China gets most of the blame for hacker attacks, but is it justified?
May 13, 2013
For more times than it probably cares to remember, China has been singled out by the United States and its allies as one of the biggest sources of internet hacking attacks. But amid all the anti-China rhetoric, has China been given an unfairly bad name?
At first blush, there's mounting evidence pinning the source of state-sponsored espionage activity on China. Verizon’s Data Breach Investigations Report – which sources its data from law enforcement and security agencies across the globe – claims that about 96 percent of state-affiliated attacks came from China.
Then there's FireEye’s Advanced Cyber Attack Landscape report, which finds that 89 percent of all APT callback activity is associated with APT tools either made in China or closely associated with specific Chinese hacking groups.
Internet security consultancy Mandiant went further in a high-profile February report, alleging a concrete link between notorious hacking group Comment Crew (aka APT) and the People’s Liberation Army. Most recently, a Pentagon report issued last week claimed: “Numerous computer systems around the world, including those owned by the U.S. government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military.”
Broadening the scope beyond state-sponsored internet attacks, the information security industry seems pretty much in agreement that China is a major attack source. Symantec’s latest global Internet Security Threat Report for 2013 claimed the country was the number one source of network attacks, accounting for almost 30 percent of the global number, and second behind the U.S. when it came to “malicious activity” in 2012.
And there's more. Spam blacklist service Composite Blocking List (CBL) deems Chinese IP addresses the world’s worst offenders, accounting for 22.5 percent of its global spam list.
The latest numbers from China’s Computer Emergency Response Team (CN-CERT) reported that 1.4 million infected computers in the country were controlled by trojans or botnets, and over 1 million by the 2001 Conficker worm.
Then, Panda Internet Security earlier this year branded China as the most malware-ridden nation, claiming that 55 percent of its computers were infected in a very serious manner.
All of which paints China as a nasty country when it comes to internet security and hacker attacks. But one has to wonder: is it really 100 percent justified? Given the nature of the internet, a large number of Chinese IP addresses being fingered as attack sources, or as compromised computers and servers, is no indication that the attacks are actually being launched by actors from within China.
It is more accurately an indication that within that country exist a large number of vulnerable computers and perhaps inadequate law enforcement or industry self-regulation.
As a matter of fact, China has always claimed that it's a victim, not a perpetrator, of cyber attacks – many of which it says come from the U.S. So which is which?
The biggest hurdle that internet security researchers face today is explaining the true origin of an attack, says Fortinet’s global security strategist, Derek Manky.
Attacks can be routed through several compromised computers used as proxies all over the world, so finding a command and control (C&C) server is definitely not an indication of an attack's true source. And IP addresses can easily be spoofed as well, adding another layer of uncertainty to the whole picture.
“In some cases, it’s easy enough to trace back one hop but this is never enough because in some cases there are four or five hops and often they encrypt the traffic with VPNs,” Manky explained. “It means that you have to go to every related ISP in each different country, all of which may be subject to different legislation and law enforcement regimes, further complicating an issue that is already tough enough to manage.”
Manky argued that cyber criminals focus their efforts on China because of the larger numbers of potentially vulnerable PCs there and regulatory loopholes which allow unscrupulous domain registrars to continue operating under the radar. But to be fair to China, both of these factors are also true of the United States.
“There are a lot of IP addresses in China and there are a lot of infected systems. Many are XP machines not even running Service Pack 2 so they’re low hanging fruit,” Manky said. “They’re infected and then brought under the control of operators outside of China – in the U.S., Latin America, Eastern Europe, etc. And then they are used as a platform which can be leased out by the criminal operator, wherever he or she might be.”
In order to be successful, this kind of Crime-as-a-Service (CaaS) scheme also requires so-called bulletproof hosting firms where hackers can run C&C servers and register malicious domains safe from the prying eyes of law enforcement. “These places provide a safe haven.
Two or three different actors in China come to mind, accepting domain registrations which ultimately lead to attack campaigns – it’s a real and big black hole in China,” said Manky.
“Interestingly, China has done something, albeit it's not that much to begin with. It had an issue with fraudulent registrations so the government acted to tighten registration, but there are still a lot of loopholes in the system – not just in China but everywhere you look.”
The latest CN-CERT statistics reveal that 140 malicious domains, about 34.2 percent located in mainland China, were hosted in such a manner by attackers outside of the country.
FireEye EMEA product manager Jason Steer says that China was number three in the firm’s recent report for hosting C&C systems, below the U.S. and South Korea, but agreed with Manky that this in no way signifies that actors inside the country are attacking global targets in huge numbers, so the issue is all over the map.
“Actually, I'd argue something different in fact: cyber attacks coming from within your country indicate that C&C servers are set up in-country to confuse defenders. Attackers are less easy to spot and find with traffic staying in the country first and then being moved on,” he said.
“Given the geographic size of China and the size of its PC population, it's an obvious place to attack from – with high speed internet and the same insecure computers running Windows there as they do across the world. As it rolls out high speed internet, clearly it’s a good place to locate systems without questions being asked.”
Just for the record, China's internet population at the end of last year stood at 564 million, around 50 million more than a year before. That's still just a 42 percent penetration rate, but it's a lot of users to target nevertheless, meaning that China is likely to remain an attractive location for cyber crime gangs located all over the globe.
The security vulnerabilities in China's address space are also being exploited by home-grown attackers, as a report on China’s Online Underground Economy released last August reveals.
The report demonstrated that almost 23.5 percent of the country’s internet users and 1.1 million web sites were affected in 2011, at a cost of over 5 billion Chinese yuan.
Trend Micro vice president of internet security Tom Kellermann says that there are over 90,000 members of the Chinese shadow economy. “Over the past two years, there has been an explosive growth in criminal hacking activity within China targeting Chinese corporations,” he added.
China’s challenge is to promote greater levels of information security awareness among its vast population, especially as more and more internet users come online for the first time, and tighten up the loopholes which have allowed bulletproof hosters to flourish in the first place.
Such steps will make it less attractive for criminals, reducing the number of attacks launched by operators outside the country using compromised Chinese IP addresses, as well as cutting its domestic cyber crime problem.
On balance, it’s rather difficult to feel much sympathy with Beijing given the apparent volume and persistence of state-sanctioned internet attacks originating from within the country. But it’s also worth remembering that activities of this kind are certainly being carried out to a lesser or greater extent by all major global powers as well: China isn't the only player here, even if it remains a major one.
In a September 2012 report, Trend Micro’s Kellermann even concluded that “hackers from the former Soviet bloc are a more sophisticated and clandestine threat than its counterparts in China”.
The issue in China is that it’s currently the noisiest out there. Perhaps if it wants the damaging headlines to go away it needs to get its own house in order and get caught less frequently.
In other internet security news
Cody Kretsinger, a twenty-five-year-old man from Decatur, Illinois, and a former LulzSec hacker, has been placed in federal prison for a year for hacking into Sony Pictures' servers.
Kretsinger, better known to his fellow LulzSec members as "Recursion", was also ordered to carry out 1,000 hours of community service and serve a year of home detention following his release from prison.
He was sentenced by a Los Angeles court yesterday. Kretsinger had pleaded guilty to a single count of conspiracy and unauthorized impairment of servers in a plea-bargaining agreement.
Kretsinger admitted breaking into the Sony Pictures website and extracting information which he passed on to other members of LulzSec, who leaked the data in order to embarrass Sony, a hated enemy of the hacktivist group.
Sony claimed that the hack left it $600,000 out of pocket. Kretsinger was ordered to somehow repay this amount in restitution to Sony, the LA Times adds.
Earlier this month, a 26-year-old British man also pleaded guilty to computer hacking as part of LulzSec, a splinter group of mischief-makers from the larger Anonymous collective.
Ryan Ackroyd, from South Yorkshire, admitted taking part in attacks against numerous high-profile targets including Nintendo, News International, 20th Century Fox, Sony Group and the NHS. Ackroyd adopted the online persona of a 16-year-old girl named Kayla during much of his malfeasance.
Ackroyd and other convicted LulzSec suspects like Jake Davis, 20, from the Shetland Islands, Scotland, 18-year-old Mustafa Al-Bassam from Peckham, south London and Ryan Cleary, 21, from Wickford, Essex are all due to be sentenced on May 14.
Erstwhile LulzSec leader Hector Monsegur, known online as Sabu, was revealed in March 2012 as an FBI informer who had been grassing on his former cohorts for ten months after his arrest in June 2011. Sabu's sentencing was delayed by six months in February due to his "ongoing cooperation with the government".
In other internet security news
Internet security researchers say they have discovered a batch of new malware that targets the QUIK stock-trading application used by some banks and financial institutions.
The malware has been used in a series of attacks since November 2012, according to Russian security firm Group-IB. Cyber criminals have traditionally targeted private and corporate banking accounts, using malware such as variants of the ZeuS cybercrime toolkit to log key-strokes and extract account information from investors and traders.
This isn't new: online stock trading and brokerage systems have been hacked a lot in the past, but earlier attacks succeeded through fake profiles and social engineering scams.
Recently however, trading fraudsters have diversified tactics and begun to use malware, in an effort to defraud the public and steal money.
In particular, professional black hat coders have designed a new strain of malware targeting specialized trading software called QUIK (Quik Broker, Quik Dealer) from Russian software developer ARQA Technologies, and FOCUS I-Vonline from New York-based EGAR Technology.
Such software is used by many banks in the Russian Federation including Sberbank, Alfa-Bank and Promsvyazbank.
Both of the applications are used for trading on MICEX, a leading Russian stock exchange. MICEX offers services including placing and trading stocks, listing securities, and even the facility to set up initial public offerings (IPOs) or company flotations.
Exchange clients trade in stocks and shares issued by the likes of Gazprom, VTB Bank, RusHydro, Mobile TeleSystems, and a few others.
Andrey Komarov of Group-IB says that the online trading malware was a variation of the Ranbyus spyware normally used to infect Windows computers and target online banking customers.
"It has quite similar functions to Zeus, as it uses a VNC spawning module which helps the hacker to be connected to the infected computer absolutely remotely and to do his fraud in silence, that's why it won't be detected by anti-fraud filters, as the theft will happen from the same IP address," Komarov explained.
Worse, another Trojan identified as Broker-J also targets QUIK but uses a different technique, stealing encryption keys from the QUIK key storage and transferring them to cybercriminals, who again operate from the victim's own IP address to avoid detection.
"The end customer should use standard methods of antivirus defense if he or she runs financial software on a personal computer which is connected to public networks," said Vladimir Kurlyandchik, head of business development at ARQA Technologies.
"People should use efficient internet security appliances and antivirus software, and also make use of firewalls. It is our standard recommendation," he added.
"In case of any suspicions of unauthorized access to an account the end user should immediately initiate the procedure of changing access keys, along with new user IDs and secure passwords," he added.
Kurlyandchik also stated that the QUIK platform incorporates several new technologies to help prevent unauthorized access, including two-factor authentication using either RSA SecurID tokens or SMS messages sent to a pre-registered phone, as well as other similar security devices.
"The securities broker now has a few and improved tools to monitor suspicious activity and to block access to the system from suspicious IP-addresses, hosts etc," he said.
In other internet security news
Since last week, many hosting providers have been reporting a huge increase in attempts to hack into blogs and content management systems, with WordPress installations once again bearing the brunt of the attackers' offensive. It's not the first time that WordPress blogs have been the subject of hacking attempts and it probably won't be the last.
Thousands of WordPress installations across the globe were hit by a brute force botnet attack, featuring repeated attempts to log into blogs using a combination of popular usernames (eg, "admin", "myblog" and "user") and an array of unsafe passwords such as "god", "sex", "love" and "1 2 3 4 5".
Attacks of this type are commonplace: it's the sharp rise in volume late last week, to around three to four times the normal level, rather than anything technically devious that has set alarm bells ringing all over the web.
Around 90,000 compromised servers have been attempting to break into WordPress websites by continually trying to guess the username and password to get into the WordPress admin dashboard.
To help mitigate such attacks, the senior system administration team at Sun Hosting, a large Canadian hosting provider, has rolled out wide security policies to help contain and limit such attacks. For the time being, the company has removed any public information detailing the new way they're blocking the attacks, as the hackers seem to be actively monitoring for changes, and altering their tactics.
Sun Hosting says: "If your site or blog has been targeted in similar attacks, the security precautions we've implemented may limit the access to your WordPress admin dashboard. We have chosen to proactively protect our customers from such attacks in order to avoid a potentially larger security issue on your account. Your admin password should consist of a minimum of 12 characters, with upper case and lower case letters, numbers as well as punctuation marks."
The primary target appears to be WordPress installations but Joomla users also reportedly took some hammering as well. Early suggestions are that hackers are looking to harvest "low-hanging fruit" as quickly as possible in order to gain access to a bank of compromised sites for follow-up malfeasance, which could be anything from hosting malware to publishing phishing pages or running some sort of denial of service attack.
"It's 'doorknob rattling' but on an industrial and international scale," notes Paul Ducklin, Sophos's head of technology for Asia Pacific.
WordPress founder Matt Mullenweg said that the attack illustrates the need to use a distinct username and a hard-to-guess password, common-sense advice that applies to using web services in general, not just for blog administration.
"If you still use "admin" as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you're up-to-date on the latest version of WordPress. Do this and you'll be ahead of 95 percent of sites out there and probably never have an issue."
Most other advice isn't great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn't going to be great. They could try from a different IP every second for 24 hours, as an example.
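As an added illustration (not code from the article or from any vendor quoted in it), the Python below runs two detections over constructed web-server log lines and shows why the per-IP throttling dismissed above misses the botnet's pattern while a count of distinct source addresses hitting the login page catches it. It assumes Apache combined-log format and WordPress's behaviour of answering a failed login POST with HTTP 200 and a successful one with a 302 redirect.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample traffic (not real logs): twelve POSTs to wp-login.php from
# twelve different addresses inside one minute (the distributed pattern in the
# article), one noisy host with five tries, one unrelated GET and one real login.
def _line(ip, sec, status=200):
    return (f'{ip} - - [12/Apr/2013:10:00:{sec:02d} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 3421 "-" "Mozilla/5.0"')

SAMPLE_LOG = [_line(f"203.0.113.{i}", i) for i in range(1, 13)]      # 12 IPs, 1 try each
SAMPLE_LOG += [_line("198.51.100.7", 20 + i) for i in range(5)]      # 1 IP, 5 tries
SAMPLE_LOG += ['192.0.2.5 - - [12/Apr/2013:10:00:40 +0000] '
               '"GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
               _line("192.0.2.6", 45, status=302)]                   # successful login

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def failed_logins(lines):
    """Yield (ip, timestamp) for POSTs to wp-login.php answered with 200.
    WordPress re-renders the form with 200 on failure and redirects (302) on success."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].startswith("/wp-login.php") and rec[4] == 200:
            yield rec[0], rec[1]

def analyse(lines, window_seconds=60, per_ip_limit=5, distinct_ip_limit=10):
    """Slide a time window over failed logins and apply both detections.
    throttle_would_block: addresses reaching per_ip_limit failures in a window
      (what an IP-throttling plugin sees).
    distributed: at least distinct_ip_limit different addresses failing in one
      window, the botnet signature that per-IP limits miss because every address
      stays under its own limit."""
    events = sorted(failed_logins(lines), key=lambda e: e[1])
    flagged, max_distinct, start = set(), 0, 0
    for end, (_, ts) in enumerate(events):
        while (ts - events[start][1]).total_seconds() > window_seconds:
            start += 1          # drop events that fell out of the window
        counts = Counter(ip for ip, _ in events[start:end + 1])
        flagged.update(ip for ip, n in counts.items() if n >= per_ip_limit)
        max_distinct = max(max_distinct, len(counts))
    return {"throttle_would_block": sorted(flagged),
            "max_distinct_ips_in_window": max_distinct,
            "distributed": max_distinct >= distinct_ip_limit}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the sample, throttling would block only the single noisy host, while the twelve one-shot addresses are caught solely by the distinct-address count.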
Olli Niemi, internet security and vulnerability expert at Stonesoft outlined the range of possible motives behind the attack. “A concern of this attack is that by compromising WordPress blogs attackers may be able to upload malicious content and embed this into the blog," Niemi said.
"When readers visit the blogs in question they would then be subject to attack, come under compromise and develop into botnets. The attacks against the WordPress blogs seem to be distributed, with automated attacks coming from multiple sources,” he added.
Matt Middleton, U.K. and Ireland regional director of corporate security firm Cyber-Ark, said that hacking attempts on corporate blogs might be used as an access point to hack into other much more sensitive enterprise systems. Weak passwords need to be changed ASAP, he argues.
“Common usernames and weak passwords are extremely risky online, however, and the dangers are compounded if users re-use the same login credentials for other sites as well. Once hackers have cracked a username and password, it’s extremely common that they’ll attempt to use the same combination for additional sites in the attempt to fraudulently use accounts, or access information such as credit card details or corporate data," added Middleton.
Many denial of service (DoS) attacks against large U.S. banks in January were powered from compromised WordPress sites and blogs rather than malware-infected zombie PCs.
Source: Trend Micro.