SenseCy 2014 Annual Cyber Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

Executive Summary

Clearly, 2014 was an important year in the cyber arena. The technical level of the attacks, the variety of tools and methods used and the destructive results achieved have proven, yet again, that cyber is a cross-border tool that is rapidly gaining momentum.

This year, we witnessed attacks on key vectors: cyber criminals setting their sights on targets in the private sector, hacktivists using cyber tools for their ideological struggles, state-sponsored campaigns to facilitate spying on high-profile targets, and cyber conflicts between countries.

The following is an excerpt from an annual report prepared by our Cyber Intelligence analysts. To receive a copy, please send a request to: info@sensecy.com

Insights

Below are several of our insights regarding cyber activity this past year:

  • The financial sector was and continues to be a key target for cyber criminals, with most of the corporations hacked this year in the U.S. being attacked through infection of Point-of-Sale (POS) systems. Despite the high level of awareness as to the vulnerability of these systems following the Target breach at the end of 2013, ever more organizations are continuing to fall victim to these types of attacks, as the cybercrime community develops and sells dedicated tools for these systems.
  • In 2014, we saw another step up in the use of cyber as a cross-border weapon, the use of which can be highly destructive. This was evidenced in the attack on JPMorgan, which according to reports was a response to sanctions imposed by the U.S. on Russia. The ensuing Sony breach and threats to peoples’ lives should the movie The Interview be screened exacerbated the state of asymmetrical war in cyber space, where on the one hand, we see countries attacking companies, and on the other, groups of hackers attacking countries. This trend becomes even more concerning following the reports of the deaths of three workers at a nuclear reactor in South Korea, after it became the target of a targeted cyber-attack, evidently by North Korean entities.
  • This past year was rife with campaigns by anti-Israel hacktivist campaigns, whose motivation for attacking Israel’s cyber networks was especially strong. Again, it was clearly demonstrated that the relationship between physical and virtual space is particularly strong, when alongside Operation Protective Edge (July-August 2014), we witnessed a targeted cyber campaign by hacktivist organizations from throughout the Muslim world (but not only) and by cyber terror groups, which in some cases were able to score significant successes. We believe that in 2015, attacks by hacktivist groups will become higher quality (DDoS attacks at high bandwidth, for example) and the use of vectors, which to date have been less common, such as attacks against mobile devices, will become increasingly frequent.
  • Involvement of the internal factor in cyber-attacks: According to some speculations published recently in the global media regarding the massive Sony breach, former company employees  may have abused their positions and status to steal confidential information and try to harm the organization. This underscores the importance of information security and internal compartmentalization in organizations with databases containing sensitive information.

The Past Year on the Russian Underground

In 2014, we saw active underground trading of malware and exploits, with some of them being used in attacks inside and outside Russia that gained widespread media coverage in sources dealing with information security.

The following is a list of categories of malware and the main services offered for sale in 2014 on the Russian-speaking underground forums. Note that in this analysis, we only included important tools that were well-received by the buyers, which indicates their reliability and level of professionalism. Additionally, only tools that were sold for over a month were included. Let us also note that the analysis does not include special PoS firmware, but only programs designed to facilitate remote information theft through takeover of the terminal.

Malware_Russian Underground

Prices

The average price of a tool offered for sale in 2014 was $1,500. Since 2013, the average price has increased by $500. The following graph lists the average price in each of the categories outlined above (in USD):

Average_Price_by_Category

Key Trends Observed on the Russian Underground this Past Year

Trojan Horses for the Financial Sector

Malware designed to target financial institutions is a highly sought-after product on the Russian underground, and this past year we observed the development of malware based on Kronos source code – Zeus, Chthonic (called Udacha by the seller) and Dyre malware. Additionally, the sale of tools designed to sell login details for banking sites via mobile devices were also observed.

In this context, it should be noted that the modular structure of many types of financial malware allows flexibility by both the seller and the buyer. Most financial malware is sold in this format – meaning, various modules responsible for the malware’s activity can be purchased separately: Formgrabber module, Web-Injections module and more.

MitM Attacks

This type of attack vector, known to cyber criminals as Web injections, is most common as a module in Trojan horses for the financial sector. Members of many forums offer their services as injection writers, referring to creation of malware designed to be integrated into a specific banking Trojan horse (generally based on Zeus), tailored to the specific bank, which imitates the design of its windows, etc. In 2014, we saw this field prosper, with at least seven similar services offered on the various forums.

