Latin America Battles Human Rights Online

Following centuries of struggle, Latin American countries succeeded in gaining independence in the course of the 19th and 20th centuries. Notwithstanding, it is a well-known fact that today there is no equal financial distribution between the different classes in Latin American society.

In an attempt to overcome these significant class differences and protect the lower classes in Latin American countries, many human rights groups were created. However, this post refers to very different groups that are fighting for their rights in a more modern way – from behind a computer screen.

Most of these groups have a very similar agenda and they know that the best way to succeed lies in garnering the assistance of hacktivists from all over the continent and even further afield.

Via the computer, they are calling out to the people to protest against government laws and restrictions. Take, for example, the case of #4octrodealadictadurawhere Anonymous exposes police brutality and violence against unarmed protesters.

Violent Clashes
Police arrests protestors
Protestors document the violence
Protestors document the violence

Their main activity is hacking and defacing important websites. Sometimes they even leak information from databases. Their targets are mostly webpages affiliated with the government, politicians and candidates, and large enterprises such as railroad companies, newspapers and local authorities.

Almost all of the groups identify with Anonymous. One of the more prominent of these groups is Anonymous Peru, which claims to be striving for a country with no corruption, and calls to protect the human and civil rights of the citizens of Peru. The group created #OpIndependenciaPeru  and claims to have attacked government websites on Peruvian Independence day on July 28, 2014. During this operation, they alleged that they leaked candidate information, defaced ISP in Argentina and hacked a Peruvian government website.

Anonymous Peru Twitter

Another notable group is MexicanH Team from Mexico. The group identifies with Anonymous Mexico and is very popular (with over 21,000 followers on Twitter). The group launched #OpTequilatargeting Mexico’s Independence Day on September 15, 2014. During the campaign, the group hacked the website of the presidency (using an XSS vulnerability). They also leaked government email addresses, usernames and passwords.

XSS vulnerability in the president website
Database leakage

The latest hacktivist group to capture attention is TeamHackArgentino. The goals of this group are to show that the government’s politics are as bad as the security of their websites, and to demonstrate the fact that they posted an archive of their attacks on two different websites.

TeamHackArgentino Twitter
TeamHackArgentino Twitter

In conclusion, all of these groups help each other to fight against their governments, in an effort to rouse them and make them aware of the unjust acts being perpetrated against the people of Latin America, especially the poor.

WhatsHack: WhatsApp in Cyberspace

WhatsApp Messenger is an instant messaging subscription service. In addition to text messaging, users can send each other images, video and audio media messages, as well as location data. As of September 2014, WhatsApp is the most popular global messaging app, with 600 million users. Aside from regular users, more underground communities like to use this application. WhatsApp activity is more complicated to monitor by a third party than regular phone messages and some online services. WhatsApp has proven to be a fast, reliable and inexpensive service for sharing various kinds of information.

The cyber underground is also seeking new platforms for chatting and sharing information. Lately, we have identified an increasing number of hacker-affiliated groups using WhatsApp services. These groups offer members chat services, hacking tips, cyberattack coordination and more. Members from numerous countries, including Bangladesh, Pakistan, Indonesia and others, expose their phone numbers to connect to such groups.

Facebook hacktivist post
Facebook hacktivist post

There are several manuals describing how to access other WhatsApp accounts. One post shared two different methodologies to do just that: spoofing with the help of Mac number, and using spy software. This post received over 738,000 views over a two-week period.

WhatsApp hacking guide
WhatsApp hacking guide

In addition to spy methodology, you can find various tools, such as WhatsApp Hack Spy Tool, WhatsAppSniffer, WhatsApp Xtract, WhatsApp Conversation SPY Hack Tool and more. You can also use third party spyware. These tools can be used for Android, iPhone and BlackBerry devices. Tools provide such features as tracking all voice notes, viewing all user chat logs, updating profile pictures, sending messages to contacts, changing profile status and more, depending on the tool.

