
REPORT on Cyber Security Alerts processed by CERT-RO in 2014

Main findings and conclusions

The objective of this report is to analyze the cyber security alerts collected and processed by CERT-RO in 2014, in order to obtain an overview of the events relevant to the cyber security risk assessment of the IT infrastructures and electronic communications in Romania that fall within CERT-RO's competence.

During the reporting period, i.e. 01.01 - 31.12.2014, CERT-RO received notifications (alerts) as follows:

  • Total number of alerts processed: 78.769.993 (automatic: 78.767.749, manually collected alerts: 2.244)
  • Total number of unique IPs extracted from all alerts: 2.481.648

The total number of unique IPs allocated to organizations in Romania is 10.021.888, down from 13.5 million in 2013.

By cyber security alert, in the context of this document, we mean any signal containing an IP address or a URL (website) that concerns a possible cyber security incident or event involving, or potentially involving, systems belonging to legal or natural persons that are part of the national cyberspace.

Based on data collected, we identified the following:

  • 24% of all unique IP addresses allocated to the Romanian cyberspace (2.4 million) were involved in at least one cyber security alert processed by CERT-RO. In 2013, 16% (2.2 million) of the unique IPs assigned to the national cyberspace were involved in at least one cyber security alert.
  • 54% of the received alerts concerned improperly configured (misconfigured), insecure or vulnerable systems that expose various insecure services to the Internet and were used by attackers to conceal their identity and launch cyber attacks on other targets. In most cases these systems are not compromised; simply using them is enough (e.g. open DNS resolver, open SNMP, open NTP, etc.). This trend is visible in the growing number of alerts concerning business network equipment (routers, firewalls, etc.) or home-user devices (wireless routers, webcams, smart TVs, smartphones, etc.) compared with other operating systems, an increase highlighted in subsection 3.1.4.
  • 46% of the alerts concern systems in Romania that fell victim to attackers who managed to take over resources into botnet networks (zombies) by exploiting technical vulnerabilities and infecting systems with various types of malware. Botnets are the most important problem in the national cyberspace, because these compromised computers can be used to carry out cyber attacks on other targets, inside Romania or abroad.
  • 10.759 .ro domains were reported to CERT-RO as compromised during 2014, a 5% increase over 2013, when 10.239 domains were reported. Of the 710.000 domains registered in Romania in December 2013, this number represents about 1.5% of all .ro domains.

From the above findings, the following conclusions can be drawn:

  • cyber security threats to the national cyberspace continue to diversify;
  • most of the received alerts concern systems infected with various forms of malware that are part of different botnets, and computer systems that are improperly configured (misconfigured) or unsecured;
  • either of the two types of systems mentioned above can be used as a "proxy" for carrying out further attacks on targets outside the country, and thus represents a potential threat to other systems connected to the Internet;
  • network devices, household equipment (wireless routers) and devices that are part of the Internet of Things (IoT) (webcams, smart TVs, smartphones, printers, etc.), once connected to the Internet, are targeted by attackers, who exploit their vulnerabilities to gain access to the network in which they are used or to launch attacks on other targets on the Internet;
  • entities in Romania have been the target of complex targeted attacks known as APT (Advanced Persistent Threat), launched by groups that have the ability and motivation to persistently attack a target in order to obtain certain benefits (usually access to sensitive information);
  • Romania can no longer be considered merely a country that generates cyber security incidents; the analysis of the present data shows the intermediary / transit role of the systems connected to the national cyberspace.

Although technical limitations make it impossible to identify the exact number of devices or people behind the over 2.4 million IP addresses or the 78 million alerts reported to CERT-RO, it is important to remember that these cover about 24% of the national cyberspace (relative to the number of IPs assigned to RO), and therefore remedial measures are necessary, involving all entities with technical or legal responsibilities.

Types of alerts processed by CERT-RO

CERT-RO collects data regarding cyber security incidents, events or alerts from several sources, as follows:

  • Alerts collected and transmitted via automated systems (e.g. honeypots). These alerts are sent only by specialized organizations, such as CERTs or security companies, that operate cyber security incident detection systems. The number of such alerts is significantly higher than for the other types and can reach around 500,000 alerts per day.
  • Individual alerts, reported by various entities (individuals or legal persons from Romania and abroad). Alerts of this kind number about 5-10 per day;
  • Information collected by CERT-RO from various sources. This includes information gathered from public or restricted sources, such as specialized websites or security companies, about specific vulnerabilities, cyber security threats or incidents.

The nature of the reported alerts, as well as the quantity of data available for each category, requires a different approach in each case.

Alerts sent by automated systems require automatic processing. In this case, the received data amounts to lists of IPs detected as performing malicious or suspicious activity on the Internet, together with some extra details about that activity (timestamp, incident type, ports used, type of attack, etc.).

Most of these alerts are processed automatically by CERT-RO and sent to the ISPs that own the networks containing the system that triggered the alert. For this type of alert CERT-RO usually has no exact information about the real user behind the IP address, so the identification is left to the Internet service provider (ISP), which is also responsible for forwarding the alert to the actual customer.

Although this type of alert does not provide details about the target, it gives an overview of the types of cyber threats affecting Romanian cyber infrastructures. Individual alerts, as well as the information collected by CERT-RO itself, are far fewer in number, but the reported information about the incident is much more accurate and relevant (the affected organization, the source of the attack and the attack vector).

In most cases, the data is collected by CERT-RO's analysts from the affected entities when the incident is reported. Statistically speaking, these types of alerts are valuable because they better reflect the state of national cyber security.
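The automated pipeline described above (lists of IPs with timestamp, incident type and port, deduplicated, classified and forwarded to the ISP that owns the address) can be shown end to end in a few dozen lines. The following is an added example, not CERT-RO's own tooling: the CSV feed format, the prefix-to-ISP table, the ISP names and the incident type names are all assumptions, and the sample feed is constructed from RFC 5737 documentation addresses. It also computes the share of the allocated address space seen in at least one alert, which is how the report's 24% figure is derived from its own totals.

```python
"""Triage of an automated alert feed of the kind the report describes:
rows of (timestamp, IP, incident type, port) are deduplicated, classified
and grouped per ISP for forwarding.  Added example, not CERT-RO's tooling;
the feed format, the prefix table and the type names are assumptions."""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed feed. Addresses come from the RFC 5737 documentation ranges.
SAMPLE_FEED = """\
timestamp,ip,type,port
2014-03-02T10:15:00Z,192.0.2.10,open-resolver,53
2014-03-02T10:15:03Z,192.0.2.10,open-resolver,53
2014-03-02T10:16:11Z,192.0.2.77,botnet-drone,0
2014-03-02T10:17:40Z,198.51.100.5,open-ntp,123
2014-03-02T10:18:02Z,198.51.100.5,botnet-drone,0
2014-03-02T10:19:30Z,203.0.113.9,open-snmp,161
2014-03-02T10:20:00Z,203.0.113.200,open-resolver,53
2014-03-02T10:21:00Z,not-an-ip,open-resolver,53
"""

# Constructed allocation table (hypothetical ISP names). A real deployment
# would build this from RIR allocation data or a BGP routing table.
PREFIX_TABLE = {
    "192.0.2.0/24": "isp-a",
    "198.51.100.0/24": "isp-b",
    "203.0.113.0/25": "isp-c",   # .128-.255 deliberately left unallocated
}

# Feed incident types mapped onto the two groups the report contrasts:
# abusable misconfigured services versus compromised (botnet) systems.
MISCONFIGURED = {"open-resolver", "open-ntp", "open-snmp", "open-ssdp",
                 "open-chargen", "open-proxy", "open-netbios", "open-qotd"}
COMPROMISED = {"botnet-drone", "botnet-cc", "infected-ip", "malicious-url"}


def classify(incident_type):
    """Return 'misconfigured', 'compromised' or 'other' for a feed type name."""
    if incident_type in MISCONFIGURED:
        return "misconfigured"
    if incident_type in COMPROMISED:
        return "compromised"
    return "other"


def owner_of(ip, table=PREFIX_TABLE):
    """Longest-prefix match of ip (string or address object) against the
    table; None when no prefix covers it, i.e. there is nobody to notify."""
    ip = ipaddress.ip_address(ip)
    best = None
    for prefix, isp in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, isp)
    return best[1] if best else None


def parse_feed(text):
    """Yield (ip, type, port) for well-formed rows; rows whose IP does not
    parse are dropped rather than forwarded to anyone."""
    for row in csv.DictReader(io.StringIO(text)):
        try:
            ip = ipaddress.ip_address(row["ip"])
        except ValueError:
            continue
        yield ip, row["type"], int(row["port"])


def triage(text, table=PREFIX_TABLE):
    """Aggregate a feed into the figures the report works with: alert rows,
    distinct IPs, rows per class, and one notification bundle per ISP."""
    by_class = Counter()
    seen = set()
    notifications = defaultdict(lambda: defaultdict(set))
    unallocated = set()
    alerts = 0
    for ip, kind, _port in parse_feed(text):
        alerts += 1
        seen.add(ip)
        by_class[classify(kind)] += 1
        isp = owner_of(ip, table)
        if isp is None:
            unallocated.add(str(ip))
        else:
            notifications[isp][str(ip)].add(kind)
    return {
        "alerts": alerts,
        "unique_ips": len(seen),
        "by_class": dict(by_class),
        "notifications": {isp: {ip: sorted(kinds) for ip, kinds in hosts.items()}
                          for isp, hosts in notifications.items()},
        "unallocated": sorted(unallocated),
    }


def share_of_address_space(unique_ips, allocated_total):
    """Percentage of the allocated address space seen in at least one alert
    (the report's 24% figure, computed from its own totals)."""
    return round(100.0 * unique_ips / allocated_total, 1)


if __name__ == "__main__":
    result = triage(SAMPLE_FEED)
    for isp, hosts in result["notifications"].items():
        print(isp, hosts)
    print("unallocated:", result["unallocated"])
    print("share:", share_of_address_space(2481648, 10021888), "%")
```

Two details matter in practice: a row whose IP does not parse is dropped instead of being forwarded, and an IP that no prefix covers ends up in `unallocated` rather than being silently lost, so the operator can see which alerts have no responsible ISP. Repeated alerts for the same IP are collapsed into one notification listing every incident type seen, which is what the ISP needs to pass on to the customer.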

Statistics based on incoming alerts

The number of alerts received by CERT-RO in 2014 increased by 82% (78.767.749) compared with 2013 (43.231.149); the increase is shown in the table below.

Distribution of alerts based on type

The table and graph below render the distribution of the top 5 types of alerts received.

Types of malware present in the Romanian cyberspace

Identification of the type of malware was possible in 37.5% of the received alerts.

Types of systems affected by alerts

Identification of the operating system was possible in about 24.6% of all alerts.

Particularities of manually processed alerts

Alongside the automatic alerts, during the reporting period CERT-RO analysts handled a series of cyber security alerts reported directly by individuals or organizations from Romania or abroad, classified as manually processed alerts.

They are considerably fewer than those received automatically, but contain more complete and relevant information about the incident and the affected organization, such as the source and the method of the attack. In most cases the data is collected by CERT-RO analysts from the affected entities (legal or natural persons from Romania or abroad) once the incident is reported.

Thus, during the referenced period, CERT-RO collected 2244 manually processed alerts, distributed as follows:

The remaining 9% of manually processed alerts fall into other classes and types of alerts, such as botnets, spam, defacement, brute force, malware samples or disclosure of confidential data.

The table below lists the top 5 most affected types of systems, extracted from the alerts processed manually by CERT-RO.

.ro compromised domains

For the reporting period, CERT-RO received alerts about 10.759 compromised .ro domains. Of the 710.000 domains registered in Romania in December 2013, this represents about 1.5% of all .ro domains.

The distribution of the affected domains by type of incident can be found in the table below:

Annex – Classification of alerts processed by CERT-RO

Alert class: Abusive Content
  • Spam: Unsolicited electronic communication (email) of a commercial nature.
  • Child Pornography: Distribution of child pornography.
  • Disclosure of Personal Data: Illegal publication of personal data.
  • Disclosure of Confidential Data: Illegal publication of confidential data; a compromise of data that breaches its confidentiality.

Alert class: Botnet
  • Botnet C&C Server: Information systems used to control the victims (drones, zombies) of a botnet.
  • Botnet Drone: Network of infected systems controlled by people / organizations other than their owners.

Alert class: Compromised Resources
  • Defacement: Attack on a website, carried out by various methods, aimed at altering the content displayed on its web pages. Attackers often replace the front page of the website with another page that displays false information.
  • Compromised Router: Compromise of communication equipment such as a router.
  • Compromised Network/System: Compromise of a network or a computer system.
  • Compromised Application/Service: Compromise of applications / services.
  • Compromised Website: Compromised website.

Alert class: Cyber Attacks
  • Brute force: A method for automatically cracking passwords, used to obtain the legitimate credentials of users on a computer system. By automated means, a large number of password combinations are generated and tested in order to find the real credentials. The method guarantees success but is very time- and resource-consuming.
  • DDoS: Affects the availability of systems / computers or electronic communications services. The target system is attacked by sending a large number of illegitimate requests that consume its hardware or software resources, making it unavailable to legitimate users.
  • Exploit Attempt: Code sequences that exploit programming errors in the operating system or in any other program resident on that system. In most cases exploits do not cause damage by themselves, but allow an attacker to gain control over the affected system, creating the possibility of installing other malware.
  • APT: Cyber attacks with a high degree of complexity, launched by groups that have the ability and motivation to persistently attack a target in order to obtain certain benefits (usually sensitive information).

Alert class: Fraud
  • Phishing: A form of online deception that uses techniques for impersonating people / organizations in order to obtain benefits or confidential information.
  • Unlawful eCommerce/Services: Illegal trade of products or services over the Internet.

Alert class: Information Gathering
  • Scanner: Systems that scan entire IP ranges on the Internet in order to identify vulnerable systems against which a cyber attack can be launched. The scanning phase is the early stage of most cyber attacks.
  • Sniffer: System that intercepts packets transmitted over the network, allowing their subsequent decoding. This method is used for finding passwords or other sensitive data about certain users. Sniffing refers to the act of intercepting TCP/IP packets.
  • Social Engineering: A set of techniques used to manipulate users of information systems into disclosing confidential information, which can then be used to obtain undue benefits or access to the computer system without the corresponding rights.

Alert class: Malware
  • Infected IP: Systems / IT services acting as a vector of infection for other systems. These systems / services host, with or without the administrator's consent, various malware samples that can infect other legitimate users.
  • Malicious URL: Compromised websites that host malware, facilitating the infection of other legitimate users who visit those links.
  • Malware sample: Malware sample sent for analysis.

Alert class: Vulnerabilities
  • Open Proxy: Proxy servers / services that can be used by any Internet user. Such services are often used by attackers to launch attacks against various targets while keeping their identity hidden. Proxy services are also commonly used to give multiple users and devices Internet access through a single IP address.
  • Open Resolver: Unsecured DNS servers that accept recursive DNS requests for domains other than those served by that DNS server. These are used for DNS amplification attacks.
  • Open SSDP: The Simple Service Discovery Protocol (SSDP) is part of Universal Plug and Play, implemented to allow a PC to communicate with network devices (routers, media servers, smart TVs, WiFi access points, etc.). By abusing the broadcast and multicast behaviour of this service, a malicious user can launch attacks such as data theft, DDoS, etc.
  • Open SNMP: The Simple Network Management Protocol was developed and implemented for monitoring and managing network devices. Its vulnerabilities are mostly due to default settings. By exploiting specific SNMP vulnerabilities, attacks such as DoS, buffer overflow, etc. can be launched.
  • Open NetBIOS: NetBIOS is an API that networked devices can use to share files and printers. Open NetBIOS is any host on which the service is operational and exploitable.
  • Open Chargen: Chargen is a service for testing and debugging the Internet protocol suite. Open Chargen is any host on which the service is operational and exploitable.
  • Open IPMI: The Intelligent Platform Management Interface is an interface for out-of-band system management. Open IPMI is any host on which an IPMI service is functional and accessible and responds to IPMI-type pings.
  • Open QOTD: Any host that presents a functional and exploitable Quote Of The Day service (port).
  • Vulnerable NTP: Any host that presents a functional and accessible Network Time Protocol service (port) that answers Mode 6 and Mode 7 requests.

Note: The table above contains the types of cyber security alerts most frequently reported to CERT-RO. Although the range of cyber threats is wider, not all of them appear in the reports received by our institution.
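The "open service" entries in the Vulnerabilities class (Open Resolver, Vulnerable NTP, Open SNMP, Open SSDP, Open Chargen, Open QOTD) share one failure mode: a small spoofed UDP request produces a much larger reply that is sent to the spoofed victim, so a misconfigured host in your own network becomes a reflector without ever being compromised. A defender can spot this from ordinary flow records. The following is an added example, not CERT-RO's code: the flow-record tuple format, the "local" prefix, the thresholds and the sample flows are all constructed assumptions, chosen so that one host answers as a DNS reflector, one NTP host behaves normally, one SNMP host has a high ratio but too little fan-out to flag, and TCP traffic on port 53 is ignored because amplification needs spoofable UDP.

```python
"""Flag local hosts answering as amplifiers on the UDP services the annex
lists as open services.  Added example, not CERT-RO's tooling; the flow
format, local prefix and thresholds are assumptions."""
import ipaddress
from collections import defaultdict

# UDP ports of the open-service alert types from the annex.
AMPLIFIER_PORTS = {53: "Open Resolver", 123: "Vulnerable NTP", 161: "Open SNMP",
                   1900: "Open SSDP", 19: "Open Chargen", 17: "Open QOTD"}

LOCAL_PREFIX = ipaddress.ip_network("192.0.2.0/24")  # constructed "our network"

# Constructed unidirectional flow records: (src, sport, dst, dport, proto, bytes).
# An abused reflector receives small requests and sends large replies to many
# distinct outside addresses (the victims of the spoofed requests).
SAMPLE_FLOWS = [
    # 192.0.2.53 answers recursive DNS for three outside hosts: reflector
    ("198.51.100.1", 4444, "192.0.2.53", 53, "udp", 64),
    ("192.0.2.53", 53, "198.51.100.1", 4444, "udp", 3000),
    ("198.51.100.2", 4445, "192.0.2.53", 53, "udp", 64),
    ("192.0.2.53", 53, "198.51.100.2", 4445, "udp", 3100),
    ("198.51.100.3", 4446, "192.0.2.53", 53, "udp", 64),
    ("192.0.2.53", 53, "198.51.100.3", 4446, "udp", 2900),
    # 192.0.2.10 serves NTP to one peer with normal-sized replies: benign
    ("203.0.113.8", 123, "192.0.2.10", 123, "udp", 48),
    ("192.0.2.10", 123, "203.0.113.8", 123, "udp", 48),
    # 192.0.2.20 sends a large SNMP reply to a single outside host: high
    # ratio, but not enough distinct peers to flag at the default threshold
    ("203.0.113.40", 5000, "192.0.2.20", 161, "udp", 70),
    ("192.0.2.20", 161, "203.0.113.40", 5000, "udp", 1400),
    # TCP on port 53 is ignored: amplification relies on spoofable UDP
    ("203.0.113.41", 5001, "192.0.2.53", 53, "tcp", 64),
    ("192.0.2.53", 53, "203.0.113.41", 5001, "tcp", 5000),
]


def summarize(flows, local=LOCAL_PREFIX):
    """Per (local host, service port): bytes in, bytes out, distinct external peers."""
    stats = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0, "peers": set()})
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst_ip in local and dport in AMPLIFIER_PORTS and src_ip not in local:
            s = stats[(dst, dport)]          # request from outside to our service
            s["bytes_in"] += nbytes
            s["peers"].add(src)
        elif src_ip in local and sport in AMPLIFIER_PORTS and dst_ip not in local:
            s = stats[(src, sport)]          # reply from our service to outside
            s["bytes_out"] += nbytes
            s["peers"].add(dst)
    return stats


def find_reflectors(flows, min_ratio=10.0, min_peers=3, local=LOCAL_PREFIX):
    """Return sorted [(host, annex alert type, amplification ratio, peer count)]
    for hosts whose replies on an amplifier port total at least min_ratio
    times the requests and reach at least min_peers distinct outside addresses."""
    found = []
    for (host, port), s in summarize(flows, local).items():
        if s["bytes_in"] == 0:
            continue  # replies without observed requests: not enough evidence
        ratio = s["bytes_out"] / s["bytes_in"]
        if ratio >= min_ratio and len(s["peers"]) >= min_peers:
            found.append((host, AMPLIFIER_PORTS[port], round(ratio, 1), len(s["peers"])))
    return sorted(found)


if __name__ == "__main__":
    for host, kind, ratio, peers in find_reflectors(SAMPLE_FLOWS):
        print(f"{host}: {kind}, amplification x{ratio}, {peers} external peers")
```

The two thresholds encode the two things that distinguish a reflector from a legitimately busy server: a reply-to-request byte ratio well above 1, and replies fanning out to many addresses that never asked for anything in volume. Lowering `min_peers` to 1 in the sample also surfaces the SNMP host, which is the kind of borderline case that deserves a configuration review rather than an incident ticket.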

Regarding the security of your computer, please consider the following basic rules:

  1. Check your computer for infection.
  2. Install the current Service Packs and security updates for your system. Activate automatic updates.
  3. Check your Internet browser and its embedded plugins (e.g. Java, Flash, Shockwave, QuickTime) regularly to make sure they are up to date.
  4. Install a virus scanner and update it regularly.
  5. Use a firewall, e.g. the Windows built-in firewall or a router.


Copyright © 2014-2015 CERT-RO. All rights reserved.