The document is a 2015 annual report from TruShield Security Solutions that summarizes cyber threat intelligence over the year. It describes several major security incidents TruShield investigated in 2015, including the DGA17 botnet in January, a new Dyre Trojan banking malware campaign in February, a large Upatre downloader phishing campaign in March, and a Linux XOR DDoS botnet in April. It provides statistics on attacks by industry and discusses trends in ransomware, banking trojans, point of sale malware, and cybercrime costs that are expected to continue rising in 2016.

1. 1
CYBER THREAT INTELLIGENCE
TruShield Security Solutions
2015 Annual Report
Alex Deac

2. Alex Deac
Foreword
“You don’t have to look further than the headlines. Organizations
across all industries, small and large, public and private sector, lack
the ability to detect the inevitable system compromise which
rapidly expands to a data breach.
But does a simple drive-by-download or successful phish have to
result in a data breach? I don't think so, but the key distinction
between the two is how quickly the initial incident can be detected,
contained, and eradicated.
Modern attacks focus more upon the endpoint and the user sitting
at the keyboard than they do upon finding holes in the perimeter
defenses, and it should be keeping us all up at night that one risky
click could be all that stands between us and a massive data
breach.
If we know we can’t be perfect 100% of the time, and the bad guys
just have to get it right once, what hope do we really have?
Constant, 24/7/365 vigilance can help tip the scales back in our
favor.
I believe we must adopt a mindset wherein we accept that a
compromise may happen at any time, through any number of
channels, and, fully cognizant of that eventuality, focus on
immediately detecting, containing, and eradicating that
compromise when it does happen.“
Paul Caiazzo – Principal, TruShield Security Solutions

3. Alex Deac
Contents
Foreword ............................................................................................................................2
A Year in Numbers ............................................................................................................4
Introduction........................................................................................................................5
Monthly Security Events....................................................................................................6
Ransomware, Banking Trojans, PoS Malware, and the Dark Web..........................16
Global Distribution of Malicious Traffic.........................................................................24
2016 Cybercrime Forecast ............................................................................................26
Costs of Cybercrime and Cybersecurity .................................................................26
Cybercrime-as-a-service............................................................................................31
Industries Targeted ......................................................................................................33
Conclusions......................................................................................................................36
References.......................................................................................................................37

4. Alex Deac
A Year in Numbers

5. Alex Deac
Introduction
Our background in compromise assessments, security program development, risk
assessments, and compliance allows us to focus our investigation and
remediation efforts not just on fixing individual vulnerabilities, but rather on
identifying and addressing the root causes of those vulnerabilities. Common
causes we see are a lack of secure network architecture – including connections
to third-party service providers, incomplete or non-existent secure configuration
baselines or device hardening, and an inability to identify, test, and implement
patches as they become available.
TruShield’s real-time security monitoring platform, called Continuous Security
Monitoring (CSM), was born in 2011 after years of lessons learned across hundreds
of risk assessments and incident response engagements. We saw time and again
that regardless of spend, organizations lacked the ability to gain real-time threat
information about their own environments. Our CSM and CSM+ solutions are
designed to solve this problem, and this report represents a year’s worth of
problem-solving for clients across a wide range of industries.
Our solution brings together data from a variety of client-environment sources
such as security appliances, servers, endpoints, Active Directory, and more. We
leverage a broad threat intelligence base to provide a threat-aware platform
that is on the leading edge of current threat Tactics, Techniques, and Procedures
(TTP). Our threat intelligence includes many sources including paid and open
source data feeds, and we add our own custom intelligence collected from
honeypots deployed worldwide.
In 2015 we investigated 428 confirmed incidents caused by Spearphishing,
Banking Trojans, Ransomware, Exploit Kits, Malvertising, Web Application exploits,
and DDoS attacks. A full 43% of the incidents we investigated were in the financial
industry, partially due to our client profiles, and partially due to the sheer volume
of threat traffic focused on the financial indsutry. We additionally saw significant
threat traffic bound for our government and critical infrastructure clients, the legal
industry, retail/e-commerce, and the education space.
The bottom line is this – regardless of industry or market position, it is likely you are
on someone’s target list. If your security program isn’t prepared to withstand the
onslaught, there’s a good chance your organization could experience a data
breach – if you haven’t already.

6. Alex Deac
Figure 1: Attack Vector Monthly Distribution
Monthly Security Events
– DGA17 Botnet Disrupted
We started the year in full force and with plenty of action. In the first two weeks of
the year, we discovered a large botnet operation attacking one of our clients.
Within 24 hours of deploying an initial proof-of-concept of Continuous Security
Monitoring (CSM) in a new client environment, we discovered new details and
behavioral patterns of the DGA 17 botnet. The botnet had already compromised
this network by infecting dozens of endpoints including desktops, laptops, and
smart devices. The majority of devices were infected by Tempedreve botnet
malware which attempted to connect via DNS calls to 195.26.22.248. The IP
address resolved to malware domain testingalwaysfiresyncpixel.com located in
Lisbon, Portugal.

7. Alex Deac
Figure 2: DGA17/Tempedreve Botnet
Although the domain was sinkholed by Botnet experts from Anubis Networks, the
infected hosts continued to make call-home leaving the client exposed to further
attacks. It took a large-scale effort that included containment and eradication of
malware, overhauling network security architecture, and deploying our full-
fledged CSM+ platform. Since then, we used information learned from this client
to identify Indicators of Compromise (IoC) related to DGA 17 across multiple
clients especially in Financial, Retail, Legal, and Utilities verticals, all successfully
mitigated.
– New Dyre Trojan Campaign
In February, we exposed a new strain of Dyre - the infamous banking Trojan. After
being alerted by two leading threat intelligence providers we’ve learned that
governmental and financial organizations were targeted by Dyre which rivals in
capabilities with ZeuS and its subsequent versions. The new attack vector used for
delivering the payload was a sophisticated phishing campaign. The two verticals
were targeted by emails containing “Document Important” or “Account Report”
in the subject bar. The email had attached a .zip file which once opened
delivered the malicious payload.

8. Alex Deac
Dyre is known for its capability of stealing credentials and establishing backdoor
communication with remote attackers. At the time of the attacks just a handful
of endpoint security firms developed signatures for the new Dyre. One of the key
components of defending against Dyre or any malware without a signature is
sound cyber hygiene where users are trained to never open files from unknown
sources or containing .zip or .exe attachments. Moreover as part of defense-in-
depth strategy organizations should deploy a managed secure email gateway
capable of screening and blocking suspicious attachments.
Cleanup from Dyre was a long process, due in large part to problems with this
client’s containment strategy – a problem we helped them resolve over the
following months.
– Upatre Downloader Phishing Campaign
In March we encountered a vast phishing operation which delivered Upatre.
While Upatre is just a downloader it also has a very small footprint and countless
versions that avoid detection. In addition Upatre is known to deliver secondary
payloads such as banking Trojans and Ransomware like CryptoWALL. We saw a
lot of Ransomware over 2015, and much of it was secondary payload delivered
by Upatre and other downloaders like it.
During this campaign we identified 129 malware domains responsible for
delivering Upatre, and helped all of our clients prevent additional payload
delivery via these channels.
Upatre Secondary Payloads
GameOver Zeus (GOZ) – Banking Malware responsible for tens of millions
of dollars in losses
Dyre or Dyreza – Banking Malware targeted Bank of America, Citibank,
NatWest (United Kingdom), Royal Bank of Scotland, and Ulster Bank
(Ireland)
CryptoLocker - Ransomware Trojan operated by Command & Control
(C&C) Servers in the Dark Web aka Tor
Vawtrak (also known as Snifula and Neverquest) – Banking Malware that
targeted Bank of America, Capital One, Wells Fargo, Citibank, U.S. Bank,
Fifth Third Bank and Commerce Bank

