
07 Nov 18

CYBER SECURITY REPORT

DARKMATTER GENERATED THESE INSIGHTS ABOUT THE UAE CYBER SECURITY THREAT LANDSCAPE AS PART OF THE ONGOING COLLABORATION AMONG OUR SPECIALIST ANALYSTS ACROSS OUR SECURITY OPERATIONS CENTRES (SOC), CYBER NETWORK DEFENCE TEAM (CND), TEST AND VALIDATION LABS, AND CYBER INTELLIGENCE SYSTEMS (CIS).

 


DarkMatter combines information security, cyber and threat intelligence, and incident response capabilities to collect, analyse and disseminate threat information and intelligence from multiple sources, in support of internal and external efforts to protect our clients from cyber threat activity.

This threat intelligence provides our clients with timely and actionable intelligence that empowers them to better combat today’s attacks, anticipate emerging threats, and effectively manage their security posture.

Watch the video below to hear from our EVP - Cyber Services, Eddie Schwartz about the report:


EXECUTIVE SUMMARY


This document is the first in a series of DarkMatter Cyber Security reports. In this document and those to follow, we present our clients and stakeholders in government, critical infrastructure and other relevant communities with a snapshot of the state of cyber security and some of the most significant incidents impacting the UAE. 

Based on observations regionally and across the wider threat landscape, DarkMatter identified a number of common, preventable cyber security weaknesses found in UAE hosts and domains, as well as notable attack types, threat vectors and APT groups.

THIS Q3 2018 REPORT SHOWS THERE ARE A GREAT MANY CRITICAL RISKS AMONG UAE ORGANISATIONS THAT SHOULD BE ADDRESSED TO IMPROVE CYBER RESILIENCE.

OUR STUDY SHOWS ORGANISATIONS IN THE UAE CAN ENHANCE THEIR SECURITY POSTURES AND HARDEN THEIR ATTACK SURFACES SIMPLY BY ADDRESSING VULNERABILITIES THAT INCLUDE OUTDATED AND UNSUPPORTED SOFTWARE, WEAK PASSWORDS, UNPATCHED SYSTEMS AND CONFIGURATION MANAGEMENT WEAKNESSES.

The report also highlights some of the most dangerous types of security incidents, threat actors, and threat vectors identified during the period in an effort to help organisations prioritise their cyber security enhancement activities. Based on these observations, DarkMatter recommends organisations implement the following: 

  • Promptly update and patch software
  • Implement system and network security hygiene
  • Identify and remove non-standard software
  • Improve password strength and implement two-factor authentication
  • Implement ongoing scanning and monitoring of critical systems
  • Hold periodic cyber security awareness briefings and training 
  • Initiate continuous security assessments

The content for this quarterly cyber security report draws on insights from DarkMatter regional and external feeds that allowed us during the period to identify, assess and catalogue at least 791,162 publicly visible UAE hosts. DarkMatter also draws insights from the ongoing work performed by our Managed Security Services and Incident Response Services teams, and various Vulnerability Assessment and Penetration Testing engagements.

 

UAE INTERNET FOOTPRINT

 

NEARLY 40% OF IDENTIFIED VULNERABILITIES RANK HIGH/CRITICAL IN SEVERITY, INDICATING MANY ORGANISATIONS FACE A SIGNIFICANT RISK.

DARKMATTER’S ANALYSIS OF THE UAE’S INTERNET-FACING FOOTPRINT, INCLUDING UAE AFFILIATED WEBSITES, HOSTS AND DOMAINS, REVEALED A NUMBER OF KEY RISKS:

Known Vulnerabilities

There were potentially as many as 276,055 vulnerabilities identified on related domains and hosts (across at least 791,162 UAE public hosts). These weaknesses derive from known vulnerabilities in software running on UAE public hosts. Thirty-nine percent of those vulnerabilities are rated ‘high’ or ‘critical’, with scores of 7.0 or above on the Common Vulnerability Scoring System (CVSS), a free and open industry standard for assessing the severity of software vulnerabilities. Note that a CVSS base score measures the intrinsic severity of a flaw, not whether it is actually exploitable on a given host; confirming real exposure still requires validation.

Foreign Hosting

Of the 136,000 UAE-affiliated websites identified, 35% were hosted outside the borders of the UAE. This means more than one-third of the websites and systems linked to organisations in the UAE are using international hosting infrastructure. Particularly for government organisations, overseas hosting means they do not have full sovereignty or control of their data and systems, representing a potential risk to sensitive data and operations.

Shared Hosting Environments

Many websites, whether hosted on servers in the UAE or overseas, are using shared hosting environments. This presents a cyber security threat in cases where another website using the shared server is compromised: unless the hosting provider isolates tenants properly, the attacker could potentially pivot from that site to all other websites hosted on the same server.