Ransomware

This year we witnessed a not insignificant amount of ransomware for sale on Russian-speaking forums. It would appear that the forums see a strong potential for profit through this attack vector and therefore invest in the development of ransomware. Furthermore, note that some of the ransomware uses the Tor network to better conceal the command and control servers. Since CryptoLocker was discovered in September 2013, we have seen numerous attempts at developing similar malware both for PCs and laptops.

Additional trends and insights are detailed in the full report.

Cyber Campaign against French Websites

In response to the recent escalations in France and the Anonymous #OpCharlieHebdo cyber campaign against Islamic extremists platforms, hundreds of French websites have been defaced by Muslim hacktivist groups (mostly from North Africa, such as the Tunisian hacker group dubbed Fallaga).

The famous hacktivist group Middle East Cyber Army (MECA) created an #OpFrance Facebook event page for organizing cyber-attacks against French websites on January 15, 2015. Another famous hacktivist group Fallaga created a similar event page that organized an anti-France cyber-attack on January 10, 2015.

MECA #OpFrance event page

MECA #OpFrance event page

Additionally, the famous hacktivist group AnonGhost has made calls on several social media platforms to hack French websites. The group also uploaded a video to YouTube, in which they explain their motive to act against French websites: “In reaction of France’s crimes against Muslims in Mali, Syria, Center Africa & Iraq, bombing mosques, killing innocents, under the banner of ‘fighting terrorism.'”

Finally, motivation to hack French websites is high and the anti-France message is quickly spreading via social media platforms.

Cyber in Chinatown – Asian Hacktivists Act against Government Corruption

Social networks are well-known tools used by activists to mobilize the masses. As witnessed during the Arab Spring and in recent incidents in Hong Kong, government opposition groups can organize dissatisfied citizens by means of a massive campaign. More closed countries, such as North Korea or China try to limit access by their citizens to international social networks such as Twitter or Facebook. We have noticed an increasing tendency toward anti-government campaigns in Asian countries and the cyber arena plays an important role in this process. We have identified this kind of activity in China, Malaysia, Taiwan, Japan and North Korea. Local cyber hacktivist groups are calling for people to unite against infringements on freedom by violating privacy rights. Hacktivists are organizing anti-government groups and events on popular social media platforms and are posting tutorials on how to circumvent the blocking of certain websites and forums in countries where such Internet activity is forbidden. Furthermore, the groups are posting provocative materials and anti-government appeals in local Asian languages, alongside to English. Thus, we can see an attempt to recruit support from non-state activists for a national struggle.

Anonymous Japan and Anonymous North Korea Facebook Posts

Anonymous Japan and Anonymous North Korea Facebook Posts

These groups are eager to reach a large number of supporters, and not only for political and psychological purposes. Together with publishing tutorials for “safe browsing” in the Internet for large masses of people the groups translate popular cyber tools for mass attacks and they disseminate instructional manuals translated into local languages on how to use these tools.

Popular DDoS Tool in Japanese

Popular DDoS Tool in Japanese

One example of exactly such an organization is Anonymous Japan – an anti-government hacking group. The group develops and uses DDoS tools and is also involved in spam activity. Furthermore, members of the group develop their own tools and publish them on Facebook for wider audiences.

#OpJapan Attack Program

#OpJapan Attack Program

Amongst the large-scale campaigns launched by this organization, you can find #OpLeakageJp – an operation tracking radiation pollution in Japan.

TweetStorm post against the Nuclear Regulatory Commission in Japan

TweetStorm post against the Nuclear Regulatory Commission in Japan

In addition to internal struggles, hacktivist groups are operating against targets in the area. One such example is operations by hacktivism groups personifying themselves with North Korean insignia and targeting sources in South Korea. Examples of such cyber campaigns are #Opsouthkoreatarget and #OpNorthKorea.

#OpJapan Attack Program

#OpJapan Attack Program

In China, we found an example of the #OpChinaCW campaign. A cyber campaign hosted by Anonymous was launched on November 2, 2014 against Chinese government servers and websites. The campaign was organized on a Facebook event page and was further spread on Twitter.

#OpChinaCW Twitter Post

#OpChinaCW Twitter Post

Hacktivists have also published cyber tools for this campaign. See below an example of a DDoS tool sold on Facebook for only US$10.

DDoS Tool for Sale

DDoS Tool for Sale

As previously mentioned, cyber activity in the Asia region is directed not only against enemy states, but also against the “internal enemy” – the government. Hacktivism groups not only organize such campaigns on underground platforms, but they also make wide use of open popular social networks to recruit supporters. Moreover, they also develop their own cyber tools.

