in your network. You can contact us to perform a security assessment of your IT infrastructure for potential loopholes and vulnerabilities.

    Vulnerability Name
    Unknown ClosePrinter
    MS08-67 Net Path Canonicalize
    MS06-66 Nw Change Password
    MS07-065 QM Create Object Internals
    MS05-39 PNP Query Res Conf List
    MS05-017 QM Delete Object
    MS04-12 Remote Create Instance
    MS04-11 DS Roler Upgrade DownLevel
    MS04-031 NDdeSetTrustedShareW
    MS03-39 Net Add Alternative Computer

    MS08-67 - Vulnerability in Server service that could allow remote code execution.
    http://support.microsoft.com/kb/958644

    MS06-66 - Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution.
    https://technet.microsoft.com/en-us/library/security/ms06-066.aspx

    MS05-39 - Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege.
    https://technet.microsoft.com/en-us/library/security/ms05-039.aspx

    MS05-017 - Vulnerability in Message Queuing Could Allow Code Execution.
    https://technet.microsoft.com/en-us/library/security/ms05-017.aspx

    MS04-12 - Cumulative Update for Microsoft RPC/DCOM.
    https://technet.microsoft.com/en-us/library/security/ms05-017.aspx

    MS04-11 - Security Update for Microsoft Windows.
    https://technet.microsoft.com/en-us/library/security/ms04-011.aspx

    MS04-031 - Vulnerability in NetDDE Could Allow Remote Code Execution.
    https://technet.microsoft.com/en-us/library/security/ms04-031.aspx

    MS03-39 - Buffer Overrun In RPCSS Service Could Allow Code Execution.
    https://technet.microsoft.com/en-us/library/security/ms04-011.aspx

    MS07-065 - Vulnerability in Message Queuing Could Allow Remote Code Execution.
    https://technet.microsoft.com/en-us/library/security/ms07-065.aspx

    Table 4 - Top 10 Vulnerabilities


    Top Few Detected Malwares

    Table 5 lists the malwares detected most often in Pakistan cyberspace. The naming convention used for these malwares follows Kaspersky detection names; the same malware may be given different names by other antivirus engines.

    Name                               Percent
    Net-Worm.Win32.Kido.ih             94.12%
    Backdoor.Win32.Rbot.bni            2.28%
    Net-Worm.Win32.Allaple.e           1.20%
    Net-Worm.Win32.Kido.kj             1.08%
    Trojan-Downloader.Win32.Kido.bu

    Table 5 - Top Malwares Detected


    The following tables show the IP addresses and domain names that were found to be malicious and were communicating with infected machines.

    CnC IP Addresses & Domains


    Table 7 - CnC IP Addresses

    Table 8 - CnC Domains


    Attacked Protocols

    Table 9 shows the protocols exploited in the largest number of attacks.

    Protocol   Exploitations
    SMB        87.48%
    SIP        4.94%
    MSSQL      3.85%
    MYSQL      1.55%
    HTTP       1.24%
    EPMAP

    Table 9 - Attacked Protocols


    SIP Attacks

    What is SIP?

    The Session Initiation Protocol (SIP) is a communication protocol for signaling and controlling multimedia communication sessions. The most common applications of SIP are in Internet telephony for voice and video calls, as well as instant messaging using Internet Protocol (IP) networks.

    Division of SIP Attacks

    Most SIP attacks can be divided into two groups. The first consists of various kinds of PBX scanning and probing: the attacker sends an OPTIONS message and waits for an answer, or simply tries to place a call and immediately cancels it (an INVITE message followed by a CANCEL message). The second group consists of flood attacks using the REGISTER message. REGISTER is used by a user agent to register with the registrar (SIP server). An attacker sends a continuous stream of REGISTER messages to the SIP server in order to degrade its performance and ultimately make it inaccessible to authorized users.

    Register Flooding Attack

    A REGISTER flood is an application-layer attack on the Session Initiation Protocol (SIP) used by VoIP services, aimed at causing denial of service to SIP servers. It consists of sending a high volume of SIP REGISTER packets to SIP servers, exhausting their bandwidth and resources. In our sensors, 96% of the SIP messages observed were REGISTER messages.
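As an added example (not code from the report or from TRIAM's sensor platform), the following Python sorts captured SIP requests into the two groups described above: OPTIONS probes, INVITE-then-CANCEL probes, and REGISTER floods found with a sliding per-source window, plus the per-method share that the 96% figure refers to. The addresses, thresholds and message samples are constructed.

```python
"""Sort captured SIP requests into the two groups described above (PBX probing
and REGISTER flooding). Added example for this report, not TRIAM's sensor code;
all addresses, thresholds and messages below are constructed."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass
class SipRequest:
    ts: float       # capture time in seconds
    src: str        # source IP of the packet (from the transport, not the headers)
    method: str     # SIP request method, e.g. REGISTER
    call_id: str    # Call-ID header, used to pair an INVITE with its CANCEL


def parse_sip_request(ts, src, raw):
    """Parse the request line and Call-ID header of one raw SIP request."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("not a SIP request line: %r" % lines[0])
    call_id = ""
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("call-id", "i"):  # "i" is the compact form
            call_id = value.strip()
    return SipRequest(ts, src, parts[0].upper(), call_id)


def classify(requests, flood_threshold=100, window=60.0, cancel_gap=2.0):
    """Return {src_ip: set(labels)} for sources that probe or flood.

    OPTIONS from a source                                    -> "options-probe"
    INVITE then CANCEL (same Call-ID) within cancel_gap s    -> "invite-cancel-probe"
    >= flood_threshold REGISTERs from one source in `window` -> "register-flood"
    A phone re-registering once a minute never reaches the flood threshold.
    """
    labels = defaultdict(set)
    pending_invites = {}                 # (src, call_id) -> INVITE timestamp
    register_times = defaultdict(deque)  # src -> REGISTER timestamps inside the window
    for r in sorted(requests, key=lambda x: x.ts):
        if r.method == "OPTIONS":
            labels[r.src].add("options-probe")
        elif r.method == "INVITE":
            pending_invites[(r.src, r.call_id)] = r.ts
        elif r.method == "CANCEL":
            t0 = pending_invites.pop((r.src, r.call_id), None)
            if t0 is not None and r.ts - t0 <= cancel_gap:
                labels[r.src].add("invite-cancel-probe")
        elif r.method == "REGISTER":
            q = register_times[r.src]
            q.append(r.ts)
            while q and r.ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= flood_threshold:
                labels[r.src].add("register-flood")
    return dict(labels)


def method_share(requests):
    """Percentage of requests per method (the report's '96% REGISTER' figure)."""
    counts = Counter(r.method for r in requests)
    total = sum(counts.values())
    return {m: round(100.0 * n / total, 2) for m, n in counts.items()}


def _msg(method, call_id):
    # Minimal constructed SIP request; only the request line and Call-ID matter here.
    return ("%s sip:pbx.example.invalid SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 0.0.0.0;branch=z9hG4bK1\r\n"
            "Call-ID: %s\r\n\r\n" % (method, call_id))


def sample_requests():
    """Constructed traffic: an OPTIONS scanner, an INVITE/CANCEL prober,
    a REGISTER flooder (150 messages in 30 s) and one legitimate phone."""
    reqs = [parse_sip_request(0.0, "192.0.2.10", _msg("OPTIONS", "scan-1")),
            parse_sip_request(1.0, "192.0.2.11", _msg("INVITE", "call-7")),
            parse_sip_request(1.3, "192.0.2.11", _msg("CANCEL", "call-7"))]
    reqs += [parse_sip_request(5.0 + i * 0.2, "192.0.2.12", _msg("REGISTER", "reg-%d" % i))
             for i in range(150)]
    reqs += [parse_sip_request(60.0 * i, "198.51.100.5", _msg("REGISTER", "phone-%d" % i))
             for i in range(10)]
    return reqs
```

Running `classify(sample_requests())` labels the three attacking sources and leaves the re-registering phone unlabelled; `method_share` on the same data shows how dominant REGISTER becomes once a single flooder is present.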

    SIP Message   No. of Distinct Connections   Total Messages
    REGISTER      3862                          73448

    Table 10 - SIP REGISTER Message

    Malicious IP       Total
    85.25.160.106      42037
    212.129.61.222     9909
    188.138.26.190     18088
    195.154.39.5       3057
    212.83.137.238     211

    Table 11 - SIP Malicious IP Addresses


    Web Attacks

    As websites and web-based applications grow rapidly, so do the threats. Complex business applications are now delivered over the web (HTTP), paving the way for attackers to exploit any kind of vulnerability. The following section presents important data relevant to the web attacks faced by Pakistan cyberspace.

    The countries hosting IP Addresses performing the most attacks are shown in Figure 9:

    Top Few Countries With Most Web Attacks

    Figure 9 - Countries with Web Based Attacks

    Following is the list of IP addresses found to be launching the highest number of web attacks. It is recommended to block these IP addresses to secure your systems from such attacks.

    Top Few IP Addresses - Most Web Attacks

    IP Address        Attacks %   Country
    66.74.17.157      21.25%      United States
    176.99.122.190    17.70%      Ukraine
    176.10.99.200     13.21%      Switzerland
    212.83.167.175    10.45%      France
    118.138.9.49      10.33%      Germany
    176.10.99.201     9.12%       Switzerland
    18.239.0.155      7.95%       United States
    176.126.252.12    5.82%       Romania
    69.197.148.26     2.18%       United States
    109.163.234.4     1.99%       Romania

    Table 12 - IP Addresses Conducting Web Based Attacks


    Figure 10 - Web Based Attacks

    Among the type of attacks that we observed, SQL injection was seen the most in Pakistan cyberspace.

    Top Few Web Attacks


    Brute-Force Attacks

    A brute-force attack is the simplest method of gaining access to an application or operating system: the attacker simply tries different credentials. In a brute-force attack, an attacker tries different, exhaustive combinations of usernames and passwords, over and over again, until one of them succeeds in logging in. The following section presents the data relevant to brute-force activity against the SSH protocol in Pakistan cyberspace.

    The table below lists the usernames attempted most often against SSH in Pakistan. The root username was tried the most. It is strongly recommended to avoid such usernames, to use less predictable usernames, or to use two-factor authentication.

    Most Commonly Used Usernames

    Username   Attempts
    root       119497
    ubnt       251
    admin      113
    guest      28
    test       26
    support    23
    tester     14
    testing    14
    user       12

    Table 13 - Most Usernames Used

    The table below lists the passwords attempted most often. The password "admin" was tried the most. It is strongly recommended to avoid passwords of this kind.

    Most Commonly Used Passwords

    Password   Attempts
    admin      88
    root       82
    123456     70
    ubnt       67
    password   62
    1qaz2wsx   57
    passw0rd   29
    1q2w3e4r   29
    !qaz@wsx   28
    qwerty     25
    abc123     25

    Table 14 - Most Passwords Used


    The table below lists the IP addresses, with their country of origin, that carried out the most SSH attacks in Pakistan cyberspace. It is strongly recommended to block these IP addresses at the gateway level.

    Top Few IP Addresses Conducting SSH Attacks

    IP Address       Attempts   Country
    58.218.199.49    1538       China
    61.160.213.190   1302       China
    58.218.204.245   1241       China
    58.218.213.254   1175       China
    221.229.166.28   1157       China
    117.21.174.111   1150       China
    58.218.204.226   1149       China
    221.229.166.27   1138       China
    58.218.204.248   1087       China
    58.218.199.195   1040       China

    Table 15 - IP Addresses Conducting SSH Attacks

    Below is the list of tools, identified by their SSH client version banners, that were used in attempts to gain access over SSH in Pakistan cyberspace.

    Most Used Tools For SSH Based Attacks

    Tool (client banner)                         Connections
    SSH-2.0-PUTTY                                40138
    SSH-2.0-libssh2_1.4.3                        1962
    SSH-2.0-libssh2_1.4.1                        620
    SSH-2.0-JSCH-0.1.51                          90
    SSH-2.0-libssh2_1.5.0                        72
    SSH-2.0-PuTTY_Release_0.63                   34
    SSH-2.0-Granados-1.0                         24
    SSH-2.0-PuTTY_Local:_May_14_2009_21:12:18    20
    SSH-2.0-libssh2_1.4.2                        12

    Table 16 - Tools Used For SSH Attacks
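As an added example (not code from the report or from TRIAM's platform), the following Python aggregates OpenSSH auth-log lines the way Tables 13 and 15 do, flags sources that exceed a failure threshold, catches the case where a login succeeds after a run of failures from the same source, and checks an sshd_config fragment for the settings the section above recommends against (root logins and password authentication). The log lines, host name, addresses and config fragment are constructed.

```python
"""Brute-force detection over OpenSSH auth-log lines, plus a check of the sshd
settings that let such attempts succeed. Added example for this report, not
TRIAM's sensor code; the log lines and config fragment below are constructed."""
import re
from collections import Counter, defaultdict

# OpenSSH sshd log formats; "invalid user" marks names with no local account.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port \d+ ssh2")


def analyse_auth_log(lines, threshold=5):
    """Summarise brute-force activity in sshd log lines. Returns a dict with:
      by_source   - failed logins per source IP (what Table 15 shows)
      by_user     - failed logins per username  (what Table 13 shows)
      flagged     - sources with >= threshold failures and the usernames they tried
      compromised - (user, src) pairs where a success followed >= threshold
                    failures from the same source: the case that needs incident response
    """
    by_source, by_user = Counter(), Counter()
    users_tried = defaultdict(set)
    compromised = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            by_source[src] += 1
            by_user[user] += 1
            users_tried[src].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, src = m.groups()
            if by_source[src] >= threshold:
                compromised.append((user, src))
    flagged = {src: {"failures": n, "users": sorted(users_tried[src])}
               for src, n in by_source.items() if n >= threshold}
    return {"by_source": dict(by_source), "by_user": dict(by_user),
            "flagged": flagged, "compromised": compromised}


def weak_sshd_settings(config_text):
    """Return sshd_config findings that leave password guessing against root possible.
    A missing directive is reported as its default: OpenSSH of this era (before 7.0)
    defaulted both PermitRootLogin and PasswordAuthentication to yes."""
    effective = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        effective.setdefault(parts[0].lower(), value)   # sshd honours the first match
    findings = []
    for key, safe in (("permitrootlogin", ("no", "prohibit-password", "without-password")),
                      ("passwordauthentication", ("no",))):
        value = effective.get(key, "<default: yes>")
        if value not in safe:
            findings.append("%s is %s" % (key, value))
    return findings


SAMPLE_LOG = """\
Apr 10 03:12:01 gw sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr 10 03:12:02 gw sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr 10 03:12:04 gw sshd[2203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Apr 10 03:12:05 gw sshd[2205]: Failed password for invalid user ubnt from 203.0.113.7 port 51244 ssh2
Apr 10 03:12:06 gw sshd[2207]: Failed password for invalid user admin from 203.0.113.7 port 51250 ssh2
Apr 10 03:12:07 gw sshd[2207]: Connection closed by 203.0.113.7 [preauth]
Apr 10 03:15:00 gw sshd[2300]: Failed password for alice from 198.51.100.3 port 40000 ssh2
Apr 10 03:15:09 gw sshd[2300]: Accepted password for alice from 198.51.100.3 port 40000 ssh2
Apr 10 03:20:01 gw sshd[2400]: Failed password for root from 203.0.113.9 port 60001 ssh2
Apr 10 03:20:02 gw sshd[2400]: Failed password for root from 203.0.113.9 port 60001 ssh2
Apr 10 03:20:03 gw sshd[2400]: Failed password for root from 203.0.113.9 port 60001 ssh2
Apr 10 03:20:04 gw sshd[2402]: Failed password for root from 203.0.113.9 port 60004 ssh2
Apr 10 03:20:05 gw sshd[2402]: Failed password for root from 203.0.113.9 port 60004 ssh2
Apr 10 03:20:06 gw sshd[2402]: Accepted password for root from 203.0.113.9 port 60004 ssh2
"""

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment
PermitRootLogin yes
# PasswordAuthentication is left at its default
"""
```

`analyse_auth_log(SAMPLE_LOG.splitlines())` flags both guessing sources and reports the root login from 203.0.113.9 as compromised, while the single failed attempt from the legitimate user stays below the threshold.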


    List of Figures

    Figure 1 - Percentage of events by source countries 4

    Figure 2 - Attacks Originating from IP Addresses Hosted in China 4

    Figure 3 - Attacks Originating from IP Addresses Hosted in Romania 5

    Figure 4 - Attacks Originating from IP Addresses Hosted in Brazil 5

    Figure 5 - Country Based Connection Distribution 6

    Figure 6 - Country Unique IP Distribution 7

    Figure 7 - IP Based Connection Distribution 7

    Figure 8 - IP Address Based Distribution 8

    Figure 9 - Countries with Web Based Attacks 16

    Figure 10 - Web Based Attacks 17

    List of Tables

    Table 1 - IP Address Based Connection Distribution 6

    Table 2 - IP Address Based Distribution 7

    Table 3 - IP Based Distribution 10 Attacks 8

    Table 4 - Top 10 Vulnerabilities 10

    Table 5 - Top Malwares Detected 12

    Table 6 - Detected Malware Hashes 12

    Table 7 - CnC IP Addresses 13

    Table 8 - CnC Domains 13

    Table 9 - Attacked Protocols 14

    Table 10 - SIP REGISTER Message 15

    Table 11 - SIP Malicious IP Addresses 15

    Table 12 - IP Addresses Conducting Web Based Attacks 16

    Table 13 - Most Usernames Used 18

    Table 14 - Most Passwords Used 18

    Table 15 - IP Addresses Doing SSH Attacks 19

    Table 16 - Tools Used For SSH Attacks 19


    About TRIAM

    With almost a decade of experience, expertise and leadership in the information security market, Trillium Information Security Systems (Pvt) Ltd. has launched Pakistan's first and only focused Managed Security Service Provider brand, TRIAM.

    TRIAM's portfolio of information security services is backed by the industry's leading minds. Our team has an accumulated experience of more than 150 years of delivering successful information security projects to leading enterprises from all industry verticals of Pakistan and the region. In addition to our industry experience, TRIAM researchers have published over 45 research papers, enabling TRIAM to explore, study and understand niche areas of the information security domain.

    TRIAM is hence launched as one of the region's most skilled and experienced information security service providers, delivering services to customers that are backed by world-leading threat intelligence.

    TRIAM Service Portfolio

    Security Monitoring
      Stored Data Security Analytics
      Real-Time Data Security Analytics

    Digital Forensics & Incident Response Services
      Malware Analysis
      Digital Forensics & Investigation
      Incident Handling & Reporting

    Security Assessment Services
      Application Security Assessment
      Infrastructure Security Assessment

    Threat Intelligence Services
      Threat Feeds
      Botnet Tracking
      Threat Notifications


    About Contributors

    This research has been conducted by Trillium Information Security Systems (TISS) in collaboration with the Applied Security Engineering Research Group at the COMSATS Institute of Information Technology.

    We would like to thank the team members of the TRIAM Threat Intelligence Team and the TISS OPSEC Team for their attention and contribution to the publication of this report.

    For More Information

    To learn more about Trillium Information Security Systems and its brand TRIAM, please visit:

    infosecurity.com.pk
    triam.com.pk


    Copyright Trillium Information Security Systems (Pvt) Ltd. 2015

    Trillium Information Security Systems (Pvt) Ltd.
    Head Office
    10th Floor, AWT Plaza, 5-The Mall, Rawalpindi, Pakistan. 46000

    Produced in the Islamic Republic of Pakistan.
    March 2015

    This document is current as of the initial date of publication and may be changed by Trillium Information Security Systems at any time.

    The information contained in this guide is for educational and awareness purposes only. There is no way TISS may be responsible for any misuse of the information.

    All the information contained in this document is meant for developing information security defense skills among the recipients of this document in order to help in preventing malicious attacks.

    The information in this document is provided as is without any warranty, express or implied.

  • Threat Intelligence Team