On October 12, 2016, Anonymous Italia launched a cyber offensive against the Polizia Penitenziaria (the Italian penitentiary police) to protest against the “unjust” acquittal of all those involved in the trial of Stefano Cucchi’s, a young Italian citizen who died in 2009 under still unclear circumstances a week after being remanded in custody by the Italian police for alleged drug dealing. Continue reading “Anonymous Italia Robs the Police (Again)”
The Mirai IoT Botnet has made a lot of headlines in recent weeks. While the botnet itself was analyzed and discussed by a number of security researchers and companies, none addressed the threat actor behind the recent attacks and the leak of Mirai source code. Such an analysis can provide useful insights into Continue reading “Anna-senpai – Analysis of the Threat Actor behind the Leak of Mirai”
Hacktivists are threatening to launch #OpClosedMedia, a month-long cyber campaign against websites and platforms of “mainstream media,” on September 22, 2016, for failing to inform the public about the real news.
The campaign’s official target list includes the websites of the BBC, The Daily Mail, The Independent, Reuters, Channel One (Russia) and others.
Thus far, participants have claimed responsibility for hacking several websites related to the media sector from around the world, but they also claimed to have hacked other websites with a loose connection to this sector.
This is not the first time that the media sector has been targeted by hacktivists. In June 2016, the Ghost Squad Hackers group launched the #OpSilence campaign against prominent news agencies, such as Fox News and CNN, protesting against what they called the “silence and lies” regarding the Palestinian situation. However, it seems that the Ghost Squad Hackers are not involved in this campaign.
In conclusion, popular news platforms and the media sector in general are targeted by hacktivists who wish to shut them down. Only time will tell if they will succeed or not.
The #OpSafePharma is a hacktivist campaign targeting the Italian healthcare and pharma industries, protesting their treatment of ADHD. Hacktivists affiliated with Anonymous Italia perform DDoS attacks and leak information stolen from databases of websites related to the abovementioned sectors. The campaign, which started in March 2016, was relaunched at the beginning of June following a decrease in the number of attacks against Italian targets in the past month.
On August 21, 2016, Anonymous Italia and its affiliated hacktivist collective AntiSec-Italia, relaunched the campaign, this time dubbed #OperationSafePharma, targeting four different healthcare-related Italian institutions with website defacement attacks and substantial data leakages. The outcomes of the operation, namely the screenshots of the defaced websites and the addresses of the downloadable data leakages, uploaded on dedicated file sharing platforms, were announced on the social media outlets of AntiSec-Italia, specifically on their Facebook page and Twitter account.
The Data Leakage
The hacktivists leaked approximately 2.5 GB of data, stolen from the databases of two prominent Italian healthcare institutions, and provided links to file-sharing platforms where they uploaded the dumps.
We acquired the leaked databases and, upon verification, we assess that they mostly contain internal communications, as well as a great volume of personal data relating to the in-house personnel of the two healthcare institutions, mainly CVs of the physicians and administrative executives working in the facilities. We did not find any indications that medical records of patients treated in these healthcare facilities were disclosed or compromised during the data leakage. Notably, the most recent documents we detected within the stolen files are dated August 5, 2016.
The group defaced four distinct websites, explaining in a public statement – recycled from previous operations – the rationale underpinning the protest.
Our assessment is that this latest iteration of #OperationSafePharma originates more from a one-time opportunity window that the hacktivist group AntiSec-Italia spotted in vulnerable websites associated with Italian medical centers and hospitals, than a concerted effort by multiple Anonymous-affiliated collectives to launch a massive hacktivist campaign against the Italian healthcare sector as a whole. We base this assumption on the analysis conducted using our automated SMA (Social Media Analytics) toolset, which indicated a spike in the activity of the attackers.
Nonetheless, the achievements of the operation, in particular the exfiltration of sensitive databases belonging to prominent Italian healthcare institutions, display noteworthy technical capabilities by the initiators of the offensive.
As yet, we have not identified any preparations for future hacktivist campaigns against the Italian healthcare or financial sector, nonetheless we continue to monitor Italian hacktivist threat actors on a daily basis.
We have been closely monitoring Cerber ransomware since it first emerged on a Russian password-protected forum, offered as-a-service for members only.
