Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/19/2018
05:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cyberattacks in Finland Surge During Trump-Putin Summit

Attackers targeted IoT devices like they did during Trump's June meeting with North Korea's Kim Jong-un, but this time China was the top-attacking nation.

President Donald Trump's recent meeting with Russian counterpart Vladmir Putin in Helsinki proved to be as much a magnet for cyberattackers as his Singapore meeting with Korean leader Kim Jong-un in June.

As with the previous attacks, the ones in Finland appear to be mostly attempts to break into weakly protected Internet of things (IoT) devices to be used to spy on targets of interest in Finland. The main difference was that instead of the attacks mostly emanating from Russia, this time a majority of attacks came from networks in China.

F5 Networks, which was the first to report on the Singapore attacks in June, this week reported a similar big spike in malicious traffic directed at targets in Finland in the days leading to the Trump-Putin summit.

As in Singapore, the Finland attacks targeted ports and protocols used by IoT devices, such as SIP port 5060, which is associated with VoIP phones and videoconferencing systems, and SQL port 1433 and Telnet port 23, for remote administration of IoT devices. "Nation-states, spies, mercenaries, and others don't need to dress up as repairmen to plant bugs in rooms anymore," F5 Networks said in its report. "They can just hack into a room that has vulnerable IoT devices."

Researchers at F5 Networks also noted some differences among the attacks. SIP port 5060, for instance, was the top targeted port in the Singapore attacks, while in Finland it was SSH port 22 — typically used for secure remote administration — followed by SMB port 445. Other ports and protocols targeted this time around that were not targeted in June included HTTP port 80, MySQL port 3306, port 8090 (often used for Web cameras), and RDP port 3389.

"The ports being attacked are popular ports overall," says Sara Boddy, threat researcher at F5 Networks. "We expect to see attacks against 3306 and other popular database ports and data services like TCP/9200. This is due to data being made public that should have remained private," she says. What is interesting is the different targeting by different threat actors. "Perhaps attackers coming out of Russia prefer SIP attacks — as we saw in Singapore — versus SSH attacks out of China, like we saw in Finland."

China was not the only country where attack traffic spiked during the Trump-Putin meeting in Helsinki. Italy and Germany also had noticeable spikes. In typical weeks, Italy and Germany rank 13th and 14th in the list of top-attacking countries in Finland. In the days preceding the meeting, the volume of attack traffic put them in the fourth and seventh spots, respectively, F5 Networks said. Attack traffic from the US dropped slightly from usual but was still enough to keep the country in second spot, behind China. Meanwhile, Russia-based threat actors hit the brakes somewhat in that period, dropping the country from its usual third most-attacking country status to fifth.

Given the timing and targeting, it is safe to assume that a combination of state-sponsored actors and other malicious threat actors are behind the attacks, Boddy says. "Everyone has a stake in the game — from adversaries wanting to spy, to friendlies that also want to know what's going on, to hacktivists who want a lead on a story," she said. 

Distant as such attacks might seem, businesses need to pay attention. The attacks highlight the importance for enterprises to secure all Internet-connected infrastructure from rack servers in a data center to security cameras, wireless access points, phone and videoconferencing systems, entertainment systems, HVAC systems, and vending machines, Boddy notes.

At a minimum, security means protecting remote administration to your devices or restricting them to a specified management network, always changing default vendor passwords, and staying properly patched, she says.

Related Content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13552
PUBLISHED: 2019-09-18
In WebAccess versions 8.4.1 and prior, multiple command injection vulnerabilities are caused by a lack of proper validation of user-supplied data and may allow arbitrary file deletion and remote code execution.
CVE-2019-15301
PUBLISHED: 2019-09-18
A SQL injection vulnerability in the method Terrasoft.Core.DB.Column.Const() in Terrasoft Bpm'online CRM-System SDK 7.13 allows attackers to execute arbitrary SQL commands via the value parameter.
CVE-2019-5042
PUBLISHED: 2019-09-18
An exploitable Use-After-Free vulnerability exists in the way FunctionType 0 PDF elements are processed in Aspose.PDF 19.2 for C++. A specially crafted PDF can cause a dangling heap pointer, resulting in a use-after-free. An attacker can send a malicious PDF to trigger this vulnerability.
CVE-2019-5066
PUBLISHED: 2019-09-18
An exploitable use-after-free vulnerability exists in the way LZW-compressed streams are processed in Aspose.PDF 19.2 for C++. A specially crafted PDF can cause a dangling heap pointer, resulting in a use-after-free condition. To trigger this vulnerability, a specifically crafted PDF document needs ...
CVE-2019-5067
PUBLISHED: 2019-09-18
An uninitialized memory access vulnerability exists in the way Aspose.PDF 19.2 for C++ handles invalid parent object pointers. A specially crafted PDF can cause a read and write from uninitialized memory, resulting in memory corruption and possibly arbitrary code execution. To trigger this vulnerabi...