the subversion of systems, with larger coordinated attacks being executed across fairly broad swaths of the Internet. MonCIRT participated in the information-sharing campaign, raising awareness of the event and hosting a copy of the advice and links to the clean-up tools. Additionally, we received and processed the sinkhole data, which we then distributed to Internet Service Providers (ISPs) to allow them to assist their customers who had been infected. For commercial organisations, the impact of ransomware should not be underestimated. User education about cyber risks, along with robust security controls and a proven incident management capability, will help businesses to minimise the risk from, and impact of, crimeware like Gameover ZeuS and Cryptolocker.
2.3. Incident trends
In 2014 we were a major reporting centre for incidents and vulnerabilities in the private sector, and established MonCIRT's reputation for discretion and objectivity among business organisations and the general public. Through the connection to the NDC's monitoring system, the IPS and the Tsubame system, and through the sharing of attack data, we were able to obtain a broad view of incident and vulnerability trends and characteristics.

MonCIRT, in conjunction with law enforcement, performed extensive analysis of the control system and of historical trending data around the four dates provided by the asset owner. The team was unable to conclusively determine whether the suspected employee had unauthorized access on the date of the overflow, or whether that access resulted in the basin overflowing. The factors that significantly contributed to the inconclusive findings included:
• Each host did not record logon events
• Typically, only one username was used throughout the network
• A lack of network monitoring systems in place to verify the alleged activity
• Logging was not enabled or was irrelevant for any of the remote access tools seen on the hosts (pcAnywhere, RealVNC, NetVanta VPN client, Windows Remote Desktop)
• Operating system records were eliminated due to the age of the reported access event.
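The first two factors above are what make an access investigation answerable or not: per-host logon records, and accounts that name a person rather than a shared role. The following is an added example, not code from the MonCIRT report or the asset owner's environment, showing how an investigator would correlate remote-access logon events around a suspected date and why a single shared username (here the constructed account "operator") cannot be attributed to an individual. All log lines, host names, account names and addresses are constructed sample data.

```python
"""Correlate remote-access logon events around a suspected incident date.

Added example (not from the MonCIRT report). Shows how per-host logon
records with distinct user accounts let an investigator answer "who was on
this host at this time", and why a shared username cannot. The sample
records below are constructed: timestamp, host, account, source address,
remote-access tool.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time host user source tool")

# Constructed sample logon records (hypothetical hosts and addresses).
SAMPLE_LOG = """\
2014-03-02T01:12:44 hmi-01 operator 10.0.5.23 RealVNC
2014-03-02T02:40:10 hmi-01 operator 198.51.100.7 pcAnywhere
2014-03-02T03:05:51 scada-srv operator 10.0.5.23 RemoteDesktop
2014-03-05T22:47:03 hmi-01 jsmith 203.0.113.9 NetVantaVPN
2014-03-05T23:02:19 hmi-01 jsmith 203.0.113.9 RemoteDesktop
2014-03-08T10:15:00 hmi-01 operator 10.0.5.40 RealVNC
"""

# Accounts known to be shared by several people (constructed). A logon under
# one of these identifies a credential, not a person.
SHARED_ACCOUNTS = {"operator"}


def parse_events(text):
    """Parse whitespace-separated logon lines into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, source, tool = line.split()
        events.append(Event(datetime.fromisoformat(ts), host, user, source, tool))
    return events


def accesses_near(events, host, when_iso, window_hours=24):
    """Return events on `host` within +/- window_hours of `when_iso`, oldest first."""
    when = datetime.fromisoformat(when_iso)
    delta = timedelta(hours=window_hours)
    hits = [e for e in events if e.host == host and abs(e.time - when) <= delta]
    return sorted(hits, key=lambda e: e.time)


def attribute(events, host, when_iso, window_hours=24, shared=SHARED_ACCOUNTS):
    """Decide whether the accesses around `when_iso` point to one identifiable person.

    Returns (conclusive, actors): actors is the sorted list of distinct
    (user, source) pairs seen. The finding is conclusive only when exactly
    one actor is present and that account is not a shared one.
    """
    hits = accesses_near(events, host, when_iso, window_hours)
    actors = sorted({(e.user, e.source) for e in hits})
    conclusive = len(actors) == 1 and actors[0][0] not in shared
    return conclusive, actors


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for when in ("2014-03-02T02:00:00", "2014-03-05T23:00:00", "2014-03-08T10:00:00"):
        ok, who = attribute(evs, "hmi-01", when)
        print(when, "conclusive" if ok else "inconclusive", who)
```

Run against the constructed records, the 2 March window shows the shared "operator" account from two different sources and the 8 March window shows it from one source; neither can be attributed to a person. Only the 5 March window, where a named account logged on from a single source, yields a conclusive answer.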
In 2014 we handled the incidents shown in Figure 1.

TYPE OF INCIDENT                                NUMBER  PERCENTAGE
Abusive content                                     26        13.6
   Spam                                             21        11.1
   Harassment                                        1         0.5
   Child sexual violence                             1         0.5
   Unclassified                                      3         1.5
Malicious code                                      51        26.7
   Virus                                             5         2.5
   Worm                                              3         1.5
   Trojan                                           32        16.7
   Spyware                                           1         0.5
   Dialer                                            -           -
   Unclassified                                     10         5.5
Information gathering                                7         3.5
   Scanning                                          5         2.5
   Sniffing                                          -           -
   Social engineering                                1         0.5
   Unclassified                                      1         0.5
Intrusion attempts                                   3         1.5
   Exploiting of known vulnerabilities               1         0.5
   Login attempts                                    1         0.5
   Exploiting of unknown vulnerabilities             -           -
   Unclassified                                      1         0.5
Intrusions                                           5         2.5
   Privileged account compromise                     2         1.0
   Unprivileged account compromise                   3         1.5
   Application compromise                            -           -
   Unclassified                                      -           -
Availability                                        12         6.2
   Denial-of-service attack (DoS)                    4         2.0
   Distributed denial-of-service attack (DDoS)       7         3.7
   Sabotage                                          -           -
   Unclassified                                      1         0.5
Information integrity                                7         3.5
   Unauthorized access to information                5         2.5
   Unauthorized modification of information          1         0.5
   Unclassified                                      1         0.5
Fraud                                               82        42.5
   Unauthorized use of resources                     3         1.5
   Copyright infringement                            5         2.5
   Identity theft                                   65        33.9
   Unclassified                                      9         4.6
In May a new version of a malicious mobile application appeared. Criminals displayed to the victim a message informing her that she should install an "E-Security" certificate on her smartphone in order to improve the security of her bank transactions. When the installation finished, the phone was infected with malware, which gave the criminals the ability to send fake text messages. When the E-Security scenario ceased to be effective, the criminals invented a new scheme with a fake antivirus program which allegedly would prevent cases similar to E-Security; once again it took control of the victim's phone. The malware VBKlip proved to be unique and brilliant in its simplicity: every time a user copied a bank account number, the malicious application replaced it with another one provided by the criminals. The application was very effective and difficult to detect. Despite the significantly lower number of incidents connected to these scenarios, they are much more dangerous than classic phishing cases and affect larger groups of people.
For many of these incidents it was found that attackers gained access to the server generally in one of two ways:
1. Weak passwords on administrator accounts
2. Unpatched software, including website plugins
Defending against either of these is simple and straightforward: use strong and unique passwords for administrator accounts and ensure that all software is kept patched and up-to-date, including any plugins that may be used, e.g. WordPress plugins.
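Both access paths can be audited routinely rather than discovered after the fact. The following is an added example, not code from the MonCIRT report or from any site it handled, showing a small audit of administrator password quality and uniqueness alongside a plugin version comparison. The policy thresholds, the common-password blocklist, the account list and the plugin names and versions are all constructed for illustration; in practice the inventory comes from the site's own plugin list and the "latest known version" table from the vendor's release information.

```python
"""Audit the two access paths named above: weak or reused administrator
passwords, and out-of-date software such as website plugins.

Added example, not from the MonCIRT report. All account, password and
plugin data below is constructed sample input.
"""
import re

MIN_LENGTH = 14  # constructed policy threshold

# Constructed blocklist of the kind of passwords found in brute-force wordlists.
COMMON_PASSWORDS = {"password", "admin", "admin123", "123456", "qwerty",
                    "letmein", "welcome1"}

# Constructed administrator accounts (plaintext only because this is an audit
# of candidate passwords, not a credential store).
ACCOUNTS = {
    "admin": "admin123",
    "editor": "Tr0ub4dor&3-xyzq",
    "backup": "Tr0ub4dor&3-xyzq",   # same password as "editor": reuse
    "ops": "c7#Rk2!vLq9$wZp4m",
}

# Constructed plugin inventory and hypothetical latest-release table.
INSTALLED_PLUGINS = {"contact-form-x": "4.1", "seo-helper": "2.3.5", "gallery-lite": "1.0.9"}
LATEST_KNOWN = {"contact-form-x": "4.1.2", "seo-helper": "2.3.5", "gallery-lite": "1.2.0"}


def password_issues(password, username="admin", min_length=MIN_LENGTH):
    """Return a list of policy violations for one password (empty if none)."""
    issues = []
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("appears in common-password list")
    if username and username.lower() in password.lower():
        issues.append("contains the account name")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        issues.append("uses fewer than three character classes")
    return issues


def reused_passwords(accounts):
    """Return groups of account names that share the same password."""
    by_password = {}
    for name, password in accounts.items():
        by_password.setdefault(password, []).append(name)
    return sorted(sorted(names) for names in by_password.values() if len(names) > 1)


def parse_version(version):
    """Turn '4.1.2' into (4, 1, 2) so versions compare numerically, not as text."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def outdated_plugins(installed, latest):
    """Return (name, installed, latest) for every plugin behind its latest known release."""
    return [(name, ver, latest[name]) for name, ver in installed.items()
            if name in latest and parse_version(ver) < parse_version(latest[name])]


def audit(accounts, installed, latest):
    """Combine the three checks into one findings report."""
    return {
        "weak_passwords": {name: password_issues(pw, name)
                           for name, pw in accounts.items() if password_issues(pw, name)},
        "reused_passwords": reused_passwords(accounts),
        "outdated_plugins": outdated_plugins(installed, latest),
    }


if __name__ == "__main__":
    for key, finding in audit(ACCOUNTS, INSTALLED_PLUGINS, LATEST_KNOWN).items():
        print(f"{key}: {finding}")
```

Note that version strings are compared as integer tuples: a text comparison would rank "4.1" above "4.1.2" and miss the outdated plugin, which is exactly the kind of gap that leaves a known-vulnerable plugin in place.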
2.4. New services
2.4.1. New bilingual web site in English and Mongolian