Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/19/2018
05:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cyberattacks in Finland Surge During Trump-Putin Summit

Attackers targeted IoT devices like they did during Trump's June meeting with North Korea's Kim Jong-un, but this time China was the top-attacking nation.

President Donald Trump's recent meeting with Russian counterpart Vladmir Putin in Helsinki proved to be as much a magnet for cyberattackers as his Singapore meeting with Korean leader Kim Jong-un in June.

As with the previous attacks, the ones in Finland appear to be mostly attempts to break into weakly protected Internet of things (IoT) devices to be used to spy on targets of interest in Finland. The main difference was that instead of the attacks mostly emanating from Russia, this time a majority of attacks came from networks in China.

F5 Networks, which was the first to report on the Singapore attacks in June, this week reported a similar big spike in malicious traffic directed at targets in Finland in the days leading to the Trump-Putin summit.

As in Singapore, the Finland attacks targeted ports and protocols used by IoT devices, such as SIP port 5060, which is associated with VoIP phones and videoconferencing systems, and SQL port 1433 and Telnet port 23, for remote administration of IoT devices. "Nation-states, spies, mercenaries, and others don't need to dress up as repairmen to plant bugs in rooms anymore," F5 Networks said in its report. "They can just hack into a room that has vulnerable IoT devices."

Researchers at F5 Networks also noted some differences among the attacks. SIP port 5060, for instance, was the top targeted port in the Singapore attacks, while in Finland it was SSH port 22 — typically used for secure remote administration — followed by SMB port 445. Other ports and protocols targeted this time around that were not targeted in June included HTTP port 80, MySQL port 3306, port 8090 (often used for Web cameras), and RDP port 3389.

"The ports being attacked are popular ports overall," says Sara Boddy, threat researcher at F5 Networks. "We expect to see attacks against 3306 and other popular database ports and data services like TCP/9200. This is due to data being made public that should have remained private," she says. What is interesting is the different targeting by different threat actors. "Perhaps attackers coming out of Russia prefer SIP attacks — as we saw in Singapore — versus SSH attacks out of China, like we saw in Finland."

China was not the only country where attack traffic spiked during the Trump-Putin meeting in Helsinki. Italy and Germany also had noticeable spikes. In typical weeks, Italy and Germany rank 13th and 14th in the list of top-attacking countries in Finland. In the days preceding the meeting, the volume of attack traffic put them in the fourth and seventh spots, respectively, F5 Networks said. Attack traffic from the US dropped slightly from usual but was still enough to keep the country in second spot, behind China. Meanwhile, Russia-based threat actors hit the brakes somewhat in that period, dropping the country from its usual third most-attacking country status to fifth.

Given the timing and targeting, it is safe to assume that a combination of state-sponsored actors and other malicious threat actors are behind the attacks, Boddy says. "Everyone has a stake in the game — from adversaries wanting to spy, to friendlies that also want to know what's going on, to hacktivists who want a lead on a story," she said. 

Distant as such attacks might seem, businesses need to pay attention. The attacks highlight the importance for enterprises to secure all Internet-connected infrastructure from rack servers in a data center to security cameras, wireless access points, phone and videoconferencing systems, entertainment systems, HVAC systems, and vending machines, Boddy notes.

At a minimum, security means protecting remote administration to your devices or restricting them to a specified management network, always changing default vendor passwords, and staying properly patched, she says.

Related Content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12855
PUBLISHED: 2019-06-16
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.