9. Alex Deac
Rovnix – Rootkit for Windows VBR which makes changes to your PC so
that it downloads and runs other malware each time it starts
– Linux XOR DDoS Botnet
In this month we battled the most malware families throughout the entire year.
Our SOC analysts fought 4 different worm varieties, 3 Exploit Kits, 3 Ransomware
families, 2 Linux Trojan families, and countless Windows Trojans. In April
Tempedreve aka DGA17 Botnet re-activated and beaconed back to its C&C
server. After forensic analysis we determined that infected hosts were on a
schedule to call back every 75 days. Fortunately the C&C domain was previously
sinkholed while our incident responders restored impacted systems without any
further damage.
In April we also detected an instance of the feared Linux XOR DDoS Trojan that
combined a rootkit with backdoor communication to 103.25.9.228 located in
China. The malware is capable of infecting servers running on Linux and directing
them to launch Distributed Denial of Attacks (DDoS) against pre-determined
targets. The botnet behind this malware is responsible for an average of 20 DDoS
attacks a day with the strongest in excess of 150 Gbps. Linux XOR DDoS spreads
via Secure Shell (SSH) services susceptible to brute-force attacks due to weak
passwords and is capable of downloading and executing files, removing services,
installing modules, and updating itself.
Finally we disrupted a Havex RAT operation. This malware is responsible for
targeting Industrial Controls Systems (ICS) and Supervisory Control and Data
Acquisition (SCADA). The attackers have customized software available for
download from ICS/SCADA manufacturer websites in an effort to infect the
computers where the software is installed. Furthermore the cybercriminals uses
Havex to gain control of critical infrastructure and even launch more attacks
against other victims. F-Secure reported more than 88 different versions of this
Trojan which can be used in cyber-espionage operations and kinetic cyber-
attacks. Havex has been seen to connect to 13 malicious domains and continues
to be a serious threat to SCADA/ICS systems.
– Mumblehard Attacks on Linux Mail Servers

10. Alex Deac
In May, we saw a dramatic increase in application exploitation. Adobe’s
products were dominating the landscape with 60 percent of the total observed
exploits targeting their products. We also saw Internet Explorer and OpenSSL
exploitation attempts. Moreover a vulnerability in the Magento e-commerce
platform took center stage in one of our clients’ networks. In fact there were no
less than three security bulletins exploited within 24 hours from disclosure (CVE-
2015-1397, CVE-2015-1398, and CVE-2015-1399. The critical weaknesses allows
attackers to launch a SQL Injection, bypass authentication, and respectively
execute remote file inclusion.
TruShield security analysts also saw
Mumblehard active in the wild. This Linux-
specific malware was responsible for
infecting Linux and BSD systems that run as
email servers with the outcome to launch
large SPAM attacks. The malware,
composed of a downloader and Trojan
was very effective with an initial 9,000 infected hosts IPs within a few months. We
pinpointed at the origin of the attack YELLSOFT which is a company that sells
DirectMailer software for delivering bulk mail and believed to be based in Russia.
Furthermore we detected and removed evidence of the Simda botnet for which
US-CERT issued Alert TA15-105A. Industry analysis indicated that Simda enrolled
more than 770,000 computers in the botnet, but our estimates surpassed 1.5 million
systems worldwide. The attack vectors included SQL Injection, BlackHole Exploit
Kit and different application vulnerabilities. In our cases we observed a
combination of Adobe Flash vulnerability and Styx Exploit Kit.
– PoSeidon Operation Dismantled
What a busy time we had during the first month of the summer with over 200,000
web-based attacks. For the first time we have witnessed majority of attacks
generating from Russian Federation, with a significant percentage being
conducted by groups from this country. The centerpiece was a large operation
directed against clients from banking and retail industries and used as an attack
vector the infamous PoSeidon malware. The cybercrime ring used a newer
technique called Fast Flux DNS which used 60 second DNS calls to obfuscate its

11. Alex Deac
origins. As a result we blacklisted more than 50 malware domains responsible for
spreading PoSeidon.
June was also the month that we recorded a 21 percent surge in application
exploits. The leader was Internet Explorer followed by Adobe Flash, and Adobe
Reader. No wonder this month recorded a peak in exploit kits (EK), including the
hugely popular and versatile Angler. We collected the following EKs for June:
 EXPLOIT-KIT Angler
 EXPLOIT-KIT Astrum
 EXPLOIT-KIT CritX
 EXPLOIT-KIT Fiesta
 EXPLOIT-KIT Magnitude
 EXPLOIT-KIT Nuclear
 EXPLOIT-KIT Styx
We determined that leading cause is still the window of opportunity handed over
by admin to hackers when leaving unpatched critical systems for extended
periods. In many cases those systems goes unpatched for months or even years.
It is always a goal of ours to get clients on regular cyber hygiene programs wherein
inventories are kept up to date, systems are hardened to a standard, and
vulnerabilities are patched as soon as testing and approval processing allows
We also experienced record breaking number of email bounce attacks part due
to misconfiguration of email servers with a peak of 2,499 attempts within 48 hours.
Finally security analysts defended the networks against multiple banking Trojans
that were delivered via phishing campaigns.
– 188,929 Threat Actors
We monitored 188,929 threat actors including spamming, malware domains, and
scanning hosts. A total of 474 Command & Control servers were closely monitored
in order to block any potential botnet attacks. The majority of the C&C Servers
were located in the Netherlands, Germany, and France. Our SOC analysts also
blocked 206,504 web-based attacks against our clients’ networks.
Our success story of the month was successfully disrupting an active malvertising
campaign. During this event we closely monitored and blocked multiple drive-by-
downloads carrying the Angler EK which was attempting to exploit Adobe Flash
Player Zero-day (CVE-2015-0311). The Zero-day vulnerability was impacting
Windows OS, OS X, and Linux platforms while the EK was delivering the infamous
CryptoWALL 3.0. CryptoWALL was everywhere in 2015, and in our experiences in
most cases, where there was CryptoWALL, there was Angler.

