PERSONAL DATA OF TAIWAN’S ENTIRE POPULATION FOR SALE

A May 2020 media report disclosed that a Taiwanese database containing personal data from over 20 million citizens (Taiwan’s entire population) was posted for sale on the Dark Web. According to researchers, the source of the leak is governmental and originates from the Department of Household Registration, under the Ministry of Interior.

The sale offer was posted on May 19, 2020 in an English language underground Dark Web marketplace. The seller indeed claimed the database contains data of the entire country’s citizens and attached a sample where one can see each line in the database is arranged by full name, landline number, ID number, home address and sex. The seller has offered to sell the database for US$ 2,500.

Taiwan’s Population Database for Sale
Source: Verint Luminar

NOT THE FIRST TIME WE’VE SEEN SUCH AN OFFER

Although this database leak was defined by the above reports as unique, this is not the first time we have seen an offer for a database consisting of personal information for the entire population of Taiwan. In Chinese sources, such offers have appeared since August 2018 at least. Our findings, detailed below, may imply the database offer is in fact a resell of a previous database offered several times in the past in Chinese underground sources. These findings show the flow of data from one underground arena to another and stress the importance of multi-language monitoring across various sources to get a full picture of the origins of leaked databases.

THE TAIWANESE DATABASE ON THE CHINESE DARK WEB

Our first indication of a Taiwanese population database was in August and September 2018. In August 2018, an offer appeared on the Chinese Darknet marketplace to sell a Taiwanese population database consisting of the full names, landline numbers, gender and home addresses of 21,141,314 people.

Taiwan’s Population Database for Sale, August 2018
Source: Chinese Dark Web marketplace

About a month later, an actor who has offered several other major database leaks on the same Chinese language Darknet marketplace (including the Marriott database), offered a full database of the Taiwanese population, consisting – according to him – of approximately 25 million lines of data, claiming the data was updated to September 2017.

Taiwan’s Population Database for Sale
Source: Chinese Dark Web marketplace

Since then, similar offers have occasionally appeared in both the Darknet marketplaces and other underground chat groups operating on Telegram.

SIMILARITIES BETWEEN LEAKED SAMPLES SHARED ON THE DARK WEB

According to our research, the last time a similar offer was published was January 2020, when an actor on a Chinese Darknet marketplace offered a 25 million line Taiwanese population database containing – once more by that order: full names, landline telephone numbers, ID numbers, home addresses and sex. The actor also attached a short sample to prove the authenticity of the database. According to the marketplace’s inner data, this transaction was completed twice, meaning two different actors have purchased the database since. Of note, the same actor also offered the same database in April 2019, attaching a similar sampler. The two screenshots below show the two offers, from January 2020, and April 2019.

Offer to Sell Taiwan’s Full Population Database, Containing ~25 million Lines, January 2020. Source: Chinese Dark Web Marketplace
Similar Offer from the Same Actor, April 2019
Source: Verint Luminar

The two samples attached to the offers – the two Chinese posts from April 2019 and January 2020 and the English post from May 2020 – show different names but look strikingly similar. The pattern of the data is identical, and it is arranged in the exact same order: full name, landline number, ID number, home address and sex. Furthermore, the current seller admitted he obtained the data in 2019, which is in line with the date the same offer was published on a Chinese marketplace.

All the above leads us to conclude the current offer of the Taiwanese population database is an attempt to resell the same database leaked in the past in Chinese underground platforms. As the asking price for the data sold on the Chinese platform was merely US$ 200, whereas he offered the same database for US$ 2,500, we believe it is highly probable this actor acquired the database on the Chinese marketplace and then tried to make an easy profit from actors operating on other platforms who do not have access to the Chinese marketplace and/or cannot read Chinese.

THE SELLER HAS OTHER ACTIVITIES ON THE DARK WEB

According to our analysis, the seller was seen operating under the same nickname on a Chinese Telegram underground chat group, a Russian Clearnet hacking and fraud forum, and two English-language Darknet forums.

In all instances, he offered credit card user data from China Industrial Bank containing over 460,000 lines. In one of the offers seen below and posted on the English-language forum, the actor quoted a price of US$ 380 for the database.

The China Industrial Bank Credit Card User Database offered on a Chinese Underground Telegram Group
A Similar Offer by the Same Actor Posted on an English-language Darknet Forum for US$ 380
Source: Verint Luminar

BUY IN ONE LANGUAGE, RESELL (FOR A NICE PROFIT) IN ANOTHER

As in the case of the Taiwanese population database, the China Industrial Bank database offered by this actor appeared before in Chinese underground platforms. In March 2020, the offer was posted on a Chinese Darknet marketplace for US$56 (see first screenshot below.) According to this marketplace’s inner data, it was sold 21 times. A month later, in April 2020, it was also offered on a Chinese-language underground Telegram group (see second screenshot below.) This demonstrates a similar modus operandi by this actor, and presumably by many other actors who operate across various, multi-language platforms: acquiring databases in one language (Chinese) and reselling them at higher prices on platforms in other languages.

The Chinese Industrial Bank Database offered on a Chinese Darknet Marketplace, March 2020
The Same Database offered on a Chinese Telegram Group, April 2020. Source: Chinese Darknet Marketplace

DDoS Attacks for Hire: How the Gambling Crave Fuels Cybercrime in China

ddos-attack-Banner-DDos_1920x960-1024x512

The Forbidden Fruit – Gambling in China

Many card and board games are believed to have originated in Ancient China. Some of these games involved betting and gambling and they have been an inherent part of the Chinese leisure culture for centuries.

This changed when the Communist Party seized power in 1949, declaring gambling a “corrupt, feudal practice” and hence strictly banned by law.