WhatsApp hacking tools
WhatsApp hacking tools

The dissemination of such tools is becoming common also on social networks, such as Facebook, Twitter and LinkedIn. A Facebook page titled “WhatsApp Hack Spy Tool” has 390 members, mostly from India, Italy, France and the U.S. This page also has a related Twitter account with more than 3,500 followers. Another Facebook page titled “WhatsApp Hack Sniffer Spy Tool” has over 13,500 members, mostly from Turkey and India. Furthermore, advertisement for the tool can also be found on LinkedIn.

LinkedIn advertisement for the tool
LinkedIn advertisement for the tool

In addition to the free tools, you can purchase more unique software, such as a tool for hacking WhatsApp, only ten copies of which were released for sale on the DarkNet for 0.0305 BTC.

The tool is sold on the DarkNet
The tool is sold on the DarkNet

The use of WhatsApp by hacktivist communities, together with the development of hacking tools and methodologies, has opened up a new platform for the cyber community. These two directions provide a fast, inexpensive and more secure way for hacktivists to interact, coordinate operations, and exchange information and mobile hacking techniques and data vulnerabilities.

#OpSaveGaza Campaign – Insights from the Recent Anti-Israel Cyber Operation

The #OpSaveGaza Campaign was officially launched on July 11, 2014, as a counter-reaction to operation “Protective Edge”. This is the third military operation against Hamas since the end of December 2008, when Israel waged operation “Cast Lead”, followed by operation “Pillar of Defense” in November 2012.

These military operations were accompanied by cyber campaigns emanating from pro-Palestinian hacker groups around the world. #OpSaveGaza was not the only recent cyber campaign against Israel, but it is the most organized, diverse and focused. During this campaign, hacker groups from Malaysia and Indonesia in the East to Tunisia and Morocco in the West have been participating in cyber attacks against Israel.

The Use of Social Networks

Hacktivist groups recruit large masses for their operations by means of social networks. Muslim hacker groups use mostly Facebook and Twitter to upload target lists, incite others to take part in cyberattacks and share attack tools.

The #OpSaveGaza campaign was planned and organized using these two social media platforms. The organizers of the campaign succeeded in recruiting tens of thousands of supporters to their anti-Israel ideology.

OpSaveGaza - Facebook Event

Attack Vectors

When examining the types of attacks perpetrated against Israeli cyber space, it appears that this campaign has been the most diverse in terms of attack vectors. It not only includes simple DDoS, defacement and data leakage attacks, but also phishing (even spear-phishing based on leaked databases), SMS spoofing and satellite hijacking (part of the Hamas psychological warfare), in addition to high-volume/high-frequency DDoS attacks.

Hackers targeting Israeli ISPs
Hackers targeting Israeli ISPs

Furthermore, these attacks have been much more focused as the attackers attempt to deface and knock offline governmental websites, defense contractors, banks and energy companies. Simultaneously, a large number of small and private websites were defaced (over 2,500) and several databases were leaked online.

Pro-Palestinian hackers defacing Israeli websites
Pro-Palestinian hackers defacing Israeli websites

Motivation and the Involvement of other Threat Actors

The motivation for waging cyberattacks against Israel during a military operation is clear. This is not the first time that a physical conflict has had implications on the cyber sphere. However, we believe that other factors are contributing to the cyber campaign. In July 2014, the Muslim world observed the month of Ramadan, a holy month in Muslim tradition. There are two significant dates in this month – “Laylat al-Qadr” (the Night of Destiny), the night the first verses of the Quran were revealed to the Prophet Muhammad; and “Quds Day” (Jerusalem Day), an annual event held on the last Friday of Ramadan and mentioned specifically by Iran and Hezbollah. We identified an increase in the number of attacks, as well as their quality, surrounding these dates.

Last year, several days before “Quds Day” a hacker group named Qods Freedom, suspected to be Iranian, launched a massive cyber operation against Israeli websites. In other words, we believe that not only hacktivist elements participated in this campaign but also cyber terrorism units and perhaps even state-sponsored groups from the Middle East.

