Introduction

The Digital Footprint Intelligence Service announces the results of research on the digital footprints of governmental, financial and industrial organizations in the following Middle East countries: Bahrain, Egypt, Iran, Iraq, Jordan, Kuwait, Lebanon, Oman, Qatar, Saudi Arabia, Sudan, Syria, Turkey, UAE and Yemen. The data presented in this report was collected through Kaspersky's own threat research and analysis mechanism and various other open sources during Q3 2020. The exceptions are Iran, Iraq, Sudan, Syria and Yemen, for which only open source data was used. Official entities can request the more detailed results of subsequent research and analysis via dfi@kaspersky.com.

The service is designed to provide customers with an examination of their footprint in open networks and a general overview of the opportunities it presents to adversaries. Assessing a company's assets from the perspective of an attacker, including their possible aims and potential opportunities, was among the key considerations for the cyberthreat intelligence analysts who compiled this report.

Sources of intelligence

Scope of the research

There are many organizations that belong to the three key verticals (governmental, financial and industrial) across the Middle East, but this report focuses on critical organizations with vulnerabilities.

Distribution of vulnerable IP addresses by percentage

Share of vulnerabilities by country in the Middle East region


Statistics of detected vulnerabilities on services

What’s behind the statistics

Vulnerable networks: lack of security updates; bad network service configuration; management interfaces available publicly.

Data leaks: corporate accounts in databases of leaked passwords; leaked financial data.

Dark web: access to compromised infrastructure for sale.

Methodology

Depending on the complexity of exploitation and the damage caused, the detected vulnerabilities are divided into five levels:

Critical: a vulnerability that, if exploited, can compromise an infrastructure resource in one step.

High: vulnerabilities that, if exploited, give access to the infrastructure in two or more steps. Additional data (e.g. credentials) may be required to penetrate the infrastructure.

Medium: vulnerabilities that allow an attacker to obtain useful information about a resource that can be used to obtain restricted access, e.g. management interfaces of various services, directory listings, protocols that transfer data unencrypted, etc.

Low: vulnerabilities that allow an attacker to collect information about a resource, such as logins used in the system, anonymous access to various services, etc.

Information: vulnerabilities related to security flaws such as default and start pages of web services, printer services and various software that can be used to perform DDoS attacks, routing protocols, etc.

Importance of vulnerability based on industry vertical

The governmental sector leads in critical-level vulnerabilities, whereas the classic cybercriminal target, the financial industry, has mostly low-level vulnerabilities.

Industrial corporations fall in the middle of this spectrum, though their share of medium-level vulnerabilities still deserves attention. Most of these vulnerabilities lead to the disclosure of information about a resource that can be used to obtain limited access.


Share of vulnerabilities across various verticals


Share of vulnerable companies across various verticals

Which companies have critical vulnerabilities?

30% of industrial companies have critical-level vulnerabilities;

Every third industrial company is prone to critical-level vulnerabilities;

Every second industrial and government organisation has high-level vulnerabilities;

7% of all banking organisations in the Middle East have critical vulnerabilities.

Vulnerabilities that can be exploited by adversaries

Security issues in various verticals:

2% of governmental organizations in the scope of the research have Microsoft Windows 2000 in their environments;

A large share of misconfigured services in industrial companies indicates a low level of information security maturity;

Among the resources in the industrial sector, both old vulnerabilities (e.g. HEARTBLEED) and the latest vulnerabilities (e.g. vulnerabilities in Citrix network equipment) were found.


Vulnerabilities by category


Vulnerable services by type

Which services are vulnerable?

3% of vulnerable web servers are related to banking organisations;

DBMS and FTP servers are the most vulnerable services in industrial companies;

3% of all exposed remote management interfaces belong to government bodies, placing them first worldwide.

Statistics on obsolete software in organisations of the Middle East region

Obsolete software in the region

Data leaks

Corporate accounts of employees from 253 organisations (out of a total of 402) were found in public dumps of compromised third-party services. This indicates that employees use their corporate email addresses to register on external services, for example social media networks.


Corporate account leakage in the region

The highest numbers

More than 50% of those accounts are linked to banking organizations in Turkey;

About 48% of such accounts relating to industrial companies are in Saudi Arabia.

If employees use the same compromised passwords for corporate resources as for external services, that information can be used to gain unauthorized access to those resources.
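A defender-side check for the account leakage described above, written as an added example rather than code from the report or from the service: it matches records from a constructed breach dump against a constructed list of in-scope corporate domains, reports the share of organisations with exposed accounts (the figure the report gives as 253 of 402), breaks that down by vertical, and flags accounts that appear in more than one dump, where password reuse is most likely. Domain names, verticals and dump names are all made up.

```python
from collections import defaultdict

# Constructed sample data (not from the report): in-scope corporate domains
# mapped to their vertical, and leaked records as (email, source dump).
CORPORATE_DOMAINS = {
    "bank.example": "financial",
    "plant.example": "industrial",
    "ministry.example": "governmental",
    "port.example": "industrial",
}

LEAKED_RECORDS = [
    ("alice@bank.example", "socialnet-dump-2019"),
    ("Alice@Bank.Example ", "forum-dump-2020"),       # same mailbox, second dump
    ("bob@plant.example", "socialnet-dump-2019"),
    ("carol@webmail.example", "socialnet-dump-2019"),  # personal address, out of scope
    ("dave@ministry.example", "shop-dump-2020"),
]


def normalize_email(email):
    """Lower-case and trim so one mailbox is counted once across dumps."""
    return email.strip().lower()


def exposed_accounts(records, domains):
    """Map each in-scope domain to {account: set of dumps it appeared in}."""
    exposed = defaultdict(lambda: defaultdict(set))
    for email, source in records:
        email = normalize_email(email)
        if "@" not in email:
            continue  # malformed record, skip rather than guess
        domain = email.rsplit("@", 1)[1]
        if domain in domains:
            exposed[domain][email].add(source)
    return exposed


def exposure_summary(records, domains):
    """Share of organisations affected, count per vertical, and accounts
    seen in more than one dump (highest password-reuse risk)."""
    exposed = exposed_accounts(records, domains)
    per_vertical = defaultdict(int)
    for domain in exposed:
        per_vertical[domains[domain]] += 1
    repeat = sorted(acct for accounts in exposed.values()
                    for acct, srcs in accounts.items() if len(srcs) > 1)
    return {"organisations_affected": len(exposed),
            "organisations_total": len(domains),
            "share": len(exposed) / len(domains),
            "per_vertical": dict(per_vertical),
            "repeat_accounts": repeat}
```

Accounts in `repeat_accounts` are the first candidates for a forced password reset and a check that the corporate password is not the one exposed in the dump.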

The scope of the Digital Footprint Intelligence Service is not restricted to public sources only; it also tracks the activity of cybercriminals on resources with limited access, such as darknet forums and shops. The analyzed data includes demand and offers for bank cards and online banking accounts, insider recruitment activity, the sale of compromised corporate accounts and client and employee databases, rewards offered for top managers, etc.


Statistics on activity in darknet forums and shops

The majority of the topics and adverts detected on darknet forums are related to bank card sales. We observed a fall in demand for bank cards in February 2020 after the festive season. The decline was also caused by global lockdowns related to the COVID-19 pandemic.

Customer traffic in e-commerce has rocketed due to the coronavirus, and this has naturally led to an increase in fraudulent activities such as phishing. Offerings of online banking accounts and credit cards on darknet forums increased in May.

The dark web and the financial industry

Analysis of underground activity related to the Middle East financial sector revealed that bank cards from four out of the 15 countries were found on sale in darknet shops.

Bank card dumps and card numbers (with or without CVV) are in high demand among criminals. Data of this kind can be used both for stealing money, for example by making purchases in online stores, and for money laundering.


Share of bank cards in darknet shops by country

By Q3 2020, more than 78,000 credit card numbers with their corresponding CVV/CVV2 codes from Middle East banks had been found in darknet shops.


Distribution of cards by type

Sales of payment cards with CVVs increased in July and August due to the reopening of national borders after COVID-19 lockdowns were eased.


Distribution of bank cards sold by month

Read more: securelist.com