When the Reform and Opening-up policy was introduced in China in the late 1970’s and early 1980’s, the authorities have somewhat released their strong grip on gambling and card games. Gaming and carding parlors (known in Chinese as 棋牌室, literally meaning “chess and card rooms”) sprang up in every street corner and card games and private betting among groups of friends thrived. Despite this, gambling remained illegal outside the two national lotteries (the China Sports Lottery and the China Welfare Lottery) and these establishments were far from satisfying the crave.

What do you do when your Favorite Pastime is Forbidden by Law?

Travel to Casino Hubs Abroad

A partial solution was found overseas. Chinese gamblers have flocked to casinos around the globe and went to neighboring Hong Kong to participate in horse race betting. And then there was Macau – with the help of the Chinese government, the former Portuguese colony just across the border from Guangdong Province has become the world’s largest casino center, surpassing Las Vegas since 2006.

Another casino hub attracting hordes of Chinese gamblers in recent years is the Philippines, where the hosting and entertainment industry, catering to the needs of the Chinese, was booming until the outburst of Covid-19 pandemic. This is manifested in job openings in the Philippines for Chinese nationals, many of which re published in dubious online platforms, such as QQ and Telegram groups dedicated to gambling and fraud as well as in Chinese-language underground forums. Another negative side to this craze is gambling-related crime, which has escalated in the Philippines over the past years.

However, traveling abroad is not accessible to everyone in China with a crave for gambling and even those who do travel, cannot always travel as often as they’d want to. There was a market rip for solutions, and with travel restrictions following the outburst of Covid-19 pandemic, this market’s potential grew even larger.

From Casino Hubs to Online Gambling Arenas

they satisfied the Chinese gambling community for about a decade. Since then, China has outlawed online gambling as well and the active websites are also situated offshore, on servers located outside the country.

These online casinos, gaming websites and gambling arenas cause a big headache to the Chinese Communist Party. If a decade ago the authorities have largely turned a blind eye to this phenomenon, nowadays, with the clear aim to promote a “civilized, harmonious society”, China sees it as a challenge and tries to fight these online platforms. Of course, these moral considerations, important as they may be, are dwarfed by the financial problem, as online gambling is draining hundreds of millions of yuan out of the country. Yet China is finding it hard to stop websites that are registered and operated abroad, especially when the hosting counties, such as the Philippines, are not so keen on cooperating.

Enter Cybercrime

The size of the market is a huge business incentive, creating more and more actors and fierce competition. These online casinos use various methods in order to lure more gamblers onto their websites. One of these methods, is fraud. For example, one of the common frauds that takes place is when fake gambling websites pretend to be official sites of famous casinos in Macau.

But competition does not stop there. In order to gain bigger chunks of online traffic, gambling websites fight and attack one another, and their weapon is – ironically – online traffic.

chinese-gambling-website-1024x519

Chinese Gambling Website Posing as Macao’s Venetian Official Online Casino

The DDoS Fighting Ring

Chinese hackers are more than eager to lend a helping hand. As most state-sponsored cyber activities handled by patriotic hacking groups from the early 1990’s until about a decade ago, are now under the wings of the Chinese intelligence apparatus, many idle hackers have turned into cybercrime, looking for easy profit. This type of cybercrime is mostly directed inbounds.

One of the ways in which Chinese hackers are involved in the online gambling industry is by breaching online casinos and gaming websites, stealing their user data and selling it on Darknet marketplaces or offering it on designated QQ and Telegram groups.

gambling-site-database-leak

Sample from a Gambling Site Database Leak,
Offered for Sale on a Chinese Darknet Marketplace

Another way, which drives a whole underground sector of cybercrime in China, is by conducting DDoS attacks against competitors. These attacks take the gambling websites down and thus, hopefully, drive their customers to the gambling site that ordered the attack.

DDoS has also become a popular weapon for pornography websites and Darknet marketplaces, who launch DDoS attacks against each other. For example, China’s largest online marketplace on the Darknet, has experienced a large-scale DDoS attack during the summer, disrupting its activity for several weeks.

flashing-ads

Flashing Ads on a Chinese Hacking Forum, Offering Tailor-made DDoS Attacks,
among other Hacking Services

The DDoS Chain

The first step in a DDoS attack is to gain control of a large number of computers and other online devices and to turn them into bots, in order to divert huge traffic to the attacked website and thus shut it down. In Chinese hacking slang, these computers are named “broilers” or “meat chickens” (肉鸡). Members of Chinese underground hacking forums constantly offer tools for detecting these “broilers”, namely scanners that trace vulnerabilities in computers and servers. These tools allow the attacker to penetrate these vulnerable devices, implant trojans in them and hence control them remotely. The tools are referred to in Chinese as “Chicken Catchers” (抓鸡) and hackers who operate on those forums trade them between themselves.

broiler-detection

‘Broiler’ Detection Tool Offered on a Chinese Hacking Forum

In addition to buying tools to detect “broilers”, DDoS attackers can also buy these “broilers” directly, as these are sold in bulks on forums and designated QQ/Telegram groups. Based on the number of messages in forums and chat groups, of people requesting to buy “broilers”, it is quite clear they are in high demand.

The customers of the “broiler” market are in turn becoming the suppliers of DDoS attacks and offer their tailor-made services online. Whoever orders the attack can contact the attacker via private messaging, define the target and agree on a price according to the length of the attack and the nature of the attacked website. According to a report published by the Chinese tech firm Tencent, this is what the chain of custom-made DDoS attacks looks like:

DDOS-diagram-1024x595

The Offer: DDoS as-a-Service

The screenshot below, showing an offer posted on a prominent Chinese Darknet marketplace, can shed light on the how these DDoS as-a-service transactions are conducted. It also demonstrates what kind of websites are legitimate targets and which websites are off-limits, for fear of being prosecuted by the authorities. The post reads:

ddos-as-a-service

DDoS as-a-service Offer Posted on Chinese Darknet

Translation:

ddos-as-a-service-translation

Hunting Down Cybercriminals

Chinese law enforcement authorities are well aware of this problem and are relentlessly trying to crack down these cybercriminals and their activities. In late 2018, a man in his twenties from Suining County, Jiangsu Province, was arrested by local authorities, after discovering he had implanted a malicious code, which allowed him to remotely control a local server. During his investigation, he admitted to being part of a team of at least 20 hackers from all over the country that had used “broilers” in order to conduct DDoS attacks by demand.

