SenseCy 2016 Annual CTI Report

The following is an excerpt from the report. To receive a copy, please send a request to:

Executive Summary

2016 has been replete with an unprecedented volume of cyber events of varying impact and future significance. From our perspective, on account of our persistent presence and active participation in discussions taking place behind the closed doors of the top global hacking communities, we decided to address those events that carry the utmost strategic future ramifications, namely the recent explosion of IoT-driven DDoS attacks, the surge in ransomware infections and families, the worrying number of mega data breaches, and one of the most prominent and coordinated global hacktivist campaigns.

In the final quarter of 2016, we observed the materialization of a cyber threat whose early signs and probable developments we identified much earlier in numerous discussions that unfolded within password-protected hacker forums throughout the last two years – centered on the exploitability of Internet-connected device botnets as an attack vector (e.g. CCTV cameras, DVRs, routers and others) – namely the IoT-driven cyber-attacks. Against this backdrop, the publication of the IoT Botnet Mirai source code and its later distribution on a plethora of different platforms frequented by cybercriminals, alongside the instantaneous development of (possibly more dangerous) variants of this IoT malware, has most certainly enabled the launching of these DDoS offensives of unprecedented firepower (over 1 Tbps). This concerning trend afforded us advance notice of what to expect in the near future.

Following an ascending trend, which was fully unleashed in 2015, this year, ransomware infections have reached extraordinary new heights, indiscriminately targeting organizations in every sector, regardless of their size, industry, or business specifics. With regards to the sheer volume of infections, 2015’s record was already exceeded in the first quarter of 2016, with an astonishing peak of more than 56,000 infections in a month. Furthermore, 2016 has also seen a spike in the number of new ransomware families (Cerber and Locky being key) and variants. A particularly worrisome development that we detected on multiple Darknet platforms this year, is the mounting phenomenon of RaaS (Ransomware-as-a-Service) and the consequent lowering of barriers for practicing this kind of malware.

The passing year has proved to be somewhat of a turning point in terms of mega data breaches, with close to two billion personal records leaked from social network platforms (such as LinkedIn, Tumblr, VK, Myspace, etc.), IT giants (Yahoo!) online dating (AdultFriendFinder), gaming, porn (Brazzers) websites, and others, over the course of 2016. The fact that highly-skilled hacking communities, such as the Russian underground, repeatedly shared the stolen databases, or fractions of them, for free after having exploited the data to carry out cyber-attacks for years, indicates that cyber defense strategies are profoundly defective. Additionally, a substantial part of the databases that we retrieved contained passwords in cleartext form, possibly meaning that the encryption algorithms employed to store sensitive data are obsolete or not fully implemented.

In the era of information technology, traditional socio-political tensions – once addressed via conventional protest means, such as public demonstrations and labor union strikes – have now drifted into cyberspace as well. This understanding is particularly pertinent vis-a-vis hacktivist movements, chiefly epitomized by Anonymous, which exploits its members’ knowledge of computer disciplines and hacking techniques to protest against social, economic, and political issues, generally by consistently taking offline symbolic targets (websites) – through DDoS attacks, their cyberweapon par excellence – and by exposing sensitive information, stolen from their victims of choice. In 2016, the #OpIcarus cyber campaign against the global financial sector – through four iterations, with fluctuating success rates – has dominated the hacktivist landscape. Notably, we recently identified explicit indications (the opening of a dedicated closed Facebook group named #OpIcarus 2017) that the cyber campaign will possibly drag on into 2017 as well.

In conclusion, our assessment is that all these trends and concerning developments will continue to gain momentum in 2017, alongside new cyber threats that are virtually unpredictable unless you have already penetrated the gathering crossroads where the ideas are conceived, planned, and ultimately launched against the designated victims.

2016 Highlights

IoT has made a transition from being mainly a topic of theoretical and academic discourse to a vivid threat, arousing keen interest in the cyber security industry, and the cybercrime and hacker communities alike.

Three of the major DDoS attacks conducted using IoT botnets
Three of the major DDoS attacks conducted using IoT botnets

Widely viewed as “The year of data breaches,” a more appropriate name for 2016 would be “The year of belated data leaks,” as many of the databases offered for sale or shared during the past year were stolen in covert activities years before.

Leaked credentials as they appear on shared databases (left); the same credentials as they were leaked on a closed underground forum, this time, with cleartext passwords (right)
Leaked credentials as they appear on shared databases (left); the same credentials as they were leaked on a closed underground forum, this time, with cleartext passwords (right)

While the growth in ransomware families and variants cannot be ignored, a more interesting trend from 2016 is the change in the characteristics of threat actors distributing or dealing with ransomware. This threat has moved from being reserved for highly skilled threat actors to the “public” domain of hacker communities, a transition much attributed to the widespread dissemination of the RaaS model.

Number of keywords mentioned in 2016 on a prominent closed Russian forum
Number of keywords mentioned in 2016 on a prominent closed Russian forum

Many hacktivist communities have shifted their focal point from government-affiliated organizations to high-profile attacks against multinational corporations with improved cyber TTPs (Tactics, Techniques, and Procedures), while using more advanced attack tools than ever before.

Estimated success rate of the four major iterations of the #OpIcarus campaign
Estimated success rate of the four major iterations of the #OpIcarus campaign

2017 Predictions

“IoTaaS”: IoT-as-a-Service

2016 has witnessed a shift of focus among threat actors to an “as-a-service” business model. This shift was discernible across a wide range of attack tools, including ransomware, DDoS, etc. In the past months, and following the high-profile IoT-based cyber-attacks, this trend has expanded to the IoT world as well. We can assume that 2017 will present a new challenge of threat actors offering powerful IoT-based botnets for rent that have already proved to be a considerable force multiplier.

Cyber Politics

Cyber-attacks were an inseparable part of the recent U.S. presidential elections, with attacks targeting political-related agencies and online platforms on both sides. This almost unprecedented involvement of cyber activity in political affairs could have strong implications on 2017, as the trend of using cyber-attacks and malicious tools as leverage to achieve political goals is likely to continue.

Cold War 2.0

Among several cyber-attacks allegedly attributed to state-sponsored threat actors, one incident, or rather feud, was notable – the election-related cyber-attacks against American targets and their ramifications – a clear accusation by U.S. President Barak Obama, blaming Russia for the attacks and conveying a not so subtle threat regarding an American response. We assess that 2017 will witness more cyber-blow exchanges between these parties.

Migration to ZeroNet and Mobile Applications

Our presence on multiple closed sources allowed us to identify a new trend that is currently in its formation stages – a migration of many threat actors to ZeroNet, a decentralized Internet-like network of P2P users. Given this network’s advantages, especially in terms of anonymity and availability, we believe that this migration will further intensify in 2017.

Additionally, and given the fact that threat actors are aware of the presence of intelligence agencies on social networks and Dark Web platforms, 2017 will probably witness a large scale transition to closed “by-invitation-only” groups on various applications, such as Telegram, WhatsApp, etc.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s