A Creative Way to Celebrate the New Year’s Eve by the Russian Hacking Community

The second half of December is a joyful and festive time in the snowy, post-Soviet arena, culminating in the magical New Year’s Eve. Most people take vacation, and an atmosphere of playfulness and celebration can be felt in the air. The Russian-speaking hacker and malware development community is no exception, and each year the forums that serve as their main platforms are colorfully decorated for the holiday, while members post Season’s Greetings to each other.

This year, we witnessed a creative new idea by this community to celebrate the most important holiday in former Communist countries – a self-sponsored, cross-platform contest. Specifically, a quiz on hacking operations, scheduled to take place simultaneously on the last day of the year on several different forums.

The idea is the brainchild of one of the administrators of a leading underground forum, who started to raise money that will serve as prizes for the winners of the contest. A dedicated Bitcoin wallet has been opened for donations. Furthermore, service providers have offered free use of their products for the lucky winners.

The concept was met with enthusiasm by forum members, who proposed question topics and formats. A survey was launched on one forum, asking members to vote for the topic they would like to see in the quiz. The suggested topics involve the following areas of cybercrime: coding, spam, crypt, traffic, brute forcing, reverse engineering and administration.

A Survey launched on one forum about the topics in the quiz

A survey launched on one forum about the topics in the quiz

Several members have donated money, saying that such activity helps to develop the community and serves as motivation for achieving knowledge. Moreover, the administrators of numerous underground forums have expressed their support for the contest, indicating the expected high level of the quiz.

We look forward to discovering the names of the winners of the contest on December 31 and seeing what kind of questions are going to be asked. Meanwhile, we wish you all Happy Holidays and Happy Novy God!

2

Turkish Hacking Group Cyber Warrior’s e-Magazine : TeknoDE

Cyber Warrior is one of the biggest hacker groups in Turkey. The group was established in 1999. Their first significant cyber-attack was in 2003, when they launched a massive operation against 1,500 U.S. websites in protest against the American invasion of Iraq and a specific incident where Turkish military personnel in northern Iraq were captured and interrogated by the U.S. Army.

Turkish Hacking Group Cyber Warrior

Turkish Hacking Group Cyber Warrior

Cyber Warrior (CW) comprises teams for strategy, intelligence, logistics, R&D and a dedicated unit for waging cyber-attacks named Akincilar. In recent weeks, for examples, Akincilar has attacked official government websites of countries that discriminate against their Muslim populations, in their opinion.

Additionally, CW has been active developing cyber tools and improving others. They even write instructional manuals on cyber security and have established a Cyber Academy, where they provide online training.

In September 2014, the group published their first monthly e-Magazine. The magazine is published on their online platforms and it includes cyber news items from the IT world, new technologies, cyber security, hacking news, programming and more.

September 2014 issue of TeknoDE

September 2014 issue of TeknoDE

In their first issue, they featured a cryptography contest with the top prize of a book, mug and mouse pad.

Cryptography Contest

Cryptography Contest

In their October issue, they reviewed the recently discovered Shellshock vulnerability, shared information on how to locate a lost mobile phone and discussed ways to hack into Gmail accounts, and aircraft and satellite systems.

October 2014 issue of TeknoDE

October 2014 issue of TeknoDE

A couple of weeks ago, they produced the November 2014 issue, featuring articles about credit card frauds, new Android malware and interviews with Cyber Warrior founders.

November 2014 issue of TeknoDE

 

Currently, the magazine is in Turkish and it increases awareness of the Cyber world for users, while promoting an interest in cyber security among them.

Members of the website and readers of CWTeknoDE will not only be motivated to hack, but with this magazine they will have chance to learn more about the cyber world, and methods and vulnerabilities.

Related Posts


Did Turkish Hackers Actually Hack the Israeli “Iron Dome”? on August 18, 2014 by Sheila Dahan

Turkish Government Bans Twitter and Hijacks IP Addresses for Popular DNS Providers on March 31, 2014 by Sheila Dahan

RedHack – A Turkish Delight on February 5, 2014 by Sheila Dahan

AnonGhost Targets Universities around the World

During November 2014, the popular hacker group AnonGhost attempted to deface academic websites from around the world.

Background

AnonGhost was established by a famous hacker dubbed Mauritania Attacker. The group has launched many wide-scale cyber campaigns against the U.S., Israel and other countries around the world. The group’s most popular repeat campaign is #OpIsrael, which was relaunched on April 7, 2014 (one year after its inaugural launch), targeting Israeli cyber-space.

