17 Jun 19
THIS REPORT HIGHLIGHTS THE THREATS AND TRENDS DARKMATTER HAS OBSERVED BETWEEN OCTOBER 2018 AND MARCH 2019 REGIONALLY AND IN THE WIDER THREAT LANDSCAPE. THE GOAL OF THIS DOCUMENT IS TO PROVIDE CLIENTS AND STAKEHOLDERS WITH A SNAPSHOT OF THE STATE OF CYBERSECURITY AND OF THE HEADLINE INCIDENTS AFFECTING THE UAE.
In our first semi-annual report for 2019, DarkMatter documents a growing incidence of cyberattacks across the UAE and the wider Middle East. As cybercriminals keep abreast of emerging developments in technology, they are striking in ever more sophisticated ways and aiming their weapons where they are likely to cause the most damage.
Karim Sabbagh unveiling insights from the report on CNBC
Breaches in the Middle East are both widespread and frequently undetected. They also increasingly appear to be state-sponsored.
This report also provides a particular focus on the UAE’s critical infrastructure sectors identified as the following: Oil and Gas, Financial, Transportation, and Electricity and Water.
A hit on any of these critical infrastructure activities could disrupt the industry and harm the economy. Oil and Gas in particular, a pillar of the UAE’s economy that is of strategic importance to the world, faces the greatest risk from globally active intrusion sets known as Advanced Persistent Threats (APTs). Public reporting worldwide remains high on long-established threat actors targeting oil and gas, including those believed to be linked to Iran. The same actors also target other sectors such as transport.
Two chief motivations stand out in DarkMatter’s review of threat actors operating in the region. Espionage is now the most prominent menace for regional organizations, accounting for the majority of the assessed campaigns. Such campaigns commonly seek illicit access to credentials and personally identifiable information to facilitate follow-on attacks. Sabotage is another significant motivation, as seen with the Shamoon wiper malware (also known as Disttrack) or in website defacements, and it will remain a constant threat.
Public-facing assets and infrastructures comprise the general attack surface in the UAE, partly a consequence of the country’s high internet penetration rate. However, as outlined in our previous report, most of the UAE’s publicly accessible hosts are located outside the nation’s borders, limiting the ability to safeguard these assets.
Adequate safeguards are yet to be enforced consistently across the UAE, DarkMatter’s examination reveals. Unprepared organizations remain largely exposed due to negligent and disordered systems. Weak passwords, outdated and unsupported software, insecure protocols, and open, unrestricted networks are among the most frequent vulnerabilities.
This DarkMatter report contains actionable insights for UAE enterprises, with recommended general policy outlines and a set of technical best practices.
CRITICAL INFRASTRUCTURE: HITTING WHERE IT HURTS
In 2017, the Triton malware attack on the Saudi petrochemical company Petro Rabigh came close to triggering high-pressure explosions of toxic hydrogen sulfide gases along the Red Sea coast. Had the attack succeeded, it could have taken a considerable toll on business and human life. Other destructive attacks, such as Shamoon in Saudi Arabia and BlackEnergy in Ukraine, left their targets with deleted files, delayed operations and losses of proprietary data.
These are some ways critical infrastructure can be targeted to devastating effect. The term defines an asset or system that is essential to the functioning of a society and to its health and safety. As explained by the EU, the damage or disruption of such resources, whether intentional or not, poses a significant danger to the security of a nation and its citizens.
In the age of hyper-connected digital economies, technology is no longer merely an extension of critical infrastructure services but plays an enabling role at the core of each service. Security must consequently be ringfenced around these touchpoints. However, cyberattacks on critical infrastructure are now more sophisticated and occur more frequently, exposing worldwide governments and businesses to new risks.
In the UAE, the Telecommunications Regulatory Authority (TRA) has established the National Cyber Security Strategy (NCSS) with the aim of securing national information and communications across the country. The NCSS identifies four essential infrastructure sectors, namely oil and gas, electricity and water, finance and transportation.
OIL AND GAS
Half of all cyberattacks in the Middle East target the oil and gas sector, according to a joint Siemens and Ponemon Institute report. Cybersecurity breaches remain widespread and frequently undetected, and an estimated 75% of regional oil and gas companies have had their security in their operational technology (OT) environment compromised. Moreover, energy supply chains can extend the surface of attack, as we saw with the Shamoon 3 campaign, detailed herein, which crippled an Aramco supplier using destructive malware.
The energy industry is the mainstay of Gulf economies, and the GCC boasts $835bn in active oil and gas construction projects. In the UAE alone, sectoral contracts were worth an estimated $29.6bn between Q4 2018 and Q1 2019. This commercial and strategic magnitude makes the industry an attractive target for geopolitical or economic rivals.
FINANCIAL
The storage and movement of money has become more vulnerable as the financial sector adopts electronic channels and relies increasingly on technology. Forbes estimates that cybercriminals target financial firms 300 times more frequently than other industries. Looked at another way, 19% of total incidents globally last year were aimed at banking and insurance, IBM reports, citing the quick monetization of customer data as the incentive.
The GCC is among the world’s fastest growing markets with a mature and profitable banking sector. As the UAE has established itself as the region’s financial hub, the nation’s banks have also grown.
The extent of the sector sees the UAE ranked sixth on Kaspersky’s list of most targeted countries by banking malware attacks in Q3 2018. As financial activity increases, a further increase in malware attacks is to be expected.
TRANSPORTATION
Transportation comprises complex networks, high volumes of real-time data and large numbers of embedded devices. Technology underpins the value chain from satellite communications to the delivery of a parcel, and even minor damage to one segment can adversely affect multiple businesses and civilians.
IBM identified transportation services, including air, bus, rail and water, as the second most targeted sector globally in 2018, with 13% of all recorded cyberattacks. The industry’s continuous reliance on information technology presents a wide attack surface, making it an attractive target for state-linked threat actors such as DarkHydrus, OilRig and APT39.
In the UAE, transport remains a significant business activity. Both Abu Dhabi and Dubai consider the sector as a development pillar of their vision strategies for the decade to 2030, and greater prominence raises the likelihood of adverse actions in the future.
WATER AND ELECTRICITY
Utilities such as water and electricity present a prime target for cybercriminals, with their role as the backbone of every nation’s infrastructure. Both are essential to economic and national security and to the daily functioning of a wide range of other industries.
When compared with other industries, an attack on the utilities sector has significantly greater potential for damage, with widespread outage and cascading effects rippling across the economy, since every enterprise relies on energy for its daily functions.
Government departments in the UAE’s utilities sector have made significant efforts to bolster defenses around water and energy facilities.
An intrusion set is a grouping of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. In this report, DarkMatter describes the threat actors and campaigns targeting critical infrastructure observed since the last DarkMatter Cyber Security Report in November 2018.
The most common motivation is cyberespionage, where the objective is to obtain confidential or sensitive information towards a broader goal. Credential and personally identifiable information theft are included in this understanding of a threat actor’s intent. Such information is often used in follow-on operations such as crafting spear phishing attacks or compromising target systems in order to acquire further data.
Sabotage, another common kind of cyberattack, differs from cyberespionage in that the threat actor seeks to undermine an organization directly, by destroying or corrupting its assets or by conducting denial-of-service attacks. DarkMatter details one campaign, Shamoon 3, where sabotage appeared to be the primary motivation. The figure above provides a timeline of activities.
DarkMatter outlines the general attack surface of the UAE in order to assess the likelihood of global threat actors targeting the region. The adoption rate of internet-connected devices as well as the depth of public-facing infrastructure outlines the scope of the attack surface, revealing possible targets as well as potential vulnerabilities that are ripe for exploitation.
The UAE’s digital ecosystem offers an expanded attack surface for cybercrime. The UAE has the second-highest smartphone adoption rate globally at 85%, after Singapore, and is one of the world’s most interconnected countries. The UAE’s economic importance makes it an attractive mark for cyberattacks: with a GDP of $382 billion, the Middle East’s third-largest economy is one of the region’s most-targeted countries. Symantec’s 2019 Internet Security Threat Report ranks the UAE 10th in the rate of malicious emails (third in the Middle East) and ninth in the number of targeted attacks by known threat actors.
DarkMatter examined public-facing infrastructure as a whole, since it is accessed by all organizations and individuals. Our analysis also encompasses public-facing assets belonging to organizations within the main critical infrastructure sectors. Significant concerns became apparent. A large number of public-facing assets exhibit several critical or high vulnerabilities, and the majority of hosts under the AE top-level domain lie beyond the nation’s political borders. Digital assets belonging to UAE-based organizations in general are particularly exposed, with about 75% of hosts belonging to all observed UAE organizations located outside the UAE.
On the other hand, public-facing assets from organizations within the critical infrastructure sectors are more localized. Only 8.6% of these assets were hosted outside, and they displayed far fewer vulnerabilities proportionally.
There were 64,530 vulnerabilities rated ‘high’ or ‘critical’ (a CVSS base score of 7.0 or above) across the 647,891 observed public-facing hosts located in the UAE. A total of 1,949 of these were rated ‘critical’, and nearly 49% of the vulnerabilities arose from permissions and access-control weaknesses. Public-facing assets in the critical infrastructure sectors had a better security posture, with less than 1% reporting vulnerabilities rated ‘high’ or ‘critical’.
DarkMatter observed that 102,750 of the 137,000+ websites under the .AE top-level domain are hosted outside territorial borders. The use of international webhosting services indicates that the majority of UAE organizations do not have complete sovereignty of their systems and information, which places sensitive data and operations at risk.
Public hosts belonging to critical infrastructure-based organizations were more localized, with just 8.6% situated outside the UAE. Public-facing systems in the electricity and water industry had the most international hosts at 12.6%, followed by finance at 10.2%, oil and gas at 9.1%, and transportation at 1.9%.
Unauthorized Access and Misconfigurations at Fault
From November 2018 to March 2019, Security Operations Centers (SOCs) run by DarkMatter investigated numerous incidents across multiple industries, including critical infrastructure. Approximately 1% of incidents were rated ‘critical’ and 23% ‘high’ on aeCERT’s scale, meaning they could do great harm to an organization. These incidents fell under the categories ‘Malicious Code’ and ‘Unauthorized Access’.
The vast majority of DarkMatter’s investigations focused around unauthorized access (37.8%) and misconfiguration (46.3%). Those patterns of activity highlight devices with improper or insecure configurations.
DarkMatter’s Cyber Network Defense team identified several vulnerabilities and configuration flaws during its technical assessments. Although the organizations involved in these assessments are not tied to the critical infrastructure sector, they offer an update to our November 2018 Cyber Security Report and highlight the security posture at UAE-based enterprises in general.
91% of our assessments found organizations running outdated software. Target organizations and their assets remain exposed as cybercriminals continue to find and exploit loopholes. Among operating systems and network services, we discovered numerous critical assets missing essential security patches, including high-risk vulnerabilities in outdated software and services such as Windows, Linux, and popular web servers such as IIS and Apache.
91% of DarkMatter’s reviews discovered systems vulnerable to remote access through easily exploitable weak or default passwords, and 52% of these issues were due to the sustained use of default administrative credentials. Credentials include passwords, usernames, e-mail addresses, and system certificates. Passwords in particular could be guessed or acquired through a simple dictionary attack, and where the account held admin rights, attackers gained access to privileged system functions. The risk is notably higher for public-facing assets, since cybercriminals routinely run automated tools that target accounts indiscriminately with default or predictable credentials.
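The automated, indiscriminate guessing described above leaves a recognizable trace in authentication logs before any account is actually compromised. The following detection logic is an added example and is not code from the DarkMatter report; it runs over constructed sshd log lines (RFC 5737 documentation addresses, hypothetical host names) and separates brute force against one account from password spraying across many accounts, and flags a source whose guessing is followed by a successful login. The thresholds are assumptions to tune against a real baseline.

```python
"""Flag brute-force and password-spraying attempts in sshd logs.

Added example (not from the DarkMatter report). The log lines below are
constructed for the example; the thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample of sshd entries in syslog format (not real data).
SAMPLE_LOG = """\
Mar  3 02:14:01 web1 sshd[2231]: Failed password for root from 203.0.113.5 port 41022 ssh2
Mar  3 02:14:03 web1 sshd[2231]: Failed password for root from 203.0.113.5 port 41023 ssh2
Mar  3 02:14:05 web1 sshd[2233]: Failed password for root from 203.0.113.5 port 41024 ssh2
Mar  3 02:14:07 web1 sshd[2235]: Failed password for root from 203.0.113.5 port 41025 ssh2
Mar  3 02:14:09 web1 sshd[2237]: Failed password for root from 203.0.113.5 port 41026 ssh2
Mar  3 02:14:11 web1 sshd[2239]: Failed password for root from 203.0.113.5 port 41027 ssh2
Mar  3 02:20:40 web1 sshd[2301]: Failed password for invalid user admin from 198.51.100.7 port 50211 ssh2
Mar  3 02:20:42 web1 sshd[2303]: Failed password for invalid user oracle from 198.51.100.7 port 50212 ssh2
Mar  3 02:20:44 web1 sshd[2305]: Failed password for invalid user guest from 198.51.100.7 port 50213 ssh2
Mar  3 02:20:46 web1 sshd[2307]: Failed password for invalid user test from 198.51.100.7 port 50214 ssh2
Mar  3 02:20:48 web1 sshd[2309]: Failed password for backup from 198.51.100.7 port 50215 ssh2
Mar  3 02:20:50 web1 sshd[2311]: Accepted password for backup from 198.51.100.7 port 50216 ssh2
Mar  3 03:01:12 web1 sshd[2400]: Failed password for alice from 192.0.2.10 port 53010 ssh2
Mar  3 03:05:30 web1 sshd[2402]: Accepted publickey for bob from 192.0.2.11 port 53011 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Assumed thresholds; tune to the environment's baseline.
BRUTE_FORCE_MIN_FAILURES = 5    # failures against one account from one source
SPRAY_MIN_ACCOUNTS = 4          # distinct accounts tried from one source


def analyze(log_text: str) -> dict:
    """Return verdicts keyed by source IP; sources below both thresholds are omitted."""
    failures = defaultdict(lambda: defaultdict(int))   # ip -> user -> failure count
    accepted_after_fail = defaultdict(set)            # ip -> accounts logged in after guessing
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]][m["user"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures.get(m["ip"]):
            # A login that succeeds after failed guesses from the same source
            # is the signature of a guessed credential rather than a typo.
            accepted_after_fail[m["ip"]].add(m["user"])

    verdicts = {}
    for ip, per_user in failures.items():
        flags = set()
        if any(n >= BRUTE_FORCE_MIN_FAILURES for n in per_user.values()):
            flags.add("brute_force")
        if len(per_user) >= SPRAY_MIN_ACCOUNTS:
            flags.add("password_spray")
        if ip in accepted_after_fail:
            flags.add("success_after_failures")
        if flags:
            verdicts[ip] = {
                "flags": sorted(flags),
                "accounts": sorted(per_user),
                "compromised": sorted(accepted_after_fail.get(ip, ())),
            }
    return verdicts


if __name__ == "__main__":
    for ip, verdict in analyze(SAMPLE_LOG).items():
        print(ip, verdict)
```

A single failed login from 192.0.2.10 stays below both thresholds and is not reported, which is the point of thresholds: the lockout and alerting policy should fire on the pattern of automated guessing, not on one mistyped password.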
87% of our assessments revealed organizations continue to use insecure protocols such as telnet, FTP, HTTP, and SMTP. In such cases, data was transferred over internal and external networks with clear-text packets.
83% of our appraisals showed the continued use of unsupported software such as operating systems, web servers, and other network services. In contrast with outdated software, which can still be brought up to date with the vendor’s security patches, unsupported software is no longer serviced by its vendor, so fixes for critical vulnerabilities that malicious actors could exploit will not be available.
74% of enterprises used critical network services with security issues arising from poor configuration, such as the failure to follow best practices with system permissions, allowing remote or anonymous logins, and disabling important security safeguards. DarkMatter observed configuration issues across a range of systems, including Microsoft Windows servers, Microsoft Active Directory, Linux servers and other network devices.
61% of organizations failed to implement proper network segregation. In a few cases, DarkMatter discovered wireless guest networks with connectivity to business-critical internal networks. Appropriate segregation prevents users and devices from accessing services beyond their needs. This is important because even if a user’s credentials are compromised, the fallout of an attack is limited to specific network areas.
Outdated Software: Most Frequent Common Vulnerabilities and Exposures (CVE) Types
DarkMatter uses the Common Vulnerabilities and Exposures (CVE) standard to describe publicly known vulnerabilities. Every known vulnerability has a CVE identifier and is categorized under a general type. All organizations assessed had systems with vulnerabilities identified by a CVE. Of the 20 most common CVEs discovered by DarkMatter’s Cyber Network Defense team, Information Disclosure / Leak was the most common type. Such vulnerabilities allow an attacker to obtain sensitive information that can be used to launch further attacks. Nearly half (45%) of the 20 most common CVEs affecting the organizations had an impact severity of ‘high’ or ‘critical’.
BASED ON OUR KEY FINDINGS OVER THE REVIEW PERIOD, DARKMATTER RECOMMENDS THE FOLLOWING BEST PRACTICES:
Ensure security awareness programs are implemented across the organization. The human factor remains the most targeted vulnerability by threat
Multi-factor Authentication
Stolen credentials are a key target for threat actors, so it is essential to implement multi-factor authentication. This simple mechanism limits the damage of credential theft, since a stolen password alone no longer grants access.
Misconfigurations are most likely to occur during security change processes. A configuration management procedure helps prevent such incidents. Standard configurations must accord with industry best practices and be continuously monitored for changes to quickly identify a misconfiguration weakness that could be exploited by threat actors.
Change default passwords as soon as a new system or software is added to the network. Where possible, account lockout mechanisms should be enabled to mitigate authentication attacks. At a minimum, ensure that all passwords deployed are different, secure and follow a complex password policy defined by the organization. Such a policy must cover the following points:
Mobile Device Management
Implement a mobile device management solution for corporate devices, with effective security policies and the ability to quarantine devices.
Implement the Sender Policy Framework (SPF) to help prevent the spoofing of internal domains. Threat actors use such spoofing in spear phishing attacks to deceive the target into believing a malicious email originates from an internal source.
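What SPF actually decides is worth seeing end to end: the receiving server fetches the TXT record of the domain in the envelope sender, walks its mechanisms in order, and the qualifier of the first matching mechanism becomes the result. The evaluator below is an added example, not part of the DarkMatter report; it resolves records from a constructed zone table for hypothetical domains (example.com, mail.example.net, partner.example.org, RFC 5737 addresses) instead of live DNS, supports the ip4, ip6, include and all mechanisms, and enforces the ten-lookup limit that RFC 7208 imposes. A spoofed message from an address the domain does not list ends in fail, which is the outcome the recommendation relies on.

```python
"""Evaluate an SPF record against a sending IP, offline.

Added example, not from the DarkMatter report. ZONE is a constructed stand-in
for DNS; a real implementation resolves TXT records over the network.
"""
import ipaddress

# Constructed DNS answers (hypothetical domains, RFC 5737 addresses).
ZONE = {
    "example.com":         "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net":    "v=spf1 ip4:198.51.100.25 ip4:198.51.100.26 ~all",
    "partner.example.org": "v=spf1 include:example.com ?all",
}
MAX_LOOKUPS = 10          # RFC 7208 section 4.6.4 limit on DNS-lookup mechanisms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, zone: dict = ZONE, _budget: list = None) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for sender_ip."""
    if _budget is None:
        _budget = [MAX_LOOKUPS]
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                       # the domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                     # a mechanism without qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # Membership is False when address and network differ in IP version.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"          # too many lookups (loops end here too)
            inner = check_spf(arg, sender_ip, zone, _budget)
            if inner in ("permerror", "none"):
                return "permerror"          # RFC 7208: an included domain must have a record
            matched = inner == "pass"       # include matches only on an inner pass
        else:
            return "permerror"              # a, mx, exists, ptr are not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip in ("203.0.113.77", "198.51.100.26", "192.0.2.99"):
        print(ip, check_spf("example.com", ip))
```

The `-all` at the end of the example.com record is what makes spoofing fail outright; a `~all` (softfail) only marks the message as suspicious, and `?all` gives receivers nothing to act on, so the record published for an internal domain should end in `-all` once every legitimate sender has been enumerated.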
Disable unnecessary and insecure network protocols. Where the business requires the function, replace them with secure equivalents such as Secure Shell (SSH) in place of telnet, HTTPS in place of HTTP, and SNMPv3 in place of SNMPv1/v2c.
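Finding every cleartext service still listening is the first step of that recommendation, and a port scan already contains the answer. The script below is an added example rather than tooling from the DarkMatter report: it parses nmap grepable (`-oG`) output, ignores TLS-wrapped services (which nmap reports as `ssl|http` and similar), and lists each open cleartext service with the replacement to deploy. The scan output is constructed for the example (RFC 5737 addresses, hypothetical host names) and the service-to-replacement table is an assumption to adjust per environment.

```python
"""Flag cleartext services in nmap grepable (-oG) output.

Added example, not from the DarkMatter report. SAMPLE_SCAN is constructed;
the CLEARTEXT table is an assumed mapping to adjust per environment.
"""
import re

# Constructed nmap -oG lines (not a real scan).
SAMPLE_SCAN = """\
# Nmap 7.70 scan initiated Mon Mar  4 10:00:00 2019 as: nmap -sV -oG - 192.0.2.0/28
Host: 192.0.2.10 (fw-mgmt)\tStatus: Up
Host: 192.0.2.10 (fw-mgmt)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 23/open/tcp//telnet//Cisco router telnetd/, 161/open/udp//snmp//SNMPv1 server (public)/\tIgnored State: closed (997)
Host: 192.0.2.11 (files)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 443/open/tcp//ssl|http//Apache httpd 2.4.6/
Host: 192.0.2.12 (intranet)\tPorts: 80/open/tcp//http//Microsoft IIS httpd 7.5/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/
Host: 192.0.2.13 (relay)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 587/open/tcp//submission//Postfix smtpd/, 110/filtered/tcp//pop3///
# Nmap done at Mon Mar  4 10:00:41 2019 -- 16 IP addresses (4 hosts up) scanned in 41.20 seconds
"""

# Cleartext service name as nmap reports it -> secure replacement (assumed table).
CLEARTEXT = {
    "telnet": "SSH",
    "ftp": "SFTP or FTPS",
    "http": "HTTPS",
    "snmp": "SNMPv3 with authPriv",
    "smtp": "SMTP with mandatory STARTTLS, or submission over TLS",
    "pop3": "POP3S",
    "imap": "IMAPS",
}

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>.*)$")


def parse_grepable(text: str) -> dict:
    """Map each host IP to a list of (port, proto, service, version) for open ports."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                        # comments and 'Status: Up' lines
        ports_field = m["ports"].split("\t")[0]   # drop a trailing 'Ignored State' field
        entries = []
        for port_field in ports_field.split(", "):
            parts = port_field.split("/")
            # -oG port field layout: port/state/protocol/owner/service/rpc/version/
            port, state, proto, service, version = parts[0], parts[1], parts[2], parts[4], parts[6]
            if state == "open":
                entries.append((int(port), proto, service, version))
        hosts[m["ip"]] = entries
    return hosts


def cleartext_findings(text: str) -> list:
    """Return (ip, port, service, replacement) for every open cleartext service."""
    findings = []
    for ip, entries in parse_grepable(text).items():
        for port, proto, service, version in entries:
            if "ssl|" in service:
                continue                    # TLS-wrapped service, already encrypted
            if service in CLEARTEXT:
                findings.append((ip, port, service, CLEARTEXT[service]))
    return sorted(findings)


if __name__ == "__main__":
    for ip, port, service, replacement in cleartext_findings(SAMPLE_SCAN):
        print(f"{ip}:{port} {service} -> {replacement}")
```

A scan cannot tell whether port 25 negotiates STARTTLS or whether the SNMP agent also speaks v3, so the smtp and snmp findings are a worklist to verify on the host, not a verdict; the telnet, FTP and plain HTTP entries need no further confirmation.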
Employ network segmentation so that zones are genuinely isolated from one another. Segregate the network according to the principle of least privilege: configure it so that users, servers, and other devices can reach only the minimum set of services required to perform their tasks.
An automated enterprise patch management solution is integral to a comprehensive security program. All applications, including the underlying operating system and its components, must be kept up to date. New vulnerabilities and exploits are released frequently, and when they are not patched, an organization is exposed to unnecessary risk.
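Least-privilege segmentation is easiest to enforce when the permitted flows are written down as a zone matrix and the firewall ruleset is checked against it, which is exactly how a guest network reaching a file server gets caught. The checker below is an added example, not part of the DarkMatter report: it maps each allow rule’s source and destination prefixes to the most specific zone that contains them and reports any allow rule the matrix does not permit. The zones, matrix and rule export are constructed for the example (RFC 1918 ranges, a hypothetical SCADA zone) and stand in for an export from a real firewall.

```python
"""Check a firewall ruleset against a least-privilege zone matrix.

Added example, not from the DarkMatter report. ZONES, ALLOWED and RULES are
constructed stand-ins for a real firewall export.
"""
import ipaddress

# Constructed zone map: zone name -> networks (the internet zone is the catch-all).
ZONES = {
    "guest-wifi": ["10.50.0.0/16"],
    "corp-users": ["10.10.0.0/16"],
    "servers":    ["10.20.0.0/16"],
    "ot-scada":   ["10.99.0.0/16"],
    "dmz":        ["192.168.100.0/24"],
    "internet":   ["0.0.0.0/0"],
}
# Constructed least-privilege matrix: (src zone, dst zone) -> permitted dst ports.
ALLOWED = {
    ("guest-wifi", "internet"): {80, 443},
    ("guest-wifi", "dmz"):      {53},
    ("corp-users", "servers"):  {445, 443, 3389},
    ("corp-users", "internet"): {80, 443},
    ("corp-users", "dmz"):      {53, 443},
    ("servers", "ot-scada"):    {502},        # historian -> PLC gateway only
    ("dmz", "internet"):        {80, 443},
}
# Constructed rule export: (src prefix, dst prefix, dst port, action), in policy order.
RULES = [
    ("10.50.0.0/16", "0.0.0.0/0",         443, "allow"),
    ("10.50.0.0/16", "192.168.100.53/32",  53, "allow"),
    ("10.50.0.0/16", "10.20.0.0/16",      445, "allow"),   # guest -> file servers
    ("10.10.0.0/16", "10.20.0.0/16",      445, "allow"),
    ("10.10.0.0/16", "10.99.0.0/16",      502, "allow"),   # users -> PLC gateway
    ("10.20.5.0/24", "10.99.0.0/16",      502, "allow"),
    ("10.10.0.0/16", "10.20.0.0/16",       22, "deny"),
]


def zone_of(cidr: str, zones: dict = ZONES) -> str:
    """Most specific zone whose network contains the whole prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    best, best_len = "internet", -1
    for name, ranges in zones.items():
        for r in ranges:
            z = ipaddress.ip_network(r)
            if net.subnet_of(z) and z.prefixlen > best_len:
                best, best_len = name, z.prefixlen
    return best


def violations(rules: list = RULES, allowed: dict = ALLOWED) -> list:
    """Allow rules whose (src zone, dst zone, port) the matrix does not permit."""
    bad = []
    for src, dst, port, action in rules:
        if action != "allow":
            continue                          # deny rules cannot widen access
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            continue                          # intra-zone traffic is the zone's own policy
        permitted = allowed.get((sz, dz))
        if permitted is None or port not in permitted:
            bad.append((src, dst, port, f"{sz} -> {dz}"))
    return bad


if __name__ == "__main__":
    for src, dst, port, flow in violations():
        print(f"VIOLATION {flow}: {src} -> {dst}:{port}")
```

The two hits are the guest network reaching SMB on the server segment and ordinary users reaching the Modbus gateway in the OT zone; the historian rule on the same port passes because the matrix names that flow explicitly. Running this against every ruleset change keeps the matrix, not the accumulated rules, as the statement of policy.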
Upgrade all outdated software to the latest version.
Deploy endpoint protection platform solutions that can monitor and flag suspicious real-time events, such as the use of PowerShell. Additional endpoint protection solutions that leverage whitelisting, where only explicitly allowed executables can be run by the user, would provide further protection. Any endpoint security solution should also include traditional malware detection methods.
UAE ORGANIZATIONS ARE EXPOSED WITH WEAK CREDENTIALS, UNSUPPORTED SOFTWARE AND UNSEGREGATED NETWORKS, AMONG OTHER HAZARDS. DARKMATTER’S REVIEW OF SECURITY WEAKNESSES, TRENDS IN CAMPAIGNS AND THE SECURITY POSTURE OF ITS CLIENT BASE, REVEALS THAT VIRTUALLY ALL INDUSTRY SECTORS REMAIN VULNERABLE TO THESE OMNIPRESENT THREATS.
DarkMatter’s semi-annual report 2019 reviews the threat landscape against which the typical connected organization in the Middle East operates.
Cyberespionage has emerged as the principal security threat for the critical infrastructure sector, while sabotage remains a clear and ever-present danger. Attackers commonly use spear phishing to obtain credentials and now employ creative, customized and multi-layered approaches to deceive their targets into sharing access data. Additionally, public-facing web assets are being placed at considerable risk due to their exposure as a result of international hosting.
DarkMatter’s analysis over the review period indicates that the UAE’s critical infrastructure will remain frequently targeted by threat actors operating on a global scale.
DarkMatter’s Threat Intelligence capability provides timely and actionable intelligence so that clients are better armed against today’s attacks and can anticipate emerging threats and effectively manage their security posture.
DarkMatter’s integrated and efficient solutions support enterprises through reliable and cost-effective threat information that protects the brand, data and information, and information systems. By collaborating with the highly specialized analysts in our Threat Intelligence Center (TIC), Security Operations Center (SOC), Cyber Network Defense Team (CND), Test and Validation Labs (xen1thLabs), and Cyber Intelligence Systems (CIS), DarkMatter clients benefit from insightful information about the UAE threat landscape.
DarkMatter uses competencies across information security, cyber and threat intelligence and incident response to collect, analyze, disseminate and formulate multimodal strategies that can be leveraged to protect the enterprise from criminal activities and events.