The objective of this report is to analyze cyber security alerts collected and processed by CERT-RO in 2014, in order to obtain an overview of the relevant events to risk assessment on cyber security IT infrastructure and electronic communications in Romania, located within the competence of CERT-RO.
During the reporting period, i.e. 01.01 - 31.12.2014, CERT-RO received notifications (alerts) as follows:
The total number of unique IPs allocated to organizations in Romania is 10.021.888, down from 13.5 million in 2013.
By cyber security alert, in the context of this document, we mean any signal containing an IP address or a URL (website) concerning a possible cyber security incident or event that involves or may involve systems belonging to legal or natural persons that are part of the national cyberspace.
Based on data collected, we identified the following:
Following the above findings, the next conclusions can be drawn:
Although technical constraints make it impossible to identify the exact number of devices or people behind the over 2.4 million IP addresses or 78 million alerts reported to CERT-RO, it is important to remember that these cover about 24% of the national cyberspace (relative to the number of IPs assigned to RO), and remedial measures involving all entities with technical or legal responsibilities are therefore necessary.
CERT-RO collects data regarding cyber security incidents, events or alerts from several sources, as follows:
The nature of the reported alerts, as well as the quantity of available data for each of the categories requires a different approach for each case.
Alerts sent by automated systems require automatic processing. In this case, the received data consists of lists of IPs detected as carrying out malicious or suspicious activity over the Internet, together with some extra details about the suspicious activity (timestamp, incident type, ports used, the attack, etc.).
Most of these alerts are automatically processed by CERT-RO and are sent to the ISPs that own the networks containing the system which triggered the alert. Most of the time, for this type of alert, CERT-RO has no exact information about the real user behind the IP address, so the identification process is passed to the internet service provider (ISP). The ISP also has the responsibility to forward the alert to the actual client.
Although this type of alert does not provide details about the target, it provides an overview of the types of cyber threats affecting Romanian cyber infrastructures. Individual alerts, as well as the alerts collected by CERT-RO, are considerably fewer in number, but the reported information about the incident is much more accurate and relevant (the affected organization, the source of the attack and the attack vector).
In most cases, the data is collected by CERT-RO's analysts from the affected entities, along with the incident report. Statistically speaking, these types of alerts are valuable because they better reflect the state of national cyber security.
The number of alerts received by CERT-RO in 2014 increased by 82% (78.767.749) compared with 2013 (43.231.149), the increase being shown in the table below.
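The automated processing step described above, as an added illustration that is not CERT-RO's own code: a constructed feed of IP-based alerts (timestamp, IP, incident type, port) is parsed, malformed records and unparsable IPs are dropped, and each alert is routed to the ISP whose allocation contains the IP via longest-prefix match. The ISP names, prefixes and feed records are constructed placeholders, not real Romanian assignments.

```python
import ipaddress
from collections import defaultdict

# Constructed ISP allocation table: hypothetical prefixes, not real RO assignments.
ISP_PREFIXES = {
    "isp-a": ["10.10.0.0/16", "10.20.0.0/15"],
    "isp-b": ["10.10.128.0/17"],  # more specific than isp-a's /16
    "isp-c": ["192.0.2.0/24"],
}

# Constructed feed, one alert per line: timestamp,ip,alert_type,port
FEED = """\
2014-03-01T10:00:00Z,10.10.5.7,botnet_drone,0
2014-03-01T10:00:05Z,10.10.200.1,open_resolver,53
2014-03-01T10:01:00Z,10.21.0.9,open_ntp,123
2014-03-01T10:02:00Z,192.0.2.44,scanner,22
2014-03-01T10:03:00Z,203.0.113.9,spam,25
2014-03-01T10:04:00Z,999.1.1.1,spam,25
"""

def build_table(prefixes):
    # Longest prefix first, so the first hit in lookup_isp is the most specific.
    nets = [(ipaddress.ip_network(c), isp) for isp, cs in prefixes.items() for c in cs]
    return sorted(nets, key=lambda n: n[0].prefixlen, reverse=True)

def lookup_isp(ip, table):
    """Longest-prefix match; None when the IP is outside known allocations."""
    addr = ipaddress.ip_address(ip)
    return next((isp for net, isp in table if addr in net), None)

def parse_feed(text):
    """Parse feed lines, dropping malformed records and unparsable IPs."""
    alerts = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != 4:
            continue
        ts, ip, atype, port = parts
        try:
            ipaddress.ip_address(ip)
            alerts.append({"ts": ts, "ip": ip, "type": atype, "port": int(port)})
        except ValueError:
            continue
    return alerts

def route_alerts(alerts, table):
    """Bundle alerts per ISP; alerts with no matching allocation go to unrouted."""
    by_isp, unrouted = defaultdict(list), []
    for a in alerts:
        isp = lookup_isp(a["ip"], table)
        (by_isp[isp] if isp else unrouted).append(a)
    return dict(by_isp), unrouted
```

Unrouted alerts (IPs outside every known allocation) are the ones that need analyst attention instead of automatic forwarding.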
Distribution of alerts based on type
The table and graph below render the distribution of the top 5 types of alerts received.
Types of malware present in the Romanian cyberspace
Identification of the type of malware was possible in 37.5% of the received alerts.
Types of systems affected by alerts
Identification of the operating system was possible in about 24.6% of all alerts.
Particularities of manually processed alerts
Along with automated alerts, during the given period CERT-RO analysts have handled a series of cyber security alerts reported directly by individuals or organizations from Romania or from abroad, classified as manually processed alerts.
These are considerably fewer than those received automatically, but contain more complete and relevant information about the incident and the affected organization, such as the source of the attack and the method of attack. In most cases, the data is collected from the affected entities (legal or natural persons from Romania or abroad) by CERT-RO analysts once the incident is reported.
Thus, during the referenced period, CERT-RO collected 2244 manually processed alerts, distributed as follows:
The remaining 9% of manually processed alerts fall into different classes and types of alerts such as botnets, spam, defacement, brute force, malware samples or dissemination of confidential data (disclosure of confidential data).
The table below lists the top 5 most affected types of systems, extracted from the alerts manually processed by CERT-RO.
.ro compromised domains
For the given period, CERT-RO received alerts about 10.759 compromised .ro domains. Relative to the 710.000 domains registered in Romania in December 2013, this number represents about 1.5% of all .ro domains.
The distribution of affected areas by type of incident can be found in the table below:
| Alert class | Alert type | Description |
|---|---|---|
| Abusive Content | Spam | Unsolicited electronic communication (email) of a commercial nature. |
| Abusive Content | Child Pornography | Distribution of child pornography. |
| Abusive Content | Disclosure of Personal Data | Illegal publication of personal data. |
| Abusive Content | Disclosure of Confidential Data | Illegal publication of confidential data; a data breach that compromises its confidentiality. |
| Botnet | Botnet C&C Server | Information systems used to control victims (drones, zombies) within a botnet. |
| Botnet | Botnet Drone | Network of infected systems controlled by people / organizations other than their owners. |
| Compromised Resources | Defacement | Attack on a website, carried out by different methods, aimed at altering the content displayed on web pages. The attackers often replace the first page of the website with another page that displays false information. |
| Compromised Resources | Compromised Router | Compromise of communication equipment such as a router. |
| Compromised Resources | Compromised Network/System | Compromise of a network or a computer system. |
| Compromised Resources | Compromised Application/Service | Compromise of applications / services. |
| Compromised Resources | Compromised Website | Compromised website. |
| Cyber Attacks | Brute force | A method for automatically cracking passwords, used to obtain the legitimate credentials of users on a computer system. By means of automatic mechanisms, a large number of password combinations are generated and tested in order to find real credentials. The method guarantees success but is very time and resource consuming. |
| Cyber Attacks | DDoS | Affects the availability of systems / computers or electronic communications services. The target system is attacked by sending a large number of illegitimate requests that consume its hardware or software resources, making it unavailable to legitimate users. |
| Cyber Attacks | Exploit Attempt | Code sequences exploiting programming errors in the operating system or any other program resident on that system. In most cases, exploits do not cause damage by themselves, but allow an attacker to gain control over the infected system, creating the possibility of installing other malware. |
| Cyber Attacks | APT | Cyber attacks with a high degree of complexity, launched by groups that have the ability and motivation to persistently attack a target in order to obtain certain benefits (usually sensitive information). |
| Fraud | Phishing | A form of online fraud that uses techniques for impersonating the identity of people / organizations in order to obtain benefits or confidential information. |
| Fraud | Unlawful eCommerce/Services | Illegal trade of products or services over the Internet. |
| Information Gathering | Scanner | Systems that scan entire IP ranges on the Internet in order to identify vulnerable systems against which a cyber attack can be launched. The scanning phase is the early stage of most cyber attacks. |
| Information Gathering | Sniffer | A system that intercepts packets transmitted over the network, allowing their subsequent decoding. This method is used for finding passwords or other sensitive data about certain users. Sniffing refers to the act of intercepting TCP/IP packets. |
| Information Gathering | Social Engineering | A set of techniques used to manipulate users of information systems into disclosing confidential information, which can then be used to obtain undue benefits or access to the computer system without the corresponding rights. |
| Malware | Infected IP | Systems / IT services acting as an infection vector for other systems. These systems / services host, with or without the consent of the administrator, various malware samples that can infect other legitimate users. |
| Malware | Malicious URL | Compromised websites that host malware, facilitating the infection of other legitimate users who visit those links. |
| Malware | Malware sample | Malware sample sent for analysis. |
| Vulnerabilities | Open Proxy | Proxy servers / services that can be used by any user of the Internet. Such services are often used by attackers to launch attacks from the Internet against different targets while keeping their identities hidden. Proxy services are often used to access the Internet through a single IP address from multiple users and devices. |
| Vulnerabilities | Open Resolver | Unsecured DNS servers that accept recursive DNS requests for domains other than those served by the DNS server. These are used for DNS amplification attacks. |
| Vulnerabilities | Open SSDP | Simple Service Discovery Protocol (SSDP) is part of the Universal Plug and Play protocol, implemented to allow a PC to communicate with network devices (routers, media servers, smart TVs, WiFi access points, etc.). By exploiting vulnerabilities in the broadcast and multicast transmission modes of this service, a malicious user can launch attacks such as data theft, DDoS, etc. |
| Vulnerabilities | Open SNMP | Simple Network Management Protocol was developed and implemented for monitoring and managing network devices. The vulnerabilities of this service are mainly due to its default settings. By exploiting specific SNMP vulnerabilities, attacks such as DoS, buffer overflow, etc. can be launched. |
| Vulnerabilities | Open NetBIOS | NetBIOS is an API that networked devices can use to share files and printers. Open NetBIOS is any host on which the service is operational and exploitable. |
| Vulnerabilities | Open Chargen | Chargen is a service for testing and debugging the Internet protocol suite. Open Chargen is any host on which the service is operational and exploitable. |
| Vulnerabilities | Open IPMI | Intelligent Platform Management Interface is an interface for out-of-band system management. Open IPMI is any host on which the IPMI service is functional and accessible, and which responds to IPMI pings. |
| Vulnerabilities | Open QOTD | Any host that exposes a functional and exploitable Quote Of The Day service (port). |
| Vulnerabilities | Vulnerable NTP | Any host that exposes a functional and accessible Network Time Protocol service (port) that answers Mode 6 and Mode 7 requests. |
Note: The above table contains the types of cyber security alerts frequently reported to CERT-RO. Although the range of cyber threats is more varied, not all can be found in the reports received by our institution.
Regarding the security of your computer, please consider the following basic rules:
Good to know