The team had been involved in more than a hundred DDoS attacks, harming or controlling more than 200,000 websites and earning more than 10 million yuan along the way. Members of the team were arrested across China, yet this only emphasized the magnitude and popularity of the DDoS and DDoS as-a-Service markets, and the success of taking down this cybercriminal operation was merely a drop in the ocean.

Changes in the Threat Landscape under the Global Influence of COVID-19

In this report, Verint’s Cyber Threat Intelligence Group (powered by SenseCy) presents an analysis of how the COVID-19 global outbreak changed the threat landscape and how in the case of cyber threats too, the curve has flattened and the number of COVID-19 related cyber incidents, is in decline.

Key Findings

  1. The peak of the curve was in the second half of March 2020, after which we see a decline in the number of COVID-19 related malicious activities.
  2. Malspam and phishing/spear-phishing have been the most popular attack vectors between the 1st of March and 18th of April – used in 66.6% of the campaigns analyzed.
  3. The healthcare industry is the most targeted industry when it comes to COVID-19 related attacks, with over 20% of campaigns targeting healthcare organizations.
  4. Out of the four most popular vulnerabilities exploited, one dates back to 2012 (CVE-2012-0158).

To read the full report, click here.

The New SMBGhost Wormable Vulnerability is Gaining Popularity in The Dark Web

smbg_cover_1920x960-1024x512

On March 10, 2020, details about a zero-day vulnerability (CVE-2020-0796) affecting the Microsoft Server Message Block (SMB) protocol, were accidentally exposed by security companies. SMB is a network communication protocol responsible for granting shared access to files, printers and serial ports between the different devices on the network.

In this blog post we reveal some of the activities we identified in the dark web and explain why this specific vulnerability has the potential to become a “wormable” attack that can spread fast.

The CVE-2020-0796 vulnerability, which received the moniker SMBGhost, is a buffer overflow vulnerability that exists due to an error in the way the vulnerable protocol handles a maliciously crafted compressed data packet. It could be exploited by a remote, unauthenticated attacker to execute arbitrary code and gain control over vulnerable systems.

In addition, researchers noted the vulnerability could be exploited in a “wormable” attack, in which an attacker could easily and quickly move from one victim on the network to another. In this aspect, this vulnerability resembles the “wormable” CVE-2017-0144 vulnerability, which also affected an earlier version of the SMB protocol (SMBv1) and was exploited during the massive WannaCry and NotPetya ransomware outbreaks in 2017, using the EternalBlue exploit allegedly developed by the NSA and leaked by the Shadow Brokers hacking group in April 2017.

Will the SMBGhost vulnerability lead to cyber-attacks in the magnitude of WannaCry and NotPetya? We don’t know yet. What we do know is that the world is currently in a very different and much more vulnerable place, with the Coronavirus outbreak sending millions of employees to work remotely, in a much less secure environment. The balance between risk and security has shifted.

Time To Patch SMBGhost

As the vulnerability only affects SMBv3, which is the latest version of the SMB protocol that exists only in recent versions of the Windows operation system, only Windows 10 and Windows Server 2019 versions of the OS are vulnerable, and specifically the following builds of both OS versions: 1903 and 1909.

The vulnerability was patched by Microsoft shortly after its publication, with the release of a security update on March 12, 2020.

Users are urged to install the relevant security update issued by Microsoft. However, if installing the patch is currently not possible, the company advises to disable SMBv3 compression using the following PowerShell command:

powershell-command

PowerShell Command

Unfortunately, prioritizing patching is always a challenge. Considering the fact that most IT departments in any organization nowadays, are currently occupied by ensuring employees are able to work remotely, in order to maintain business continuity, it is possible that patching will not be a first priority.

Discovered PoC Exploits

Since the vulnerability was made public, various repositories connected to the vulnerability have been created on GitHub. Many of these contain scanner scripts for detecting vulnerable systems.

In addition, several repositories containing PoC exploits for the vulnerability were also identified. One such repository contains a PoC written in Python that supports SMBv3.1.1. This PoC targets Windows 10 systems running the 1903/1909 build.

According to our analysis, this PoC triggers a buffer overflow and crashes the kernel, but could be modified into a remote code execution exploit. We identified additional similar PoC exploits on GitHub, all of which would eventually cause the targeted system to crash. However, none of the exploits we observed allow remote code execution.

poc-description-1024x424

Description of the PoC

Dark Web Discussions

Right after details of the SMBGhost vulnerability were published, discussions about the vulnerability emerged on different Dark Web platforms, where the vulnerability is also dubbed CoronaBlue (possibly a paraphrase on the EternalBlue exploit and the current Coronavirus pandemic outbreak). At first, we mainly observed the sharing of publicly available reports about the vulnerability.

news-reports

News Reports about the SMBGhost Vulnerability Shared on a Russian Dark Web Forum (Source: Verint LUMINAR)

However, threat actors soon started expressing their interest in a working PoC. For instance, on March 11, 2020, a member of a hacking-related Discord channel asked how many GitHub repositories containing fake exploit codes for CVE-2020-0796 exist (since it is not uncommon to find fake repositories allegedly containing exploit codes circulating on the Web after a new zero-day vulnerability is revealed). One of the replies he got was that it “would be good” to have a working PoC, and another member shared a link to a scanning tool for tracking vulnerable systems, which is publicly available on GitHub. That same scanner was also shared on a Russian forum, and an additional scanner on GitHub was shared in a Persian Telegram channel. Furthermore, our researchers have found multiple discussions in different underground forums, where users are trying to find exploit kits for the CVE-2020-0796 SMBv3 vulnerability.