 

INCIDENT TYPES


DURING THE QUARTER, THE SECURITY OPERATIONS CENTRES RUN BY DARKMATTER’S MANAGED SECURITY SERVICE INVESTIGATED NUMEROUS INCIDENTS. THESE WERE CATEGORISED INTO SIX TYPES AND RANKED ACCORDING TO aeCERT’S SEVERITY SCALE.

Although a relatively low percentage of the overall total, we identified several incidents that rose to the level of ‘critical’ on aeCERT’s scale, meaning great harm could be done to an organisation. These ‘critical’ incidents represented 5.3% of all malicious software incidents and 8.3% of all recorded phishing incidents. Some of the incidents were conducted by sophisticated actors, including advanced persistent threat groups, who deployed targeted phishing schemes to introduce malicious software into the systems of target organisations.

Phishing is the fraudulent attempt to obtain sensitive documents and confidential personal information such as user names and passwords, often for malicious reasons, by posing as a trustworthy entity in an electronic communication. Malicious software, also known as malware, is any software that brings harm to a computer system. Malware can take the form of worms, viruses, trojans, spyware, adware, rootkits, etc., that steal sensitive or confidential data, delete documents or add software not approved by a user.

No other incident types reached the level of critical, although every incident type had at least some incidents that rose in severity to ‘High’. During the reporting period, the most common incident types were ‘attempted access’ and ‘misconfiguration’. Attempted access incidents are generated from activity seeking to access or identify a computer, open ports, protocols, services or a combination of these, mainly through scanning. Misconfigurations most likely occur during security change processes, though they can also occur at the time of software deployment.

The danger presented by system misconfiguration is that it can leave an organisation exposed and vulnerable to attackers. It is common for attackers to take advantage of poorly configured devices, such as those that still use default passwords, to acquire unauthorised access. Once an attacker has compromised a system, they can start making changes to systems and data, and exfiltrate information.

 

THREAT VECTORS

 

DURING THE QUARTER, DARKMATTER IDENTIFIED A NUMBER OF THREAT VECTORS THAT WERE SUCCESSFULLY USED TO ELUDE TARGETED ORGANISATIONS’ CYBER DEFENCES.

These vectors were identified either as part of a DarkMatter cyber security incident response engagement, or as part of a DarkMatter technical assessment designed to challenge an organisation’s defences. A threat vector is a path or tool that a threat actor uses to attack a target. The most common vectors follow below:


1. Physical Site Access

In-person, onsite access to an organisation’s office space.

2. Phishing

Combined with social networking and social engineering (see below), phishing is a common and extremely effective method for gaining access to user data and systems.

3. Targeted Malware

Targeted malware uses extensive reconnaissance to identify and target exploits and vulnerabilities in a system. The malware is then deployed or dropped into the target system to gain unauthorised access to sensitive data or to destroy these systems.

4. Mobile Device Exploitation

Adversary gains access to a mobile device used by an organisation or its employee. This can expose confidential data on the device to adversaries or potentially elevate the breach, if adversaries can exploit vulnerabilities on the device to gain access to the organisation’s corporate environments.

5. Physical Access to Corporate Assets

Hands-on, onsite access to an organisation computer and networking hardware.

6. Vulnerability Exploitation

Attackers build a model of their target computing environment through scanning and discovery of unpatched software and configuration weaknesses. With this model, attackers can exploit those weaknesses to gain additional access to the target environment and steal sensitive data.

7. Social Networking

Adversaries gather information on a target by using social networking applications. This information is then used to build an attack model.

8. Social Engineering

Adversaries gather sensitive or confidential information by manipulating people.

9. Rogue Access Point

Fake wireless access point mimicking the actual wireless network within the vicinity of an organisation’s network. When targets log on to the rogue access point, adversaries can gather information that can be used in further attacks.

 

SECURITY WEAKNESSES

 

DURING THE REPORTING PERIOD, DARKMATTER’S CYBER NETWORK DEFENCE TEAM IDENTIFIED SEVERAL VULNERABILITIES AND CONFIGURATION FLAWS DURING TECHNICAL ASSESSMENTS.


Outdated Software

93% of our assessments found systems with outdated software. Across a range of operating systems and network services, we found systems missing critical security patches. These included high-risk vulnerabilities arising from the use of outdated versions of the following software and services.

  • CISCO ASA/IOS
  • APACHE
  • OPENSSL
  • ORACLE
  • VMWARE ESXI
  • MICROSOFT WINDOWS
  • OTHER SOFTWARE


Unsupported Software

83% of our assessments found systems with unsupported software. When software is unsupported, the vendor no longer releases security patches, nor is the vendor likely to investigate or announce reports of vulnerabilities. This makes it likely that such software contains security vulnerabilities that will never be fixed.