At present, Cerber ransomware constitutes a sophisticated malware threat to organizations. (it was responsible for more than 25% of the total number of ransomware infections recorded worldwide in June 2016, according to Microsoft). Files encrypted by Cerber are currently non-decryptable.
On August 23, 2016, a member of the same closed forum where Cerber ransomware is traded posted a detailed analysis of the loader that the malware uses to install itself. According to his post, he did this after hearing that the loader is very useful and capable of installing any malware without detection. His conclusion was that the loader does not employ any extraordinary methods to install the ransomware, but its tremendous advantage of being fully undetectable by AV programs is due to the usage of several rare code functions that are difficult to emulate.
First, he posted the full obfuscated code of the loader, explaining parts of it:
- Another part of the code creates a Desktop shortcut, probably also as an anti-emulator measure (the post writer comments that in his opinion AV would quickly detect it).
- The next part of the code is obfuscated – a HEX code which is divided and deobfuscated using XOR.After deobfuscation, we can see that the code contains anti-emulation.
- Then a random string is created and a path from %TEMP% environment obtained for it.
- The next stage involves downloading the malicious file from an URL address and saving it in the system.
- A parameter is added to the header to block AV bots and researchers: setRequestHeader(‘cerber’,’true’)
- If the malicious payload was downloaded properly, it is executed.
- Finally, the Eval alternative is launched.
Summarizing the analysis, the post author concludes that the advantages of the loader are a good implementation of the payload download and execution and errors control. The disadvantages he mentions are weak implementation of obfuscation and anti-emulation, and low level of usability functionality. He also attached an AV scanner report from August 23, showing a detection rate of 15/40.
Several days later, on August 27, 2016, the same forum member posted that he had analyzed the latest version of the loader and was surprised by the fact it is totally undetectable by AV programs. Moreover, this version is capable of installing payloads from several alternative URL addresses and it uses improved debugging. This version does not use anti-emulation at all, but employs a unique method that totally blocks the AV syntax emulation.
Below is a description of the main techniques used by the loader to remain undetected:
- Replacement of the Eval function (even though it is a simple technique, it is used extensively by JS packers and therefore cannot be detected by AV as malicious).
- The part of the code that avoids emulation is an array that contains random data, with the first element being the important one. The functions Math.floor and Math.random always output only the first element in the array and AV cannot properly emulate them. Full undetectability is achieved by using these two functions.
The emulator will always output one single value and will never reach the part of the array when the right value is located. As a result, the emulator cannot perform the calculations, a critical error occurs and the AV programs are unable to identify the loader as a malicious file.
The post author attached an AV scanner report showing a 0/35 detection rate (as of August 27, 2016).
The healthcare sector has recently become a desirable target for cyber crooks. According to Symantec ISTR report statistics, healthcare was the most breached sub-sector in 2015, comprising almost 40% of all the attacks. Hospital security systems are generally less secure than those of financial organizations, as monetary theft has always been perceived as the greatest threat for organizations, and dangers to other sectors were usually underestimated. Moreover, awareness of cyber-attacks against hospitals and medical centers is much lower than it is to financial cybercrime, and as a result, the employees are less well-trained on how to avoid falling victim to a cyber-attack.
Only lately, this concept has started to be challenged, revealing the potential damage that can be caused by the theft and leakage of patient data. However, the ‘bad guys’ remain one step ahead and during the last few months, we have witnessed a spate of attacks targeting the healthcare industry: ransomware attacks encrypting essential data and demanding payment of a ransom, numerous data leakages revealing confidential patient data, unauthorized access to medical networks and even the hacking of medical devices, such as pumps and X-ray equipment.
Moreover, the healthcare sector is being targeted by hackers not only directly, but also via third-party companies in the supply chain, such as equipment and drug suppliers. These companies usually store some confidential data that originates in the hospitals’ databases and may even have access to the hospital IT systems, but they are far less secure than the hospitals themselves. Thus, they serve as a preferable infiltration point for malicious actors pursuing the theft of medical data and attempting to infiltrate the hospitals’ networks.
The consequences of attacks on the healthcare industry may be extensive, including the impairment of the medical center functioning, which may result in danger to human lives in the worst case scenario. In other cases, personal data will be stolen and sold on underground markets. Cybercriminals will take advantages of these personal details for identity theft or for future cyber-attacks combining social engineering based on the stolen details.