12. Alex Deac
Figure 3: Malvertising campaign delivering Ransomware
During this month we also witnessed a surge in Linux/UNIX malware. Among Linux
specific malware were backdoor, worm, downloader, and Trojan. Also we have
blocked two major Banking Trojan campaigns delivering credential stealing ZeuS
and Dridex. Finally we blocked an ongoing SeaDuke APT operation and
blacklisted multiple domains and subdomains responsible for delivery.
– 3,000 SPAM Botnets
Mid-summer was categorized by a surge of 52 percent in attack sources with over
286,133 threat actors including spamming, malware domains, bruteforce, and
scanning hosts. No less than 585 Command & Control (C&C) servers were closely
monitored in order to block any potential botnet attacks. Most C&C Servers were
located in the U.S., China, Netherlands, France, Bulgaria, Ukraine, Turkey, Russia,
and Vietnam. We also monitored and blocked over 3,000 SPAM botnets that were
attempting to overwhelm our clients’ mailing systems.
While the U.S. leads with over 60% as the most sources of web-based attacks, the
most malicious sources were hosted by China (34,535), followed by US (21,981),
Turkey (10,034), France (7,628), and the Netherlands (4,051). Our SOC analysts and
integrated multiple threat intelligence platforms allowed us to determine that the

13. Alex Deac
financial industry continues to represent the most targeted vertical, followed by
the legal industry.
August was the month we unveiled that two US major universities were
compromised by cybercriminals. One of them, the School of Electrical &
Computer Engineering, which is part of the University of Michigan North Campus
was also the most malicious source of the month. Our threat intelligence revealed
that dynamically assigned IP 78.176.131.113 residing in Turkey was responsible for
using the school open network as a platform to launch massive scans. We closed
the month with a cyber-espionage operation, ransomware, and multiple banking
Trojans.
– Record Number of Exploit Kits
The Top 20 attacker countries were responsible for 141,290 exploit attempts
against our clients. While US-based attacks saw a significant reduction from 54
percent to less than 44 percent in attacks, China jumped from 12 percent close
to 17 percent. Even more worrisome Russian Federation which in August ranked
fourth with just over 3 percent, in September almost tripled its attacks to over
14,000.
During this month we fought a Botnet using Namospu Trojan which had C&C
servers located in the tiny island of Tokelau, Netherlands, and Spain. We also
reconnected with an old friend…. the infamous DGA 17 botnet’s known IP range,
currently resolving to anbtr[.]com. This was also the first time we discovered and
released the mastermind’s name - Matthew Pynhas - which has more than 2,350
other known domains registered under his email.
Figure 4: Chrome Browser Malware Warning

14. Alex Deac
In September we had the largest number of exploit kits including Angler, Fiesta,
Goon, Infinity, and Nuclear. These EKs were mostly targeting a record number of
vulnerabilities in Adobe Flash and Adobe Player, counting for about 70 percent
of all weaknesses. Finally we experienced a backdoor on Cisco routers which
allowed the attacker to load different functional modules over the Internet. The
modular backdoor would then let the attackers to maintain persistent presence
within networks once successfully exploit routers.
– DNS-based Reflected DDoS Attack
In October we witnessed 70 percent of all web-based attacks originating from US
instead of other threat actors. The main reason behind was the significant drop of
attacks from 23,340 in September to only 3,394 this month. The 7 fold reduction in
attacks was most likely due to the September agreement between US and China
to mutually not engage in activities such as intellectual property theft and cyber-
espionage.
Also during this month we stopped a major phishing campaign that was targeting
one of our financial clients on the West coast. We determined the origin of the
attack was a compromised email account belonging to a state authority ending
in .gov. After the initial assessment we’ve notified those authorities and they
scrubbed that account. Another big event was a DRDoS attack against one of
our clients in the Legal industry which we successfully diverted. During the post-
mortem lesson we’ve learned that the attack was using a misconfigured DNS
server capable of a factor amplification of 100.
Next, we blocked an Android malware targeting all recent platforms which was
responsible for infecting large amount of devices in 20 countries. The cybercrime
ring responsible for Kemoge uploaded fake “popular” apps to third-party app
stores and promotes the download links via websites and in-app ads. Also we
experienced a record number of Adobe Flash Player instances (78 percent)
exploited by Angler EK. Lastly we observed ActiveX plugin being exploited by
Neutrino EK.
– Three DDoS Attacks Blocked

15. Alex Deac
This month was characterized by China-based attacks coming back to “normal”
in other words leading in terms of most malware domains - 82,344. Attacks from
US- fell on the second place with 35,834 domains generating malware. Other
notable countries responsible for malicious activities were Germany, France,
Netherlands, and Russia. In US we pinpointed that the biggest hubs of cybercrime
are located in California, Michigan, Kansas, and Washington State.
November was the month of DDoS attacks. The first two assaults were made
against Retail clients on 12th and 18th of November and initiated most likely by
group[s] specialized in cyber extortion, most likely a copycat of infamous criminal
group DD4BC (DDoS for Bitcoins). The third DDoS attack performed against the
Education industry and was meant to obfuscate a malware intrusion.
Figure 5: DDoS Attacks
Next we dealt with Sefnit Trojan which attacks Windows platforms from XP to 10.
The campaign against financial industry originated from multiple domains with
suffix .su which once belonged to Soviet Union, nowadays used by Eastern
European crime. Another major attack vector blocked was the first-ever OS X
ransomware – Mabouia. This particular ransomware escalated from proof-of-
concept to attacks in the wild in a matter of weeks.

16. Alex Deac
– Juniper ScreenOS Attempt
We defended our clients against 233,400 web-based attacks generated by the
top 20 attacker countries. We were surprised by new entries in our Top 20 most
malicious countries. Among the top 20 Attackers we noticed for the first time
Costa Rica (3,803), Bulgaria (1,451), and Italy (1,426).
We continued to see as one of the most common technique domain shadowing
were hackers creates sub-domains of popular shopping and entertainment
domains which ultimately lands users on infected websites. As predicted we saw
spikes in malicious traffic mainly due to holiday season which ultimately led to a
flurry of malware including multiple Point-of-Sale Trojans, capable of scrapping
credit card information, Ransomware, and banking Trojans. We also experienced
two operations responsible for cyber espionage and APT groups.
Lastly but equally dangerous was the Juniper ScreenOS backdoor incident. The
secret door found in the ScreenOS - CVE-2015-7755 and CVE-2015-7756 -
impacted multiple firewalls and routers by allowing remote attackers to gain
privileged access. The exploitation attempt was blocked and the risk removed.
THREAT INVESTIGATION
Ransomware, Banking Trojans, PoS Malware, and the Dark
Web
Dark Web
We continuously monitor and scrutinize the Dark Web. Why do we watch the Dark
Web? A decade ago multiple projects were developed to promote anonymous
browsing on Internet and ensure privacy of users. Although the initial goal of
creating anonymous browsing was to protect users’ identity and even free
political speech, lately Tor traffic led to flourishing black markets for cybercrime,
cyber espionage and terrorism, and a whole set of other illegal activities – see the
case of the drug marketplace Silk Road. This represent the Dark Web which should
not be confusing for Deep Web that represent parts of World Wide Web
unsearchable by common engines such as Google or Bing. It is worth noting that
common search engines/crawlers indexes roughly 16 percent of it while the rest
sits beyond reach.