Our research team will continue to monitor the new SMBGhost vulnerability and the threat actors that express interest in the vulnerability and in obtaining a working PoC exploit for it. As several PoC exploit codes have been made available on GitHub, it is possible we will soon witness exploitation attempts. Although none of the currently available PoC codes could allow the attacker to remotely execute arbitrary code on targeted systems, these exploits could be modified to enable remote code execution, and potentially constitute a more serious threat. Furthermore, the fact this vulnerability could be leveraged in a “wormable” attack, stresses the importance and the urgency of applying the relevant patch.

Hackers Continue to Exploit the COVID-19 Pandemic in Malicious Campaigns

hackercovid_1920x960-1024x512

As the Coronavirus (COVID-19) pandemic continues to spread throughout the world, a growing number of malicious campaigns were identified, attempting to exploit the constant search for information and updates on the virus, in order to spread various types of malware.

In this blog post we share our analysis of one of the major Coronavirus related malicious campaigns and provide an overview of other campaigns. In addition, for your convenience, you will find at the end of the post a list of IoCs to implement in your security systems.

The COVID-19 Interactive Map – The Malicious Version

Security researchers have identified Russian cybercriminals selling malicious versions of the highly popular interactive map of COVID-19 cases around the world, created by Johns Hopkins Coronavirus Resource Center. In fact, these versions include infostealer malware, intended on stealing information from its victims’ computers.

john-hopkins-map-1024x349

John Hopkins Coronavirus Resource Center

sales-offer-on-russian-dark-web-forum

Sales Offer of Malicious Map in Russian Dark Web Forum
Source: Verint LUMINAR

In addition, a new malicious domain was discovered, coronavirusapp[.]site, which is offering to download an Android app that tracks the spread of the virus and also includes statistical data. However, the application is actually poisoned with CovidLock, a ransomware that changes the password used to unlock the device, thus denying the victims access to their phones. The victims are required to pay a ransom fee of US$100 in Bitcoin, or else, according to the ransom note, their contacts, pictures, videos and device’s memory will all be erased.

coronavirus-app-site

The Coronavirusapp[.]site domain.
Source: Domain Tools

Attack Methods

Security researchers have also discovered a new backdoor distributed in RAR format. The file includes an executable masquerading as a Microsoft Word file with information on COVID-19, intended to install the rest of the malware on the victim’s computer. The researchers estimate that file is being distributed via phishing emails.

A new ransomware called CoronaVirus was recently identified while being distributed through a fake website of WiseCleaner, a service offering system utilities for Windows OS. Download files on this malicious site act as downloaders for both the CoronaVirus ransomware and a stealer called Kpot. Additional campaigns utilize phishing emails with malicious attachments that supposedly include information and updates on Coronavirus, but in fact download different malware to the victims’ computers, including a banking Trojan called TrickBot, a Stealer called LokiBot and a Stealer called FormBook.

State-Sponsored Threat Actors Are Also Involved

Security researchers have also identified state-sponsored threat actors exploiting the COVID-19 panic to promote their interests and carry out attack campaigns.

  • In early March 2020, researchers discovered a campaign launched by a Chinese APT group against targets in Vietnam.
  • Another Chinese APT group attacked targets in Mongolia’s government using malicious documents that supposedly contain new information on the virus.
  • An APT group originating from North Korea has sent phishing messages to South Korean officials that ostensibly included a document detailing the reaction of the country to the pandemic.
  • Russian APT Group had sent malicious files, seemingly including updates on Coronavirus, in order to distribute a backdoor malware to targets in Ukraine.

We see that cybercriminals and state-sponsored threat actors are using the panic resulting from the Coronavirus pandemic, for phishing purposes and malware distribution. As the virus continues to spread across the world, preoccupying the global agenda, it can be estimated we will witness more campaigns exploiting the crisis.

To read the detailed analysis click here

For a list of IOCs click here

Suspicious Domains Selling Tickets to the Tokyo 2020 Olympics

Tokyothumbnail_840x620

As a cloud of uncertainty still hangs over the opening of the Tokyo 2020 Olympics due to the Coronavirus pandemic, cyber criminals are still working (remotely) on finding ways to maliciously profit from the event.

Events at the center of global attention such as major sports events and tournaments are often used by attackers to trick users into phishing scams, malware campaigns and the theft of personal and payment details.

We have been monitoring potential threats to the upcoming Tokyo 2020 Olympics for our customers and we recently discovered two suspicious domains allegedly selling tickets for the Games. In both cases, further investigation led us to find additional suspicious domains allegedly selling tickets to the Euro 2020 tournament. In this blog post you can find a summary of our findings.

tickets-tokyo2020[.]com

The domain tickets-tokyo2020[.]com was created on February 11, 2020 by a private registrant at the NICENIC INTERNATIONAL GROUP domain registrar.

When accessing the domain, the user is presented with a page in Russian where the official logo of the 2020 Tokyo Olympics appears. It is also stated that this website is an “authorized Ticket Reseller” for the Olympics. However, we could not find this domain in the list of authorized resellers on the official website of the 2020 Olympics. The user can change the language of the website to English and the website contains search fields, where the user can search for a specific event in the Olympics, for which they are looking to purchase tickets. At the time of publishing this post, the search option does not appear to function, thus, it is possible the website is still under development. There is also a “cart” banner where the user is supposed to be able to view the selected tickets and pay for them.

tickets-tokyo-1-1024x562

tickets-tokyo2020[.]com

This domain is hosted on the 5.45.72[.]40 IP address, together with only two more domains: ticket-mafia[.]com and euro-2020-tickets[.]com. The ticket-mafia[.]com domain was created on November 2016, and until December 20, 2019, it was registered by a private registrant at the GoDaddy domain registrar. However, on December 20, 2019, its registry was updated by a private registrant and was registered at the same domain registrar as the tickets-tokyo2020[.]com domain, NICENIC INTERNATIONAL GROUP.

