ISTANBUL: On April 11-14, Kaspersky Lab held its annual Cyber Security Weekend for the Middle East, Turkey and Africa (META) in Istanbul to explore the evolution of the threat landscape, both globally and in the region, and to find out which approaches businesses need to take in order to survive. Kaspersky Lab’s Global Research & Analysis Team (GReAT) experts and invited experts discussed various topics during the event, including IoT security, blockchain technology and the rise of targeted attacks, as well as threats aimed at medical infrastructure.

During the event, statistics from the Kaspersky Security Network for the first quarter of 2018 were revealed. They showed an overall increase in local threat infections (malware spread in local networks, by USBs, CDs, DVDs), with Kenya taking first place with 61.8 percent of its users infected, followed by 58.6 percent in Nigeria, 50.8 percent in Oman, and 55.6 percent in both Egypt and Lebanon. Turkey reported the lowest number of local threat infections with 46.2 percent.

The statistics for the same period also showed a noticeable overall increase in web threats, with 30.2 percent of users affected by malware in Saudi Arabia, 28.8 percent in both Egypt and Oman, followed by 27.4 percent in the UAE. On the other hand, South Africa had the lowest number of affected users in the META region (48.8 percent for local and 19.6 percent for web threats).

“We have seen an 8.5 percent increase in ransomware attacks in the META region in Q1 of 2018 compared to Q1 of last year. This number is not surprising, judging by the infamous success of major ransomware attacks last year. We do expect such attacks to grow and evolve in complexity and sophistication. This highlights the importance of proper security solutions backed with continuous security training to raise awareness on the dangers of such attacks,” said Mohamad Amin Hasbini, Senior Security Researcher, Global Research & Analysis Team, Kaspersky Lab.

A panel of experts from Kaspersky Lab and specially invited guests from Turkey and UAE spoke about how the blockchain affects the way people live and work nowadays. Nassar Al-Achkar, CEO of HyperChain said: “I’m honored to take part in this event and talk about blockchain. It’s important to constantly educate people on the uses of this technology as I believe it is yet another step towards a brighter more efficient future. I also salute Kaspersky Lab for their efforts in studying this technology and assessing its cyber risks.”

The discussion also briefly touched on Kaspersky Lab’s announcement about the Polys voting system, which is based around blockchain technology.

With organizations facing a wide range of cyberthreats that come from the outside as well as from the inside, they should have a holistic approach to cybersecurity that unites an effective IT security solution, employee education and security policies understood and followed by employees. Kaspersky Lab’s recently launched Threat Management and Defense solution gives businesses the opportunity to adopt a strategic approach to detecting complex attacks across the corporate IT infrastructure and successfully gain control and visibility of their security environment by mitigating risk in today’s digital world.

Cyberespionage campaign

During Kaspersky Lab’s Cyber Security Weekend, a new cyberespionage campaign was announced: “Operation Parliament” is targeting high-profile organizations from around the world with a focus on the Middle East and North Africa. The attacks have been active since 2017 and have targeted top legislative, executive and judicial powers, including but not limited to governmental and large private entities from the region, including the UAE, Saudi Arabia, Jordan, Palestine, Egypt, Kuwait, Qatar, Iraq, Lebanon, Oman, Djibouti and Somalia. Altogether, company experts detected victims in 27 countries.

Kaspersky Lab experts believe that “Operation Parliament” represents a new geopolitically motivated threat actor that is highly active and skilled. Attackers are also believed to have access to an elaborate database of contacts for sensitive organizations and personnel worldwide, especially of non-trained staff. Victims of the attacks include government entities, political figures, military and intelligence agencies, media outlets, research centers, Olympic foundations and large private companies.

Based on the findings, the attackers infiltrated their victims using malware that provides them with a remote cmd/PowerShell terminal, enabling them to execute any scripts or commands and receive the results through HTTP requests. The attackers have taken great care to stay under the radar and have used techniques to verify victims’ devices before infiltrating them. Kaspersky Lab products successfully detect and block attacks conducted using these techniques.