17. Alex Deac
To access the Dark Web one needs a special browser called Tor. TOR stands for
“The Onion Router” and represents a complex network of public and private
relays, VPNs, and Proxies which allows the end-user to hide its identity. By using a
special version of Mozilla Firefox browser the user can access anonymously regular
Internet and in the same time the so-called Dark Web.
Figure 6: Malicious Activity Hosted on Tor
The Dark Web, in general, and Tor network, in particular, offer a secure platform
for cybercriminals to support a vast amount of illegal activities — from anonymous
marketplaces to secure means of communication, to an untraceable and
difficult to shut down infrastructure for deploying malware and botnets. More and
more cybercriminals are hosting their C&C servers on Tor to avoid detection,
identification, and prosecution. Digital currency Bitcoin also plays a significant
part in funding these operations by avoiding normal scrutiny allocated to physical
currencies such as USD and EURO.
Ransomware
At TruShield we were able to map the months with most malicious traffic to the
highest amount of attempted Tor connections. In fact we pinpointed multiple

18. Alex Deac
Ransomware and Banking Trojans campaigns originating from Tor or calling back
home to the anonymous network. We mapped Dyre, Upatre, and many custom
Banking Trojans that were beaconing to C&C servers hiding in Tor. In addition we
unveiled several ransomware operations using as vectors CryptoWALL 2.0 and 3.0,
Crypto Fortress, and TorrentLocker.
Point-of-Sale (PoS) Malware
We defended our clients against multiple PoS malware campaigns during 2015.
In June we stopped the largest operation against one of our financial client by
using PoSeidon malware. Recently we learned that attacks successfully stopped
in 2015 and carrying out specialized PoS malware such as CenterPoS, NewPoS,
and Alina, were most likely linked to global Operation Black Atlas. As with any
other similar campaigns criminals were after credit card information scrapped
from the RAM of the PoS. Of a special interest is NewPoS which is capable of
RAM scraping, keylogging, keep-alive reporting, and data transfer sequencing.
Trend Micro discovered several healthcare providers and insurance companies
among the victims of Black Atlas. However our SOC analysts determined that
the campaign also targeted SMBs in the retail and financial industries. With
majority of victims located in US the origins of Black Atlas were traced to
cybercriminal rings from Russian Federation, Romania, France, Latvia, and India.
Advanced Persistent Threats & Cyber Espionage Operations
While the beginning of 2015 was rather quiet starting with May up until December
we have seen 10 separate instances of APTs and Cyber Espionage operations
that impacted our clients’ networks. However it is important to note that
TruShield’s partners and clients we’re not directly targeted, but rather collateral
damage. To recap a perfect example, Stuxnet Trojans was initially conceived to
take down Iranian nuclear centrifuges however once released in the wild it was
used against SCADA/ICS organizations across the world.
We have observed a major design flaw in the case of Stuxnet and other
weaponized malware such as Duqu and Flame. All these pieces of malware
designed for cyber-espionage and SCADA sabotage were missing a kill switch
which would destroy it. Due to this fact the malware was reverse engineered and
used by cybercrime rings. Nevertheless all attacks against TruShield clients were
diverted or blocked.
Major APT Groups:
APT Aurora – China APT1 - China

19. Alex Deac
APT3 - China
APT12/IXESHE - China
APT17 – China
APT18/Wekby – China
APT28/Sofacy – Russia
APT30 – China
APT “The Dukes” – Russia
APT Poseidon - Brazil
Figure 7: APT &Cyber Espionage Timeline
Desert Falcon – A group of cyber mercenaries believed to be located in
Middle East used the Trojan with the same name to launch successful operations
against military and foreign governments of Egypt, Palestine, Israel and Jordan. A
total of more than 50 nations were impacted with a total of more than 1 million
files stolen from 3,000+ victims.
The Desert falcon group used sophisticated social engineering and spear phishing
schemes to lure their victims in downloading the payload. The criminals were able
to obfuscate the malicious files by using right-to-left extension override technique
which allows .exe or .scr files to go undetected by endpoint security solutions.
One the initial payload is delivered the second stage begins by establishing
backdoor communication and data exfiltration.
Wekby – this group is thought to be part of or related to TG-0416, APT-18, and
Dynamite Panda hacking groups. Wekby group is suspected to be responsible for
multiple attacks against healthcare industry and other verticals over the last 3

20. Alex Deac
years. What set Wekby apart is that instead of using HTTP calls like other APTs,
instead it communicates with its C&C servers via rogue DNS calls.
While in the past the group exploited Adobe Flash Zero-days the July campaign
used Spearphishing as a method of malware delivery. The attackers mostly
impersonated the IT support or helpdesk of the organization. Next the malicious
email directed the victims to upgrade their Citrix agent or VPN client on the
targeted system which ultimately led to systems compromised.
CozyBear – CozyBear also known as CozyDuke or CozyCar is an Advanced
Persistent Threat which is responsible for multiple cyber-espionage campaigns.
This APT was found responsible for hacks against Department of State and The
White House in the end of 2014 beginning of 2015. The malware is delivered via
short media files which depict “Office Monkeys” movie. It is considered part of the
“The Dukes” family.
Once the victim opens and runs the “very funny movie”, the executable launches
a dropper which is responsible for evading anti-virus solutions installed on the
infected host. Next the dropper harvests local systems data and sends it to a
compromised website. The configuration files of the malware are encrypted with
RC4 keys and also releases executables that are signed with fake certificates.
Finally communication with C&C servers is established and data exfiltration
begins.
SeaDuke – is a recent member of the family of weaponized malware including
CozyDuke, MiniDuke, OnionDuke, and CosmicDuke. “The Duke” group behind
these multiple cyber-espionage operations was found responsible for earlier
campaigns against the U.S. and foreign governments by using the CozyBear APT
and CozyCar APT. In contrast with CozyDuke, which was aggressively targeting
multiple industries, SeaDuke is apparently reserved for handpicked high-profile
governmental and military organizations.
This APT uses for communication with C&C servers HTTP/HTTPS calls, which can
mislead many network defense tools. Moreover, because there is no database
present on the C&C server, Duke’s members instead opt for uploading specific
tasks to each compromised network. This is another evading tactic by reducing
the overall footprint of the APT on the compromised systems.
Sofacy – The group with the same name it’s been active since 2008. It mostly
targets military and foreign governments in the NATO area and lately it’s been
active against Ukrainian Government. The Sofacy groups also known as APT28 is
believed to be located in the Russian Federation and possibly in connection with

21. Alex Deac
or sponsored by its government. Sofacy APT targets Windows, Linux, and iOS
platforms.
In July/August period, the group launched several waves of attacks relying on
Zero-day exploits in Microsoft Office, Oracle Sun Java, Adobe Flash Player and
Windows OS. We’ve seen exploitation of Java Zero-day CVE-2015-2590 for the
Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33.
The signature piece of the group is using multiple backdoors on the same
malware to avoid detection and removal while maintaining uninterrupted
communication with C&C servers.
Black Coffee - This malware also targets Windows platforms, and can accept
commands from a control server that would allow it to execute shell commands,
read/write files, obtain disk information, search files, enumerate and terminate
processes, and more. The malware could also steal credentials from the infected
computer. The Trojan is used by Chinese group APT 17 and used the TechNet
(Microsoft Support) forum to disguise its C&C server.
The APT17 group created fake user profiles that contains one or more URLs that
linked to the biography sections of attacker-created profiles as well as forum
threads that contained comments from those same profiles. The malware then
communicated directly with the IP address to receive commands and late send
stolen information. If the C&C server is discovered or shut down, the attackers can
switch the encoded IP address on TechNet to retain control of the victims’
machines. Since then Microsoft disrupted the malicious activity.
Wild Neutron - the economic espionage operation first seen in 2013 in attacks
against Apple, Facebook, Twitter, and Microsoft made a big comeback in 2015
by attacking legal firms, investment firms, and mergers & acquisitions
conglomerates. The vector exploits unknown Flash Player vulnerability and has the
ability to switch backdoor communication to alternate C&Cs in case the primary
is taken down.
The malware is composed by a main backdoor module that initiates first
communication with C&C server; several information gathering modules;
exploitation tools; SSH-based exfiltration tools; and intermediate loaders and
droppers that decrypt and run the payloads. Wild Neutron’s main backdoor
module contains a number of evasion techniques, designed to detect or time out
sandboxes and emulation engines. This APT targets Windows and OS X platforms.