The ticket-mafia[.]com domain displays a login page in Russian. It is worth mentioning that when inserting HTTPS:// before the tickets-tokyo2020[.]com domain, we were presented with the same login page of ticket-mafia[.]com. There is no option to sign up and therefore we believe it is designed for a user with preset login credentials, presumably the admin of the websites. We estimate the login page leads to a backend dashboard of some kind, although it remains unknown whether it is used for legitimate purposes or not.

login-window-small

Login Window

The euro-2020-tickets[.]com domain was created on January 6, 2020, by a private registrant and is also registered at the NICENIC INTERNATIONAL GROUP domain registrar. This website resembles the tickets-tokyo2020[.]com: it is also presented in Russian and uses the official UEFA Euro 2020 logo, it enables the user to switch the language to English and it allows users to search for a specific match. However, in this case, the search function does work. Upon selecting a match and a seat, the user can select the “order” function and enter his name, phone number and email address and move on to the payment, yet the “Go to the payment” button does not work, as of the time of publishing this post. Of note, the official UEFA Euro 2020 website specifically states that “Third-party ticketing websites and secondary ticketing platforms are not authorized to sell tickets for UEFA EURO 2020”. Thus, it appears this website is not an official Euro 2020 tickets reseller and is not authorized to offer tickets for the tournament for sale.

euro-tickets2020-1

euro-2020-tickets[.]com

In light of these findings, we estimate that the above domains were created by the same actor. Our investigation did not reveal any malicious activity associated with these domains. However, it appears that these are not official resellers of tickets for the two events. In addition, as the search function in the Tokyo 2020 domain and the payment function in the Euro 2020 domain do not work, it appears that these domains are still under development, and thus could materialize into a more serious threat in the future.

olympic2020tickets[.]com

The code of a malicious HTML file recently uploaded to the VirusTotal platform, contained a link to the olympic2020tickets[.]com domain. This domain does not appear in the official website of the Tokyo 2020 Olympics as an official and authorized reseller. The website offers users to buy or sell tickets to the 2020 Tokyo Olympics. The website also displays the logos of some of the Olympics’ official sponsors, such as Toyota, Panasonic, Visa, Alibaba Group, and more. The use of the logos of the sponsors can increase the credibility of the website in the eyes of visitors, and trick them into thinking the website is a legitimate and official ticket reseller for the Games.

olympic2020tickets-1

olympic2020tickets[.]com

Using an HTML interpreter, we discovered that the above-mentioned malicious file uploaded to VirusTotal, contains the HTML code of the main page of olympic2020tickets[.]com. In addition, the olympic2020tickets[.]com domain itself is identified as malicious by three different anti-virus engines. Our technical analysis of the website’s code did not reveal any use of a malicious JavaScript. The website provides the following phone number for contact: +4402074425560. We identified two additional similar domains, eurosportstickets[.]com and ticketsmarketplace.co[.]uk, which provide the same phone number for contact, and are also dedicated to selling tickets to various sports events and games. As can be seen in the screenshots below, the three domains resemble each other in their structure and design. In addition, eurosportstickets[.]com is identified as a phishing website by two anti-virus engines.

eurosportstickets-1-1024x524

eurosportstickets[.]com

ticketsmarketplace-1

ticketsmarketplace[.]co.uk

None of the Whois details of the three domains, reveal the identity of the registrant. However, we noticed that two of the domains, olympic2020tickets[.]com and ticketsmarketplace[.]co.uk, are hosted on the same IP address, 77.72.1.20, while eurosportstickets[.]com is hosted on the approximate 77.72.1.21 IP address.

Using the graph function of VirusTotal, we managed to establish connections between the three domains and the IP addresses they are hosted on, as can be seen below. The graph also shows how this infrastructure is related to malicious activity, and how both IP addresses are used for downloading malware, such as the Tofsee backdoor, the Artemis malware or the QRat.

mapping-1024x711

Connections Between the Domains and Their Surrounding Malicious Infrastructure

 

How Automation Turns CTI Analysts into Super Heroes

Automation_for_CTI_1050x540-1024x527

The expanding demand for Cyber Threat Intelligence (CTI) and its extensive use by organizations worldwide, places CTI analysts in a position where they are expected to have super powers. From fraud analysis, through big data analytics to classic intelligence and cyber intelligence, today’s analysts need to know it all, and at the same time combat data overflow, false positives and a ticking clock.

The Top 5 Challenges that Affect Analysts’ Daily Tasks

Diverse sources and anonymity – Required skill: Language and HUMINT capabilities

The huge amount of the data that resides in the deep and dark web platforms, arrives in a variety of languages. The analyst has to have knowledge of these languages and the slang used. Unfortunately, automated translation services are not relevant, as the analyst has to know who to talk to, how to embed himself inside the virtual community without appearing suspicious, there are subtleties that require a human being.

Financial crime grows more sophisticated – Required skill: Fraud analysis

Since financial organizations are large consumers of CTI, the analyst needs to understand the financial field, what is a BIN, how SWIFT networks work, where to find stolen credit cards, how cybercriminals monetize them etc.

Data overflow – Required skill: Big Data analytics

The CTI analyst needs to go over a large amount of data, the ability to analyze, correlate, connect and classify data-points, quickly and efficiently requires exceptional skills.

Multiple disciplines – Required skill: International relation analysis

The geo-political situation in different parts of the world has a direct effect on the cyber domain. In order to understand, analyze and assess intelligence, the analyst has to have some understanding of the relations between countries, global politics, world history and more

Variety of end-users – Required skill: Report writing

Assuming your analysts possess all the above-mentioned skills, there is still the matter of communicating their findings. All analysts’ discoveries should be shared in a report, simplifying the findings so that non-technical people will also understand the discoveries, the impact on the organization and the analyst’s recommendations and action items. With the growing shortage of skilled cyber personnel, finding a “super-analyst” who will possess all the skills listed above, seems like a mission impossible. This is why we have to look at technology solutions that can facilitate the analysts’ work. In this case – automation.