“Operation Parliament is another symptom of the continuously developing tensions in the Middle East and North Africa. We are witnessing higher sophistication and smarter techniques used by attackers and it doesn’t look like they will stop or slow down anytime soon,” said Mohamad Amin Hasbini, Senior Security Researcher, Global Research & Analysis Team at Kaspersky Lab. “The type of people and organizations targeted in this attack campaign should elevate their levels of cyber maturity in order to mitigate such attacks in the future,” he added.

In order to avoid falling victim to such an attack, Kaspersky Lab researchers advise organizations to pay special attention and take extra measures, including:

Train staff to be able to distinguish spearphishing emails or a phishing link from legitimate emails and links.

Use not only a proven corporate-grade endpoint security solution but also a combination of specialized protection against advanced threats, such as the Threat Management and Defense solution, which is capable of catching attacks by analyzing network anomalies.

Follow strict rules to avoid data leaks and deploy techniques to prevent insider threats.

Blockchain voting

Online voting appeals to many aspects of modern society – such as geographically spread communities, or progressive universities wanting to hear their students’ voices. It also appeals to global NGOs, and municipalities looking for citizen involvement in neighborhood and city-wide decision making. However, the risks of making critical choices online are also high, with large-scale online voting opening up vast opportunities for cybercriminals to fix the results.

An innovation from the Kaspersky Lab Business Incubator was announced during Kaspersky Lab’s Cyber Security Weekend. It offers a possible solution: A customizable online voting platform for non-commercial organizations, businesses and communities, which uses blockchain technology and is secured with transparent crypto algorithms.

In the modern efficiency-driven, mobile world, various limitations of offline voting have become apparent: it’s expensive, time-consuming and often inaccessible - or at least challenging - for people who aren’t physically present to cast a vote. Online voting can help overcome these challenges but this brings several uncertainties of its own: how can we secure the process? How can we make sure that our votes aren’t changed or altered by an external or internal party?

As part of a research project focused on exploring the potential implementations of innovative technologies such as blockchain, Kaspersky Lab Business Incubator has fostered a talented team of developers who have worked on an experimental project called Polys. This has resulted in a new commercial solution, which aims to provide anyone with the ability to conduct secure, anonymous and scalable online voting - with results that cannot be altered by participants or organizers.

Vartan Minasyan, Head of Investment and Innovation at Kaspersky Lab, comments: “In our Kaspersky Lab Business Incubator we’re supporting both internal and external teams in developing bright ideas and technologies, which can be implemented in various areas where safety and security are important. One such area is online voting and, when exploring the possible implementations of blockchain in particular, our team realized that this technology combined with the company’s cybersecurity expertise could solve key problems related to the privacy, transparency and security of online voting. We’re excited that we have been able to create a suitable environment for this internal innovation.”

Polys is based on smart contracts in Ethereum (sometimes referred to as Blockchain 2.0), which allow ballot verification and vote tallies to be performed in a decentralized manner. The main benefit is that, due to blockchain’s decentralized nature, the accuracy of voting execution can be verified by the network’s participants. All voting data is stored not on servers, but in information blocks on the computers of all network participants: to erase it, a hacker would have to breach all of the computers and gain access to the individual sets of data.

Blockchain also allows a voter to easily check if their vote has actually been registered correctly and any tampering of votes will automatically become evident. Blockchain transparency makes it easier to monitor votes and complete voting audits by independent parties. It also doesn’t require extra resources or the need for the physical presence of personnel.

In addition, within the Polys voting system, blockchain is encrypted and backed up with mathematical algorithms. These help to ensure anonymity, hide intermediate results and perform calculations on the encrypted data, which is something that can’t be done in other blockchain systems due to their distributed and open nature. By implementing these algorithms in the smart contract environment, using the advantages of blockchain while eliminating its limitations, Polys stands out as a distinctively innovative project.