22. Alex Deac
Hodoor APT – is a Trojan capable of infecting Windows systems. In fact multiple
Windows Operating Systems were found to be exploited by this APT which
establishes backdoor communication with remote attackers via C&C servers.
We have reported and blacklisted the following malware domains responsible for
delivering Hodoor:
chamus.gmailboxes.com
chq.newsonet.net
cib.businessconsults.net
cibuc.blackcake.net
citrix.globalowa.com
climate.newsonet.net
clin.earthsolution.org
cman.blackcake.net
coco.purpledaily.com
cok.purpledaily.com
comfile.softsolutionbox.net
contact.arrowservice.net
contact.ignorelist.com
contact.purpledaily.com
control.arrowservice.net
control.blackberrycluter.com
cook.globalowa.com
cool.newsonet.net
copierexpert.com
corp.purpledaily.com
count.blackcake.net
cov.arrowservice.net
covclient.arrowservice.net
cow.arrowservice.net
cowboy.bigish.net
crab.arrowservice.net
crazycow.homenet.org
csba.bigdepression.net
csc.businessconsults.net
business.chileexe77.com
Arid Viper - This malware has been observed in the Middle East as part of the
Operation Arid Viper also known as Desert Falcons. The cyber-espionage
operation was first seen in 2011 and became increasingly active in targeted
government, financial, transportation, and education industries especially in
Palestine, Egypt, and Israel. The sophisticated malware includes various modules
including spyware, keylogger, and backdoor communication. Arid Viper targets
Windows and Android platforms.
The attack uses spearphishing campaign that lures the victims to watch a video
that depicts a violent car crash. Instead of an embedded URLs the malicious
email leads the victim to download a RAR file. As soon as the RAR is downloaded
its self-extract the video file titled ‘this.morning’ which actually contains the
malicious video payload. Once the infection propagates to the system a
backdoor communication channel is established to the C&C server and data
exfiltration begins.

23. Alex Deac
GlassRAT – is a malware only recently discovered that has in fact been around
since at least September 2012. The RAT modules includes reverse shell functionality
that provides attackers access to the infected device. Glass RAT has zero
detection capabilities by using forged security certificates that appears to belong
to a popular Chinese software developer.
Security researchers determined that malicious domains used by Glass RAT as
C&C servers overlapped with other known malware such PlugX, MagicFire, and
MirageFox. What makes Glass RAT unique is its ability to use the Adobe Flash Player
icon to mask its dropper and ultimately stay stealthy for an extended period.
Major vendors present in the Virus Total engine developed signatures only late
December which means the ring could operate undetected for 3 years.
GhØstRAT – is a well-known remote access Trojan (RAT) commonly used in
targeted attacks and widely available to both threat actors and cybercriminals
alike. The RAT is been observed in the wild since 2001 and continue to pose a
serious threat by adding new features such:
Take full control of the remote screen on the infected bot.
Provide real time as well as offline keystroke logging
Provide live feed of webcam, microphone of infected host
Download remote binaries on the infected remote host
Take control of remote shutdown and reboot of host
Disable infected computer remote pointer and keyboard input
Enter into shell of remote infected host with full control
Provide a list of all the active processes
At the end of this section it’s important to highlight that while we’ve listed
separately APTs and cyber espionage most often there are blurry lines between
the two. Many cyber-espionage operations uses one or multiple APTs to
compromise the adversary’s systems. Likewise so-called APT groups can be
involved in cybercrime and espionage in the same time. In fact it’s been the case
for decades that nation and state-sponsored intelligence communities used
cybercrime (e.g. stolen trade secrets and intellectual property) to fund their
espionage operations.

24. Alex Deac
Global Distribution of Malicious Traffic
Figure 8: Distribution of attacks June-December
Overall we witnessed over 3 Million attacks against our clients’ networks in 2015.
However the first 8 countries counted for almost 900,000 web-based attacks
between June and December. US continues to lead in most malicious categories
including SPAM, Malware Domains, Phishing, DDoS, and Hacktivism.
Attacks originating in China and Russian Federation continues to pose the biggest
threat to our clients from all industries. Both countries generate a large number of
cybercrime and cyber-espionage. Russia has currently an estimate of over 20,000
individuals engaged in cybercrime due in part to the subpar job market that not
offer career opportunities to its IT workforce. Another factor in the ever increasing
cybercrime is that while the local underground market for exploit kits,
ransomware, and banking Trojans used to be rated in the hundreds or even
thousands of USD nowadays the values dropped 3 to 4 times. As a result hackers
are more aggressive in gaining new income avenues especially Cybercrime-as-
a-service where client can hire them for Ransomware attacks, DDoS, and other
attacks. The hackers’ cut in this case varies from 25 to 50 percent of the revenue.
While Chinese hackers are still leading in scanning and Brute-force attempts, the
real issue is the nation-state cyber-espionage and APT groups. In fact the recent
survey among more than 17,000 IT specialists - of which more than half where in
management, and executive positions - revealed that majority are fearing of
Chinese-backed cyber-attacks (89%) followed by Iran (67%), Russian Federation
(65%), North Korea (58%), and Syria (50%). To confirm our statement The Rise of
Nation State Attacks survey listed among the most important objectives of nation-
state attacks business disruption (73%) aka DDoS attacks, followed by cyber-

25. Alex Deac
espionage (56%) aka APT groups, and data exfiltration (44%) as in intellectual
property and trade secrets theft.
China - a persistent state-sponsored campaign of attacks
2008 – Obama and McCain presidential campaign breach
2010 – First reported APT respectively Aurora Operation against Google and
other 30 companies including major US defense contractors
2011 – US Chamber of Commerce is breached
2012 – Jet Propulsion Laboratory compromised
2013 – Relatively unknown threat intelligence pioneer at the time
(Mandiant) unveils China’s APT1 which marked the very first public exposure
of their cyber warfare
2014 – USPS attack exposes more than 800,000 governmental employees’
records
2015 – Second OPM breach impact 20+ million US citizens including their
clearance status
2015 – Breaches to Anthem and Premera Blue Cross resulted in more than
100 million healthcare records compromised
While China leads in terms of APT groups Russians dominate the Point-of-Sale
malware. China also hosts the most malware domains, and Brute Force. Korea
hosts ranks second in WEBAPPs and DDoS attacks which is due to weak legislation.
On a special note is Brazil which distinguish itself as a leader in banking Trojans
and underground market for malware. Brazil’s case is tied to expansive cheap
Internet access and one of the countries with the highest levels of corruption
within G-20 largest economies. Moreover Brazil has failed to implement sound
legislation to enforce breach reporting. Finally as recently reported one of the
longest lasting APT groups – Poseidon – is believed to have roots in Brazil.

