
the subversion of systems, with larger coordinated attacks being executed across fairly broad swaths of the Internet. MonCIRT participated in the information-sharing campaign, raising awareness of the event and hosting a copy of the advice and links to the clean-up tools. Additionally, we received and processed the sinkhole data, which we then distributed to Internet Service Providers (ISPs) so that they could assist those of their customers who had been infected. For commercial organisations, the impact of ransomware cannot be overstated. User education about cyber risks, together with robust security controls and a proven incident management capability, will help businesses minimise both the likelihood and the impact of crimeware such as Gameover ZeuS and CryptoLocker.
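Distributing sinkhole data to ISPs means splitting a feed of infected-host connections by the network each source address belongs to, and sending each provider only its own addresses. The following is an added example of that processing step, not code from the report; the sinkhole records and the prefix-to-ISP table are constructed for the example (addresses are taken from documentation ranges), and in practice the prefix table would be built from RIR or BGP data.

```python
"""Splitting sinkhole data per ISP for victim notification.

Added example, not code from the MonCIRT report. The sinkhole records and
the prefix-to-ISP table below are constructed (IPs are RFC 5737
documentation ranges); a real feed would come from the sinkhole operator
and the prefix table from RIR/BGP data.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sinkhole feed: one line per connection from an infected host
# to the sinkhole, as a CSV export would look.
SINKHOLE_HITS = """\
ts,src_ip,family
2014-06-02T10:14:05Z,203.0.113.17,gameover_zeus
2014-06-02T10:15:51Z,203.0.113.44,gameover_zeus
2014-06-02T10:20:09Z,198.51.100.8,cryptolocker
2014-06-02T10:21:33Z,192.0.2.200,gameover_zeus
2014-06-02T10:30:00Z,203.0.113.17,gameover_zeus
"""

# Constructed prefix table (assumption: in practice built from RIR/ASN data).
ISP_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "ISP-A",
    ipaddress.ip_network("198.51.100.0/24"): "ISP-B",
}


def isp_for(ip: str) -> str:
    """Longest-prefix match of an address against the ISP table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, name in ISP_PREFIXES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else "UNKNOWN"


def split_by_isp(feed: str) -> dict:
    """Aggregate hits per ISP, one entry per infected IP.

    Each ISP receives only its own addresses (data minimisation), with
    first/last seen, hit count and malware family so it can triage.
    """
    per_isp = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(feed)):
        isp = isp_for(row["src_ip"])
        entry = per_isp[isp].setdefault(
            row["src_ip"],
            {"family": row["family"], "first_seen": row["ts"],
             "last_seen": row["ts"], "hits": 0},
        )
        entry["hits"] += 1
        # ISO-8601 timestamps of equal layout compare correctly as strings.
        entry["first_seen"] = min(entry["first_seen"], row["ts"])
        entry["last_seen"] = max(entry["last_seen"], row["ts"])
    return dict(per_isp)


def notification_lines(report: dict) -> dict:
    """Render one plain-text notification per ISP containing only its hosts."""
    out = {}
    for isp, hosts in sorted(report.items()):
        lines = [f"Sinkhole hits for {isp}: {len(hosts)} infected address(es)"]
        for ip, e in sorted(hosts.items()):
            lines.append(f"  {ip}  {e['family']}  hits={e['hits']}  "
                         f"first={e['first_seen']}  last={e['last_seen']}")
        out[isp] = "\n".join(lines)
    return out


if __name__ == "__main__":
    for text in notification_lines(split_by_isp(SINKHOLE_HITS)).values():
        print(text)
```

Addresses that match no known prefix end up under UNKNOWN; in practice those need a manual look-up rather than being dropped, since an unnotified victim stays infected.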

2.3. Incident trends

In 2014 we were a major reporting centre for incidents and vulnerabilities in the private sector, and MonCIRT established a reputation for discretion and objectivity among business organisations and the general public. Through our connection to the NDC's monitoring system, IPS and the Tsubame system, and through the sharing of attack data, we were able to obtain a broad view of incident and vulnerability trends and characteristics.

MonCIRT, in conjunction with law enforcement, performed extensive analysis of the control system and of historical trending data around the four dates provided by the asset owner. The team was unable to conclusively determine whether the suspected employee had unauthorised access on the date of the overflow, or whether that access caused the basin to overflow. The factors that contributed significantly to the inconclusive findings included:
• the hosts did not record logon events;
• typically, only one username was used throughout the network;
• no network monitoring systems were in place to verify the alleged activity;
• logging was not enabled, or was irrelevant, for the remote access tools seen on the hosts (pcAnywhere, RealVNC, NetVanta VPN client, Windows Remote Desktop);
• operating system records were no longer available because of the age of the reported access event.

The incidents handled in 2014 are shown in Figure 1.
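The factors listed above are what makes an after-the-fact attribution fail. The Python below is an added example, not part of the report, of what such an analysis can and cannot recover from host logs: it takes constructed Windows Security event 4624 (successful logon) records, selects the remote logons around reported incident times, and summarises them. Host names, dates, addresses and the CSV layout are assumptions made for the example; with a single shared account the result is a list of sessions by source address and time, never a person.

```python
"""Correlating remote-access logons with reported incident dates.

Added example, not code from the MonCIRT report. The records below are
constructed Windows Security event 4624 (successful logon) entries in a
CSV layout an export tool might produce; field names, host names, dates
and addresses are assumptions made for the example.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# 4624 logon types that indicate remote access. VNC and pcAnywhere attach to
# the existing console session and produce no distinct 4624 event at all,
# which is why OS logs are irrelevant for those tools unless the tool itself
# logs connections.
REMOTE_LOGON_TYPES = {3: "Network", 10: "RemoteInteractive (RDP)"}

# Constructed sample export (not real data).
SAMPLE_4624 = """\
time,host,user,logon_type,src_ip
2014-03-02T21:50:00,HMI-01,operator,10,203.0.113.7
2014-03-02T22:05:00,HMI-01,operator,10,203.0.113.7
2014-03-03T08:10:00,HMI-02,operator,2,-
2014-03-10T23:40:00,SCADA-SRV,operator,10,198.51.100.23
2014-03-11T00:02:00,HMI-01,operator,3,198.51.100.23
2014-04-01T09:00:00,HMI-02,operator,2,-
"""


def parse_events(text: str) -> list:
    """Parse the CSV export into dicts with a datetime and integer logon type."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.fromisoformat(row["time"]),
            "host": row["host"],
            "user": row["user"],
            "logon_type": int(row["logon_type"]),
            "src_ip": row["src_ip"],
        })
    return events


def remote_logons_near(events, incident_times, window=timedelta(hours=2)):
    """Return remote logons within +/- window of any reported incident time.

    incident_times may be datetimes or ISO-8601 strings.
    """
    times = [datetime.fromisoformat(t) if isinstance(t, str) else t
             for t in incident_times]
    hits = [ev for ev in events
            if ev["logon_type"] in REMOTE_LOGON_TYPES
            and any(abs(ev["time"] - t) <= window for t in times)]
    return sorted(hits, key=lambda e: e["time"])


def attribution_summary(hits) -> dict:
    """Summarise what the selected logons can and cannot attribute.

    With a single shared account the logs yield a source address and a time
    per session but cannot distinguish one person from another.
    """
    users = Counter(e["user"] for e in hits)
    sources = Counter(e["src_ip"] for e in hits)
    return {
        "sessions": len(hits),
        "distinct_users": len(users),
        "sources": dict(sources),
        "per_account_distinction": len(users) > 1,
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_4624)
    near = remote_logons_near(evs, ["2014-03-02T22:30:00", "2014-03-11T00:30:00"])
    for e in near:
        print(e["time"], e["host"], e["user"],
              REMOTE_LOGON_TYPES[e["logon_type"]], e["src_ip"])
    print(attribution_summary(near))
```

The per_account_distinction flag is the honest output of this analysis: when every session is under one shared account it is False, and no amount of log correlation will turn a source address into a named employee.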
Figure 1. Incidents handled in 2014, by type

TYPE OF INCIDENT                                NUMBER   PERCENTAGE
Abusive content                                     26         13.6
    Spam                                            21         11.1
    Harassment                                       1          0.5
    Child sexual violence                            1          0.5
    Unclassified                                     3          1.5
Malicious code                                      51         26.7
    Virus                                            5          2.5
    Worm                                             3          1.5
    Trojan                                          32         16.7
    Spyware                                          1          0.5
    Dialer
    Unclassified                                    10          5.5
Information gathering                                7          3.5
    Scanning                                         5          2.5
    Sniffing
    Social engineering                               1          0.5
    Unclassified                                     1          0.5
Intrusion attempts                                   3          1.5
    Exploiting of known vulnerabilities              1          0.5
    Login attempts                                   1          0.5
    Exploiting of unknown vulnerabilities
    Unclassified                                     1          0.5
Intrusions                                           5          2.5
    Privileged account compromise                    2          1.0
    Unprivileged account compromise                  3          1.5
    Application compromise
    Unclassified
Availability                                        12          6.2
    Denial-of-service attack (DoS)                   4          2.0
    Distributed denial-of-service attack (DDoS)      7          3.7
    Sabotage
    Unclassified                                     1          0.5
Information integrity                                7          3.5
    Unauthorized access to information               5          2.5
    Unauthorized modification of information         1          0.5
    Unclassified                                     1          0.5
Fraud                                               82         42.5
    Unauthorized use of resources                    3          1.5
    Copyright infringement                           5          2.5
    Identity theft                                  65         33.9
    Unclassified                                     9          4.6

In May a new version of malicious mobile software appeared. Criminals displayed to the victim a message telling her to install an "E-Security" certificate on her smartphone in order to improve the security of bank transactions. Once the installation finished, the phone was infected with malware that gave the criminals the ability to send fake text messages. When the E-Security scenario stopped being effective, the criminals invented a new scheme with a fake antivirus program that was allegedly meant to prevent cases similar to E-Security; once again it took control of the victim's phone. The VBKlip malware proved to be unique and brilliant in its simplicity: every time a user copied a bank account number, the malicious application replaced it with another number provided by the criminals. The application was very effective and difficult to detect.
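The swap is hard to detect because the substituted number is itself a valid account number, so a format or checksum check on the pasted value passes. The following Python is an added example, not code from the report or from the malware, modelling the technique with an in-memory clipboard so that it runs offline: a hook replaces any account number at copy time, the IBAN mod-97 check accepts the attacker's number just as it accepts the intended one, and only a comparison of what was copied against what was pasted catches the substitution. The IBAN format is an assumption; the two account numbers are published documentation examples, not real accounts.

```python
"""Clipboard swapping in the style of VBKlip, and why a checksum does not catch it.

Added example, not code from the MonCIRT report or from the malware. The
clipboard is simulated in memory so this runs offline; account numbers are
assumed to be IBANs, and the two numbers used are published documentation
examples, not real accounts.
"""
import re

# Matches an IBAN written with or without the usual 4-character grouping.
ACCOUNT_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")

VICTIM_INTENDED = "GB82 WEST 1234 5698 7654 32"   # documentation example IBAN
ATTACKER_ACCOUNT = "DE89 3704 0044 0532 0130 00"  # documentation example IBAN


def normalise(acct: str) -> str:
    return acct.replace(" ", "").upper()


def iban_checksum_ok(acct: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters A..Z to 10..35, and the resulting number must be 1 mod 97."""
    s = normalise(acct)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


class Clipboard:
    """Minimal clipboard model: hooks run on every copy, which is where a
    clipboard hijacker inserts itself."""

    def __init__(self):
        self._data = ""
        self.hooks = []

    def copy(self, text: str) -> None:
        for hook in self.hooks:
            text = hook(text)
        self._data = text

    def paste(self) -> str:
        return self._data


def swap_account_numbers(text: str) -> str:
    """The VBKlip-style payload: replace every account number in the copied
    text with the attacker's account and leave everything else untouched."""
    return ACCOUNT_RE.sub(ATTACKER_ACCOUNT, text)


def paste_matches_copy(copied: str, pasted: str) -> bool:
    """The check that does catch the swap: compare the account numbers the
    user copied (e.g. from the invoice on screen) with what was pasted."""
    a = [normalise(x) for x in ACCOUNT_RE.findall(copied)]
    b = [normalise(x) for x in ACCOUNT_RE.findall(pasted)]
    return a == b


def simulate_transfer(infected: bool) -> dict:
    """Copy the intended payee to the clipboard and paste it into the
    transfer form, with or without the hijacker hooked in."""
    clip = Clipboard()
    if infected:
        clip.hooks.append(swap_account_numbers)
    clip.copy(VICTIM_INTENDED)
    pasted = clip.paste()
    return {
        "pasted": pasted,
        "checksum_ok": iban_checksum_ok(pasted),  # True whether infected or not
        "swap_detected": not paste_matches_copy(VICTIM_INTENDED, pasted),
    }


if __name__ == "__main__":
    for infected in (False, True):
        print("infected" if infected else "clean", simulate_transfer(infected))
```

The practical lesson for a banking application is that validating the pasted number proves nothing about the user's intent; a confirmation step that shows the payee name resolved from the account, or an out-of-band confirmation of the full number, is what turns the swap into something the victim can notice.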
Despite the significantly lower number of incidents connected with these scenarios, they are much more dangerous than classic phishing cases and affect larger groups of people.

For many of these incidents it was found that attackers gained access to the server in one of two ways:
1. weak passwords on administrator accounts;
2. unpatched software, including website plugins.

Defending against either is simple and straightforward: use strong, unique passwords for administrator accounts, and ensure that all software is kept patched and up to date, including any plugins that may be used (e.g. WordPress plugins).

2.4. New services

2.4.1. New bilingual web site in English and Mongolian