How Automation Benefits CTI Analysts

There are automated tools that take off some of the analyst’s workload, enabling the analyst to focus on specific actions and develop new skills that require the human touch.

Below we review a few automation solutions that can be easily implemented to free up substantial resources.

Collection of Data and Alert Monitoring

Collection of data from open and covert web sources, as well as existing intelligence data bases, can be fully automated. The data searched for is based on the organization’s industry, critical assets and predefined threat hunting requirements.

The process of classifying the risk and prioritizing mitigation actions, can also be automated using treat scoring algorithms that are based on the workflows and analysis processes of experienced Cyber Threat Intelligence researchers.

Domain Monitoring

Automated domain monitoring enables to expose in timely manner newly registered Whois records that can be used in a malicious way to place your business at risk. Combined with SSL monitoring and regular DNS queries, automated domain monitoring provides a more complete CTI picture.

Credit Card Monitoring and Analysis

An automated credit card monitoring tool monitors the Dark Web for any new (relevant) credit card (CC) published. Once there is a new publication detected, the tool downloads it and analyzes data such as BIN/CC number, expiration date, name of CC holder etc., removing the noise and keeping only the ones relevant to the organization. Performing this task manually is time consuming, automating this process can free up some much-needed analyst time.

Vulnerability Monitoring and CVE Prioritization

The massive amount of data, data sources and data types, creates duplicates and endless noise. Automation enables to fuse different data sources from monitored systems, CVE databases, the open, deep and dark web and more, based on specific keywords regarding vulnerabilities. The aggregated data is analyzed and then presented in a unified format with a risk score, to the analyst, saving a lot of time and providing CVE prioritization.

The developments of machine learning and innovation in automation technologies have already proven to improve productivity and resource allocation and lead to better decision making. It is quite probable that we will see more of the current challenges that analysts struggle with, become automated in the future.

Read more about the role of automation in the most common CTI use cases. Download the e-book: Building a (successful) proactive Cyber Threat Intelligence (CTI) operation

Best Hacking Tools of 2019 – The Chinese Annual Hit List

The human fondness for annual lists ranking the “best of” apparently does not skip the Chinese hacking world. A post on a prominent Chinese hacking forum, published on the afternoon of December 29, 2019, has gained much recognition and popularity both inside and outside the forum in recent weeks. The post, written by the forum’s admin and named “2019 year-end hacking tools inventory,” lists the 30 “most outstanding” hacking tools for 2019, as recommended for the forum’s members.

Starting hours after its initial publication, and continuing for several days thereafter, the post was copied to other Chinese forums, as well as to web security blogs and web security sections in popular Chinese portals. Within the forum itself, it has attracted dozens of supportive comments, most of them praising and thanking the forum’s admin for his “contribution to the community.” This post is part of a larger tendency in Chinese hacking forums, where lists of hacking tools intended for novices who use these forums as learning platforms are becoming increasingly prevalent and popular.

China_Cobalt-Strike

The original forum post, showing the first tool on the list – Cobalt Strike

A Diversified Collection

The list contains 30 tools ranked according to their “superiority”, efficiency and utility. Most of the tools on the list (22) are of non-Chinese origin, whereas the rest (8) seem to be original Chinese creations. Although the original post does not provide links for downloading the tools, most are easily traceable and accessible for downloading on the web. The non-Chinese tools are widely available either from the official or designated website of the developer or on GitHub, whereas most Chinese tools are available either on GitHub or on local Chinese web platforms.

Not all recommended tools on the list are attack tools per se. On the contrary, some are legitimate tools, published as commercial programs by established companies, aimed at increasing users’ awareness and protection levels against vulnerabilities. Others are penetration testing tools, aimed at improving users’ web security protection. However, some are primarily attack tools providing framework for conducting brute-force attacks, DDoS attacks and phishing, among other malicious activities. Furthermore, many of the ‘tamer’ tools presented in the original post, such as vulnerability scanners, penetration testing or intelligence collection tools, can be used by threat actors to detect vulnerabilities among potential victims. That point is also stressed in the description of tools inside the post, which implies the potential use of basically defensive tools as attack accessories. Although many of the non-Chinese and a few of the Chinese tools listed in the post are slightly outdated, and were originally uploaded to GitHub or other platforms well before 2019, the post demonstrates that some members of the Chinese hacking community are well-versed in the hacking world outside China and make use of platforms and tools published abroad. Moreover, a fair amount of the original Chinese tools listed in the post were also uploaded to GitHub, a non-Chinese platform, which may imply an outbound approach of some members in the Chinese web security and hacking community.

GodOfHacker – The #1 Chinese Magic Hacking Tool

Of the original Chinese tools listed, the one that grabbed the number one ranking (and third overall) is a tool named GodOfHacker. This tool was uploaded to GitHub about a year ago by a Chinese prolific user, who frequently uses slang and curse words to describe his creation’s traits. Both in the forum post and on GitHub, the program is portrayed as an all-purpose “magic-tool” for hackers, which “combines all sorts of first-class hacking techniques that cover a wide range of functions.” Its uniqueness is that all its features are available using “one-click.” The program is described as highly customized and one that possesses various powerful plug-ins that can be used to “enrich” its functions .