26. Alex Deac
Figure 9: Top Countries generating most attacks
As for the European countries, we have reported time and again that bulletproof
hosting allows cybercrime rings to infect a significant number of C&C servers in
Germany, Netherlands, and France. However we’ve noted in November that
Netherlands’ authorities in collaboration with FBI and major companies took
significant steps in reducing cybercrime. The proof is in the numbers which shows
a significant decrease of Dutch-based malicious activity, from 4,611 in June to
only 692 attacks in December.
2016 Cybercrime Forecast
Costs of Cybercrime and Cybersecurity
In our hyper-connected world the threats we see on a daily basis have evolved
from hacktivists and script-kiddies to new in-roads by brick-and-mortar organized
crime. In fact we witness an unprecedented level of sophisticated attacks and
to an ever increasing scale. Financial and reputational losses have reached an
almost unbearable cost for many small and medium organizations.

27. Alex Deac
The total amount in USD due to cybercrime damages seems to vary greatly
between different reputable sources due to different methodologies and size of
the sample. However, all of the reports seems to agree that numbers are
staggering and continue to rise. Allianz Global reports that first the 10 largest
economies suffered in 2015 more than $250 Billion in losses while overall the world
economy suffered an estimate of $445 Billion. US leads with $108Bn, followed by
China $60Bn, Germany $59Bn, Brazil $7.7Bn, UK $4.3Bn, India $4Bn, France $3Bn,
Russia $2Bn, Japan $980M, and Italy $900M.
Figure 10: Global costs of cybercrime
More granularly, according to Ponemon Institute the average cost of cybercrime
in 2015 per large organizations is $15.4M in US, trailed by Germany $7.5M, Japan
$6.8M, UK $6.3M, Brazil $3.8M, Australia, $3.5M, and Russian Federation $2.4M. It is
important to note that only 252 companies in 7 countries participated in the
survey. The same study shows that costs continues to rise year-over-year from 2014
to 2015. Russia leads with 29 percent gain, US 19 percent, UK and Japan 14
percent, Australia 13 percent, and Germany with only 8. However, Germany has
the highest percentage of cybercrime to its GDP, approximately 2.5 times bigger
than US. It is also important to note that globally attacks recorded a hike of 38
percent from 2014 to 2015 and a similar increase is expected for 2016.

28. Alex Deac
The business disruption caused by DDoS attacks costs an average of over
$400,000 and requires 19 days to fully restore operations. Those costs are
associated with containment and eradication, loss of revenue, legal fees, and
reputational damage. Likewise, costs of Ransomware on enterprises are on rise
with an average of more than $15,000 but could go as high as $125,000 per
incident while the total for reported in 2015 for CryptoWALL 3.0 is estimated to
$325Million in damages. On the bright side, if there is one, according to the recent
survey, the majority of attacks are dropped after 60 hours if there is no breach. In
addition numbers of total breaches (reported) reached 781for US with more than
169,000,000 records exposed for 2015. Another worrisome cost is associated with
Spearphishing, with an average of $1.6Million per incident and representing 38
percent of all cyber-attacks. Other reports shows as much as $3.7 Million per
Phishing incident with half of it due to productivity loss.
Another aspect of breach-related costs is insurance claims for 2015. As pointed
before enterprises cannot transfer entirely the risk to insurance companies,
instead they still have to prove paying due care and due diligence. Although
many companies strive to enhance their security posture by following regulation
and best industry practices such as NIST, PCI-DSS, and ISO they also purchase
cyber insurance. It’s important to note that cyber insurers will not cover the entire
extent of the damage such in the case of Home Depot were they had a
coverage policy good for $100Million while total losses were more than double.
The key aspect is that while cost of breaches in US continues to
rise from $6.1Million (2012) to $6.5Million (2015) cyber insurers
are covering less respectively from $3.6 Million in 2012 to only
$670,000.
A recent report from Net Diligence surveyed in their study 160 claims related to
cyber-attacks. Below is the costliest mean payout breakdown per industry:
 Retail - 1,795,266
 Healthcare - $1,325,777
 Professional Services - $329,845
 Technology - $206,532
 Hospitality - $195,447
 Financial - $141,249
 Gaming & Casino - $87,275
 Restaurant - $75,744

29. Alex Deac
 Entertainment - $73,968
Records Compromised = 169,068,506
In 2015, we also observed the largest number of records compromised for any
one year in the last 10 years. Healthcare is not only dominating the landscape
with 112,832,082 records compromised (67 percent) but also holds the second
largest financial damages, as shown in the preceding section. Governmental
breaches also counted for 20 percent of total in 2015 with 34,222,763 records
followed by Business with 10 percent, respectively 16,191,017 records
compromised.
Figure 11: Total number of records compromised in US for 2015
All of this is perhaps even more staggering when viewed against the PwC global
study showing that organizations continue to increase their spending in
information security. In fact in US alone InfoSec budgets have grown at almost
double the rate of IT budgets between 2013 and 2015. Also cybersecurity
insurance is the fastest growing area for IT security budgets. However it is
important to highlight fine prints of these policies since no insurance company will

30. Alex Deac
cover losses due to negligence. Another worrisome aspect is that just over half of
the companies are hiring CSOs or CISOs while only 45 percent of organizations
have their Board of Directors involved in the Information Security.
Moreover the actual budget allocated to cybersecurity in 2015 was about $75Bn
globally, with an expected increase of less than 5 percent for 2016. Comparing
all reports that estimate cyber-attacks increasing by 15 to 40 percent in 2016 the
net increase of cybersecurity spending proves to be an uphill battle. In 2016 we’ll
continue to witness same slogan in many Boards of Directors – “We are not a
target” when in fact every single organization has its own trade secrets,
intellectual property (IP), and financial data that is attractive to hackers. The
correct approach should be “Security incidents are inevitable, we need to
prepare to detect, remove, and restore as quickly as possible”.
Even with the significant increase in IT security spending we saw a similar
approach across the board. Organizations belonging to different verticals
especially government and legal are increasing their budget toward IT security
appliances with SIEM solutions in the lead. In the same time they fail to clearly
identify the level of effort required to correctly deploy, integrate, configure,
maintain, and more than anything respond to alerts. Factoring in the equation
the severe shortage of cybersecurity professionals makes the situation even worst.
Furthermore, one of our internal studies revealed that SIEM solutions are becoming
more affordable but organizations fails to take in consideration all the costs
required to get the right people and build a Security Operations Center (SOC)
from scratch. Our estimates are that for every $100,000 spent on security
technologies another $800,000 to $1M are needed to fully operationalize the SOC
and begin to return value for the investment. And these are not one-time costs,
operating and maintaining a basic SOC requires annual costs upward of $1-1.5
million. In fact majority of organizations are not even considering SIEM, IPS/IDS,
DLP and other advanced technologies as part of continuous security monitoring,
instead they acquire them mainly for compliance.
The same report reveals that more than 80 percent of small to medium size
businesses (SMB) do not factor in the costs for a 24/7/365 security operation.
Alternately, many organizations that purchase SIEM solutions are unpleasantly
surprised by the amount of data that SIEM solutions are producing. Their in-house
resources are often overwhelmed by the number of security events, making it
impossible to identify actual security incidents among the millions of false
positives. As a result majority of SMBs end up shelving those platforms while their
security posture remain highly vulnerable.