Their most recent ongoing campaign is #OpGov, where group members attempt to hack government websites in different countries. In the following image, you can see an example of the group’s intention to hack Jamaican government websites:

#OpGov

The group has also leaked information from databases, such as emails, passwords and personal details.

Targeting Academic Websites

Recently, we noticed that AnonGhost is focusing on academic websites in the U.S., such as Washington University, Olin College of Engineering and Utah State University. On its official Facebook and Twitter accounts, the group announced that they had successfully defaced these American academic websites. In the following images, you can see the group’s post and their tweet regarding Washington University websites:

Post and Tweet

In the following image, you can see the group’s post on Facebook listing its achievements in hacking government and academic websites:

Post

Defaced Websites as Tools for Future Attacks

It should be noted that cyber researchers have recently warned about new methods used by hacktivist groups to attack users who visit defaced websites, using a malicious link that leads to a Dokta Chef Exploit Kit hosting website. The Dokta Chef EK takes advantage of a recently disclosed vulnerability that allows remote code execution related to the Internet Explorer browser. In the following image, you can see a defaced website with the malicious link (lulz.htm):a Defaced Website

Related Posts


#OpIsraelReborn Campaign launched by AnonGhost September 5, 2014 by CyInfo

#OpSaveGaza – by the Tunisian AnonGhost  July 13, 2014 by Yotam Gutman

Recycled Fuel? OpPetrol Campaign by AnonGhost leaked a large amount of credit cards details June 18, 2014 by Yotam Gutman

 

Cyber Threats to a Bank – Part 1: Cybercriminals Target Financial Institutions

Banks and other financial institutions often serve as key targets for malicious activity committed in cyber space. Owing to their large-scale financial operations, banks have always attracted scammers and thieves searching for easy ways to get rich quick. The rapid development of technologies used in the different industries has shifted banking operations to a much more virtual level, opening up new, sophisticated ways for criminal actions to be perpetrated. Aside from traditional, profit-motivated cybercrime, a large part of a bank’s technical infrastructure, such as online banking services, is located on the Internet. This exposes another Achilles’ heel of banking institutions, while serving as a weapon for ideologically motivated hackers trying to undermine a bank’s reputation and normal functioning. In this blog post we will focus on threats coming from the cybercrime arena, the next one describing the hacktivism world is to be followed.

Cybercriminals act from different vectors, such as developing malware for stealing login details for banking sites and applications, extracting credit card data from hacked databases, etc. The main motivation of cyber criminals is financial profit. Subsequently, they use closed web forums and online shops to support their illegal activity and develop new fraud schemes. In most of the cases, financial institutions face one of the following three threats:

Man-in-the-Middle (MitM) Attacks

Also called web injections, this attack method is very popular among cyber criminals targeting the financial sector. If the attack is successful, the hacker manages to infiltrate the web-session between the customer (while he is surfing the bank website) and the bank. He then intercepts the messages sent between the two parts of the conversation, including credentials and classified information, and injects new messages, without arousing the suspicion of either party.

In most cases, the injections are adjusted per victim, and are delivered via banking Trojans, Zeus for example. On closed forums, injections are sold as separate modules for banking malware, or they are offered as a tailored service for cyber criminals targeting a specific bank.

2

Examples for web injections offered for sale in Russian forums

Examples for web injections offered for sale on Russian forums

Client Detail Trading

One of the most popular areas of activity on underground forums is the trading of login details to bank websites and client personal data. Typically, this data originates from computers infected with malware designed to steal data inserted into form fields on websites. The operator of the botnet comprising these infected computers will not always use all the stolen data by himself, but may sell it to ‘professionals’ who specialize in cashing out money from these hacked accounts.

A term that should be mentioned in this context is the “drop” – a person who receives the stolen money into his account – sometimes without even knowing that he is supporting illegal activity, as legends and cover stories are frequently used. Drops are usually operated by the buyers of the login details – scammers who have a stabile infrastructure for cashing out stolen money. Posts on the subject of buying and selling credentials are frequently found on closed forums.

 Compromised Credit Cards

Online shops offering different kinds of credit card data for sale are very popular among those cyber criminals specializing in “carding.” These shops are very convenient for their users. They include numerous filtering options, thus matching the data to the scammers needs. Prices may vary considerably, depending on the rarity of the card and the demand for the data of the issuing bank, as well as elapsed time since the data theft.

Credit Cards form Home Depot breach are sold on an underground shop

Credit Cards form Home Depot breach are sold on an underground shop

Related Posts


Two New Banking Trojans Offered for Sale on the Russian Underground July 15, 2014 by Tanya_Koyfman