GodOfHacker

Screenshot of the 1st section of the program “the comprehensive section for fucking websites”

The program is divided into several sections or columns, each with numerous features. The first section is called “Comprehensive Section for Harming [or, using the original word “fucking”] Websites”, and its features are as follows, to name a few:

  • Performing one-click attacks or one-click zero-day attacks based on domain names or IP defined by the attacker.
  • Carrying out one-click attacks by choosing a specific vulnerability defined by the attacker.
  • Defacement, DDoS, knocking down websites’ backend, gaining full admin rights and implanting Trojans, all by one-click.
  • Knocking down batches of web pages on either Baidu or Google, getting free access online.
  • Stealing QQ accounts/numbers, using QQ virtual coins, using [website] membership rights, making free phone calls and charging phone/SIM cards.
  • Gaining access to intranets, surpassing the Great Firewall of China (the Chinese government’s Internet censorship tool), gaining access to gambling arenas in Macao and an IP location finder.
  • Damaging educational systems, “mining” for vulnerabilities, publishing vulnerabilities, reading internal memory, all be one-click.

The second section is called “Cracking” and features the following functions:

  • One-click cracking and source-code reversing based on file type.
  • One-click code annotation (AI), system activation, system penetration and POC generator (for penetration testing purposes).
  • One-click mobile application cracking, gaming and localization [into Chinese].

The third section features several functions related to Hacker CTF (“Capture the Flag”), a game designed to provide a tutorial environment for students of hacking techniques. The fourth section provides features related to WiFi, including one-click WiFi scraping, WiFi middle-man attacks and access to mobile devices’ picture galleries. In addition, this section also has features such as one-click fake-base station [FBS] attacks (where devices connected to a cellular network are made to connect to it to gather information from those devices), WiFi eavesdropping and WiFi phishing. The fifth section, named “Hardware,” features functions such as harming ATMs, harming unmanned machines, stealing bank cards and charging them and other types of cards.

The tool contains several plug-ins (including using txt and exe files as plug-ins) and supports various languages, such as C/C++, Java, Python, Ruby, JavaScript, php and more.

GodOfHacker-2

The plug-in section of the program, showing how a certain IP address is entered by the user and then given the option to conduct tests in English, Chinese or Japanese or to perform brute-force attacks against the site’s backend

The Top 20 Vulnerabilities to Patch before 2020

Published first in Dark Reading by Kelly Sheridan.

In an ideal world, organizations would patch every new vulnerability once it’s discovered. In real-life, this is impossible. Security analysts responsible for vulnerability management activities face multiple challenges that result in what the industry calls “The Patching Paradox” – common sense tells you to keep every system up to date in order to be protected, but this is not possible due to limited resources, existence of legacy systems and slow implementation of patches.

Verint’s Cyber Threat Intelligence (CTI) Group analyzed the top 20 vulnerabilities that are currently exploited by attack groups worldwide. The goal of this analysis is to provide security professionals with an incentive to improve their patching management activities.

Key Findings:

  • 34% of the attacks exploiting these vulnerabilities, originated in China
  • 45% of the vulnerabilities affect Microsoft products
  • Vulnerabilities from as early as 2012 (!) are still used to carry out successful attacks

According to the National Vulnerability Database (NVD), since 2016 we have seen an increase of ~130% in the number of disclosed vulnerabilities, or in other words there is an average of ~45 new vulnerabilities per day as can be seen in the graph below. Additional statistics reveal that almost 60% of all vulnerabilities are classified as ‘Critical’ or ‘High’.

NVD_data

Recent threat intelligence gathered by Verint and Thales Group about 66 attack groups operating globally, revealed that advanced threat actors leverage old vulnerabilities that are left unpatched. To make things even more complicated, according to a recent study by Ponemon Institute for ServiceNow60% of breaches were linked to a vulnerability where a patch was available, but not applied.

So, How Can We Clean Up The Mess?

Operational Threat Intelligence – Each CVE is given a severity score. However, these scores do not necessarily represent the actual risk for the organization. For example, CVE-2018-20250 (WinRAR vulnerability) has a CVSS (Common Vulnerability Scoring System) base score of 7.8 (‘High’) in NVD and 6.8 (‘Medium’) in ‘CVE Details’. This vulnerability has been exploited by at least five different APT groups, from different locations, against targets in the U.S., South East Asia, Europe, and The Middle East and against a wide range of industries, including Government Agencies, Financial Services, Defense, Energy, Media and more. This information clearly indicates the criticality of the vulnerability and the urgency for immediate patching.

Other contextual data that should influence your patching prioritization process is what vulnerabilities are currently discussed in the Dark Web by threat actors, or which exploits are currently developed? Threat intelligence is key when we try to determine what vulnerabilities are critical to our organization. Maintaining a knowledge base of exploited vulnerabilities according to the attack groups leveraging them, provides a solid starting point for vulnerability prioritization. In addition, having information about the attack groups – for example their capabilities, TTPs and the industries and countries they target – helps to better evaluate the risk and prioritize patching activities.

The Top 20 Vulnerabilities to Patch Now

Verint’s CTI Group constantly monitors different intelligence data sources and create daily CTI feeds, which include the latest daily cyber activities. The analysis below is based on over 5,300 feeds and other intelligence items the group has analyzed in the past 2.5 years, covering over 800 CVEs.

The 20 vulnerabilities were extracted based on the number of times they have been exploited by sophisticated cyber-attack groups operating in the world today (from high to low):