31. Alex Deac
Cybercrime-as-a-service
In 2016 we expect this type of for-hire services to flourish. In fact not only the scale
of the underground market on Dark Web it’s worrisome, rather the diversification
of them. We predict that criminal groups will expand their services in multiple types
of attack vector especially in DDoS, Spearphishing, and Ransomware. It is crucial
to highlight that 2016 will be dominated by identity theft and banking fraud. While
stolen credit cards value only $4 per piece on the underground market, an
individual’s date of birth (DOB) is sold for about $11. Moreover a combination of
credit card number, SSN, and DOB belonging to same individual commends $30.
– more and more attacks will be launched by hiring
professional hackers to execute them. While in 2015 we’ve continued to observe
disgruntled employees and customers reaching out to underground market to
retaliate, this year we expect companies to hire “professionals” to take down
competitors’ websites and e-commerce portals. ‘DDoS for Bitcoin’ aka DD4BC
group is the most notable example that uses DDoS attacks for extortion. Luckily
Europol in collaboration with authorities in Bosnia and Herzegovina, Germany,
France, Japan, Romania, Switzerland, UK and US dismantled the group in a recent
operation. We expect more groups to launch similar for-hire DDoS campaigns.
In addition DDoS attacks are expected to employ “multi-vector” technique which
targets simultaneously infrastructure, applications, and services that could lead to
catastrophic losses. The size of attacks will also grow to an average of 150-400
Gbps, and expected by 2018 to reach 1Tbps. Another trend is to use smaller scale
DDoS to cover other attack vectors such as APT and banking Trojans.
FORECAST 1 - Reflective DDoS or DRDoS using common
Internet protocols such as NTP, DNS and DNSSEC will also be
largely employed by cyber crooks. Finally the length of those
attacks will increase from an average of half a day in 2015 to up
to 10 days for 2016.
– The last 5 years showed an ascendant trend in using
ransomware as part of cyber-extortion. 2016 will mark new heights in
development of ransomware. Windows will continue to be the most targeted
platform followed by Android due to their extensive market penetration.
Moreover Mabouia marked the first serious threat against Apple OSX. An

32. Alex Deac
increasing trend will be using ransomware against IoT especially against smart TVs
which became the norm. We additionally expect to see the first waves of
ransomware targeting networked medical devices such as insulin dispensers,
pacemakers and more.
While ransomware targets both individual home-users and corporations, 2016 will
mark an explosion of using this vector against corporations. As noted in a recent
report the damages due to CryptoWALL 3.0 surpassed $300 million in 2015 with
enterprise-specific ransomware constituting a very attractive target. Even tough
industry best practices and other resources advices for up-to-date backups this
avenue is not a very effective measure against ransomware.
FORECAST 2 - development of next generation of enterprise-
grade crypto-lockers capable of taking down large organizations’
networks
– underground cybercrime markets will offer customized
campaigns against potential victims. Enterprises are largely exposed this attack
vector. Sophisticated Spearphishing schemes can also lead to largest financial
and reputational damages. In contrast with financial industry that has additional
mechanisms in place to prevent this (e.g. Separation of Duties, security awareness
training) retail and others are more vulnerable due to the lack of effective
countermeasures. Considering the facts that 90 - 95% of all successful cyber-
attacks start with a phishing email. Even worst an estimate of 156 million emails
are sent each day, with16 million make it through the mail gateways, and 800,000
of them are opened and phishing links are clicked. But wait, it gets worst out of
the total about 80,000 share toxic information.
This attack vector remains the most favorite among criminals due to relatively low
level of technical effort and also as one of the most effective in tricking victims. In
fact there are many ways of compromising computers via Spearphishing. The
most common are embedding malicious URLs within the body of the message
and attachments containing malware. A novel strategy is embedding malicious
URL links within the attachment which easily bypass endpoint security and anti-
malware engines. Spearphishing continues to be the tool-of-choice during the tax
season in US and is expected to play a major role in the 2016 presidential elections.

33. Alex Deac
Two notable Spearphishing attacks were already reported in 2016. The first one
was delivering the infamous BlackEnergy malware which resulted in taking
down the energy grid in Ukraine by threat actors believed to be in connection
with Russian cyber warfare aka Sandworm Team. The second was launched
against financial department of European aerospace manufacturer FACC. The
result of the attack was siphoning out €50 million in cash by unknown actors.
FORECAST 3 – 2016 will be a record year for successful
Spearphishing campaigns. Cybercrime, nation-state sponsored
operations, APT groups, and terrorism will employ this highly
effective strategy.
Industries Targeted
Obviously 2016 will still be a year of major breaches. Many will go undetected due
to the lack of continuous monitoring, defense-in-depth strategy, and executive
team’s support. Healthcare, Financial, and Retail will be hit by Spearphishing,
Banking Trojans, and PoS malware. In the same time e-commerce will be targeted
by DDoS and DRDoS attacks, as well as web application attacks. To make the
matter worst insider attacks due to negligence, lack of awareness, and
disgruntled employees will contribute to significant reputational, legal, and
financial loses.
- The American Bar Association (ABA) stated that law firms
are major targets for cybercrime. The fact that lawyers hold immensely valuable
data such as Intellectual Property (IP), Mergers and Acquisitions (M&A) insider
information, and Personally Identifiable Information (PII) turns them into moving
targets. Due to the lack of minimum cyber hygiene lawyers, paralegals, and other
related personnel were extremely vulnerable to Cybercrime-as-a-service. Each
and every computer compromised by one or more of the tools reviewed in this
report will yield a goldmine to cybercrime rings.
While a substantial part of lawyers firms are taking some measures to safeguard
these sensitive information, still more work needs to get done. Also the lack of
direct regulation doesn’t contribute to significant improvements in the security
real. In fact most of those organizations that have started an information security
program were actually pushed by their major clients. Legal departments of large
banks leveraged their worries in requiring their law firms to enhance security and
even fall in to compliance with NIST and ISO standards.

34. Alex Deac
One of the most vulnerable facet in the law firms’ security are emails. Lawyers and
support staff are transiting an enormous volume of sensitive information many
times through their personal email accounts. As happened so many times before
email accounts provided for free-of-charge have little or no security at all. To
counter cyber threats against emails each law firm should implement a sound
information security policy and in the same time to enforce usage of corporate
email system. In addition emails containing sensitive information should be
encrypted. Lastly archived emails should be encrypted at rest to prevent any
potential leakage.
FORECAST 4 – we consider that mid-sized law firms that
employ 50 – 150 attorneys will primarily be targeted by cyber-
attacks to gain unauthorized access to Intellectual Property and
trade secrets.
– While DHS rolls in under this term 16 different
categories we would like to point out significant threats against utilities, especially
energy sector, gas and oil industry, and water and wastewater treatment.
Although breaches against these sectors don’t get the same high-profiling in the
media Kinetic Cyber-attacks can have catastrophic impact not only in
interrupting delivery but also yielding physical destruction and human casualties.
ICS-CERT publishes periodically the number of incidents against SCADA/ICS
organizations and starting with 2010 we’ve seen an ascendant trend against
industrial facilities. There is no coincidence that Stuxnet (2010) was the first
malware designed to attack ICS respectively Iranian nuclear centrifuges which
resulted in physical destruction. While 2010 marked less than 50 attacks, next year
surpassed 200 and stayed in to the upper 200s. It is crucial to note that many
incidents goes undetected due to the lack of continuous monitoring or are just
plainly not reported. While drills such as GridEx – organized by Department of
Energy every 2 years – are definitely helpful, still many energy providers elect to
not participate.
In contrast with Internet-based traffic where a plethora of vendors compete to
sell their security appliances very few adventure in to designing firewalls and other
countermeasures capable of protecting ICS/SCADA systems. To make the
situation worse just a handful of managed security providers have the ability to
monitor and respond to incidents related to industrial controls. Moreover