While monitoring closed Deep-Web and Darknet sources, SenseCy analysts recently noticed a growing interest toward the healthcare sector among cyber criminals. Databases of medical institutions are traded on illicit marketplaces and closed forums, along with access to their servers. In the last few months alone, we came across several occurrences indicating extensive trade of medical records and access to servers where this data is stored.
The first case, in May 2016, was the sale of RDP access for a large clinic group with several branches in the central U.S., which was offered for sale on a Darknet closed forum. For a payment of $50,000 Bitcoins, the buyer would receive access to the compromised workstation, with access to 3 GB of data stored on four hard disks. Additionally, the workstation allows access to an aggregate electronical system (EHR) for managing medical records, where data regarding patients, suppliers, payments and more can be exploited.
Although the seller did not mention the origin of the credentials he was selling, he claimed that local administrator privileges could be received on the compromised system. He also specified that 45 users from the medical personnel were logged into the system from the workstation he hacked.
The relatively high price for this offer indicates the high demand for medical information. With RDP access, the potential attackers can perform any action on the compromised workstation: install malware, encrypt the files or erase them, infect other machines in the network and access any data stored in the network. The consequences can be tremendous.
Just a few weeks later, in June 2016, our analysts detected another cyber-accident related to healthcare. This time, three databases allegedly stolen via an RDP access to a medical organization were offered for sale for more than $500,000 on a dedicated Darknet marketplace. In one of his posts, the seller claimed that one of the databases belongs to a large American health insurer.
Before long, we again discovered evidence of hacking into a medical-related organization, this time by Russian-speaking hackers. On one of the forums we monitor, a member tried to sell an SSH access to the server of an American company supplying equipment to 130 medical center in the U.S. He uploaded screenshots proving that he accessed the server where personal data of patients is stored.
The conclusions following these findings are concerning. An extensive trade in medical information and compromised workstations and servers is a common sight on underground illegal markets. This business generates hundreds of thousands, if not millions of dollars annually, ensuring its continuation as long as there are such high profits to those involved. Since the ramifications can be grave, the healthcare sector must take all necessary measures to protect their systems and data:
- Implement a strong password policy, because many hacks are a result of brute-force attack. Strong passwords and two-factor authentications to log into organizational systems should be the number one rule for medical organizations.
- Deploy suitable security systems.
- Instruct the employees to follow cyber security rules – choosing strong and unique passwords, spotting phishing email messages, avoiding clicking on links and downloading files from unknown sources, etc. Consider periodic training for employees on these issues to maintain high awareness and compliance with the rules.
- Use Cyber Threat Intelligence (CTI) – to keep up with the times regarding the current most prominent threats to your organization and industry.
- Keep all software updated.
During May 2016, we witnessed the second phase of the #OpIcarus cyber campaign against banks around the world, launched by the Anonymous collective in February 2016. The participants carried out DDoS attacks against bank websites in various countries on a daily basis. Several cyber-attacks succeeded in shutting down the websites of central banks in Greece, Cyprus and other countries.
The initiators created two Facebook event pages and opened an IRC channel to coordinate their cyber-attacks. Approximately 2,000 participants joined the #OpIcarus event pages, but many more hacktivists expressed their support of this campaign via their social media accounts. With regard to the dedicated IRC channel, it appears not to have been as active as the campaign platforms in Facebook and Twitter.
Attacks and Tools
According to news reports, #OpIcarus participants shut down bank websites around the world on a daily basis. We cannot confirm that all of the mentioned banks websites were actually offline, due to the participant DDoS attacks, but we wish to point out several incidents that caught our attention.
A member of the Ghost Squad Hackers group dubbed s1ege took responsibly for shutting down the email server of the Bank of England. The bank did respond to this attack, but according to news reports, the bank’s mail server was offline on May 13, 2016.
In addition, according to a single news report shared on various Facebook accounts, Chase Bank ATMs stopped working on May 14, 2016, as a result of the Anonymous collective cyber activity. The Twitter account of Chase Bank’s technical support tweeted that their ATMs did not accept any deposits on this day, but they did not mention what had caused the problem. Meanwhile, the Ghost Squad Hackers group tweeted that the incident was part of the #OpIcarus campaign.