  • MICROSOFT WINDOWS OPERATING SYSTEM (OS)
  • UNIX OS
  • ORACLE DATABASE MANAGEMENT SYSTEM
  • APACHE WEB SERVER
  • MICROSOFT OFFICE


Credential Problems

77% of our assessments identified the use of default or weak credentials. Credentials include passwords, usernames, e-mail addresses and system certificates. Where default or weak passwords are in use, credentials can be guessed or recovered through a simple dictionary attack, and where the affected accounts have administrative rights, attackers gain access to system administrative functionality.


Poor Configuration

Several assessed organisations used Microsoft network technologies such as Microsoft Windows OS, Active Directory, etc., for their corporate networks. However, in most cases, these environments were not well configured, creating significant internal risks for organisations.


Inadequate Network Segregation

53% of our assessments identified organisations with inadequate network segregation. Appropriate segregation prevents users and devices from accessing services beyond their needs. This is important because it means that even if a user’s credentials are compromised, the attacker would only gain access to specific areas of the enterprise network.


Software Vulnerabilities

Nearly half (45%) of the 20 most common software vulnerabilities affecting organisations in the UAE would have an impact severity of ‘high’ or ‘critical’. The majority of software vulnerabilities that could be exploited by a threat actor are information-disclosure vulnerabilities. Such vulnerabilities would allow an attacker to obtain sensitive information that could be used in launching further attacks.


Insecure Protocols

57% of our assessments identified the use of insecure protocols such as Telnet, FTP, HTTP and SMTP. Without TLS, these protocols send credentials and data as clear-text packets that anyone positioned on the network path can read or modify.


Potentially Unwanted Applications

A large number of potentially unwanted applications were found to be installed on assessed websites and systems. They included:

  • Rogue software update applications that typically are financially motivated adware that collects system information and attempts to coerce the user into purchasing other software.
  • Remote access administration software that can allow access into a corporate environment and bypass the corporate security mechanisms in place.
  • Toolbars that may profile user behaviour in order to serve targeted advertisements.
  • Peer-to-peer file sharing software known to distribute pirated/unlicensed software. The use of P2P file sharing may saturate a network’s bandwidth, causing degradation of services. It also is often used to distribute malicious software.
  • Cryptocurrency mining software that can abuse system resources, leading to latency and decreased performance.
  • Key generators that often contain adware and potentially unwanted programs. Pirated versions of software often require a keygen application in order to generate a license key to use the software. This can have legal implications for the organisation.
  • Cloud-based file sharing applications that can lead to the leakage of confidential data.
  • Adware modules that can change a user’s homepage and desktop background, and add unwanted toolbars, plugins and browser add-ons, etc.


APT GROUPS

 

AMONG VARIOUS APT GROUPS TARGETING THE UAE, DARKMATTER PROVIDES BELOW A FOCUS ON FOUR OF PARTICULAR INTEREST FOR GOVERNMENT AND PRIVATE SECTOR ENTITIES CONCERNED ABOUT PROTECTING SENSITIVE INFORMATION.

 

Identified by DarkMatter


Windshift APT

WINDSHIFT APT is a cyber espionage actor that targets individuals. This actor began its cyber espionage activities in 2016 with a focus on the GCC. WINDSHIFT APT has an advanced spear phishing infrastructure that is able to deliver spear-phishing emails and text messages designed to continuously track individuals during a reconnaissance phase. It deceives targets during the credential harvesting phase by impersonating international and local platform providers.

WINDSHIFT APT targets specific individuals for espionage and surveillance purposes, mainly tracking individuals and monitoring their activities. WINDSHIFT APT rarely engages targets with malware. The DarkMatter-identified attacks involve signed macOS malware dubbed WINDTAIL and WINDTAPE that seek, respectively, to steal documents and continuously take screenshots of the target computer. WINDSHIFT APT has been identified in the wild using a unique method to automatically infect target macOS computers by abusing native macOS features and custom URL-schemes.

 

Observed in the UAE


MuddyWater APT

MuddyWater APT is a copycat threat actor that relies on known and publicly available tools and scripts, using only a little custom code, and initially stealing only a small amount of information from infected systems, such as OS information, hostname, username and IP address. MuddyWater APT targets government entities and responds quickly and effectively to any public disclosure of its TTPs by sending an updated version of its scripts to the targets. For detailed research on this APT, visit our blog.