The source code of Polys will be publicly available – allowing anyone to test, verify and explore the technology behind it. Any blockchain enthusiast, penetration tester or e-voting supporter will soon be able to find it on GitHub. Jutta Steiner, Co-founder of Parity Technologies, comments: “Parity Technologies is excited to be involved with Polys as their platform of choice for such an innovative project. Blockchain is increasingly being implemented by a vast number of industries and we believe that decentralising the voting procedure will ensure a fair process and create a high level of trust in the system.”

Polys is designed to support voting at all levels and for any number of participants. Upon a special project request, the platform can be made fully scalable with capacity for thousands of voters in international corporations, political parties, universities, global communities, NGOs, etc. This implementation can be tailored to specific requirements in terms of authorization, the interface design, and integration with other services. It is available in select regions only; interested parties can learn more about availability and pricing by filling out a contact form on the website.

In addition to the customized platform, there’s also a ready-to-use freemium service that is available for everyone. To arrange a vote, one simply has to go to the website, create a poll in the Organizer Panel and fill in the voting information (such as the names of candidates or other participants, along with any extra details). The rest of the work, such as sending emails to voters and counting votes, is carried out by Polys.

Threat to healthcare

Kaspersky Lab’s researchers have discovered evidence of an emerging and alarming trend: More and more advanced cyber threat actors are turning their attention to attacks against the healthcare sector. The infamous PlugX malware has been detected in pharmaceutical organizations in Vietnam, aimed at stealing precious drug formulas and business information.

PlugX malware is a well-known remote access tool (RAT). It is usually spread via spear phishing and has previously been detected in targeted attacks against the military, government and political organizations. The RAT has been used by a number of Chinese-speaking cyber threat actors, including Deep Panda, NetTraveler or Winnti. In 2013, it was discovered that the latter - responsible for attacking companies in the online gaming industry - had been using PlugX since May 2012. Interestingly, Winnti has also been present in attacks against pharmaceutical companies, where the aim has been to steal digital certificates from medical equipment and software manufacturers.

PlugX RAT allows attackers to perform various malicious operations on a system without the user’s permission or authorization, including - but not limited to - copying and modifying files, logging keystrokes, stealing passwords and capturing screenshots of user activity. PlugX, as with other RATs, is used by cyber criminals to discreetly steal and collect sensitive or profitable information for malicious purposes. RAT usage in attacks against pharmaceutical organizations indicates that sophisticated APT actors are showing an increased interest in capitalizing on the healthcare sector.

Kaspersky Lab products successfully detect and block the PlugX malware. “Private and confidential healthcare data is steadily migrating from paper to digital form within medical organizations. While the security of the network infrastructure of this sector is sometimes neglected, the hunt by APTs for information on advancements in drug and equipment innovation is truly worrying. Detections of PlugX malware in pharmaceutical organizations demonstrate yet another battle that we need to fight – and win - with cyber criminals,” said Yury Namestnikov Makrushin, security researcher at Kaspersky Lab.

Other key findings for 2017 in the research include:

More than 60 percent of medical organizations had malware on their servers or computers.

Philippines, Venezuela and Thailand topped the list of countries with attacked devices in medical organizations.

In order to stay protected, Kaspersky Lab experts advise businesses to take the following measures:

Remove all nodes that process medical data from public and secure public web portals.

Automatically update installed software using patch management systems on all nodes, including servers.

Perform network segmentation: refrain from connecting expensive equipment to the main LAN of your organization.

Use a proven corporate-grade security solution in combination with anti-targeted attack technologies and threat intelligence, such as Kaspersky Threat Management and Defense solution. These are capable of spotting and catching advanced targeted attacks by analyzing network anomalies and giving cybersecurity teams full visibility over the network and response automation.

By Islam Al-Sharaa