No. CVE Products Affected by CVE CVSS Score (NVD) First-Last Seen (#Days) Examples of Threat Actors
1 CVE-2017-11882 Microsoft Office 7.8 713 APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), Cloud Atlas (Unknown), FIN7 (Russia)
2 CVE-2018-8174 Microsoft Windows 7.5 558 Silent Group (Russia), Dark Hotel APT (North Korea)
3 CVE-2017-0199 Microsoft Office, Windows 7.8 960 APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Gorgon Group (Pakistan), Gaza Cybergang (Iran)
4 CVE-2018-4878 Adobe Flash Player, Red Hat Enterprise Linux 9.8 637 APT37 (North Korea), Lazarus Group (North Korea)
5 CVE-2017-10271 Oracle WebLogic Server 7.5 578 Rocke Gang (Chinese Cybercrime)
6 CVE-2019-0708 Microsoft Windows 9.8 175 Kelvin SecTeam (Venezuela, Colombia, Peru)
7 CVE-2017-5638 Apache Struts 10 864 Lazarus Group (North Korea)
8 CVE-2017-5715 ARM, Intel 5.6 424 Unknown
9 CVE-2017-8759 Microsoft .net Framework 7.8 671 APT40 (China), Cobalt Group (Spain, Ukraine), APT10 (China)
10 CVE-2018-20250 RARLAB WinRAR 7.8 189 APT32 (Vietnam), APT33 (Iran), APT-C-27 (Iran), Lazarus Group (North Korea), MuddyWater APT (Iran)
11 CVE-2018-7600 Debian, Drupal 9.8 557 Kelvin SecTeam (Venezuela, Colombia, Peru), Sea Turtle (Iran)
12 CVE-2018-10561 DASAN Networks 9.8 385 Kelvin SecTeam (Venezuela, Colombia, Peru)
13 CVE-2017-17215 Huawei 8.8 590 ‘Anarchy’ (Unknown)
14 CVE-2012-0158 Microsoft N/A; 9.3 (according to cvedetails.com) 2690 APT28 (Russia), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Lotus Blossom (China), Cloud Atlas (Unknown), Goblin Panda (China), Gorgon Group (Pakistan), APT40 (China)
15 CVE-2014-8361 D-Link, Realtek N/A; 10 (according to cvedetails.com) 1644 ‘Anarchy’ (Unknown)
16 CVE-2017-8570 Microsoft Office 7.8 552 APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT23 (China)
17 CVE-2018-0802 Microsoft Office 7.8 574 Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Cloud Atlas (Unknown), Goblin Panda (China), APT23 (China), APT27 (China), Rancor Group (China), Temp.Trident (China)
18 CVE-2017-0143 Microsoft SMB 8.1 959 APT3 (China), Calypso (China)
19 CVE-2018-12130 Fedora 5.6 167 Iron Tiger (China), APT3 (China), Calypso (China)
20 CVE-2019-2725 Oracle WebLogic Server 9.8 144 Panda (China)
BONUS CVE-2019-3396 Atlassian Confluence 9.8 204 APT41 (China), Rocke Gang (Chinese Cybercrime)

The Ultimate Threat Actor Landscape – Highlights and Key Findings from The Cyber Threat Actor Handbook

Verint and Thales have recently released The Cyber Threat Actor Handbook – a comprehensive analysis of the most prominent threat actors operating in the world today.

This research is a knowledge-based operational tool for security analysts, to better understand the relevancy and risk posed by different threat actors operating globally. Each threat actor has a score, and all profiles are aligned with the MITRE ATT&CK framework and include:

  • A brief description of the threat actor and its aliases
  • Associated malware campaigns, attack vectors and TTPs
  • Most used exploits and CVEs
  • Motivation and objectives (Nation-State, Cybercrime, Hacktivism, Cyber-Terrorism)
  • Targeted sectors and geographical areas

Based on the handbook, Verint’s Cyber Threat Intelligence group has created The Ultimate Threat Actor Landscape report, which highlights the key findings from the Cyber Threat Actor Handbook.

In this blog post we present some of the key findings of the report, which is based on a thorough analysis of:

  • 490 Attack Campaigns
  • 66 Attack Groups
  • 525 Attack Tools
  • 173 MITRE Techniques
  • 98 CVEs

Who’s Behind The Attacks?

Who's behind the attacks

Inside the report we dive deep into who is behind the attacks and reveal detailed analysis of each threat actor, including the attacker’s origin, motives, attack techniques, campaigns, CVEs, tools used and more.

Where Do Threat Actors Find Us Vulnerable?

find us vulnerable

The Most Exploited CVEs

Organizations tend to procrastinate, when it comes to updating systems, even critical ones. In the report, we reveal the threat actors’ most exploited CVEs. Leveraging threat intelligence for vulnerability prioritization is key for reducing risk.

most exploited

A combination of underestimation of the risks and the required resources, are the main contributors to the slow implementation of patches (also known as the ‘Patching Paradox’).

Threat Intelligence regarding the exploitation of disclosed vulnerabilities (in 2018 alone, 16,514 vulnerabilities were disclosed), helps answer questions such as: What vulnerabilities are currently discussed and perceived as easier to exploit? Which exploits are currently developed and traded on underground sources? and Which zero-day vulnerabilities are circulating in hacking communities? The answers will help prioritize patch installation and vulnerability fixes.
Look out for our upcoming report, where we list the top 20 vulnerabilities to patch before 2020.

Which Countries Are Being Targeted?

The following map indicates the most targeted countries:

targeted countries

Which Industries Are The Most Threatened?

The following statistics indicate the most targeted sectors – based on 66 attack groups

targeted industries

Top Used Techniques (Based On The MITRE ATT&CK Framework)

Mitre attack

To Summarize…

There is a connecting line between threat intelligence about attack groups with cyber resilience, and it goes through vigorous threat actor profiling and clustering, threat hunting and accurate scoping of threats and risks.

This type of strategic and operational intelligence gives the bigger picture, looking at how threats and attack groups are changing over time. With such intelligence, you can find the answers to questions such as, who is attacking my organization, my industry, my region and why? The answers will provide clues to future operations and tactics of potential threat actors.

A single knowledge base with a contextualized analysis of all the major parameters and distinctions that define the threat actors, their motives and objectives, their targets and their modes of operation, and their technical skills, as part of an ongoing profiling process, is an essential tool for any cyber threat intelligence operation. Given the knowledge and the operational value derived from contextual analysis of threat actors’ activities and contextual-based profiling, security teams can substantially improve investigation processes and enhance the overall security resilience, with much more accurate threat hunting and risk scoping.
As security and intelligence professionals we must remember that raw data only becomes valuable once it is analyzed, to deliver targeted, context-based, actionable intelligence, according to the organization’s needs and assets, industry, location and more.

Download the Full Report Here