SecurityWeek

Critical Infrastructure Organizations Lagging in Security

Businesses and government agencies are popular targets for attackers looking to steal information and destroy networks, and they are woefully unprepared to deal with the attacks, FortiGuard Labs researchers wrote in a new report analyzing attacks in 2013.

Fortinet researchers pulled data from thousands of FortiGuard firewalls and gateways installed in customer networks around the world for their analysis of advanced persistent threats. Researchers also conducted simple online searches to find real-world examples of how well critical infrastructure organizations had secured their Internet-facing systems.

There were over 142 million unsuccessful hacks and intrusion attempts in the first half of 2013, according to statistics collected by Fortinet. Fortinet also recorded nearly 3.14 billion attempted visits by users to malicious sites, and blocked 4.45 million phishing emails from reaching customers, according to the report.

In a report outlining the rise of advanced persistent threats, Fortinet researchers said these attacks are the “greatest threats on the horizon internationally.” Fortinet defined APTs as sophisticated attacks, usually coming from government agencies, aimed at damaging or stealing data from other governments, companies or individuals.

What makes today’s APTs unique and frightening are the sophistication of the malware, the vectors they’re choosing for attack and the perseverance with which they’re going after their targets, FortiGuard Labs researchers wrote.

Fortinet’s report showed how researchers were able to reach a Canadian infrastructure company’s irrigation-system control interface over the Internet and take a screenshot of it. The configuration screen gave the researchers access to the entire industrial control system: they could modify settings, read reports, and add new users.

There is no need, when security is this weak, for attackers to bother looking for vulnerabilities or exploits. “It’s clearly not needed: we have full access to the device already,” the researchers wrote.

The attackers use a “substantial arsenal of tools” such as social engineering, forged and fake security certificates, zero-days and other exploits, and both customized and off-the-shelf malware.

According to FortiGuard Labs analysis, the signatures triggered by the attempted attacks included ZmEu.Vulnerability.Scanner (ZmEu is a mass scanner that probes web servers for exposed phpMyAdmin installations), a directory traversal tool, a command execution tool for Cisco IOS systems, and an exploit targeting the Joomla content management platform.

Other signatures included HTTP.Chunk.Overflow, HTTP.Negative.Data.Length, ESVA.CGI.Argument.Injection, and PHP.CGI.Argument.Injection.
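The signature names above are what a gateway reports after the fact; an analyst without one can still pick the same activity out of ordinary web server logs. The following is an added example, not code from the Fortinet report or from SecurityWeek: a small detector that parses Apache combined-format access log lines and flags three of the patterns named above (the ZmEu scanner by its User-Agent and its characteristic w00tw00t probe, directory traversal after percent-decoding the path twice, and the php-cgi argument-injection pattern of a query string that begins with a dash). The log lines are constructed for the example, the IP addresses are documentation ranges, and the match rules are the author's own approximations of what those signature names commonly denote, not Fortinet's signature logic.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache combined log format (not taken from the report).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jun/2013:10:01:22 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 512 "-" "ZmEu"
203.0.113.5 - - [12/Jun/2013:10:01:23 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 512 "-" "ZmEu"
198.51.100.7 - - [12/Jun/2013:10:05:10 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 403 210 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2013:10:05:11 +0000] "GET /images/..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 403 210 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jun/2013:10:07:01 +0000] "POST /index.php?-d+allow_url_include%3dOn+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 1024 "-" "curl/7.29"
192.0.2.44 - - [12/Jun/2013:10:09:30 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8191 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A ".." path segment bounded by slashes or backslashes (or the ends of the path).
TRAVERSAL_RE = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of (assumed) signature names that fire on one parsed entry."""
    findings = []
    # Decode percent-encoding twice so %252e%252e%252f (double-encoded "../") is caught too.
    target = unquote(unquote(entry["target"]))
    parts = urlsplit(target)
    path, query = parts.path, parts.query

    # ZmEu announces itself in the User-Agent and sends the w00tw00t probe request.
    if "zmeu" in entry["ua"].lower() or "w00tw00t" in path.lower():
        findings.append("ZmEu.Vulnerability.Scanner")
    # Any ".." segment in the decoded path is a traversal attempt; /a..b/ does not match.
    if TRAVERSAL_RE.search(path):
        findings.append("Directory.Traversal")
    # php-cgi argument injection: the query string is passed as command-line options,
    # so an attack query starts with "-" (e.g. -d allow_url_include=On).
    if query.startswith("-"):
        findings.append("PHP.CGI.Argument.Injection")
    return findings


def scan(log_text):
    """Return [(ip, raw target, [signature names])] for every line that fired a rule."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not combined-format entries
        sigs = classify(entry)
        if sigs:
            hits.append((entry["ip"], entry["target"], sigs))
    return hits


if __name__ == "__main__":
    for ip, target, sigs in scan(SAMPLE_LOG):
        print(f"{ip:15} {', '.join(sigs):30} {target}")
```

Run against the constructed log, five of the six lines fire and the ordinary Joomla article request does not. The double decode matters: a single `unquote` misses `%252e%252e%252f`, which some scanners send precisely to slip past naive filters, while decoding too aggressively (for example also collapsing `+`) would start flagging benign query strings, so the example decodes only percent-escapes.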

An APT may begin with a software exploit taking advantage of a zero-day vulnerability or a lesser-known software bug. Combined with social engineering such as spear phishing, the attack becomes “highly combustible,” Fortinet wrote. Once the attackers have breached a system, they can use other techniques to move laterally through the infrastructure, stealing or destroying data.

The malware used frequently stays dormant for months or years at a time to remain under the radar.

“It’s very possible that a site, such as a major city power grid, is compromised right now and the malware is just waiting for someone to press a button,” the report warned.

Only a handful of countries and groups have the capabilities, skills, funding, and infrastructure required to launch an APT, FortiGuard Labs researchers wrote in the report. The short list includes China, Russia, and the United States. While other countries, such as Syria, Iran, and North Korea, may have developed their own cyber-armies and APT groups, “it’s safe to say that most of these nations have at the very least researched the option,” the report said.

APTs may vary their attack methods and may lurk for a long period of time, but they generally follow the same steps to succeed. The attacker first determines the target: who to infiltrate and what to steal or destroy. Once the victim is identified, the attacker does extensive background research, such as looking through search engines, social network activity, and other sources of public information, to learn about potential human targets.

The attacker then typically crafts a customized phishing email, tailored with the information that was gathered, to trick those people into opening a malicious attachment or link. Once one of them does, the attacker has a foothold in the network and has planted some kind of malware on the victim’s computer.

The next step is to move around the network by exploiting other vulnerabilities and issues and getting access to other systems and data. Data can be stolen, or systems damaged. Even after the initial objective is complete, the attacker can decide to evade detection and remain in the network to maintain surveillance.

Just as the attackers rely on multiple attack methods and techniques to craft a successful campaign, organizations need to implement a layered defense to protect their networks, the report suggested.

Two-factor authentication would make it harder to gain unauthorized access. By restricting administrative rights, setting rules for how USB drives may be used, and limiting access to cloud services, administrators would be able to contain the potential damage.

The layers include training users to recognize attacks, segregating the network, creating Web filtering and IP reputation rules, implementing whitelists and blacklists, defining network access control and application control, deploying cloud-based sandboxes and data leak prevention, installing intrusion prevention/detection systems and endpoint protection software, and proactively patching systems.

While firewalls and intrusion prevention technologies are necessary, they are just the beginning of a comprehensive and effective security posture and organizations need to think about a “holistic strategy” to block APTs at various stages of the attack process, the report said.

Forming security partnerships with other organizations helps ensure the organization has up-to-date threat intelligence and a clear plan of action in the case of an attack.

“No single network security feature will stop an APT,” the report concluded.