35. Alex Deac
weaponized malware such as Stuxnet, Duqu, Flame, Gauss, and most recent
Black Energy are capable of avoiding signature-based endpoint security.
FORECAST 5 – increased attacks against Industrial Control
Systems including Denial of Service and cyber kinetic
(SMB) – Many reports shows an increasing
trend of attacks on large organizations and also against merger and acquisitions
(M&A). While big breaches will continue to make the news headlines especially
for retail and financial industry, SMBs intrusions will go largely unreported. Criminals
takes advantage on M&A between large organizations especially when
integrating the two networks architecture. As expected the goal is financial fraud
and Intellectual Property theft. In contrast we label many SMB providing third-
party services are “low-hanging fruits” since many high profile security breaches
such in the case of Target were due to infiltrating their HVAC provider.
Moreover SMBs gets a lot less attention. While is somehow expected that cyber
criminals to go after those big retailers and banks few of the small and medium
sized enterprises consider themselves a target. However threat actors will focus
their efforts in 2016 more and more on SMBs due to their lower priority assigned to
cyber security. More often than large organization SMBs fails to determine the
cyber risk of their business. Not only SMBs are not developing a formal information
security policy and lack proper IT security budgeting and staffing, but also fail to
have a basic cyber awareness program.
We believe that SMBs from legal, financial, retail industries, and services will be the
most targeted by cyber-attacks in 2016. For this year we estimate that
organizations with approximately 150 to 1,200 employees are the most vulnerable
to Ransomware, Banking Trojans, Phishing, and DDoS attacks. Despite the fact
that Managed Security Services Providers (MSSP) are making training SMB
personnel against Spearphishing a relatively inexpensive proposition few
companies actually hires experts from outside.
Additionally MSSPs of various sizes are competing to offer a much more attractive
security posture than the one developed in house but still SMBs are hesitant in
outsourcing their defense. Sadly many enterprises in this category don’t perceive
the real extent of the damages in case of a breach. In contrast with larger
organizations that have a failsafe ensured by cyber insurance and significant
contingency funds SMBs could easily face extinction after an APT attack that

36. Alex Deac
exfiltrates their intellectual property and trade secrets or a DDoS that leaves their
clients without access to services.
FORECAST 6 – cyber-attacks against SMBs will register more
than 30 percent increase over 2015. Retail and Financial
Organizations will be the most targeted
Conclusions
Most of today’s organizations handle a massive amount of PII, financial
information, and intellectual property. If these companies were to rely solely on
the traditional approach of security based on anti-virus solutions and perimeter
firewalls, their data could quickly be exfiltrated. Moreover, APT, zero-day
vulnerabilities, and polymorphic malware - or one without available signature -
threats cannot be stopped by a static network defense.
Contrary of what other names in the industry claim, CSM services are not just a
collection of security platforms and technologies, instead TruShield believe it
requires a holistic approach. Our team emphasizes its human capabilities in
delivering CSM services including IDS/IPS Management, Next-gen Firewall
Management, Endpoint Security Management, Mail Gateway and Internet
Gateway Management, Managed Multi-Factor Authentication, Patch
Management, Vulnerability Management, and many other managed security
services.
TruShield’s unique approach in mitigating cyber threats goes well beyond the
majority of Managed Security Service Providers. Our organization combines state-
of-the-art Cyber Threat Intelligence and Continuous Security Monitoring with
Defense-in-Depth and Zero-Trust network architecture. Offered as a complete
solution or tailored one, TruShield’s adaptive security offering is one of the most
effective approaches that allows our clients to consequently block and deter
botnets, APTs, DDOS, Zero-days, fileless malware, and malicious insider threats.
We rely on a mixture of cutting edge technologies, most up-to-date cyber threat
intelligence (CTI), and super human analysis when determining criticality of each
and every single event. We ensure the most recent Common Vulnerabilities and
Exposures (CVE) reported by National Vulnerability Database (NVD) are
integrated within our tier-2 and tier-3 investigations so we can determine an
imminent cyber-attack before data exfiltration occurs.

37. Alex Deac
References
https://www.symantec.com/security_response/writeup.jsp?docid=2015-010823-3741-99&tabid=2
https://www.akamai.com/us/en/about/news/press/2015-press/xor-ddos-botnet-attacking-linux-machines.jsp
https://www.f-secure.com/v-descs/backdoor_w32_havex.shtml
http://www.securityweek.com/magento-flaw-exploited-wild-within-24-hours-after-disclosure
http://www.eset.com/int/about/press/articles/malware/article/linux-and-bsd-web-servers-at-risk-of-sophisticated-
mumblehard-infection-says-eset/
http://www.interpol.int/en/News-and-media/News/2015/N2015-038
http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-in-taiwan-uses-infamous-gh0st-rat/
https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/
http://www.volexity.com/blog/?p=158
https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf
https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/
https://www2.fireeye.com/WEB-2015RPTAPT17.html
https://apt.securelist.com/#firstPage
http://www.securityweek.com/glassrat-malware-stayed-under-radar-years-rsa
http://www.arbornetworks.com/images/documents/WISR2016_EN_Web.pdf
http://www.telegraph.co.uk/finance/newsbysector/industry/12122323/Mapped-The-worlds-most-corrupt-countries.html
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-north-american-
underground.pdf
http://www.coindesk.com/individuals-tied-to-bitcoin-ddos-group-dd4bc-captured-in-europe/
http://cybersecurityventures.com/cybersecurity-market-report/
http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
http://www.agcs.allianz.com/assets/PDFs/risk%20bulletins/CyberRiskGuide.pdf
http://www8.hp.com/us/en/software-solutions/ponemon-cyber-security-report/
https://ics-cert.us-cert.gov/sites/default/files/documents/ICS-
CERT%20Incident%20Response%20Summary%20Report%20(2009-2011)_S508C.pdf
http://digitalforensicsmagazine.com/blogs/?p=1005&utm_source=hs_email&utm_medium
http://info.surfwatchlabs.com/law-firms-hunted-by-cybercriminals
http://info.wombatsecurity.com/hubfs/Ponemon_Institute_Cost_of_Phishing.pdf
http://www.facc.com/en/News/News-Press/EANS-Adhoc-FACC-AG-UPDATE-FACC-AG-Cyber-Fraud
https://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-
documents/
https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-
espionage/
http://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-part-2-tools-and-malware-used-and-how-
to-detect-them/
http://www.threatgeek.com/2015/10/cyber-crime-eastern-europe-and-russia-continue-to-refine-operations.html
http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf
http://www.threatgeek.com/2015/09/taming-the-tiger-domestic-and-foreign-policy-complexities-in-curbing-chinas-cyber-
espionage-campaign.html
http://www.countertack.com/ponemon-rise-of-nation-state-attacks-report
http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf
http://www.csoonline.com/article/3028787/cyber-attacks-espionage/survey-average-successful-hack-nets-less-than-15-
000.html
http://blog.cloudmark.com/2016/01/13/survey-spear-phishing-a-top-security-concern-to-enterprises/
http://www.netdiligence.com/downloads/NetDiligence_2015_Cyber_Claims_Study_093015.pdf
http://cybercampaigns.net/
http://www.mcafee.com/es/resources/misc/infographic-phishing-quiz.pdf