Recent Trends from the Russian Underground

Being a successful hacker can be a very demanding profession. Perhaps the most important trait required for the job is being innovative and keeping up to date with recent trends. Just as in physical fitness, where a couple of weeks away from the gym leave you out of shape, a brief sick leave from the cybercrime scene means that a lot has changed by the time you return. The scene is very dynamic: new threats and vulnerabilities are constantly being discovered and then patched; new Trojans are sold on the underground and then their source code is leaked, rendering them of no further interest. Something is always going on.

This time, we want to draw your attention to recent trends identified on the Russian underground, gathered from leading forums and other web platforms.


A Wider Variety of Crypt (Obfuscation) Services for sale on Trading Platforms

We have observed a sharp increase lately in threads offering crypt (crypter) services for malware files. In the last month alone, we traced at least 20 active threads on different forums advertising crypt services for .exe or .dll files. The assortment is wide and the prices competitive: you can choose between a one-time service at $15 to $50 per file or a monthly subscription starting at $150 for a new vendor and $500 for a well-known, long-established service.

The crypt's purpose is to repack or obfuscate the binary so that it evades antivirus engines, firewalls, browser download protection and other malware detection; a freshly crypted file stays undetected for 24 to 72 hours on average, until security vendors catch up with new signatures and the file has to be crypted again. The increased supply indicates growing demand, which may be driven by two main factors: the increased volume of botnet activity, and the growing difficulty of bypassing security mechanisms that are becoming more sophisticated. We think it is a combination of the two: more and more cybercriminals are attracted by the easy profits of running a botnet, while security firms fight back and refine their defenses. The crypt services happened to be in the right place at the right time to rake in the money.

More Malware Using Tor

In recent months, new Tor-based malware has appeared on underground trading platforms. The newest are a Tor-enabled Android bot named "Slempo" and the TorLocker ransomware (the first rented for $500 per month on top of a $1,000 setup fee, the second sold for $200). Before that, we saw the Atrax HTTP Tor bot, whose admin panel is reachable only through Tor.

Hosting the C&C as a Tor hidden service gives the botnet operator anonymity: the server's real IP address is never exposed to the infected hosts or to anyone watching their traffic, and the identities of Tor users are very hard to reveal. The disadvantage of this method is the larger size of the malware files and the significant resources needed to manage such a botnet, because a Tor client has to be bundled into the malware.

As we see it, this may turn out to be quite an alarming trend, making the takedown of botnet infrastructure and the identification of its operators that much more difficult.

Greater Focus Granted to Firmware Attacks

As previously mentioned, cybercriminals wage a constant battle against evolving defense mechanisms. While more and more obstacles are placed in the path of the hacker seeking access to your PC, his path to embedded devices such as ATMs and POS terminals remains almost clear. These devices usually run a commodity operating system, typically Windows XP, and their physical exposure (an ATM, for instance, can be infected by someone with physical access to the machine) makes them much harder to protect.

Hackers have also discovered this vector: we recently saw numerous discussions on ways to attack ATMs, as well as an increasing amount of POS malware offered for sale and download.

In our opinion, we may be witnessing a gradual shift in cybercriminals' main targets, from the personal PC to the large-scale devices of organizations. The recent attacks executed via POS devices on Target, Neiman Marcus and other retailers merely corroborate this claim.

SenseCy is coming to town! Come meet us at the RSA USA 2014 conference, February 24-28, in San Francisco.

Don’t Forget What the Real Menace Is…

Written by Daniel Geifman

Previous posts on this blog have discussed several cases and scenarios of cyber-attacks perpetrated by hacktivists with the potential to become terrorists, Anonymous affiliates, LulzSec or other individuals taking advantage of the lack of preparedness (or understanding) of personnel in state ministries, banks and industry. This post will discuss the cybercrime arena and, more specifically, the use of the web in drug trafficking and human trafficking. There is no doubt that cyber-attacks represent a genuine menace: according to a recent report issued by Symantec, an estimated $113 billion is stolen from consumers around the world annually.

But let us not forget that cybercrime can be divided into several areas, from phishing or DDoS to more serious activities such as identity theft and debit and credit card number theft. In my view, this is not a strategic issue. These attacks, although important, bear no comparison in their social consequences with the use of the web for drug and people trafficking, or with other painful issues such as pedophilia. In my opinion, these are the more relevant and strategic issues, and they can bring any country and society to its knees.

In recent years, we have noted a tendency to place cybercrime in the spotlight, whether because of mass media coverage or simply because it is a new, sexy and not very well understood topic. But ordinary civilians are not the only ones to see the potential and the advantages of using the web to make their lives easier. Drug cartels in Latin America have also recognized the advantages of social networks and the deep web: saving precious logistical time by avoiding dangerous meetings with other dealers, sending messages and, above all, recruiting new members and attracting victims into their nets. These cartels have evolved into more than just drug producers and traffickers; they have become mafias, not only controlling drug trafficking from Afghanistan, Colombia and Mexico to the United States and Europe, but also building a corruption, prostitution, kidnapping and gambling network, with the drug trafficking alone estimated to produce $320 billion in revenues every year.

Defining Priorities

Crimes ranging from phishing attacks to drug trafficking must all be fought; there is no doubt about that. But first we should define, as a society, what we expect in the future. At the end of the day, the web or the deep web is just another communication medium, not the problem itself. By fighting defacements with better anti-virus software or more technicians we are not fighting a strategic battle; we are merely patching over the real menace that lurks beneath.

Hacking as an Artistic Expression

Hackers are creative people. Everybody knows that. They have to be technically creative in order to outsmart security mechanisms, perform their antics and get away without being caught (sometimes).
But artistic creativity? That is not the first thing we associate with hacking. However, after witnessing their creative works of art, we felt compelled to share them with you.
So you are welcome to enjoy the works of the "Russian classical painters", the "surrealist hacktivist designers" and the "Iranian masters":

A Russian hacking forum
Portal of Russian hackers
Another Russian hacking forum
A carding shop
#OpUSA (May 7, 2013)
#OpPetrol (June 20, 2013)
#OpEgypt
Iranian Cyber Army (ICA)
Ashiyane Digital Security Team (ADST)

Cyber Criminals “TARGET” Point of Sale Devices

In the wake of the breaches at retailers from Target to Neiman Marcus, culminating in CNET's report on January 12 that at least three more retailers had been breached, we can see a renewed focus on cybercrime in the retail world, always a prime target for credit card theft. Moreover, the carding and underground crowds have become so skilled in the theft and sale of credit cards that within days of the attack on Target, the stolen cards were already on sale.

Powering this trend is Point of Sale (POS) malware. In recent years, we have identified increased underground activity in the sale and development of POS malware, with Dexter and Project Hook the most notable families. However, wherever there is a need there is a market, so the field is not limited to these two. A case in point are the versions of vSkimmer, POS.CardStealer and Dump Memory Grabber that our analysts came across last month. These are all dedicated Windows-based POS malware families developed in early 2013 and still in circulation today.

Spy.POSCardStealer

A known POS Trojan, detected by antivirus products since January 2013. Its builder was uploaded to the closed Russian forum exploit.in in December 2013. The tool was analyzed in detail on the Xylibox.com blog, which showed that it searches for Track 2 data read from the card's magnetic stripe, which the POS device holds in memory in the clear, and then sends it to the C&C.

vSkimmer POS Trojan

A POS Trojan that was sold on the Russian underground during 2012 and early 2013. In March 2013, the builder was uploaded to exploit.in for free download; it was deleted after a short time and uploaded again in October 2013. A botnet based on this tool was discovered in February 2013 and was widely considered Dexter's successor, with additional functions. The malware detects attached card readers, scrapes the card data from the Windows machine they are connected to, and sends it to a control server.

DUMP MEMORY GRABBER (Black POS)

A POS Trojan sold on the Russian underground since February 2013 (a video of the malware in action is available upon request). The malware identifies the running process associated with the card reader and steals payment card Track 1 and Track 2 data from that process's memory. The price ranges from $1,800 to $2,300 (as of April 2013).

Original post uploaded by the malware seller

Conclusion and Recommendations

It seems that the Target breach is poised to be the TJX of the POS world. If TJX brought about a complete rethinking of how credit cards should be processed in the enterprise back end, and in turn drove the adoption and enforcement of PCI-DSS, it is clear today that progress on PA-DSS and the work performed by POS vendors is still insufficient to protect customers. It is very likely that we will start to see the technologies that are today aimed at APT detection on enterprise computers shifted to POS networks, and perhaps even developers and retailers taking a step back from Windows-based machines toward more dedicated, hardened operating systems. Retailers (both large and small) that wish to take action against the threat of card theft should:

  1. Contact their POS supplier and make sure its software complies with PA-DSS.
  2. Ensure the POS system is fully up to date (and, with Windows XP reaching end of support in April 2014, running on Windows 7 or later).
  3. Ensure that security controls (both application whitelisting and signature-based anti-malware) are installed on the POS system.
  4. Install network-based security controls on the POS network connection.
  5. Be aware of the threat and know how to locate and mitigate it.

“Mega Breach” – So What?

We have all heard that the software company Adobe (maker of Flash, Acrobat and many more) was hacked and that details of more than 150 million users were stolen and then circulated on Russian darknet forums.


So you ask yourself: so what? How does this affect me and my organization? Do I even have an Adobe account?

Well, the chances are that your organization is using Adobe products, and many employees have either opened an account when downloading a trial product or had one created for them by the procurement department when it purchased an Adobe license for them to use (usually without their knowledge).

First of all, let us review what was actually stolen: a list containing, per user, a serial number (not interesting), the user's email address (very interesting), an encrypted password and the password hint (retrieval question) in the clear. The passwords were encrypted rather than hashed, all under one key in ECB mode, so identical passwords produce identical ciphertext; combined with the plaintext hints, that makes them easy to recover if you know how.
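The following is an added example, not code from the original post, modelling why a password column stored this way falls in bulk. The cipher is a toy: a four-round Feistel network with a SHA-256 round function and DES-sized 8-byte blocks, standing in for the real dump's 3DES; the account list is constructed. The attack never touches the key. In ECB mode equal plaintext blocks map to equal ciphertext blocks, so users with the same password cluster together and their plaintext hints pool, and passwords sharing an 8-byte prefix share their leading ciphertext block.

```python
"""Why 'encrypted, not hashed' passwords are crackable in bulk (added example).

Toy model of a leaked account table whose password column is encrypted
under a single key in ECB mode. The cipher is a 4-round Feistel network
with a SHA-256 round function and an 8-byte block (an assumption standing
in for 3DES); the clustering below works against any block cipher in ECB.
"""
import hashlib
import os
from collections import defaultdict
from typing import Dict, List, Tuple

BLOCK = 8  # bytes, the DES/3DES block size


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function: keyed hash truncated to half a block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Same network with the round order reversed."""
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    pad = BLOCK - len(data) % BLOCK                       # PKCS#7 padding
    data += bytes([pad]) * pad
    return b"".join(encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    pt = b"".join(decrypt_block(key, ct[i:i + BLOCK])
                  for i in range(0, len(ct), BLOCK))
    return pt[: -pt[-1]]


# Constructed accounts (email, password, plaintext hint); not real data.
ACCOUNTS = [
    ("alice@example.com", b"password", "the obvious one"),
    ("bob@example.com", b"password", "rhymes with lastword"),
    ("carol@example.com", b"password", "same as my bank"),
    ("dave@example.com", b"letmein!2020", "classic plus the year"),
    ("erin@example.com", b"letmein!1999", "classic plus my birth year"),
    ("frank@example.com", b"Tr0ub4dor&3", "the comic strip"),
]


def make_dump(key: bytes) -> List[Tuple[str, bytes, str]]:
    """What the site stored: email, ECB-encrypted password, hint in the clear."""
    return [(email, ecb_encrypt(key, pw), hint) for email, pw, hint in ACCOUNTS]


def cluster_by_ciphertext(dump) -> Dict[bytes, List[Tuple[str, str]]]:
    """Attacker view, no key needed: equal ciphertext means equal password,
    so everyone in a cluster shares one password and their hints pool."""
    clusters = defaultdict(list)
    for email, ct, hint in dump:
        clusters[ct].append((email, hint))
    return dict(clusters)


def shared_prefix_blocks(ct_a: bytes, ct_b: bytes) -> int:
    """ECB also leaks per block: a common 8-byte password prefix shows up
    as identical leading ciphertext blocks."""
    n = 0
    for i in range(0, min(len(ct_a), len(ct_b)), BLOCK):
        if ct_a[i:i + BLOCK] != ct_b[i:i + BLOCK]:
            break
        n += 1
    return n


def salted_hash(password: bytes, salt: bytes) -> bytes:
    """What should have been stored instead: per-user salt and a slow KDF,
    so equal passwords no longer produce equal records."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


if __name__ == "__main__":
    dump = make_dump(os.urandom(24))                       # key never leaves the site
    for ct, members in cluster_by_ciphertext(dump).items():
        if len(members) > 1:
            print(ct.hex(), "shared by", [e for e, _ in members])
            print("  pooled hints:", [h for _, h in members])
    print("dave/erin share", shared_prefix_blocks(dump[3][1], dump[4][1]), "leading block(s)")
```

Three users with three different hints for one ciphertext is usually enough to name the password outright, and once one member of a cluster is known every member is, which is what turns a 150-million-row dump into a cracking job that needs no key at all. A per-user salted, slow hash such as the pbkdf2_hmac call above gives every row a distinct record even when the passwords are identical, and leaves the hint as the only leak.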

So the main risk here appears to be that a hacker will break into the account (by guessing or cracking the password), steal the credit card details and use them. Right?

Well, this is certainly possible (and happens more often than most of us think), but the real risk is the exposure of email addresses.

A large percentage of all intrusions into large organizations occur through "spear-phishing", meaning a targeted email sent to a specific person within the organization.

The employee receives a credible-looking email, appearing to come from a business partner, a conference organizer and so on.

The email contains an attachment (most likely a PDF file, Excel sheet or Word document) or a link.

Opening the attachment or clicking the link runs malicious code that installs itself silently, and from that moment on the intruder has a foothold inside the network.

Creating a spear-phishing email is easy. What was difficult until now was obtaining corporate email addresses (hackers previously had to use social engineering to obtain them). No more: literally millions of these addresses are now visible to all, making employees whose details have been leaked easy targets. So what needs to be done (since the breach and subsequent exposure cannot be undone)? Here are our actionable recommendations:

  • Cancel the credit card that was used to make purchases on the site
  • Change the password of every user of the Adobe site, and anywhere else the same password was reused
  • Conduct a full scan of the computers for malicious files
  • Brief all employees whose Adobe accounts/emails have leaked about this breach and the spear-phishing attempts that may follow it, and tell them to avoid opening attachments from suspicious or unknown email addresses

As the (even more recent) Target breach proves, we have not seen the last of these "mega breaches", so whenever such an incident is made public, we all need to ask ourselves: does this affect me? And if so, what do I need to do? Remember, cyber security is not "the IT department's problem". We are all an important part of the solution.