How to Avoid 2020 Online Shopping Threats

The shopping season is upon us and, as in previous years, cybercriminals are preparing multiple ways to target the online shopping community, including phishing attempts to steal financial details, malspam campaigns distributing malware and more. In fact, while examining the credit card trade on the Dark Web during 2019, we discovered that the highest number of stolen cards offered for sale on dedicated marketplaces was in November 2019, with over 32M cards, although we should take into consideration that the data contains duplicates, since cybercriminals are likely to offer the same stolen data on multiple marketplaces.

In this post we will provide you with some tips for ensuring a secure shopping spree and we will also take a look at recent attacks and how attack groups operate to target online shoppers and vendors.

Are you shopping online this season? Here are essential Do’s and Don’ts for you:

  • Be extra aware of phishing attacks, especially with emails requesting you to verify or update your account details, register to get a free item or a coupon, etc.
  • Verify the URL address of the platform you are about to buy from – make sure it is the URL address of the official website of the desired brand.
  • Check that the platform you are shopping on is secured – look for an HTTPS URL, a trusted certificate, etc.
  • Do not open attachments sent from unknown sources, especially ones requesting you to enable macros or editing permissions in order to open them.
  • Avoid clicking on ads of any kind, especially during the shopping season.
  • Do not download apps from unofficial App stores, especially shopping-themed apps.
  • Check app permissions and update your mobile operating system on a regular basis.
  • Use 2FA or OTP protocols if provided by the service vendor.

What you see isn’t always what you get: Scam Websites and Fake Domains

Fake domains of popular brands can be used in spam or phishing campaigns that are carried out via mail, SMS, social media platforms and more. In last year’s shopping season, 124,000 suspicious domains were detected, abusing names of 26 brands. The most targeted brands were Apple, Amazon and Target.

This year, we researched how many domains containing the word “Amazon” were registered during the first week of November 2020. We detected over 600 recently registered domains with no official connection to Amazon in their registration details. Although it seems that many of them are not yet “operational”, as they do not lead to an active website, some of them certainly look suspicious, for example: verification-amazonservices.com (detected as a phishing website by several AVs), account-verificationamazon.com, amazon-login-verify.com (detected as suspicious by one AV) and even amazon-black-friday.com (first registered in 2010 and re-registered every year since then).

Scam websites usually use a similar web design and interface to the legitimate online shopping platforms, and therefore it is recommended to check the website’s domain or URL address before purchasing goods using your credit card.
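The kind of triage applied to the “Amazon” registrations above can be automated over a feed of newly registered domains. The following is an added example (not code from the original post); the brand allowlist, lure-word lists and the sample feed are assumptions constructed for it, and the scoring is a simple heuristic rather than a verdict.

```python
"""Triage newly registered domains for brand-impersonation risk.

Constructed example (not from the original post): given a feed of newly
registered domain names, rank those that embed a protected brand together
with credential-lure or shopping-season words, like the Amazon lookalikes
discussed above. The allowlist, word lists and sample feed are assumptions.
"""
from typing import Dict, List, Set, Tuple

# Brand keyword -> registrable domains genuinely owned by the brand.
# Assumption: a real deployment loads this from the brand owner's inventory.
OFFICIAL_DOMAINS: Dict[str, Set[str]] = {
    "amazon": {"amazon.com", "amazon.co.uk", "amazonaws.com"},
}
# Words that typically show up in credential-phishing hostnames (weight 2 each).
LURE_WORDS = sorted({"login", "signin", "verify", "verification", "account",
                     "secure", "update", "support", "services"})
# Shopping-season words that make a November registration more suspect (weight 1).
SEASON_WORDS = sorted({"black-friday", "blackfriday", "cyber-monday",
                       "cybermonday", "coupon", "deals", "sale"})
# Minimal set of two-label public suffixes so eTLD+1 is computed correctly.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br", "co.jp"}
# Constructed feed; the first four are the lookalikes named in the post.
SAMPLE_FEED = [
    "verification-amazonservices.com",
    "account-verificationamazon.com",
    "amazon-login-verify.com",
    "amazon-black-friday.com",
    "amazonia-rainforest-tours.example",
    "www.amazon.co.uk",
    "shop-deals-2020.com",
]


def registrable(domain: str) -> str:
    """Return the registrable part (eTLD+1) of a hostname."""
    labels = domain.lower().strip(".").split(".")
    take = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:])


def score_domain(domain: str) -> Tuple[int, List[str]]:
    """Score one domain. 0 means no protected brand, or the brand's own domain.

    Substring matching on the whole hostname is deliberate: it also catches a
    brand hidden in a subdomain, at the cost of some false positives.
    """
    d = domain.lower()
    reg = registrable(d)
    score, reasons = 0, []
    for brand, official in OFFICIAL_DOMAINS.items():
        if brand not in d:
            continue
        if reg in official:
            return 0, []  # legitimately owned, nothing to flag
        score += 3
        reasons.append(f"embeds brand '{brand}' outside its official domains")
        for word in LURE_WORDS:
            if word in d:
                score += 2
                reasons.append(f"credential-lure word '{word}'")
        for word in SEASON_WORDS:
            if word in d:
                score += 1
                reasons.append(f"shopping-season word '{word}'")
    return score, reasons


def triage(feed: List[str]) -> List[dict]:
    """Rank flagged domains, highest risk first; unflagged ones are dropped."""
    rows = []
    for domain in feed:
        score, reasons = score_domain(domain)
        if score > 0:
            rows.append({"domain": domain, "score": score, "reasons": reasons})
    return sorted(rows, key=lambda r: (-r["score"], r["domain"]))


if __name__ == "__main__":
    for row in triage(SAMPLE_FEED):
        print(f"{row['score']:2d}  {row['domain']}: {'; '.join(row['reasons'])}")
```

Flagged domains are candidates for a registration-date and certificate-transparency lookup, not automatic blocks; the official-domain allowlist is what keeps the brand's own properties out of the list.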

A fake website of Taobao, a Chinese online shopping platform (the upper one) and the legitimate website (bottom)

Keep your systems updated to avoid E-skimming attacks (AKA: Magecart attacks)

E-skimming is one of the most popular ways these days to carry out credit card fraud. Cybercriminals usually exploit a vulnerability in the e-commerce or online payment platform (usually in third-party components) in order to inject malicious code that captures the user’s credit card data and sends it to its operators. Once they hold the data, cybercriminals will probably sell it on the Dark Web or use it to make additional purchases.

Magecart is the name given to this type of attack and to the cybercriminals behind it, who usually target platforms running outdated versions of Magento (exploiting flaws in Magento such as CVE-2017-7391 and CVE-2016-4010) and embed malicious JavaScript code into the compromised platform. In fact, Magecart attacks are so common that in September 2020, it was reported that approximately 2,000 e-commerce platforms were targeted in one weekend.

Another way to carry out e-skimming attacks is to access the e-commerce network using administrative credentials. These can be obtained via phishing, brute-force attacks, or a cross-site scripting attack that redirects users to a malicious website hosting JavaScript code. Access to the networks of online shopping platforms is also traded on Dark Web forums, allowing threat actors to reach databases containing users’ details.

Cybercriminal offers access to a shopping platform on the Dark Web. This can be also used for e-skimming attacks. Source: Verint LUMINAR

Of note, nation-state groups were also spotted using this attack vector in the wild. In July 2020, researchers found that the North Korean group Lazarus was behind a series of Magecart-style attacks against multiple e-commerce stores around the world.

Therefore, it is vital for organizations that operate online payment platforms to keep them updated and secured. We really can’t stress this enough. It is also recommended to use tools that help detect such malicious injections and monitor suspicious activity, in order to block them in time.
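One concrete form of the “detect such malicious injections” advice is to keep an approved inventory of the scripts a checkout page loads and alert on anything new. The following is an added example (not code from the original post or any vendor tool): it inventories `<script>` elements (external origins plus SHA-256 hashes of inline scripts), diffs a later snapshot against the baseline, and derives a Content Security Policy `script-src` directive that admits only the baseline. The two HTML snapshots are constructed, and the “injected” script is a harmless placeholder.

```python
"""Detect unexpected scripts on a checkout page (an e-skimming / Magecart check).

Added example, not from the original post: take an inventory of the <script>
elements a page loads (external script origins plus SHA-256 hashes of inline
scripts), diff it against an approved baseline, and derive a Content Security
Policy script-src directive that only admits the baseline. The HTML below is
constructed; the injected script is a harmless placeholder.
"""
import base64
import hashlib
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed baseline snapshot of the checkout page, taken when it was known-good.
BASELINE_HTML = """<html><head>
<script src="https://cdn.shop.example/checkout.js"></script>
<script>window.shopConfig = {currency: "USD"};</script>
</head><body><form id="payment"><input name="card"></form></body></html>"""

# Constructed later snapshot: one extra third-party script and one extra inline script.
CURRENT_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script src="https://stats.example-cdn.invalid/tag.js"></script>\n'
    '<script>/* placeholder for an injected script */ console.log("injected");</script>\n'
    "</head>",
)


class ScriptCollector(HTMLParser):
    """Collect script origins and inline-script hashes while parsing."""

    def __init__(self) -> None:
        super().__init__()
        self.origins: Set[str] = set()
        self.inline_hashes: Set[str] = set()
        self._in_inline = False
        self._buf: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            parsed = urlparse(src)
            # Relative URLs are served from the page's own origin.
            origin = f"{parsed.scheme}://{parsed.netloc}" if parsed.netloc else "'self'"
            self.origins.add(origin)
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data: str) -> None:
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag: str) -> None:
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip()
            if body:
                self.inline_hashes.add(hashlib.sha256(body.encode("utf-8")).hexdigest())
            self._in_inline = False


def inventory(html: str) -> Dict[str, Set[str]]:
    """Return {'origins': {...}, 'inline': {...}} for one page snapshot."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return {"origins": parser.origins, "inline": parser.inline_hashes}


def diff_inventories(baseline: Dict[str, Set[str]],
                     current: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """List scripts that appeared or disappeared relative to the baseline."""
    return {
        "new_origins": sorted(current["origins"] - baseline["origins"]),
        "removed_origins": sorted(baseline["origins"] - current["origins"]),
        "new_inline": sorted(current["inline"] - baseline["inline"]),
        "removed_inline": sorted(baseline["inline"] - current["inline"]),
    }


def script_src_policy(baseline: Dict[str, Set[str]]) -> str:
    """Build a CSP script-src directive that admits only the baseline scripts."""
    sources = ["'self'"] + sorted(o for o in baseline["origins"] if o != "'self'")
    for hex_digest in sorted(baseline["inline"]):
        # CSP hash sources carry the base64 encoding of the raw digest.
        b64 = base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")
        sources.append(f"'sha256-{b64}'")
    return "script-src " + " ".join(sources)


if __name__ == "__main__":
    base, cur = inventory(BASELINE_HTML), inventory(CURRENT_HTML)
    for key, items in diff_inventories(base, cur).items():
        for item in items:
            print(f"{key}: {item}")
    print(script_src_policy(base))
```

Any entry under `new_origins` or `new_inline` on a payment page deserves an immediate look; the generated `script-src` directive, once served as a response header, makes the browser refuse such additions outright rather than merely reporting them.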

The spamming season: Spam campaigns are used for malware distribution

In the shopping season of 2018, a massive spam campaign distributing Emotet targeted online shoppers worldwide, especially in North and Latin America and the UK. Emotet is an infamous malware family, active since 2014, that was first detected as a banking Trojan, but these days it is often used as a downloader or dropper for additional Trojans or even ransomware. It is usually distributed via worldwide spam campaigns with malicious attachments that request users to enable macros. During last year’s shopping season, approximately 130 million malware attacks and ~640,000 ransomware attacks were detected in the US. Based on what we’ve seen in the past few years, it is expected that malware operators will try to lure victims via shopping-themed emails and malicious attachments.

The world goes mobile: The rise in malicious mobile apps

Each year, malicious shopping-themed apps target unsuspecting users during the shopping season, which is why it is recommended to download mobile apps from official platforms and to check the reviews. However, in January 2020, a new Trojan dubbed “Shopper” was spotted leaving fake application reviews on Google Play on behalf of the infected device’s owner, leaving users with no trust in app ratings. The Trojan was also detected turning off the Google Play Protect feature in order to download additional apps without safety checks, using the victim’s Google or Facebook account to register for popular shopping and entertainment apps, spreading advertisements, etc. Infections were spotted worldwide, including in Russia, Brazil and India.

Additional malicious shopping season-themed Android apps were spotted in 2019 luring users with coupons, discounts and other shopping hacks. Some of them were detected sending sensitive information from the infected devices to their operators or containing adware used to spread malicious advertisements.

To conclude, the shopping season is open for all, including cybercriminals who are trying to maximize their gain. Awareness is the key when it comes to what shoppers can do to keep safe, whereas vendors need to take additional measures during these times to avoid financial loss, reputational damage and customer abandonment.

COULD A CYBER-ATTACK ON E-VOTING SYSTEMS AFFECT THE UPCOMING US ELECTIONS?

Yes, it can. With the US elections just around the corner, we thought this would be a good opportunity to talk about the cybersecurity risks of election processes, as more and more elections around the world are moving to electronic voting (or e-voting) systems.

The first electronic voting systems for electorates were introduced in the 1960s, with the debut of the punched card systems. E-voting systems have evolved over time as technology advanced, and nowadays include Direct Recording Electronic voting machines, optical scanners, ballot marking devices, electronic poll books and online voting over the Internet.

As with all things digital, e-voting systems, too, are exposed to hacking and cyber-attacks. Unfortunately, successful interference with electronic voting can jeopardize the democratic process and impact a nation’s fate. In this post we review the different cyber risks to be addressed when running, or considering, electronic voting processes.

FROM EXPLOITING VULNERABILITIES TO TAKING ADVANTAGE OF UNSECURED SYSTEMS

If the e-voting systems have vulnerabilities that can be exploited, or if they are unsecured and exposed, malicious actors have something to gain. Hackers can launch cyber-attacks that could compromise the systems’ networks, perform supply chain attacks, place remote access software and modems on the specific e-voting system, which could provide attackers with a point of entry to the system, and more.

While exploring different systems from different vendors, we were able to establish some commonalities in the issues affecting these systems. Many of the vulnerabilities found involved exposed and unsecured ports that could be leveraged by physical attackers; the use of old, outdated and vulnerable software; some vulnerabilities pertained to the use of storage cards and disks that could allow attackers to infect the e-voting systems with malware; and finally, several vulnerabilities stemmed from cryptographic weaknesses.

Evaluating the risk posed by e-voting system providers should be a high priority before elections.

VOTERS DATABASE – THE FRAUD AND IDENTITY THEFT JACKPOT

Another significant risk of e-voting systems is their access to voters’ databases. A vulnerable or unsecured system can become a gateway to a voters’ database. In addition, if the voters’ database resides in an unsecured location, attackers can gain access to that database using various attack methods. The motivation for this type of fraud and identity theft can be either in the context of the election, to influence results, or in general for other cybercriminal activities.

Our analysts have identified multiple examples of discussions and demand for different voters’ databases on the Dark Web. Access to this type of cyber threat intelligence, which indicates such a risk to your voters’ database in advance, can help prepare for and prevent potential attacks.

Post sharing North Carolina database. Source: Verint LUMINAR

VENDORS’ EMPLOYEES DATABASE – AN ENTRANCE TO TAMPERING?

In addition to vulnerabilities in the e-voting systems, election results can be affected if malicious actors gain access to an exposed or unsecured database of employees’ accounts. In such a case, hackers can use the employees’ accounts to gain access to the vendor’s internal network. With that kind of access, if the vendor is also responsible for creating ballot-definition programming files, malicious actors could interfere with how the e-voting machines apportion votes based on the voter’s selection on the touchscreen or mark on the ballot, for some of the vendor’s customers.

INSIDER THREAT – WHEN AN ELECTION EMPLOYEE GOES ROGUE

The concept of insider threat is not new. We have seen cyber incidents caused by a frustrated employee or an ex-employee seeking revenge. When it comes to employees with access to e-voting systems, there are additional, political motivations involved. During our investigations on the Dark Web, we see discussions about e-voting systems, and we recently came across a specific case where a poll worker was discussing the technical details of the voting device used at his polling station, mentioning a flaw affecting the device.

Insiders with access to the e-voting systems and technical knowledge of how these systems work, or where they are vulnerable, can become a risk that should be addressed. Monitoring the Dark Web and other threat intelligence activities can reveal insider threats.

Technical flaw in Dominion ImageCast machine discussed on Telegram by election inspector. Source: Verint LUMINAR

WHAT CAN WE LEARN FROM PAST CYBER-ATTACKS AGAINST E-VOTING SYSTEMS?

Two recent e-voting cyber incidents were the attack supposedly conducted against Russian Blockchain-based online voting systems in June 2020, and the attack against the American vendor VR Systems, ahead of the 2016 US presidential election.

According to reports, Russia’s Blockchain-based voting system was attacked amid the voting process on the proposed constitutional amendments that took place between June 25, 2020, and June 30, 2020. On June 27, 2020, an attempt to attack the online voting system through an election observer’s node was detected. The reports did not reveal how the attack was carried out. However, although government officials confirmed the reports, they stressed that the attack did not result in a system malfunction, and that all votes recorded on the Blockchain were valid. In addition, voters reported other issues during the voting period.

In the case of the 2016 US presidential elections, Russian threat actors were accused of hacking the systems of VR Systems, the US voting systems and software vendor whose e-voting products are used in eight US states. These are the same Russian threat actors that were accused of hacking the computers of the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and the email accounts of employees involved in Hillary Clinton’s campaign. In mid-2017, a classified report prepared by the US National Security Agency (NSA) about a sustained cyber-attack campaign that targeted elements involved in the US 2016 elections, including the voting infrastructure provided by VR Systems, was disclosed to the media.

To conclude, there are multiple types of threats and threat actors devoted to gaining from cyber-attacks involving e-voting systems and e-voting systems vendors: from insiders with access to such systems, through cybercriminals who trade in voter databases, to nation-state hacker groups that employ creative means to influence the democratic process of elections.

Given that many e-voting systems are not regularly updated and risk having vulnerabilities, these systems present a clear cybersecurity risk worldwide. Accurate, targeted cyber threat intelligence has a significant impact when it comes to preventing cyber threats to e-voting systems.


ARE RUSSIAN CYBERCRIMINALS OFFERING HACKING SERVICES IN CHINA?

On July 27, 2020, a group of threat actors published a post in the advertisement section of a prominent Chinese Darknet marketplace offering hacking services. Hacking-as-a-service offers appear frequently on Chinese underground platforms, and many actors publish these services – accompanied by varying degrees of details – on both Clearnet hacking forums and Darknet marketplaces. However, what makes this offer unique is the identification of the actors, who claim to be Russian.

WHAT INDICATES THAT THE HACKERS ARE REALLY RUSSIAN?

  1. Several linguistic features suggest the actors are indeed non-native Chinese speakers. First, they use anachronistic vocabulary and terms rarely seen in the contemporary Chinese online chatter that is common on these forums. Two examples are the use of the term 万维网 for “World Wide Web,” and the rare version of the word “hacker,” 骇客 (pronounced haike), instead of the commonly used term 黑客 (pronounced heike). Second, some sentences are oddly phrased, combining wrong vocabulary and/or unnatural syntax or formulation, giving the impression that the text was translated from a foreign language, possibly via a machine-translation tool. Third, there are linguistic inconsistencies in the group’s posts on the forum: whereas most of the posts are written in simplified Chinese characters, used in mainland China, one is written in traditional Chinese characters, used in Taiwan and Hong Kong – such a switch by the same writer is very uncommon. Furthermore, different variations of the same word or term are used simultaneously in the same post.
  2. Contact details include several Telegram, QQ and Jabber accounts, with the former two widely used by Chinese cybercriminals and hackers selling their services. However, in addition to those, they also offer their services via Yandex email service, which is rarely used outside of Russia and the former Soviet Union countries, and even less so by Chinese users. This corroborates the assumption that these actors are not Chinese, and may indeed be Russian, as they claim to be.

The post from July 27, offering “high quality hacking services”, as it appeared on the Chinese Darknet marketplace. The sentence highlighted in yellow reads: “we come from Russia”. Source: Verint LUMINAR

THE THREAT ACTORS’ OFFERING

The hacking services on offer are listed in more detail in another post by the same threat actors, published on this marketplace on June 15, 2020. The list of services includes:

  • Web penetration and data extraction. The actors state they have mastered the structure and special features of the main database types, such as MySQL, MSSQL, Oracle and PostgreSQL.
  • Obtaining web shells by exploiting major vulnerabilities in platforms such as CMSs, WordPress (WP) and Joomla, among others.
  • Cracking of software and encrypted files; secondary packaging and unpacking.
  • Software and source code secondary development.
  • Various web security-related services, such as penetration tests, code design, vulnerability scanning, emergency response, alerts and web security training, among others.

The post from June 15 listing the services this group offers. Unlike other posts by these actors, this post was written in Traditional Chinese characters. Source: Verint LUMINAR

In addition to these two posts offering hacking and web-security services, in two other posts from May and June 2020 these actors also offer for sale bots for boosting the number of “friends” and “followers” on social media networks, as well as SMS-bombing services and tools.

Finally, in recent months, we have noticed an increasing trend of Chinese threat actors operating on non-Chinese platforms. They typically use their linguistic skills and familiarity with Chinese underground platforms to make easy profits by offering data sold exclusively on Chinese platforms (usually Darknet marketplaces and Telegram groups) on English-language platforms outside China for a higher price. However, it is highly unusual to see non-Chinese actors actively operating on Chinese-language platforms. If the actors’ claim of being Russian is indeed correct, this is a relatively novel and unusual phenomenon worth noting.

WILL THE NEW SHAREPOINT FLAW BECOME AN ACTORS’ FAVORITE?

Attacking SharePoint servers is a popular threat, apparently because in many cases the SharePoint servers are integrated with the Active Directory service. Gaining access to the Active Directory allows attackers to gain a foothold inside the victim’s network. Furthermore, since SharePoint servers are exposed to the internet, attacks can be executed relatively easily. As an example, the CVE-2019-0604 SharePoint vulnerability, disclosed and patched in 2019, has gained popularity among threat actors, who have exploited it in different attacks since it was published. This is particularly true among nation-state actors (such as the Chinese nation-state Emissary Panda group). The vulnerability even became one of the ten most exploited vulnerabilities between 2016 and 2019, according to authorities in the US. Therefore, we estimate the new CVE-2020-1147 SharePoint vulnerability, patched in July 2020, may gain similar popularity among the same threat actors, stressing the importance of applying the security update fixing this vulnerability as soon as possible.

CVE-2020-1147: NEW AND DANGEROUS

During July 2020, Microsoft patched a critical remote code execution vulnerability (CVE-2020-1147) affecting Microsoft SharePoint servers (CVSS score: 7.8).

The vulnerability resides in two .NET components, namely DataSet and DataTable, used for managing data sets, and stems from the fact that the software fails to check the source markup of XML file input. An attacker can exploit the vulnerability by uploading a specially crafted document to a server using a vulnerable product to process content. In addition, the vulnerability also affects the .NET Framework and Visual Studio. Since the vulnerability was disclosed, a security researcher published a technical analysis that includes an explanation on how it works, and demonstrates how even an attacker with low privileges can exploit it to execute code remotely on a vulnerable SharePoint server. Although the researcher did not provide a full PoC exploit code that can be used to deploy an attack, his analysis included a detailed explanation of the different stages required for exploiting the vulnerability, which can be used by potential attackers to build an exploit script. Of note, we observed that the researcher’s analysis was already shared on several Dark Web hacking forums.

A technical analysis regarding the new SharePoint vulnerability (CVE-2020-1147) shared on the Dark Web

Both Microsoft and the researcher emphasized the utmost importance of applying the patch as soon as possible, and stressed that the vulnerability exists in several additional .NET-based applications, and could therefore be exploited against additional products besides SharePoint, so even if an organization does not use SharePoint, it can still be affected by this vulnerability and exposed to attacks.

SHAREPOINT VULNERABILITIES GAIN POPULARITY AMONG NATION STATE ACTORS

The previous CVE-2019-0604 vulnerability in SharePoint allows attackers to execute arbitrary code remotely. The vulnerability stems from a failure to check the source markup of an application package and can be exploited by uploading a specially crafted SharePoint application package to a vulnerable version of SharePoint. The vulnerability was addressed and patched in February 2019.

We identified that mostly Chinese and Iranian state-sponsored groups exploited the previous SharePoint vulnerability (CVE-2019-0604) against multiple sectors around the world, and therefore it is highly possible the same threat actors will exploit the new vulnerability (CVE-2020-1147) as part of future campaigns. Throughout 2019-2020, we identified attacks against North America, Europe, Australia and the Middle East exploiting this vulnerability, targeting mainly government agencies, energy companies, international organizations, and academic institutions.

In May 2019, two different campaigns exploiting this vulnerability were uncovered. The first campaign, which focused on the technological and academic sectors in Canada, exploited the vulnerability to install the known China Chopper WebShell, active since 2012, mostly in the hands of Chinese threat actors. The second campaign, which targeted organizations in Saudi Arabia, also exploited the SharePoint vulnerability to install the China Chopper WebShell on all the folders on the victims’ SharePoint servers, and then distributed additional malware to collect information from the infected network.

Later, researchers discovered that the Chinese APT group Emissary Panda exploited this vulnerability to install WebShells on vulnerable SharePoint servers of government entities in two different Middle Eastern countries.

The researchers found code overlaps between the WebShells installed on the vulnerable SharePoint servers of the government entities in the Middle East and those used in the attacks against Canada and Saudi Arabia.

In December 2019, details emerged about a new data wiper malware named ZeroCleare that targeted the energy and industrial sectors in the Middle East. The malware was apparently developed by two Iranian APT groups – OilRig (also known as APT34) and xHunt (also known as Hive0081). First, the attackers used brute force to gain initial access to the targeted network, then exploited a vulnerability in SharePoint to install different WebShells (such as China Chopper and Tunna), move laterally across the network and wipe data from the disk. Although the researchers did not disclose the CVE identifier of the vulnerability, due to the similarities between this attack and the campaigns described above, we estimate this is possibly the same vulnerability – CVE-2019-0604. Either way, this attack demonstrates the popularity of SharePoint vulnerabilities among threat actors, and especially nation-state backed actors.

CYBER ATTACKS USING SHAREPOINT FLAWS DURING 2020

Even though this is a vulnerability from 2019, reports about its exploitation continued into 2020. For example, at the end of January 2020, it was reported that the UN offices in Geneva and Vienna had fallen victim to a cyber-attack that affected dozens of their servers and resulted in a data leak. The attack was described as sophisticated, and nation-state threat actors are believed to be behind it. The incident was discovered after an internal UN document was leaked to the press. According to this document, the attackers may have exploited the CVE-2019-0604 vulnerability during the attack.

In April 2020, authorities in the US and Australia issued an advisory warning regarding an increase in the exploitation of vulnerable web servers by malicious actors to install WebShells to gain and maintain access to victims’ networks. The advisory explores the most popular and common vulnerabilities exploited by threat actors to install WebShells, with one being the Microsoft SharePoint CVE-2019-0604 vulnerability. Later, in May 2020, US authorities published an advisory detailing the ten most exploited vulnerabilities between 2016 and 2019, which included the CVE-2019-0604 SharePoint vulnerability.

Then, in June 2020, Australian authorities published an advisory alerting of an increase in cyber-attacks against Australian companies and government entities, executed by nation-state actors, supposedly from China. According to the advisory, the attackers exploited known remote code execution vulnerabilities affecting Internet-facing systems in an attempt to gain initial access and infect the victims’ network with the PlugX malware, used by multiple Chinese APT groups in the past. One of the vulnerabilities exploited by the attackers for this purpose was the CVE-2019-0604 SharePoint vulnerability.

Finally, we estimate that we will soon witness the new SharePoint vulnerability (CVE-2020-1147) exploited in different cyber-attacks and nation-state campaigns around the world.

GLOBAL RANSOMWARE ATTACKS IN 2020: THE TOP 4 VULNERABILITIES

Our team recently investigated the prominent ransomware attacks reported since the beginning of 2020 in order to draw general conclusions about these attacks and to reveal commonalities between them. We also wanted to better understand the threat they pose and how to protect against it. While examining approximately 180 different ransomware incidents, we found that the most targeted sectors were Technology (11%), Government (10%), Critical Infrastructure (8.6%), Healthcare and Pharmaceutical (8%), Transportation (7%), Manufacturing (6%), Financial Services (5%) and Education (4%). It was also found that Sodinokibi/REvil, Maze and Ryuk are the most active ransomware strains.

A very interesting finding of our investigation was that the operators behind these ransomware attacks commonly abused four notable vulnerabilities, which are discussed in detail in this blog post. This highlights the importance of timely installation of security updates as a defense mechanism to minimize the risk of ransomware and other malware attacks.

Here they are: the four top vulnerabilities abused in 2020 ransomware attacks (ordered from the most abused):

  • CVE-2019-19781
  • CVE-2019-11510
  • CVE-2012-0158
  • CVE-2018-8453

Let’s take a closer look:

CVE-2019-19781

CVE-2019-19781 Characteristics

The CVE-2019-19781 vulnerability affects remote access appliances manufactured by Citrix, whose products are used by numerous organizations. The vulnerability was publicly disclosed at the end of December 2019 and fixed a month later. The vulnerability affects Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC. Successful exploitation of the vulnerability could allow an unauthenticated attacker to connect remotely and execute arbitrary code on the affected computer.

Since the vulnerability was disclosed, it was successfully exploited by threat actors in a significant number of incidents. In January 2020, security researchers reported the REvil gang leveraged the vulnerability in its attack against the Gedia Automotive Group. No technical details about the attack were disclosed, but from the information published by the attackers, it appears the company used the vulnerable products. The Ragnarok ransomware gang also exploited this vulnerability in January 2020. The attackers exploited the vulnerability to download scripts and scan the targeted system for computers vulnerable to the EternalBlue vulnerability.

In February 2020, the cloud company Bretagne Telecom reportedly suffered a cyber-attack by cybercriminals operating the DoppelPaymer ransomware. The DoppelPaymer gang stated it carried out the attack in the first half of January 2020, when a fix for the vulnerability had still not been released. This suggests the attackers discovered the vulnerability even earlier. At the end of March 2020, it was reported the MAZE ransomware gang had also leveraged the vulnerability in an attack on the cyber insurance company Chubb.

In a different incident from the beginning of June 2020, it was reported that the IT services giant Conduent had also fallen victim to a MAZE gang ransomware attack. According to reports online, MAZE targeted a Citrix server of the company that was not patched or properly updated. On June 22, 2020, it was reported that the Indian conglomerate Indiabulls had suffered a cyber-attack carried out by the CLOP ransomware operators. Cyber security company Bad Packets reported that Indiabulls used Citrix NetScaler ADC VPN Gateway, which was vulnerable to CVE-2019-19781. However, the company did not confirm this vulnerability was exploited in the attack. Recently, the New Zealand CERT (CERT NZ) reported that many threat actors are leveraging this vulnerability, and the Nephilim ransomware gang may have also attempted to exploit it.

CVE-2019-11510

CVE-2019-11510 Characteristics

The CVE-2019-11510 vulnerability affects Pulse Secure VPN products. It allows attackers to remotely access the targeted network, remove multi-factor authentication protections and access the logs that contain cached passwords in plain text. Although the vulnerability has already been publicly disclosed for some time now and patched back in April 2020, many organizations have not yet patched it and remain exposed to attacks.

In recent months, the vulnerability was reportedly successfully exploited in a number of ransomware attack incidents. In two incidents, the attackers gained domain admin privileges and used an open-source remote access software, VNC, to perform lateral movement on the targeted network. Then, the attackers turned off security software and infected the system with the REvil ransomware. The most notable ransomware attack affected Travelex at the end of December 2019. The company did not patch its VPN solution, which allowed the REvil ransomware gang to carry out a successful attack that paralyzed the company’s systems for a number of weeks, persisting into 2020.

In another incident reported in April 2020, the IT systems of several hospitals and government entities in the US were infected with an unknown ransomware by nation-state threat actors. In addition, in June 2020, the operators of the Black Kingdom ransomware reportedly attempted to exploit the vulnerability as well.

CVE-2012-0158

CVE-2012-0158 Characteristics

CVE-2012-0158 is an old vulnerability in Microsoft products, but it is still one of the most exploited vulnerabilities in recent years, according to the US CERT. In December 2019, our team also reported that it is one of the top 20 vulnerabilities to be patched before 2020, based on the number of times it has been exploited by sophisticated cyber-attack groups operating in the world today. The vulnerability allows an attacker to remotely execute code on the victim’s computer through a specially crafted website, Office document or .rtf document.

In recent months, security researchers reported exploitation attempts for the CVE-2012-0158 vulnerability in COVID-19-related attacks. The researchers reported attack attempts against medical and academic organizations in Canada. One of the campaigns included infection attempts with the EDA2 ransomware, a strain of a wider ransomware family known as HiddenTear. The attackers used an email address that resembles and imitates the legitimate address of the World Health Organization. The phishing emails sent to the targeted organizations contained malicious files designed to exploit this vulnerability to execute code remotely and infect them with the ransomware. An additional phishing campaign attempted to infect victims from the above-mentioned organizations with a ransomware dubbed RASOM.

CVE-2018-8453

CVE-2018-8453 Characteristics

CVE-2018-8453 resides in the win32k.sys component of Windows, which fails to properly handle objects in memory. Successful exploitation can allow an attacker to run arbitrary code in kernel mode; install programs; view, change or delete data; or create new accounts with full user rights.

The Sodinokibi/REvil ransomware was first spotted exploiting CVE-2018-8453 in 2019 in multiple attacks in the Asia-Pacific region, including Taiwan, Hong Kong and South Korea. In July 2020, it was reported that the same ransomware gang exploited it again against the Brazil-based electrical energy company Light S.A. The attackers first demanded a ransom of 106,870.19 XMR (Monero), and after the deadline passed the ransom doubled to 215,882.8 XMR, which amounts to approximately $14 million.

SUMMING UP: THE PATCHING PARADOX

In an ideal world, organizations would patch every new vulnerability as soon as it is discovered. In real life, this is impossible. Security analysts responsible for vulnerability management face multiple challenges that result in what the industry calls “The Patching Paradox”: common sense tells you to keep every system up to date in order to be protected, but this is not possible due to limited resources, the existence of legacy systems and slow implementation of patches. The goal of this analysis is to give security professionals an incentive to improve their patch management activities.

PERSONAL DATA OF TAIWAN’S ENTIRE POPULATION FOR SALE

A May 2020 media report disclosed that a Taiwanese database containing personal data from over 20 million citizens (Taiwan’s entire population) was posted for sale on the Dark Web. According to researchers, the source of the leak is governmental and originates from the Department of Household Registration, under the Ministry of Interior.

The sale offer was posted on May 19, 2020 on an English-language underground Dark Web marketplace. The seller claimed the database contains data on the entire country’s citizens and attached a sample showing that each line in the database is arranged as full name, landline number, ID number, home address and sex. The seller offered the database for US$ 2,500.

Taiwan’s Population Database for Sale
Source: Verint Luminar

NOT THE FIRST TIME WE’VE SEEN SUCH AN OFFER

Although the above reports described this database leak as unique, this is not the first time we have seen an offer for a database consisting of personal information on the entire population of Taiwan. In Chinese sources, such offers have appeared since at least August 2018. Our findings, detailed below, may imply the database offer is in fact a resale of a database offered several times in the past in Chinese underground sources. These findings show the flow of data from one underground arena to another and stress the importance of multi-language monitoring across various sources to get a full picture of the origins of leaked databases.

THE TAIWANESE DATABASE ON THE CHINESE DARK WEB

Our first indication of a Taiwanese population database was in August and September 2018. In August 2018, an offer appeared on the Chinese Darknet marketplace to sell a Taiwanese population database consisting of the full names, landline numbers, gender and home addresses of 21,141,314 people.

Taiwan’s Population Database for Sale, August 2018
Source: Chinese Dark Web marketplace

About a month later, an actor who had offered several other major database leaks on the same Chinese-language Darknet marketplace (including the Marriott database) offered a full database of the Taiwanese population, consisting, according to him, of approximately 25 million lines of data, and claimed the data was current as of September 2017.

Taiwan’s Population Database for Sale
Source: Chinese Dark Web marketplace

Since then, similar offers have occasionally appeared in both the Darknet marketplaces and other underground chat groups operating on Telegram.

SIMILARITIES BETWEEN LEAKED SAMPLES SHARED ON THE DARK WEB

According to our research, the last time a similar offer was published was January 2020, when an actor on a Chinese Darknet marketplace offered a 25 million line Taiwanese population database containing, once more in that order: full names, landline telephone numbers, ID numbers, home addresses and sex. The actor also attached a short sample to prove the authenticity of the database. According to the marketplace’s internal data, this transaction was completed twice, meaning two different actors have purchased the database since. Of note, the same actor also offered the same database in April 2019, attaching a similar sample. The two screenshots below show the two offers, from January 2020 and April 2019.

Offer to Sell Taiwan’s Full Population Database, Containing ~25 million Lines, January 2020. Source: Chinese Dark Web Marketplace
Similar Offer from the Same Actor, April 2019
Source: Verint Luminar

The samples attached to the offers (the two Chinese posts from April 2019 and January 2020 and the English post from May 2020) show different names but look strikingly similar. The pattern of the data is identical, and it is arranged in exactly the same order: full name, landline number, ID number, home address and sex. Furthermore, the current seller admitted he obtained the data in 2019, which is in line with the date the same offer was published on a Chinese marketplace.
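The structural comparison described above can be automated. The following is an added example, not part of the original report: it classifies each column of a sample row into a coarse type (so two samples with different names and numbers can be compared by column signature), and runs cheap plausibility checks an analyst can apply to a vendor's "proof" sample before trusting it. The rows are constructed, the column order is the one the report describes, and the ID check-digit rule is Taiwan's publicly documented one.

```python
"""Plausibility checks on a sample claiming to be Taiwan population data.
Added example, not from the report. Rows are constructed; the column order
(name, landline, ID, address, sex) and the ID check-digit rule are public."""
import re

# Letter-to-number table of the Taiwan national ID check-digit scheme.
LETTER_CODES = {
    "A": 10, "B": 11, "C": 12, "D": 13, "E": 14, "F": 15, "G": 16, "H": 17,
    "I": 34, "J": 18, "K": 19, "L": 20, "M": 21, "N": 22, "O": 35, "P": 23,
    "Q": 24, "R": 25, "S": 26, "T": 27, "U": 28, "V": 29, "W": 32, "X": 30,
    "Y": 31, "Z": 33,
}
ID_RE = re.compile(r"^[A-Z][12]\d{8}$")  # letter, sex digit, 7 digits, check
FIELDS = ("name", "landline", "national_id", "address", "sex")

def taiwan_id_is_valid(national_id: str) -> bool:
    """Letter code digits weigh 1 and 9, the nine digits weigh 8..1 and 1;
    the weighted sum must be 0 mod 10."""
    if not ID_RE.match(national_id):
        return False
    code = LETTER_CODES[national_id[0]]
    total = (code // 10) * 1 + (code % 10) * 9
    weights = (8, 7, 6, 5, 4, 3, 2, 1, 1)
    total += sum(int(d) * w for d, w in zip(national_id[1:], weights))
    return total % 10 == 0

def column_signature(line: str, sep: str = "|") -> tuple:
    """Coarse type of each column, so samples with different names and
    numbers can still be compared structurally, as the report does."""
    sig = []
    for part in line.strip().split(sep):
        if ID_RE.match(part):
            sig.append("tw_id")
        elif re.fullmatch(r"\d{2,3}-\d{7,8}", part):
            sig.append("landline")
        elif part.upper() in ("M", "F"):
            sig.append("sex")
        else:
            sig.append("text")
    return tuple(sig)

def assess_sample(lines: list, sep: str = "|") -> dict:
    """Counts to check before trusting a sample: malformed rows, IDs failing
    the check digit, sex field disagreeing with the ID's sex digit (1=M, 2=F)."""
    report = {"rows": 0, "malformed": 0, "bad_id": 0, "sex_mismatch": 0}
    for line in lines:
        parts = line.strip().split(sep)
        if len(parts) != len(FIELDS):
            report["malformed"] += 1
            continue
        row = dict(zip(FIELDS, parts))
        report["rows"] += 1
        if not taiwan_id_is_valid(row["national_id"]):
            report["bad_id"] += 1
            continue
        expected = "M" if row["national_id"][1] == "1" else "F"
        if row["sex"].upper() != expected:
            report["sex_mismatch"] += 1
    return report

# Constructed sample (not real data): valid, valid, bad check digit, sex mismatch, truncated.
SAMPLE = [
    "Constructed Name 1|02-23456789|A123456789|Taipei City, constructed address|M",
    "Constructed Name 2|04-22223333|B200000004|Taichung City, constructed address|F",
    "Constructed Name 3|07-33334444|A123456788|Kaohsiung City, constructed address|M",
    "Constructed Name 4|03-44445555|B200000004|Hsinchu City, constructed address|M",
    "Constructed Name 5|05-55556666",
]
```

Two samples whose rows share the same `column_signature` but fail `assess_sample` in different ways are worth a closer look before concluding they come from the same source.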

All the above leads us to conclude that the current offer of the Taiwanese population database is an attempt to resell the same database leaked in the past on Chinese underground platforms. As the asking price for the data sold on the Chinese platform was merely US$ 200, whereas this seller offered the same database for US$ 2,500, we believe it is highly probable that this actor acquired the database on the Chinese marketplace and then tried to make an easy profit from actors operating on other platforms who do not have access to the Chinese marketplace and/or cannot read Chinese.

THE SELLER HAS OTHER ACTIVITIES ON THE DARK WEB

According to our analysis, the seller was seen operating under the same nickname on a Chinese Telegram underground chat group, a Russian Clearnet hacking and fraud forum, and two English-language Darknet forums.

In all instances, he offered credit card user data from China Industrial Bank containing over 460,000 lines. In one of the offers seen below and posted on the English-language forum, the actor quoted a price of US$ 380 for the database.

The China Industrial Bank Credit Card User Database offered on a Chinese Underground Telegram Group
A Similar Offer by the Same Actor Posted on an English-language Darknet Forum for US$ 380
Source: Verint Luminar

BUY IN ONE LANGUAGE, RESELL (FOR A NICE PROFIT) IN ANOTHER

As in the case of the Taiwanese population database, the China Industrial Bank database offered by this actor had appeared before on Chinese underground platforms. In March 2020, the offer was posted on a Chinese Darknet marketplace for US$ 56 (see the first screenshot below). According to this marketplace’s internal data, it was sold 21 times. A month later, in April 2020, it was also offered on a Chinese-language underground Telegram group (see the second screenshot below). This demonstrates a consistent modus operandi by this actor, and presumably by many other actors who operate across various multi-language platforms: acquiring databases in one language (Chinese) and reselling them at higher prices on platforms in other languages.

The Chinese Industrial Bank Database offered on a Chinese Darknet Marketplace, March 2020
The Same Database offered on a Chinese Telegram Group, April 2020. Source: Chinese Darknet Marketplace

Best Hacking Tools of 2019 – The Chinese Annual Hit List

The human fondness for annual lists ranking the “best of” apparently does not skip the Chinese hacking world. A post on a prominent Chinese hacking forum, published on the afternoon of December 29, 2019, has gained much recognition and popularity both inside and outside the forum in recent weeks. The post, written by the forum’s admin and named “2019 year-end hacking tools inventory,” lists the 30 “most outstanding” hacking tools for 2019, as recommended for the forum’s members.

Starting hours after its initial publication, and continuing for several days thereafter, the post was copied to other Chinese forums, as well as to web security blogs and web security sections in popular Chinese portals. Within the forum itself, it has attracted dozens of supportive comments, most of them praising and thanking the forum’s admin for his “contribution to the community.” This post is part of a larger tendency in Chinese hacking forums, where lists of hacking tools intended for novices who use these forums as learning platforms are becoming increasingly prevalent and popular.

The original forum post, showing the first tool on the list – Cobalt Strike

A Diversified Collection

The list contains 30 tools ranked according to their “superiority”, efficiency and utility. Most of the tools on the list (22) are of non-Chinese origin, whereas the rest (8) seem to be original Chinese creations. Although the original post does not provide links for downloading the tools, most are easily traceable and accessible for downloading on the web. The non-Chinese tools are widely available either from the official or designated website of the developer or on GitHub, whereas most Chinese tools are available either on GitHub or on local Chinese web platforms.

Not all recommended tools on the list are attack tools per se. On the contrary, some are legitimate tools, published as commercial programs by established companies, aimed at increasing users’ awareness and protection levels against vulnerabilities. Others are penetration testing tools, aimed at improving users’ web security protection. However, some are primarily attack tools providing a framework for conducting brute-force attacks, DDoS attacks and phishing, among other malicious activities. Furthermore, many of the ‘tamer’ tools presented in the original post, such as vulnerability scanners, penetration testing or intelligence collection tools, can be used by threat actors to detect vulnerabilities among potential victims. That point is also stressed in the descriptions of the tools inside the post, which imply the potential use of basically defensive tools as attack accessories. Although many of the non-Chinese and a few of the Chinese tools listed in the post are slightly outdated, and were originally uploaded to GitHub or other platforms well before 2019, the post demonstrates that some members of the Chinese hacking community are well-versed in the hacking world outside China and make use of platforms and tools published abroad. Moreover, a fair number of the original Chinese tools listed in the post were also uploaded to GitHub, a non-Chinese platform, which may imply an outbound approach by some members of the Chinese web security and hacking community.

GodOfHacker – The #1 Chinese Magic Hacking Tool

Of the original Chinese tools listed, the one that grabbed the number one ranking (and third overall) is a tool named GodOfHacker. This tool was uploaded to GitHub about a year ago by a prolific Chinese user, who frequently uses slang and curse words to describe his creation’s traits. Both in the forum post and on GitHub, the program is portrayed as an all-purpose “magic-tool” for hackers, which “combines all sorts of first-class hacking techniques that cover a wide range of functions.” Its claimed uniqueness is that all its features are available with “one-click.” The program is described as highly customizable and as possessing various powerful plug-ins that can be used to “enrich” its functions.

Screenshot of the 1st section of the program “the comprehensive section for fucking websites”

The program is divided into several sections or columns, each with numerous features. The first section is called “Comprehensive Section for Harming [or, using the original word “fucking”] Websites”, and its features are as follows, to name a few:

  • Performing one-click attacks or one-click zero-day attacks based on domain names or IP defined by the attacker.
  • Carrying out one-click attacks by choosing a specific vulnerability defined by the attacker.
  • Defacement, DDoS, knocking down websites’ backend, gaining full admin rights and implanting Trojans, all by one-click.
  • Knocking down batches of web pages on either Baidu or Google, getting free access online.
  • Stealing QQ accounts/numbers, using QQ virtual coins, using [website] membership rights, making free phone calls and charging phone/SIM cards.
  • Gaining access to intranets, surpassing the Great Firewall of China (the Chinese government’s Internet censorship tool), gaining access to gambling arenas in Macao and an IP location finder.
  • Damaging educational systems, “mining” for vulnerabilities, publishing vulnerabilities, reading internal memory, all by one-click.

The second section is called “Cracking” and features the following functions:

  • One-click cracking and source-code reversing based on file type.
  • One-click code annotation (AI), system activation, system penetration and POC generator (for penetration testing purposes).
  • One-click mobile application cracking, gaming and localization [into Chinese].

The third section features several functions related to Hacker CTF (“Capture the Flag”), a game format designed to provide a tutorial environment for students of hacking techniques. The fourth section provides features related to WiFi, including one-click WiFi scraping, WiFi man-in-the-middle attacks and access to mobile devices’ picture galleries. In addition, this section also has features such as one-click fake base station [FBS] attacks (where devices connected to a cellular network are made to connect to the rogue station so that information can be gathered from those devices), WiFi eavesdropping and WiFi phishing. The fifth section, named “Hardware,” features functions such as harming ATMs, harming unmanned machines, stealing bank cards and charging them and other types of cards.

The tool contains several plug-ins (including using txt and exe files as plug-ins) and supports various languages, such as C/C++, Java, Python, Ruby, JavaScript, php and more.

The plug-in section of the program, showing how a certain IP address is entered by the user and then given the option to conduct tests in English, Chinese or Japanese or to perform brute-force attacks against the site’s backend

ARABIC-SPEAKING THREAT ACTOR RECYCLES THE SOURCE CODE OF THE POPULAR RAT SPYNOTE AND SELLS IT ON THE DARK WEB AS NEW

At the beginning of July 2019, we detected that a threat actor dubbed mobeebom had created a sales thread for his Android Remote Administration Tool (RAT) MobiHok v4 on a prominent English-language hacking forum.

Quick research revealed that mobeebom is active on multiple Arabic-speaking hacking forums under different pseudonyms, which led us to assess, with high confidence, that he is an Arabic speaker. The use of poor English in his posts reinforced this assessment. His activity on the prominent English-language hacking forum we monitor sparked our curiosity and we decided to take a closer look.

NEW ANDROID RAT?

MobiHok is a RAT coded in Visual Basic .NET and Android Studio, which enables full control over the infected device with extensive capabilities. This latest release of the malware presents new features, such as a bypass of the Facebook authentication mechanism.[1]

The declared intention of the threat actor is to position MobiHok as the top Android RAT on the market. However, from research we conducted into mobeebom’s activity in the underground communities, and the analysis of a sample of the malware builder we retrieved, it is apparent that the threat actor based MobiHok on the source code of another prominent Android RAT named SpyNote, which was leaked online in 2016.[2]

The initial findings of our technical analysis confirmed that mobeebom probably obtained SpyNote’s source code, made some minor changes, and now resells it as a new RAT under the name MobiHok.

Screenshot of MobiHok’s sales thread

A DEEPER DIVE INTO MOBIHOK V4

The threat actor has been promoting the malware on multiple outlets (including a dedicated Facebook page and a YouTube channel)[3] since January 2019.

Screenshot of MobiHok sales post from an Arabic hacking forum
MobiHok’s dedicated Facebook page

Mobeebom also runs a website on which it is possible to purchase the RAT in a variety of options, including the possibility of acquiring the entire source code for US$ 15,000. According to the screenshots displayed on the website, the malware features the following capabilities:

  • Control of the files
  • Control of the camera
  • Keylogging
  • Control of the SMS
  • Control of the contacts
  • Control of the apps
  • Control of the account/phone settings
  • Terminal
  • Bypass of Samsung security mechanisms
  • Bypass of Google Play security mechanisms
  • No “rooted” device required
  • The RAT can be bound to another APK app

To conclude, despite mobeebom’s attempt to market his MobiHok v4 Android RAT as new and his declared intention to make it the top Android RAT on the market, it appears that this malware is based on the leaked source code of the known SpyNote Android RAT with only minor changes, and is being resold by the threat actor under a different name.


THE DATA BREACH EPIDEMIC – KEY FINDINGS FROM VERINT’S COMPREHENSIVE CTI REPORT

In the past few years we have witnessed a growing number of significant data breaches.

The Data Breach Epidemic Report reviews the most significant data breaches that occurred in 2018 and provides our analysis of the major data leaks. It also includes key trends we identified based on ~5B leaked records detected and analyzed by our team.

KEY FINDINGS:

  1. 4,812,840,627 – Total Leaked Records In 2018
  2. 1,925,136,251 – Unique Records
  3. 24,224,940 – Organizations
  4. 53% of all leaked data comes from .com domains
  5. Distribution of “Combo Lists” is the key trend in the 2018 data leaks
  6. Leaked records by region:
     • APAC – 1.5B records
     • EMEA – 728M records
     • LATAM – 34M records

Many “Combo Lists” published in 2018 targeted specific regions, indicating the leading interests of hacker groups.

THE ANALYSIS PROCESS

In order to identify and analyze the major breaches of 2018, our analysts continuously monitored activity on the Dark Web, in closed hacking communities and in other sources, to uncover indicators of breaches and data leaks.

In the report you will find a summary of the most popular ways hackers use to exploit stolen data, with real-life examples of attacks that exploited leaked records.

SOME LEAKS ARE MORE VALUABLE THAN OTHERS

Based on our analysis of the leaked data we obtained from several underground sources, we were able to identify several key trends, for example the increasing distribution of “Combo Lists”, the demand for region-specific leaks and the countries that had the most government data leaked.

ANALYSIS OF EXPLOITATION METHODS

The report also shares the hackers’ perspective, reviewing the most popular ways hackers exploit leaked data. These include credential stuffing attacks, brute force attacks, social engineering and email-based attacks. This information is valuable as it can help organizations prioritize risk and improve their resilience and readiness against these attack methods.

THE BIGGEST DATA BREACHES OF 2018

In the report, you will find the list of the most prominent data breaches that occurred in 2018, and what we can learn from the millions of compromised records and stolen data.