Additionally, s1ege claimed on May 18, 2016, that they had shut down a website related to the NYSE. The NYSE Twitter account tweeted that they had experienced a technical issue in one of their trading units. They did not mention what had caused the problem. Therefore, it is unclear if there is any connection to the Ghost Squad Hackers group, aside from the latter’s claim of responsibility.
With regard to the attack tools, the participants used a variety of DDoS, some of which were simple online tools with no sophisticated DDoS abilities. However, there were indications that they used DDoS-as-a-Service (DaaS) platforms, such as Booters/Stressers that require payment and registration. In addition, the New World Hackers (NWH) team that took responsibility for shutting down the HSBC Bank website on January 29, 2016, supported the #OpIcarus campaign.
This campaign gained high popularity among hacktivists from all over the world who were motivated to DDoS bank websites protesting corruption and other issues. It is possible that the initiators will decide to engage an additional phase of this campaign, since one of them claimed in an interview that “Operation Icarus will continue as long as there are corrupt and greedy banks out there.”
Terrogence, SenseCy and Sixgill have formed a strategic partnership to deliver next generation integrated big data analytics and cyber threat intelligence for Japanese clients. The new venture allows organizations to create their own personal collection lists and real-time threat alerts enhanced with actionable intelligence. We look forward to working together to produce high quality intelligence for our customers.
The full press release can be viewed here.
This year, #OpIsrael hacktivists focused on defacing private websites, carrying out DDoS attacks and leaking databases. Hundreds of private Israeli websites were defaced, mostly by Fallaga and AnonGhost members. Various databases containing Israeli email addresses and credit cards were leaked, but the majority were recycled from previous campaigns.
The hacktivists attacks commenced on April 5, 2016, two days before the campaign was launched, with a massive DDoS attack against an Israeli company that provides cloud services. The fact that no one took responsibility for the attack, alongside the massive DDoS power invested, may indicate that threat actors with advanced technical abilities were responsible.
On April 7, 2016, approximately 2,650 Facebook users expressed their desire to participate in the campaign via anti-Israel Facebook event pages. There are several possible reasons for the low number of participants (compared for example to the 5,200 participants in #OpIsrael 2015). One reason might be disappointment in last year’s lack of significant achievements. Another reason could be the devotion of attention to other topics, such as the cyber campaign against the Islamic State (IS), in the wake of the recent terrorist attacks in Brussels. Moreover, it is possible that anti-Israel hacktivists have abandoned social media networks for other platforms, such as IRC and Telegram.
During the campaign, we detected many indications of the use of common DDoS tools, such as HOIC, and simple DDoS web platforms that do not require any prior technical knowledge in order to operate them. Most of the DDoS attacks were directed against Israeli government and financial websites. Hacktivists claimed they managed to take down two Israeli bank websites. While this could be true, the websites were up and operational again within a short time. In addition, there were no indications of the use of RATs or ransomware against Israeli targets.
As mentioned previously, most of the leaked databases were recycled from previous campaigns. However, we noticed that almost all of the new leaked databases were stolen from the same source – an Israeli company that develop websites. Notably, during the 2014 #OpIsrael campaign, this company website appeared on a list of hacked websites.
There was no immediate claim of responsibility for the leakage of these databases, which raises many questions, since anti-Israel hacktivists typically publish their achievements on social media networks to promote the success of the campaign. Moreover, almost all of these databases were first leaked in the Darknet, but anti-Israel hacktivists do not use this platform at all. In addition, all of the data leakages were allegedly leaked by a hacker dubbed #IndoGhost, but there are no indications to suggest that this entity was involved in the #OpIsrael campaign or any other anti-Israel activity.
Finally, we detected several attempts to organize another anti-Israel campaign for May 7, 2016. As an example, we identified a post calling to hack Israeli government websites on this date. We estimate that these attempts will not succeed in organizing another anti-Israel cyber campaign.
The prominent products traded during 2015 on Russian underground forums were Ransomware programs and exploits targeting Microsoft Office. Prices on the Russian Underground have remained unchanged during the past two years, due to the vigorous competition between sellers on these platforms. Different kinds of services, such as digital signing for malicious files, injections development for MitM attacks and Crypting malware to avoid detection were also extremely popular on Russian forums.
Check out the new Infographic from SenseCy illustrating key trends observed on Russian underground in 2015.
Please contact us to receive your complimentary 2015 SenseCy Annual Cyber Threat Intelligence Report: https://www.sensecy.com/contact