During November 2014, the popular hacker group AnonGhost attempted to deface academic websites from around the world.
AnonGhost was established by a famous hacker dubbed Mauritania Attacker. The group has launched many wide-scale cyber campaigns against the U.S., Israel and other countries around the world. The group’s most popular repeat campaign is #OpIsrael, which was relaunched on April 7, 2014 (one year after its inaugural launch), targeting Israeli cyber-space.
Their most recent ongoing campaign is #OpGov, where group members attempt to hack government websites in different countries. In the following image, you can see an example of the group’s intention to hack Jamaican government websites:
The group has also leaked information from databases, such as emails, passwords and personal details.
Targeting Academic Websites
Recently, we noticed that AnonGhost is focusing on academic websites in the U.S., such as Washington University, Olin College of Engineering and Utah State University. On its official Facebook and Twitter accounts, the group announced that they had successfully defaced these American academic websites. In the following images, you can see the group’s post and their tweet regarding Washington University websites:
In the following image, you can see the group’s post on Facebook listing its achievements in hacking government and academic websites:
Defaced Websites as Tools for Future Attacks
It should be noted that cyber researchers have recently warned about a new method used by hacktivist groups to attack users who visit defaced websites: the defacement page carries a malicious link that leads to a website hosting the Dokta Chef Exploit Kit. The Dokta Chef EK takes advantage of a recently disclosed remote code execution vulnerability in the Internet Explorer browser. In the following image, you can see a defaced website with the malicious link (lulz.htm):
Banks and other financial institutions often serve as key targets for malicious activity committed in cyber space. Owing to their large-scale financial operations, banks have always attracted scammers and thieves searching for easy ways to get rich quick. The rapid development of technologies used across industries has shifted banking operations to a much more virtual level, opening up new, sophisticated ways for criminal actions to be perpetrated. Aside from traditional, profit-motivated cybercrime, a large part of a bank’s technical infrastructure, such as online banking services, is located on the Internet. This exposes another Achilles’ heel of banking institutions, and serves as a weapon for ideologically motivated hackers trying to undermine a bank’s reputation and normal functioning. In this blog post we will focus on threats coming from the cybercrime arena; a follow-up post will describe the hacktivism world.
Cybercriminals act through different vectors, such as developing malware to steal login details for banking sites and applications, extracting credit card data from hacked databases, etc. The main motivation of cyber criminals is financial profit. Accordingly, they use closed web forums and online shops to support their illegal activity and develop new fraud schemes. In most cases, financial institutions face one of the following three threats:
Man-in-the-Middle (MitM) Attacks
Also called web injections, this attack method is very popular among cyber criminals targeting the financial sector. If the attack is successful, the hacker manages to infiltrate the web session between the customer (while he is browsing the bank website) and the bank. He then intercepts the messages sent between the two parties, including credentials and confidential information, and injects new messages, without arousing the suspicion of either party.
In most cases, the injections are adjusted per victim, and are delivered via banking Trojans, Zeus for example. On closed forums, injections are sold as separate modules for banking malware, or they are offered as a tailored service for cyber criminals targeting a specific bank.
Client Detail Trading
One of the most popular areas of activity on underground forums is the trading of login details to bank websites and client personal data. Typically, this data originates from computers infected with malware designed to steal data inserted into form fields on websites. The operator of the botnet comprising these infected computers will not always use all the stolen data by himself, but may sell it to ‘professionals’ who specialize in cashing out money from these hacked accounts.
A term that should be mentioned in this context is the “drop” – a person who receives the stolen money into his account – sometimes without even knowing that he is supporting illegal activity, as legends and cover stories are frequently used. Drops are usually operated by the buyers of the login details – scammers who have a stable infrastructure for cashing out stolen money. Posts on the subject of buying and selling credentials are frequently found on closed forums.
Compromised Credit Cards
Online shops offering different kinds of credit card data for sale are very popular among those cyber criminals specializing in “carding.” These shops are very convenient for their users: they include numerous filtering options, matching the data to the scammer’s needs. Prices may vary considerably, depending on the rarity of the card, the demand for data from the issuing bank, and the time elapsed since the data theft.
Combining an executable (usually malicious) file with a standard Word or Excel file, unbeknownst to the user, has always been an aspiration for cyber-criminals. With such an asset, they could make the victim unwittingly install the malware, without raising his suspicions or triggering AV vendor alerts, as running a bare executable file would. For this reason, requests for such services are frequently posted on underground forums, as cyber criminals search for easy ways to spread their malware files. Occasionally, this demand meets a supply, usually highly priced due to the opportunities it provides.
On this occasion, while monitoring Russian underground forums, we came across an advertisement for an exploit that targets Microsoft Office Word via its Visual Basic for Applications (VBA) macro feature. The exploit, referred to as MacroExp v 1.0.5 by the seller, first appeared for sale two days ago (on August 11), for $1,000. The price includes the exploit builder, as well as further updates and technical support.
According to the description on the forum, the exploit binds an executable file to a .doc file, making the .exe invisible to the victim. It is claimed to be compatible with all Microsoft Office Word versions (2000-2013), as well as Windows OS x86 and x64. The seller further claims that, since the presence of the executable file is hidden, it is not detected by AV and IPS systems, or by firewalls.
The disadvantage of the method, as described by the seller, is the pop-up of a macro-enabling alert required for the actual running of the executable file. He suggests overcoming this obstacle by using social engineering methods.
A week ago, Cisco reported this attack vector, detected by its researchers, in the wild. It was used in spear-phishing attacks against industries such as banking, oil, television and jewelry. The starting point involved sending a Word file written specifically for the recipient. When the document was opened, a macro alert popped up. Once macros were enabled, the document downloaded a malicious executable file and launched it on the victim’s computer.
It is difficult to say whether the same perpetrators are behind both attacks, or whether it is just the same vector being used in both cases. On the one hand, one of the CnC domains discovered by Cisco was registered seven years ago, which may indicate that the threat actor has been in operation since at least 2007. On the other hand, the seller connected himself to the Cisco report, claiming that the described attack is his project. Moreover, he mentioned that more than 20 clients were already using the exploit, and that this was not the first version since its release. The matter will become clearer as more cases are identified in the wild, combined with more feedback from buyers on the forum.
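The advert above describes two artefacts a defender can look for when triaging a suspicious .doc attachment: a VBA macro project and an executable carried inside the file. The following Python is an added example (not code from the forum, the seller or Cisco) of a byte-marker heuristic for exactly that. It assumes only well-known constants: the OLE compound-file magic, the UTF-16LE storage names that Word uses for macro projects, and the DOS stub string found in nearly every PE. It does not parse the OLE container, so a hit is a reason to sandbox the file, not a verdict; the sample "documents" it scans are constructed in the block and are not real Word files.

```python
"""Heuristic triage of a Word (.doc) attachment for a VBA macro project and an
embedded PE executable.  Added example: byte markers only, no OLE parsing."""

import re

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")        # compound-file header signature
DOS_STUB = b"This program cannot be run in DOS mode"  # present in nearly every PE
# Storage/stream names in an OLE directory are stored as UTF-16LE.
MACRO_MARKERS = [name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT", "VBA")]


def find_embedded_pe(data: bytes) -> list:
    """Offsets of 'MZ' headers that are followed by the DOS stub within 256 bytes."""
    hits = []
    for m in re.finditer(b"MZ", data):
        window = data[m.start():m.start() + 256]
        if DOS_STUB in window:
            hits.append(m.start())
    return hits


def triage_doc(data: bytes) -> dict:
    """Return the three indicators plus a combined 'suspicious' flag."""
    report = {
        "is_ole": data[:8] == OLE_MAGIC,
        "has_vba_project": any(mk in data for mk in MACRO_MARKERS),
        "embedded_pe_offsets": find_embedded_pe(data),
    }
    # Macros alone are common in legitimate documents; macros plus a PE are not.
    report["suspicious"] = report["has_vba_project"] and bool(report["embedded_pe_offsets"])
    return report


def build_sample(with_macro: bool, with_pe: bool) -> bytes:
    """Constructed stand-in for a .doc (NOT a valid OLE file) used to exercise triage_doc."""
    blob = bytearray(OLE_MAGIC + b"\x00" * 504)          # fake 512-byte header sector
    blob += b"Quarterly report text " * 8                # ordinary document bytes
    if with_macro:
        blob += "Macros".encode("utf-16-le") + b"\x00" * 16 + "_VBA_PROJECT".encode("utf-16-le")
    if with_pe:
        blob += b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b"\x00" * 32
    return bytes(blob)


if __name__ == "__main__":
    for macro, pe in ((False, False), (True, False), (True, True)):
        print(f"macro={macro} pe={pe} ->", triage_doc(build_sample(macro, pe)))
```

On real mail-gateway input, run `triage_doc` over the attachment bytes and route anything with `suspicious=True` to detonation; the `has_vba_project` flag alone is a useful counter for how much macro-bearing mail an organisation receives.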
Screenshots of the exploit in action uploaded by the seller
Security researchers have discovered ways to take control over roughly 70% of Android devices via a Web page or apps – mostly devices that have outdated versions. Although Google releases patches approximately every four months, most of the devices will likely remain vulnerable to attack because they will not be updated.
While the iOS operating system is only installed on Apple devices and it is relatively easy to obtain updates, security updates for Android OS devices are forced to pass through the mobile network operators and carriers – a hindrance that often takes a great deal of time.
The following chart describes the patching process for an Android device, from the first discovery of a vulnerability through to the repair that ultimately reaches the end-user device. The repair process at point C is typical for every software product: the patch at point C usually closes the vulnerability window that opens at point A.
Points D – G represent the repair process specific to Google; whenever a patch to Android becomes necessary, Google provides an update via its open source forum. The manufacturers produce the update, vendors release it and then the user installs the updated customized version of his operating system.
It should be noted that the patch release date is not the date when these updates actually become available to users. Once Google releases an update, the manufacturer must adapt it to its own hardware. It is also possible that the update never reaches the user at all, for example, if the vendor decides that distributing it is too expensive.
As a result of this window of vulnerability and the gap between Google’s and the manufacturer’s release dates, hackers can use reverse engineering techniques to identify and exploit the vulnerability on a device, using the information found in the originally published patch, or in the patch of any other manufacturer that issued it at an earlier date.
Clearly, the fact that Google provides a secure platform for Android is insufficient – it is also important to ensure that their patches reach their targets, Android users, within the shortest possible time, to minimize the attack window.
We recently published the first section of the terms table and felt it was insufficient, so we are following up with the second section, delving deeper into the underground cyber world of illicit trade, hacking and malware.
It is no secret that Bitcoin is under a lot of scrutiny lately.
From publicized breaches of Bitcoin trading sites, to wild fluctuations in its value, the virtual currency that was considered a hot commodity until very recently is floundering. Perhaps the most alarming story demonstrating the instability of this currency is Mt. Gox, once the largest Bitcoin exchange in the world. The site first closed, then filed for bankruptcy, and its CEO’s Twitter account was hacked. With all this controversy, the public is left wondering about the future of Bitcoin and the level of security the exchange sites provide. Naturally, hackers have also taken notice and have started looking for weaknesses on other Bitcoin exchange sites. Alongside the flurry of phishing emails, Bitcoin mining bots and attempts to hack into Bitcoin exchange sites, there is a new trend: using the ability of Trojans to hijack HTTP sessions, or plain old XSS and CSRF attacks, the attackers inject site-specific code into users’ sessions, then scan for available funds in the user accounts and steal money from them.
Recently, our analysts have come upon four different injection codes, three for Bitcoin exchanges and one for a betting site. All of these are fashioned in the same way, and are clearly written by the same author.
In the continuation of the code, the attackers change the CSS setting of the site, and replace the values of the send-to-address, send-value and the send button elements. All in all, this is a very simple and elegant code that utilizes the context in which it is run.
This is not a new method of attack – it has been widely used in the past and will probably continue to be used in the future. However, it demands a good understanding of how the exchanges work and how they build their web services, and it is very version-specific. For the exchanges, however, this is bad news, since this targeting of the users is something they have limited capability to defend against (unlike attacks on their servers).
The process that the exchanges are going through is very similar to what banks and e-commerce services went through when they started providing Internet services. The problem is that banks have the ability, staff and resources (and insurance) to limit transactions and work with customers on fraud cases, while Bitcoin exchanges do not have that kind of capability yet. Even if a specific attack is stopped, we will probably see more and more attacks on Bitcoin (and other currencies) users. This is just one more step in the evolution of crypto-currency to a more mature state.
The healthcare industry is advancing rapidly, linking systems and medical devices to the Internet, adopting electronic health records and implementing regulatory reforms. Tremendous technological advancements in the medical industry bring with them a greater reliance on software-controlled devices and wireless technologies. These technologies are used in any visit to the doctor and in hospital wards. Many of them connect, or have the capability to connect, to the Internet. Alongside the opportunities presented, the industry is also a major target for cyberattack, mostly for financial motives. In the following post, we will present some of the cyber threats currently faced by the healthcare industry.
In today’s environment, organizations are required to take responsibility for securing their networks and computers. Alarming vulnerabilities in medical devices have caused the FDA to issue guidelines for cyber security of the medical device industry. The U.S. Health Information Technology for Economic and Clinical Health Act, for example, permits the fining of hospitals and other organizations up to $1.5 million a year for serious security incidents. Unfortunately, the industry is falling short of complying with said security standards. Last year, for example, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) performed a random audit of 20 healthcare organizations, 19 of which failed.
(Note – this blog post is an excerpt from our report: ”Cyber Threats to the Healthcare Industry”. If you are interested in receiving the full report, please write to: firstname.lastname@example.org).
Threats to the Healthcare Industry
According to security experts, cyber criminals are shifting their focus from the financial industry to the healthcare industry, today an easier and more profitable target. Healthcare records contain valuable information for cyber criminals, such as social security numbers and personal information. Credit card records sell for an average of $2, while medical records can fetch about $20 on the black market. According to the Experian 2014 Data Breach Industry Forecast, the healthcare industry is likely to make the most breach headlines in 2014, despite the fact that 2013 was a year of mega-breaches in the healthcare industry.
Identity and Information Theft
Medical identity theft occurs when someone uses an individual’s name and personal identity to fraudulently receive medical services, prescription drugs and goods, or attempts to commit fraudulent billing. Information theft can include the theft of personal information for malicious use, such as selling it on the DarkNet. According to a Ponemon Institute 2013 survey, medical identity theft claimed more than 1.84 million U.S. victims in 2013. Medical identity theft is on the rise in the U.S., where the number of victims in 2013 increased by 19%.
Medical Device Breaching
Over the last 15 years, a growing number of medical devices have become interconnected through hospital networks, the Internet, smartphones and other devices, increasing their exposure to attack. This has not escaped the attention of the FDA, which recently issued new guidelines to biomedical engineers, healthcare IT and procurement staff, medical device user facilities, hospitals and medical device manufacturers.
The new FDA guidelines came in response to the 2012 findings of a governmental panel, which revealed that computerized hospital equipment is increasingly vulnerable to malware infection that can potentially render these devices temporarily inoperable. Many of the devices run on Windows variants. They are connected through internal networks to the Internet and are also exposed to laptops in the hospitals, making them vulnerable to malware.
An example of the implications of such infections was described by the medical-device panel of the NIST Information Security & Privacy Advisory Board, which reported fetal monitors in intensive-care wards that were slowed down by malware infection. This problem can affect a wide range of devices, such as compounders, diagnostic equipment, etc.
A report issued by the Government Accountability Office (GAO) warned mostly about vulnerabilities found in wireless implanted defibrillators and insulin pumps, but thousands of other network-connected life-saving devices are also vulnerable. Malware in medical devices is probably much more prevalent than we know, since most infections are not reported to the regulators and no records exist. Updating the OS of a medical device is, moreover, an onerous regulatory process.
We believe that the healthcare industry is facing major threats from cyberspace. These threats encompass large areas of the industry and may become a greater burden for it, compromising patient safety, and causing financial and commercial damage to the associated bodies.
SenseCy is coming to town! Come meet us at the RSA USA 2014 conference, February 24-28, in San Francisco.
Hackers are creative people. Everybody knows that. They have to be technically creative in order to outsmart security mechanisms, perform their antics and get away without being caught (sometimes). But artistic creativity? Not the first thing we associate with hacking. However, after witnessing their creative works of art, we felt compelled to share these with you.
So you are welcome to enjoy the works of the “Russian classical painters”, the “surrealist hacktivists designers” and the “Iranian masters”:
Several cyber threats pertaining to the shipping industry have been reported of late, illustrating the vulnerability of this industry – a fact that cyber criminals, terrorists and even hacktivists are already exploiting.
(Please note – this blog post is an excerpt from our report: “Cyber Threats to the Shipping Industry”. If you are interested in receiving the full report please write to: email@example.com).
Vulnerabilities of Automatic Identification System Exposed
Researchers at the Trend Micro security firm reported that they had identified major security weaknesses in the Automatic Identification System (AIS). The AIS is a global system that identifies and tracks vessels in real time. The system periodically transmits the position, speed and heading of a vessel, among other information. It was mandated by the International Maritime Organization (IMO) for all passenger and commercial vessels over 300 metric tons. During an experiment, the researchers managed to break into the system and alter data in real time.
The breach was carried out in two phases. First, they identified the main AIS Internet providers that collect and distribute AIS information, and exploited the providers’ acceptance of manipulated data to perform:
Modification of all ship details such as position, course, cargo, flag, speed, name, MMSI (Mobile Maritime Service Identity) status, etc.
Creation of fake vessels with the same details, e.g. having an Iranian vessel with nuclear cargo show up off the coast of the U.S.
In the second phase, they exploited flaws in the AIS communication protocol, which is mandatory in the hardware transceivers of all vessels. Using a US$200 transceiver (on Marine VHF channels 161.975 MHz and 162.025 MHz), they were able to:
Permanently disable the AIS system on a vessel, forcing the ship to stop communicating its position, and also stop receiving AIS notifications from all vessels in the vicinity.
Issue a fake CPA alert (Closest Point of Approach) and trigger a collision warning alert.
Fake a “man-in-the-water” distress beacon at any location that would also trigger alarms on all nearby vessels.
Send false weather information to a vessel, e.g. an approaching storm, causing it to reroute.
Cause all ships to transmit AIS traffic much more frequently than normal, flooding the channel and blocking communications from marine authorities and other vessels in range.
This weakness allows hostile entities to alter the real-time data of vessels sailing the seas, with the potential to cause economic damage, in addition to serious safety risks to vessels, or to sabotage the activities of marine enforcement agencies (police, coastguard etc.). The security gap is particularly worrisome because exploiting it requires neither expensive equipment nor impressive hacking capabilities. The threat is that terrorist organizations could exploit this vulnerability, which could lead to serious physical consequences and even the paralysis of maritime traffic in a particular area.
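The two phases above (fabricated or altered vessel records fed to AIS aggregators, and forged radio frames such as duplicate or impossible positions) share one defensive angle: a receiver that decodes the reports and checks them for physical plausibility before trusting them. The Python below is an added example, not Trend Micro’s tooling or any product code. The 6-bit ASCII armour, the NMEA checksum and the field offsets of a type-1 class-A position report follow the public AIS specification (ITU-R M.1371); the 50-knot plausibility threshold, the MMSI and the three sample frames are constructed here for the demonstration. The builder function exists only to make those sample frames and is not needed on a live feed.

```python
"""Decode AIS class-A position reports from !AIVDM sentences and flag tracks
that cannot be real.  Added example; sample frames and threshold are constructed."""

from collections import defaultdict
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_NM = 3440.065


def nmea_checksum(body: str) -> int:
    """XOR of every byte between the leading '!' and the '*'."""
    c = 0
    for ch in body:
        c ^= ord(ch)
    return c


def ais_armour(bits: str) -> str:
    """Pack a bit string into AIS 6-bit ASCII (0-39 -> '0'..'W', 40-63 -> '`'..'w')."""
    bits += "0" * ((-len(bits)) % 6)
    out = []
    for i in range(0, len(bits), 6):
        v = int(bits[i:i + 6], 2)
        out.append(chr(v + 48 if v < 40 else v + 56))
    return "".join(out)


def ais_bits(payload: str) -> str:
    """Inverse of ais_armour: expand each payload character to six bits."""
    out = []
    for ch in payload:
        v = ord(ch) - 48
        if v > 40:
            v -= 8
        out.append(f"{v:06b}")
    return "".join(out)


def _uint(bits, start, length):
    return int(bits[start:start + length], 2)


def _sint(bits, start, length):
    v = _uint(bits, start, length)
    return v - (1 << length) if v & (1 << (length - 1)) else v


def build_position_report(mmsi: int, sog_knots: float, lat: float, lon: float) -> str:
    """Construct a type-1 sentence; used here only to produce test frames."""
    def field(v, n):  # n-bit two's-complement field
        return f"{v & ((1 << n) - 1):0{n}b}"
    bits = (field(1, 6) + field(0, 2) + field(mmsi, 30) + field(0, 4) + field(128, 8)
            + field(round(sog_knots * 10), 10) + field(0, 1)
            + field(round(lon * 600000), 28) + field(round(lat * 600000), 27)
            + field(0, 12) + field(511, 9) + field(60, 6)
            + field(0, 2) + field(0, 3) + field(0, 1) + field(0, 19))
    assert len(bits) == 168
    body = f"AIVDM,1,1,,A,{ais_armour(bits)},0"
    return f"!{body}*{nmea_checksum(body):02X}"


def decode_position_report(sentence: str) -> dict:
    """Verify the checksum and extract MMSI, speed over ground and position."""
    body, chk = sentence[1:].split("*")
    if nmea_checksum(body) != int(chk, 16):
        raise ValueError("NMEA checksum mismatch")
    bits = ais_bits(body.split(",")[5])
    if _uint(bits, 0, 6) not in (1, 2, 3):
        raise ValueError("not a class-A position report")
    return {
        "mmsi": _uint(bits, 8, 30),
        "sog_knots": _uint(bits, 50, 10) / 10,          # 1/10 knot units
        "lon": _sint(bits, 61, 28) / 600000,            # 1/10000 minute units
        "lat": _sint(bits, 89, 27) / 600000,
    }


def distance_nm(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in nautical miles (haversine)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(a))


def flag_impossible_tracks(received, max_knots: float = 50.0) -> list:
    """received: list of (unix_seconds, sentence).  Returns (mmsi, implied_knots) for
    every consecutive pair of reports from one MMSI that would require > max_knots."""
    by_mmsi = defaultdict(list)
    for t, s in received:
        r = decode_position_report(s)
        by_mmsi[r["mmsi"]].append((t, r))
    flags = []
    for mmsi, track in by_mmsi.items():
        track.sort(key=lambda x: x[0])
        for (t0, a), (t1, b) in zip(track, track[1:]):
            hours = max(t1 - t0, 1) / 3600               # guard against zero time delta
            implied = distance_nm(a["lat"], a["lon"], b["lat"], b["lon"]) / hours
            if implied > max_knots:
                flags.append((mmsi, round(implied, 1)))
    return flags


# Constructed sample: a plausible track, then the same MMSI "appearing" ~3,000 nm away.
SAMPLE = [
    (0, build_position_report(227006760, 22.5, 49.5, 0.125)),
    (60, build_position_report(227006760, 22.5, 49.5, 0.135)),
    (120, build_position_report(227006760, 0.0, 40.0, -74.0)),
]

if __name__ == "__main__":
    for t, s in SAMPLE:
        print(t, decode_position_report(s))
    print(flag_impossible_tracks(SAMPLE))
```

The same pairwise check catches the "fake vessel with the same details" case from the first phase, because a cloned MMSI reporting from two distant places within seconds produces an impossible implied speed; a monitoring station would raise the flag for analyst review rather than silently dropping the frame.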
Cyber Attack Breaches Port Security; Container Hijacked
On October 16, 2013, Europol announced it had exposed a network of drug traffickers who recruited hackers to breach IT systems in the port of Antwerp, Belgium. The purpose of the breach was to allow hackers to access secure data giving them the location and security details of containers (that contained smuggled drugs worth billions of dollars), allowing the traffickers to send in truck drivers to steal the cargo before the legitimate owner arrived.
The operation (which took place over a two-year period) went undetected by the port authorities and shipping companies involved. It was apparently uncovered following the recent arrests of members of the “Silk Road” website, who sold drugs on the DarkNet in the U.S. The investigation was carried out by a team from Europol that, in a related series of raids, managed to confiscate containers holding cocaine and heroin worth hundreds of millions of dollars.
The breach of the port and shipping companies’ computer systems began with a spear-phishing attack, i.e. sending innocent-looking emails with malicious contents to employees of transportation companies working in the port of Antwerp. When the ring members saw that this channel had become blocked by enhanced IT security, they physically broke into the companies’ offices and installed KVM (keyboard, video and mouse) switches to enable remote access to the computer systems. The KVM switches were assembled and prepared in a professional manner and included miniature PCs concealed inside electrical power strips, external hard drives, as well as keyloggers disguised as USB keyboard port converters. Although some of this equipment was designed simply to steal login credentials, the hackers appear to have used wireless cards to study and possibly control the logistics systems in real time. The group then sent its drivers to the port and provided them with all the necessary certificates and release codes to retrieve the containers.
It’s getting kind of hard to ignore all the buzz surrounding bitcoins these days. The cryptocurrency, which allows users to convene peer-to-peer (P2P) monetary transactions with a significant degree of anonymity, has exploded in value, currently hovering around $900 per bitcoin, leading many to speculate about the long-term viability and implications of cryptocurrencies in general. However, lost amid the debate is serious discussion over the next logical step in the evolution of encrypted P2P currencies: the eventual weaponization of the cyber-coin.
Bitcoin itself has already become a favorite among cyber-criminals. Whether laundering money, selling drugs (remember Silk Road?) or procuring the services of a hit man, the ability to anonymously carry out monetary transactions over the Internet has made online crime both easy and relatively risk free. This, and the fact that at least 2,600 stores accept bitcoins worldwide (as do the Sacramento Kings basketball team) according to Robert J. Samuelson of the Washington Post, has led to the massive inflation in Bitcoin’s value, and has attracted investors looking for an easy payday.
Like any good idea, Bitcoin has also attracted numerous imitations, resulting in cryptocurrencies ranging from the very serious to the bizarre. For example, Litecoin is a cryptocurrency almost identical to Bitcoin that purports to incorporate three main improvements over the Bitcoin software. In contrast, Dogecoin plays off the popularity of the “Doge” meme, which was rated 2013’s meme of the year, while the Coinye cryptocurrency uses the likeness of rapper and pop-culture icon Kanye West to market its brand (West’s lawyers are still attempting to shut the coin down). According to Charlotte Lytton of the Daily Beast, there are at least 71 types of cryptocurrencies out there, some of which are suspiciously reminiscent of the old Wall Street pump-and-dump scheme.
Enter Allahcoin. This P2P Islamic currency offers similar software to Bitcoin, but with a couple of modifications. One new feature is that for every Allahcoin mined, 10% will be donated to the Muslim Brotherhood foundation. This coin not only offers a brand new cryptocurrency, but an easy and anonymous way for users to donate to their favorite Islamist organization!
The Muslim Brotherhood does not fit the traditional definition of a terrorist organization. However, it may not be long before jihadist groups with ties to the Brotherhood, or similar-minded groups, catch on to the advantages of the nascent cryptocurrency technology. Although, as for criminals, fundraising and money laundering are the most obvious benefits for such groups, it is possible that terrorists could one day weaponize their own cryptocurrency.
How would a weaponized cryptocurrency work? It is hard to say exactly, but current abuses of alternative cryptocurrencies may hint at an answer. For instance, some currencies are designed to look suspiciously like pump-and-dump schemes. An attacker could distribute a virus-laced currency in an identical fashion during the investment scheme’s pump phase. After sufficiently spreading the currency, the attacker could activate a trigger, spreading a virus through users’ virtual wallets. Depending on the type of attack, the virus could expose users’ identities, neutralize their virtual wallets, drain their accounts, or steal information from their networks. In a worst-case scenario, terrorists may target tech contractors and infect their computers and online accounts via the currency, thus increasing the possibility of the virus spreading to their clients’ networks (similar to how the Stuxnet virus may have been carried into an Iranian nuclear facility, according to Ralph Langner writing in Foreign Policy).
Just as P2P file sharing through software such as LimeWire and eMule eventually became a natural habitat for the spread of viruses, it is likely that cryptocurrencies will one day be weaponized. The question is not if, but when the first attacks will occur, who will be behind them, and how much damage they will cause.