Chafer APT

Chafer APT is believed to be sponsored by the Iranian government and to operate for the purposes of espionage. It uses a variety of tools to attack entities in the Middle East. Chafer appears to be primarily engaged in surveillance and tracking of individuals. Sectors targeted by Chafer include airlines, aircraft services, software and IT services companies serving the air and sea transport sectors, telecoms, etc. Their attacks are highly sophisticated in nature. For more information, visit https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions


Greenbug APT

Greenbug APT is believed to be an Iranian cyber-espionage group. Greenbug targets organisations in the Middle East using a custom information-stealing remote access Trojan (RAT) known as Trojan.Ismdoor alongside a selection of other hacking tools to steal sensitive credentials from compromised organisations. One example is the OilRig campaign, a series of cyber attacks whose earliest actions are dated to 2015. For detailed research on this group, visit our blog at https://www.darkmatter.ae/blogs/greenbug-cyber-espionage-group-targets-uae/


RECOMMENDATIONS

 

BASED ON THE FINDINGS OF THIS QUARTERLY REPORT, DARKMATTER RECOMMENDS THAT UAE ENTITIES IMPLEMENT THE FOLLOWING BEST PRACTICES:


Awareness training

Cybercriminals continue to find new avenues to exploit the human factor, making security awareness training and simulated phishing exercises important ways to train employees on how to identify and report social engineering attempts.


Secure protocols

All protocols in use on a network should be identified. Those not required should be disabled, while those serving a business function should be replaced with secure equivalents: Secure Shell (SSH) in place of Telnet, HTTPS in place of HTTP, SFTP or FTPS in place of FTP, and SNMPv3 in place of SNMPv1/v2c.

 

Two-factor authentication

Two-factor authentication should be implemented to add an additional layer of security to account logins, so that a guessed or phished password alone is not enough to gain access.


Patch management

Integral to any good security program is automated enterprise software patch management. This helps ensure that all applications, operating systems and their components are up to date. New vulnerabilities and exploits emerge frequently, so failing to implement patches as they are released can expose an organisation to unnecessary risk.


Configuration management

Misconfigurations are most likely to occur during security change processes. A configuration management process helps prevent misconfiguration-related incidents. More specifically, organisations should establish standard configurations based on industry best practice, and then continuously monitor for changes from that baseline. This will enable quick identification of a misconfiguration before it can be exploited by an attacker.


Software upgrades

Upgrade all unsupported software to currently supported versions.


Network Segmentation

Deploy network segmentation appropriately, so you can ensure true zone isolation. Follow the principle of ‘least privilege’ as you segregate the network: configure it so that users, servers and other devices can access only those services required to perform their tasks.


Potentially Unwanted Application 

Potentially unwanted programs installed on systems can be mitigated through application whitelisting, periodic threat hunts, removing unnecessary administrative rights, and blocking executables from running from non-approved locations such as USB media, AppData or temp directories.


Password hygiene

Change default passwords as soon as a new system or software is added to the network. Where the software allows it, enable account lockout mechanisms to mitigate password-guessing attacks. At a minimum, ensure that all passwords deployed are different, secure, and meet the organisation’s password complexity policy. Additionally:

  • Do not use passwords found in dictionaries
  • Passwords should be memorable
  • Use passphrases instead of passwords


SUMMARY

 

THE THREAT LANDSCAPE IS BECOMING INCREASINGLY COMPLEX AND HYPER-CONNECTED. THE UAE HAS SIGNIFICANT WEALTH AND EXCELS AT INNOVATION, MAKING IT A PARTICULARLY ATTRACTIVE TARGET FOR ADVANCED THREAT ACTORS. AS SUCH, IT IS IMPORTANT FOR ORGANISATIONS TO UNDERSTAND AND MANAGE THE SECURITY THREATS AND RISKS, SO THAT THEY CAN FULLY EMBRACE THE BENEFITS OF INCREASED CONNECTIVITY AND MORE POWERFUL DIGITAL TECHNOLOGIES.

As described in this report, websites and systems linked to the UAE were exposed to a wide range of cyber threats. While these included some of the most sophisticated, including advanced persistent threat groups, many of the most common causes of cyber security risk came from organisations using outdated and unsupported software, allowing the use of weak passwords, not patching systems, and weaknesses in configuration management.

These results reinforce the importance for organisations to follow best practice in areas such as: robust cyber situational awareness, vulnerability assessments, continuous monitoring and incident response capabilities to detect and respond to security events promptly. More specifically, DarkMatter recommends organisations do the following:

  • Promptly update and patch software
  • Implement system and network security hygiene
  • Identify and remove non-standard software
  • Improve password strength and implement two-factor authentication
  • Implement ongoing scanning and monitoring of critical systems
  • Hold periodic cyber security awareness briefings and training
  • Initiate continuous security assessments