TRIAM - Threat Intelligence Report - April 2015
Intelligence Report, April 2015
Table of Contents
I. Executive Summary
II. Malware Attacks
    Top Vulnerabilities
Attacked Protocols (14)
SIP Attacks (15)
    What is SIP? (15)
Web Attacks (16)
Brute-Force Attacks (18)
VII. References (20)
VIII. About TRIAM (21)
IX. About Contributors (22)
Executive Summary
To respond to any threat effectively, one must first identify the threat agents, understand their motives and study their means of attack comprehensively; in other words, one must achieve situational awareness in order to defend against, respond to, or counter a threat.
In an effort to provide the industry's stakeholders with situational awareness about the cyber threat landscape of Pakistan, the TRIAM Threat Intelligence Team is extremely proud to present this monthly Threat Intelligence report for the month of April 2015.
In this edition of our monthly Threat Intelligence report we observed an interesting set of activities in Pakistan's cyberspace. One notable observation was the increased number of attacks coming from IP addresses in China, coinciding with the Chinese Prime Minister's visit to Pakistan in April. The details of these attacks, and of all other attacks, are documented in this report. The major sets of attacks discovered recently in Pakistan by global and TISS research and IR teams are summarized as follows:
Equation Group
Equation Group is the most advanced APT group found so far and has been called the "Crown Creator of Cyber Espionage". According to Kaspersky Lab researchers, the group is unique in almost every aspect of its activities: it uses tools that are very advanced and expensive to develop in order to infect victims, retrieve data and hide its activity in a professional way, and it also utilizes classic spying techniques to deliver malicious payloads to victims. More details on this advanced APT group can be found at:
https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/
Ransomware
Ransomware is constantly affecting Pakistan-based organizations, with financial gain as the key motive. Ransomware works by encrypting the data on infected machines belonging to organizations and individuals, thus completely blocking access to that data. The decryption key is sent only if a ransom is paid. There has been an exponential increase in the number of ransomware attacks in the year 2015, and taking preventive measures against this threat is highly recommended at all layers.
In the month of April, information gathered from our sensors indicates the following:
Malware Attacks
Malware attacks are the major threat faced by Pakistani organizations. Using the Internet, attackers employ malware-based techniques to infect their target systems for reasons ranging from creating a mere nuisance, to stealing credentials, to eavesdropping on communications, to capturing proprietary and highly confidential information.
Attackers scan the Internet for vulnerable services and try to exploit them to gain access to the system and, ultimately, the network. Often rootkits (a type of malware) are used to take over and maintain control of a compromised system. The following section of the report presents the latest trends in malware-based attacks, identified from the information gathered by our sensors during the month of April.
The correlated information from different sensors reveals more than 254,000 connection attempts to Pakistan's cyberspace from different countries of the world. Furthermore, we detected more than 57,000 materialized attacks launched in this period. Over 9,000 unique IP addresses tried to establish a connection with our sensors deployed throughout Pakistan at least once.
After thorough automated analysis and correlation, most of these connection attempts were classified as malicious: they were intensively scanning to discover running services (particularly vulnerable ones) across Pakistan's cyberspace.
One of the IP addresses that established the most connections was 89.40.31.192, with more than 38,400 connections; it originates from Romania. About 1,900 unique IP addresses succeeded in exploiting a particular vulnerability and uploaded malware. The total number of attacks launched during this period was more than 57,000.
One of the IP addresses that initiated the most attacks was 89.40.31.192, with about 12,300 successful attacks; it originates from Romania. The largest number of attacks were launched by exploiting the MS08-067, MS08-068 and MS09-001 vulnerabilities, each of which could allow remote code execution.
Furthermore, according to our correlated information, port 445 received the highest share of attack traffic, with 87.48% of all attacks received. The service hosted on port 445 was SMBD (Server Message Block Daemon).
Further information on the IP addresses making connections and launching attacks, the top malware found, the top vulnerabilities exploited and the top protocols/services exploited is given below.
Most Probing Countries
The IP addresses from the countries doing the most probing and connection attempts are shown in Figure 5. Probing is done to find the services running on targeted systems and the corresponding vulnerabilities in the target machines that can be exploited.
Figure 5 - Country Based Connection Distribution
Most Probing IP Addresses
Figure 7 lists the individual IP addresses found to be making connections and probing.

IP Address | Connection Attempts | Country
89.40.31.192 | 38,444 | Romania
117.239.228.134 | 33,135 | India
103.24.97.190 | 16,326 | Pakistan
196.29.120.73 | 15,661 | Ghana
94.248.197.73 | 10,788 | Hungary
46.241.224.234 | 7,181 | Armenia
78.106.81.248 | 6,639 | Russian Federation
89.179.28.158 | 6,271 | Russian Federation
128.75.169.45 | 4,830 | Russian Federation
128.74.198.210 | 4,781 | Russian Federation
Most Attacking IP Addresses
Figure 8 lists the individual IP addresses that initiated the most malware attacks by successfully exploiting vulnerabilities.

IP Address | Successful Attacks | Country
89.40.31.192 | 12357 | Romania
117.239.228.134 | 10680 | India
196.29.120.73 | 7266 | Ghana
46.241.224.234 | 3576 | Armenia
94.248.197.73 | 3402 | Hungary
78.106.81.248 | 2175 | Russian Federation
89.179.28.158 | 2053 | Russian Federation
93.81.179.136 | 1384 | Russian Federation
37.145.174.57 | 1228 | Russian Federation
95.29.232.52 | 1101 | Russian Federation
Attacking IP Addresses (10 or More Attacks)
Table 3 lists the IP addresses that initiated a minimum of 10 malware-based attacks on Pakistan's cyberspace. It is advised to block these IP addresses on your gateways. Please contact us if you would like the full list of suspicious IP addresses.
IP Address | Successful Attacks | Country
89.40.31.192 | 12357 | Romania
117.239.228.134 | 10680 | India
196.29.120.73 | 7266 | Ghana
46.241.224.234 | 3576 | Armenia
94.248.197.73 | 3403 | Hungary
78.106.81.248 | 2175 | Russian Federation
89.179.28.158 | 2053 | Russian Federation
93.81.179.136 | 1384 | Russian Federation
37.145.174.57 | 1228 | Russian Federation
95.29.232.52 | 1101 | Russian Federation
37.146.102.200 | 1000 | Russian Federation
78.106.128.120 | 995 | Russian Federation
37.145.177.90 | 934 | Russian Federation
89.179.191.88 | 641 | Russian Federation
95.29.208.177 | 495 | Russian Federation
95.29.218.25 | 364 | Russian Federation
59.103.197.121 | 362 | Pakistan
2.94.120.46 | 358 | Russian Federation
128.75.187.7 | 300 | Russian Federation
93.80.248.154 | 267 | Russian Federation
93.80.189.33 | 259 | Russian Federation
189.4.133.231 | 243 | Brazil
93.80.239.232 | 229 | Russian Federation
128.74.221.216 | 220 | Russian Federation
93.81.184.86 | 220 | Russian Federation
187.21.245.55 | 206 | Brazil
37.145.178.237 | 188 | Russian Federation
189.4.134.2 | 160 | Brazil
187.21.246.10 | 157 | Brazil
46.241.229.78 | 126 | Armenia
88.158.45.194 | 120 | Romania
128.74.208.154 | 111 | Russian Federation
93.81.170.38 | 110 | Russian Federation
119.154.250.73 | 100 | Pakistan
46.241.232.20 | 91 | Armenia
37.146.72.76 | 80 | Russian Federation
88.158.42.124 | 78 | Romania
187.21.245.175 | 69 | Brazil
46.241.234.236 | 60 | Armenia
213.191.165.250 | 51 | Bulgaria
46.241.234.241 | 50 | Armenia
81.181.81.94 | 50 | Romania
117.214.192.50 | 48 | India
62.221.159.186 | 47 | Bulgaria
37.145.168.50 | 46 | Russian Federation
88.158.43.53 | 41 | Romania
159.224.159.200 | 39 | Ukraine
95.29.237.152 | 36 | Russian Federation
46.241.232.90 | 35 | Armenia
79.121.38.197 | 35 | Hungary
117.220.141.170 | 24 | India
176.63.146.35 | 24 | Hungary
37.144.248.0 | 23 | Russian Federation
176.73.36.100 | 21 | Georgia
59.103.195.49 | 20 | Pakistan
117.220.136.36 | 19 | India
88.158.45.192 | 19 | Romania
93.80.161.229 | 19 | Russian Federation
92.87.135.28 | 16 | Romania
46.241.243.195 | 14 | Armenia
79.46.167.207 | 12 | Italy
37.145.184.205 | 11 | Russian Federation
37.145.148.107 | 10 | Russian Federation
Table 3 - Attacking IP Addresses (10 or More Attacks)
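The figures in the sections above (connection attempts per source, materialized attacks per source, the share of attacks per port, and the "10 or more attacks" cut-off used for Table 3) all come from the same kind of aggregation over sensor events. The following script, added here as an illustration and not part of the report or TRIAM's tooling, performs that aggregation over a constructed sample of sensor lines (the line format, field names and all sample values are assumptions) and then derives a gateway blocklist from the per-source attack counts, discarding private and reserved addresses so that a misconfigured sensor cannot cause the operator's own ranges to be blocked.

```python
"""Aggregate honeypot sensor events into top-source, top-port and top-
vulnerability counts, and derive a gateway blocklist (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample events (not real sensor output). One line per connection;
# "result=exploit" marks a materialized attack, "vuln=" names what was used.
SAMPLE_EVENTS = """\
2015-04-03T10:12:44Z src=89.40.31.192 dport=445 result=connect
2015-04-03T10:12:45Z src=89.40.31.192 dport=445 result=exploit vuln=MS08-067
2015-04-03T10:13:01Z src=117.239.228.134 dport=445 result=exploit vuln=MS08-067
2015-04-03T10:14:10Z src=117.239.228.134 dport=1433 result=connect
2015-04-03T10:15:22Z src=10.0.0.7 dport=445 result=exploit vuln=MS08-067
2015-04-03T10:16:03Z src=46.241.224.234 dport=5060 result=connect
2015-04-03T10:16:04Z src=46.241.224.234 dport=5060 result=exploit vuln=SIP-REGISTER-FLOOD
2015-04-03T10:17:00Z src=not-an-ip dport=445 result=exploit vuln=MS08-067
"""

_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) result=(?P<result>\w+)"
    r"(?: vuln=(?P<vuln>\S+))?$"
)


def parse_event(line):
    """Return the fields of one event line as a dict, or None if it does not parse."""
    m = _LINE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(text):
    """Count connections and exploits per source, exploits per destination port,
    and exploited vulnerabilities. Lines whose source is not a valid IP address
    are skipped rather than counted under a bogus key."""
    connections, attacks = Counter(), Counter()
    attacks_by_port, vulns = Counter(), Counter()
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        try:
            ipaddress.ip_address(ev["src"])
        except ValueError:
            continue
        connections[ev["src"]] += 1
        if ev["result"] == "exploit":
            attacks[ev["src"]] += 1
            attacks_by_port[int(ev["dport"])] += 1
            if ev["vuln"]:
                vulns[ev["vuln"]] += 1
    return {"connections": connections, "attacks": attacks,
            "attacks_by_port": attacks_by_port, "vulns": vulns}


def port_share(stats):
    """Percentage of materialized attacks per destination port (the 87.48% on
    port 445 quoted above is this figure over the real sensor data)."""
    total = sum(stats["attacks_by_port"].values())
    if not total:
        return {}
    return {p: round(100.0 * n / total, 2) for p, n in stats["attacks_by_port"].items()}


def blocklist(stats, min_attacks=10):
    """Public source addresses with at least min_attacks exploits, most active
    first. Private, reserved, loopback and multicast ranges are dropped: a DROP
    rule for those would hit the operator's own network, not the attacker."""
    kept = []
    for ip, n in stats["attacks"].items():
        if n < min_attacks:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_reserved or addr.is_loopback or addr.is_multicast:
            continue
        kept.append((ip, n))
    kept.sort(key=lambda t: (-t[1], t[0]))
    return [ip for ip, _ in kept]


def iptables_rules(ips):
    """Render one inbound DROP rule per address in iptables syntax."""
    return [f"iptables -A INPUT -s {ip}/32 -j DROP" for ip in ips]


if __name__ == "__main__":
    stats = aggregate(SAMPLE_EVENTS)
    print("attack share by port:", port_share(stats))
    print("top vulnerabilities:", stats["vulns"].most_common(3))
    for rule in iptables_rules(blocklist(stats, min_attacks=1)):
        print(rule)
```

The threshold of 10 attacks matches the cut-off the report applies to Table 3; with real sensor volumes the default `min_attacks=10` is the one to use, and the sample run lowers it to 1 only so that the tiny constructed input produces output.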
Top 10 Vulnerabilities
Vulnerability names as labelled in the chart: Unknown, ClosePrinter, MS08-067, MS06-066, NwChangePassword, MS07-065, MS05-039, MS05-017, QMDeleteObject, MS04-012, MS04-011, MS04-031, NDdeSetTrustedShareW, MS03-039.

MS05-039
Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege.
https://technet.microsoft.com/en-us/library/security/ms05-039.aspx

MS05-017
Vulnerability in Message Queuing Could Allow Code Execution.
https://technet.microsoft.com/en-us/library/security/ms05-017.aspx

MS04-012
Cumulative Update for Microsoft RPC/DCOM.
https://technet.microsoft.com/en-us/library/security/ms04-012.aspx

MS04-011
Security Update for Microsoft Windows.
https://technet.microsoft.com/en-us/library/security/ms04-011.aspx

MS08-067
Vulnerability in Server Service Could Allow Remote Code Execution.
http://support.microsoft.com/kb/958644

MS04-031
Vulnerability in NetDDE Could Allow Remote Code Execution.
https://technet.microsoft.com/en-us/library/security/ms04-031.aspx

MS03-039
Buffer Overrun in RPCSS Service Could Allow Code Execution.

MS07-065
Vulnerability in Message Queuing Could Allow Remote Code Execution.
https://technet.microsoft.com/en-us/library/security/ms07-065.aspx
Name | Percent
Net-Worm.Win32.Kido.ih | 94.12%
Backdoor.Win32.Rbot.bni | 2.28%
Net-Worm.Win32.Allaple.e | 1.20%
Net-Worm.Win32.Kido.kj | 1.08%
Trojan-Downloader.Win32.Kido.bu | <1%
Trojan-Spy.Win32.Small.pex | <1%
Trojan.Win32.Genome.tusc | <1%
Backdoor.Win32.Agent.aknp | <1%
Trojan.Win32.Genome.ahpxd | <1%
Table 5 - Top Malwares Detected
Malware | Presence | MD5 Hash
Net-Worm.Win32.Kido.ih | 94.12% | 029e95604293d13fbf621a10ae11edfe
 | | 099384dc46cca644e859cb7fb1d6de8b
 | | 0af49bbed7ec17b2e8b5ae7b87920715
 | | 0ea2203e8c7a1700b29271755e371392
Backdoor.Win32.Rbot.bni | 2.28% | c1989130056c32fa305e3de57f6f40f1
Net-Worm.Win32.Allaple.e | 1.20% | 247a51c8a6ea90209fad9bc9208dd48e
Net-Worm.Win32.Kido.kj | 1.08% | B8099f59ec27f47e13ca2445731776c8
Trojan-Downloader.Win32.Kido.bu | <1% | 4bb05060ae675d1d7177df05e1ac15b4
Trojan-Spy.Win32.Small.pex | <1% | f4d56bac967e0217a0049fe717cc634b
Trojan.Win32.Genome.tusc | <1% | b0426ed44d7819d1ab5ead9b12fd2879
Backdoor.Win32.Agent.aknp | <1% | 7867de13bf22a7f3e3559044053e33e7
Trojan.Win32.Genome.ahpxd | <1% | 4d56562a6019c05c592b9681e9ca2737
Net-Worm.Win32.Kido.dam.ak | <1% | 468348280af746400d629a00ab782f21
IP Address | Country | Domain
221.8.69.25 | China | xqpjtkqid.biz
204.27.59.22 | India | yeigidwnrda.ws
195.22.26.231 | Portugal | zwvnfggq.ws
195.223.0.0 | Italy | smcxq.biz
212.184.0.0 | Germany | abyoqc.cn
149.20.56.32 | United States | ztcabv.cn
149.20.56.33 | United States | gwjewwqgig.cn
149.20.56.34 | United States | pdcpbbkit.cn
221.8.69.25 | China | xiammogc.cn
54.235.146.190 | United States | checkip.dyndns.com
54.235.146.225 | United States | xdz.no-ip.org
216.146.38.70 | United States |
216.146.39.70 | United States |
216.146.43.70 | United States |
91.198.22.70 | United Kingdom |
128.30.52.37 | United States |
204.95.99.86 | United States |
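The MD5 hashes in the malware table and the domains in the table above are the report's indicators of compromise, and the natural use of them is to sweep files and DNS logs for matches. The script below is an added example, not code from the report; it copies a subset of the listed hashes and domains into indicator sets, computes MD5 for file contents, and matches DNS query names against the domain list so that subdomains of a listed domain are caught while look-alike names are not. The DNS log line format and the sample queries are constructed for the example. Note that checkip.dyndns.com, which appears in the table, is also a widely used public IP-lookup service, so a hit on that name alone is weak evidence and is marked as such.

```python
"""Match file hashes and DNS queries against the report's indicators
(added example; indicator values are copied from the tables above)."""
import hashlib

# Hashes copied from Table 5's hash listing, normalised to lowercase so that
# a mixed-case listing (one entry above is written "B8099f...") cannot miss.
MALWARE_MD5 = {h.lower() for h in [
    "029e95604293d13fbf621a10ae11edfe",  # Net-Worm.Win32.Kido.ih
    "c1989130056c32fa305e3de57f6f40f1",  # Backdoor.Win32.Rbot.bni
    "247a51c8a6ea90209fad9bc9208dd48e",  # Net-Worm.Win32.Allaple.e
    "B8099f59ec27f47e13ca2445731776c8",  # Net-Worm.Win32.Kido.kj
]}

# Domains copied from the table above. Public dynamic-DNS / IP-check services
# are legitimately used by many hosts, so they are kept in a low-confidence set.
MALICIOUS_DOMAINS = {"xqpjtkqid.biz", "yeigidwnrda.ws", "abyoqc.cn", "xdz.no-ip.org"}
LOW_CONFIDENCE_DOMAINS = {"checkip.dyndns.com"}


def md5_hex(data):
    """Hex MD5 of a byte string (MD5 is used only because the indicators are MD5)."""
    return hashlib.md5(data).hexdigest()


def check_file_bytes(data, indicators=MALWARE_MD5):
    """True if the MD5 of data is one of the listed indicators."""
    return md5_hex(data).lower() in indicators


def domain_matches(qname, domains=MALICIOUS_DOMAINS):
    """Return the listed domain that qname equals or is a subdomain of, else None.
    'a.b.xqpjtkqid.biz' matches 'xqpjtkqid.biz'; 'notxqpjtkqid.biz' does not."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(lines):
    """Scan constructed '<client_ip> <qname>' log lines. Returns a list of
    (client_ip, qname, matched_domain, confidence) for every hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        client, qname = parts[0], parts[1]
        strong = domain_matches(qname, MALICIOUS_DOMAINS)
        if strong:
            hits.append((client, qname, strong, "high"))
            continue
        weak = domain_matches(qname, LOW_CONFIDENCE_DOMAINS)
        if weak:
            hits.append((client, qname, weak, "low"))
    return hits


# Constructed DNS log lines (not real data) for the usage run below.
SAMPLE_DNS_LOG = [
    "192.0.2.10 www.xqpjtkqid.biz",
    "192.0.2.11 example.com",
    "192.0.2.12 notxqpjtkqid.biz",
    "192.0.2.13 checkip.dyndns.com",
    "malformed-line",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
    print("empty file is an indicator:", check_file_bytes(b""))
```

Hash matching is exact-match only: a recompiled or repacked sample of the same family will not hit, which is why the domain and IP indicators are worth checking alongside the hashes rather than instead of them.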
Attacked Protocols

Protocol | Exploitations
SMB | 87.48%
SIP | 4.94%
MSSQL | 3.85%
MYSQL | 1.55%
HTTP | 1.24%
EPMAP | <1%
MIRROR | <1%
RSH | <1%
Table 9 - Attacked Protocols
SMB: Server Message Block operates as an application-layer network protocol mainly used to provide shared access to files, printers and serial ports, and for miscellaneous communication between nodes on a network.
HTTP: The Hypertext Transfer Protocol is an application protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web. Hypertext is structured text that uses logical links (hyperlinks) between nodes containing text.
MIRROR: Managing Isolation in Replicated Real-time Object Repositories, a concurrency control protocol specifically designed for firm-deadline applications operating on replicated real-time databases.
RSH: The remote shell (rsh) is a command-line program that executes shell commands as another user, and on another computer, across a network.
SIP Attacks
What is SIP?
The Session Initiation Protocol (SIP) is a communication protocol for signaling and controlling multimedia communication sessions. The most common applications of SIP are in Internet telephony for voice and video calls, as well as instant messaging over Internet Protocol (IP) networks.
Most SIP attacks can be divided into two groups. The first consists of various types of PBX scanning and probing: the attacker sends an OPTIONS message and waits for an answer, or simply tries to place a call and immediately cancels it (an INVITE message followed by a CANCEL message). The second group consists of flood attacks using REGISTER messages. A REGISTER message is used by a user agent to register with the registrar (the SIP server). An attacker sends continuous REGISTER messages to the SIP server in order to degrade the server's performance and ultimately make it inaccessible to authorized users.
This application-layer attack on SIP, which is used in VoIP services, is aimed at causing a denial of service on SIP servers. A SIP REGISTER flood consists of sending a high volume of SIP REGISTER packets to SIP servers, thereby exhausting their bandwidth and resources. On our sensors, 96% of the message types seen were REGISTER.
SIP Message
Total Messages
Register
3862
73448
Table 10 - SIP REGISTER Message
Malicious IP | Total
85.25.160.106 | 42037
212.129.61.222 | 9909
188.138.26.190 | 18088
195.154.39.5 | 3057
212.83.137.238 | 211
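The two attack groups described above (PBX probing via OPTIONS or INVITE-then-CANCEL, and REGISTER floods) can be told apart from a plain record of which SIP method each source sent and when. The following detector is an added example, not the report's or TRIAM's code; it runs over a constructed list of (timestamp, source IP, method) tuples (the event shape, the window size, the flood threshold and all sample values are assumptions) and flags REGISTER floods with a sliding time window per source, so that a source sending a few REGISTERs an hour, which is what a legitimate phone does, is never flagged while a burst is caught as soon as it crosses the threshold. It also reports the per-method message share that Table 10 summarizes.

```python
"""Classify SIP signalling seen by a sensor into PBX probing and REGISTER
floods, and summarise message types (added example)."""
from collections import defaultdict, deque

# Constructed sample: (unix_time, source_ip, SIP method). Not real sensor data.
# One source fires 120 REGISTERs in six seconds; one legitimate-looking source
# re-registers once a minute; two sources probe.
SAMPLE_SIP = (
    [(100.0 + i * 0.05, "85.25.160.106", "REGISTER") for i in range(120)]
    + [(100.0, "212.83.137.238", "OPTIONS")]
    + [(101.0, "195.154.39.5", "INVITE"), (101.4, "195.154.39.5", "CANCEL")]
    + [(130.0, "203.0.113.9", "REGISTER"), (190.0, "203.0.113.9", "REGISTER")]
)


def register_floods(events, window_s=10.0, threshold=100):
    """Map of source IP -> time at which it first exceeded `threshold` REGISTER
    requests inside any `window_s`-second window. A per-source deque holds only
    the timestamps still inside the window, so memory is bounded by the window
    length rather than by how long the flood lasts."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, method in sorted(events):
        if method != "REGISTER":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def probing_sources(events, cancel_within_s=2.0):
    """Sources that sent OPTIONS, or an INVITE followed by a CANCEL within
    cancel_within_s seconds (a call placed and immediately torn down)."""
    probes = set()
    last_invite = {}
    for ts, src, method in sorted(events):
        if method == "OPTIONS":
            probes.add(src)
        elif method == "INVITE":
            last_invite[src] = ts
        elif method == "CANCEL" and src in last_invite:
            if ts - last_invite[src] <= cancel_within_s:
                probes.add(src)
    return probes


def summarize(events):
    """Per-method message counts and the REGISTER share in percent."""
    counts = defaultdict(int)
    for _, _, method in events:
        counts[method] += 1
    total = sum(counts.values())
    share = 100.0 * counts.get("REGISTER", 0) / total if total else 0.0
    return dict(counts), round(share, 1)


if __name__ == "__main__":
    print("REGISTER floods:", register_floods(SAMPLE_SIP))
    print("probing sources:", probing_sources(SAMPLE_SIP))
    print("message counts, REGISTER share:", summarize(SAMPLE_SIP))
```

The threshold and window are tuning knobs: a registrar serving many phones behind one NAT address will legitimately see far more REGISTERs from a single source than a residential line, so the numbers should be set from a baseline of the registrar's own normal traffic rather than copied from here.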
Web Attacks
As websites and web-based applications grow rapidly, so do the threats against them. Complex business applications are now delivered over the web (HTTP), paving the way for attackers to exploit any kind of vulnerability.
The following section presents important data on the web attacks faced by Pakistan's cyberspace.
IP Address | Attacks % | Country
66.74.17.157 | 21.25% | United States
176.99.122.190 | 17.70% | Ukraine
176.10.99.200 | 13.21% | Switzerland
212.83.167.175 | 10.45% | France
118.138.9.49 | 10.33% | Germany
176.10.99.201 | 9.12% | Switzerland
18.239.0.155 | 7.95% | United States
176.126.252.12 | 5.82% | Romania
69.197.148.26 | 2.18% | United States
109.163.234.4 | 1.99% | Romania
Top Few Web Attacks
Among the types of attack we observed, SQL injection was seen most often in Pakistan's cyberspace.
Brute-Force Attacks
A brute-force attack is the simplest method of gaining access to an application or operating system: trying different credentials. In a brute-force attack, the attacker tries different, exhaustive combinations of usernames and passwords over and over again until a login succeeds. The following section presents data on brute-force activity against the SSH protocol in Pakistan's cyberspace.
Most Commonly Used Usernames
The table below lists the usernames most often attempted against SSH in Pakistan. The root username was tried the most. It is strongly recommended to avoid such usernames, or to use complex usernames or two-factor authentication.
Username | Attempts
root | 119497
ubnt | 251
admin | 113
guest | 28
test | 26
support | 23
tester | 14
testing | 14
user | 12
Table 13 - Most Usernames Used
Most Commonly Used Passwords
The table below lists the most attempted passwords. The password "admin" was tried the most. It is strongly recommended to avoid these types of passwords.
Password | Attempts
admin | 88
root | 82
123456 | 70
ubnt | 67
password | 62
1qaz2wsx | 57
passw0rd | 29
1q2w3e4r | 29
!qaz@wsx | 28
qwerty | 25
abc123 | 25
IP Address | Attempts | Country
58.218.199.49 | 1538 | China
61.160.213.190 | 1302 | China
58.218.204.245 | 1241 | China
58.218.213.254 | 1175 | China
221.229.166.28 | 1157 | China
117.21.174.111 | 1150 | China
58.218.204.226 | 1149 | China
221.229.166.27 | 1138 | China
58.218.204.248 | 1087 | China
58.218.199.195 | 1040 | China
Tool | Connections
SSH-2.0-PUTTY | 40138
SSH-2.0-libssh2_1.4.3 | 1962
SSH-2.0-libssh2_1.4.1 | 620
SSH-2.0-JSCH-0.1.51 | 90
SSH-2.0-libssh2_1.5.0 | 72
SSH-2.0-PuTTY_Release_0.63 | 34
SSH-2.0-Granados-1.0 | 24
SSH-2.0-PuTTY_Local:_May_14_2009_21:12:18 | 20
SSH-2.0-libssh2_1.4.2 | 12
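The four brute-force tables above (usernames, passwords, source addresses and client banners) are different views of the same login-attempt records, and the passwords in particular are only visible because the data comes from honeypots rather than from a real sshd, whose logs never contain the password tried. The script below is an added example, not the report's tooling; it builds those views from a constructed JSON-lines honeypot log (the field names and every sample value are assumptions), flags sources that exceed an attempt threshold, and reports the share of attempts aimed at root, which is the figure behind the recommendation to avoid that username for remote login.

```python
"""Summarise SSH brute-force records from a honeypot into the views used in
the brute-force section and flag high-volume sources (added example)."""
import json
from collections import Counter

# Constructed honeypot records (not real data), one JSON object per line. A
# honeypot sees the password because it accepts the connection itself; a real
# sshd log records only the username and source.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": "2015-04-02T01:00:00Z", "src": "58.218.199.49", "user": "root", "password": "admin", "client": "SSH-2.0-PUTTY"},
    {"ts": "2015-04-02T01:00:01Z", "src": "58.218.199.49", "user": "root", "password": "123456", "client": "SSH-2.0-PUTTY"},
    {"ts": "2015-04-02T01:00:02Z", "src": "58.218.199.49", "user": "root", "password": "1qaz2wsx", "client": "SSH-2.0-PUTTY"},
    {"ts": "2015-04-02T01:00:03Z", "src": "58.218.199.49", "user": "admin", "password": "admin", "client": "SSH-2.0-PUTTY"},
    {"ts": "2015-04-02T02:10:00Z", "src": "61.160.213.190", "user": "ubnt", "password": "ubnt", "client": "SSH-2.0-libssh2_1.4.3"},
    {"ts": "2015-04-02T02:10:01Z", "src": "61.160.213.190", "user": "root", "password": "root", "client": "SSH-2.0-libssh2_1.4.3"},
    {"ts": "2015-04-02T03:00:00Z", "src": "198.51.100.4", "user": "deploy", "password": "c0rrect-h0rse", "client": "SSH-2.0-OpenSSH_6.7"},
]) + "\nthis line is not json\n"


def load_records(text):
    """Parse JSON-lines input, skipping blank and malformed lines instead of
    aborting the whole run on one bad record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def top(records, field, n=10):
    """Most common values of one field, e.g. 'user', 'password' or 'client'."""
    return Counter(r[field] for r in records if field in r).most_common(n)


def flag_sources(records, min_attempts=3):
    """Source IPs with at least min_attempts login attempts in the records."""
    per_ip = Counter(r["src"] for r in records if "src" in r)
    return {ip: c for ip, c in per_ip.items() if c >= min_attempts}


def root_share(records):
    """Percentage of attempts that targeted the root account."""
    total = len(records)
    if not total:
        return 0.0
    root_attempts = sum(1 for r in records if r.get("user") == "root")
    return round(100.0 * root_attempts / total, 1)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("usernames:", top(recs, "user"))
    print("passwords:", top(recs, "password"))
    print("clients:  ", top(recs, "client"))
    print("flagged:  ", flag_sources(recs))
    print("root share:", root_share(recs), "%")
```

With real volumes the `min_attempts` threshold should sit well above what a user mistyping a password produces in the same period; the report's own per-source counts (over a thousand attempts per address in the table above) are far beyond any such baseline.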
List of Figures
Figure 1 - Percentage of events by source countries

List of Tables
Table 1 - IP Address Based Connection Distribution
About TRIAM
With almost a decade of experience, expertise and leadership in the information security market, Trillium Information Security Systems (Pvt) Ltd. has launched Pakistan's first and only focused Managed Security Service Provider brand, TRIAM.
TRIAM's portfolio of information security services is backed by the industry's leading minds. Our team has an accumulated experience of more than 150 years of delivering successful information security projects to leading enterprises from all industry verticals of Pakistan and the region. In addition to our industry experience, TRIAM researchers have published over 45 research papers, enabling TRIAM to explore, study and understand niche areas of the information security domain.
TRIAM is hence launched as one of the region's most skilled and experienced information security service providers, delivering services to customers that are backed by world-leading threat intelligence.
Security Monitoring
    Stored Data Security Analytics
    Real-Time Data Security Analytics
Digital Forensics & Incident Response Services
    Malware Analysis
    Digital Forensics & Investigation
    Incident Handling & Reporting
Security Assessment Services
    Application Security Assessment
    Infrastructure Security Assessment
Threat Intelligence Services
    Threat Feeds
    Botnet Tracking
    Threat Notifications
About Contributors
This research has been conducted by Trillium Information Security Systems (TISS) in collaboration with the Applied Security Engineering Research Group at the COMSATS Institute of Information Technology.
We would like to thank the members of the TRIAM Threat Intelligence Team and the TISS OPSEC Team for their attention and contribution to the publication of this report.
For More Information
To learn more about Trillium Information Security Systems and its brand TRIAM, please visit:
infosecurity.com.pk
triam.com.pk