The Islamic Cyber Resistance (ICR) leaking an internal database
The Islamic Cyber Resistance (ICR) leaking an internal database

To summarize, this campaign was far better organized than the recent cyber operations we experienced in 2009 and 2012 alongside physical conflicts with Hamas. We have seen changes in several aspects:

  • Improvement in attack tools and technical capabilities
  • Information-sharing between the groups (targets, attack tools, tutorials)
  • The involvement of hacker groups from Indonesia in the East and Morocco in the West.
  • Possible involvement of cyber terrorism groups
  • Well-managed psychological warfare and media campaign by the participating groups

The scope and manner in which this campaign was conducted shows improved capabilities of the perpetrators, which is in-line with Assaf Keren’s assessment of the evolution of hacktivist capabilities.

#OpSaveGaza – Interim Summary

Written by Yotam Gutman

When the cannons roar, the muses stay silent (but the hacktivists hack).

As we reported last week, operation “Protective Edge” instigated a flurry of activity by Muslim hacktivists, targeting Israel. In the following post we will review the activities which took place so far and try to characterize them.

Attacker Types

Attackers can by divided into three types: individuals, hacktivist groups and cyber terror organizations. Individuals usually join larger campaigns by hacktivists groups and show their support on social media sites.

Hacktivist groups taking a stance make extensive use of Facebook as a “command and control” platform. The largest “event” dubbed #OpSaveGaza was created by Moxer Cyber Team, a relatively new group who probably originated from Indonesia whose event page has 19,000 followers.

Moxer Cyber Team event page
Moxer Cyber Team event page

The event included many lesser known Islamic groups, mainly from Indonesia, who did not participate in previous campaigns against Israel. Another event page by the Tunisian AnonGhost announced that the attack will include 38 groups from around the Muslim world. The campaign is planned to continue until the 14th of July.

Cyber terror organization in the form of the SEA (Syrian Electronic Army and ICR (Islamic Cyber Resistance) have not officially declared their participation in the campaign but have waged several high profile attacks, such as hacking into the IDF spokesman blog and Twitter account (SEA) and leaking a large database of job seekers (ICR).

Attacker Tools

The participants in this campaign use similar tools as previous campaigns – Generic DDoS tools, SQLi tools, shells and IP anonymization tools.

Results (Interim Summary)

#OpSaveGaza campaign included to date mainly defacement attacks (about 500 sites have been defaced), DDoS attacks of minor scale and some data dumps. Two interesting trend we’re seeing are recycling older data dumps and claiming it to be a new one, and posting publicly available information which was allegedly breached.

Summary

We estimate that these activities will continue until the hostilities on the ground subside, with perhaps more substantial denial of service or data leak attempts.

#OpSriLanka

Over the last few days, several Muslim hacker groups have hacked government and financial websites in Sri Lanka in protest against the government’s attitude toward the violent clashes between Buddhists and Muslims.

As you can see in the graph below, there were hundreds of tweets over the weekend with the related hashtag #OpSriLanka.

Twitter Activity about #OpSriLanka
Twitter Activity about #OpSriLanka

For example, one Twitter account named Global Revolution called for the hacking of the Sri Lanka central bank website.

a Tweet about hacking SriLanka central bank
a Tweet about hacking SriLanka central bank

There is also a group page on Facebook named #OpSriLanka with 1,590 members. The main targets of the group are Sri Lankan government websites and official websites of the Buddhist population in Sri Lanka. The attack tools are mostly DDoS tools for computers and Android phones.

From the Facebook Group Page
From the Facebook Group Page

List of targets:

Tools:

Mirror of a defaced website:

Additionally, on June 22, 2014, a group of hackers nicknamed Izzah Hackers leaked Sri Lankan government emails and passwords via Pastebin.

Leaked Sri Lankan emails and password
Leaked Sri Lankan emails and passwords

Sri Lanka is not alone. Muslim hacker groups are responsible for previous cyber-attacks against Myanmar (Burma) and the Central African Republic (CAR), protesting the killing of Muslims on religious grounds.

 

Recycled Fuel? OpPetrol Campaign Rerun This June

Hacktivist collective Anonymous announced a cyber campaign called #OpPetrol, planned to be executed on June 20th, 2014. This is a re-run of a similar campaign with an identical name which was launched at the same exact date last year, aimed at the international oil and gas industry at various geographies. The most prominent group seems to be AnonGhost that recently defaced hundreds of websites and leaked a large amount of credit cards details.

Image

The campaign is likely to include a mix of DDoS, defacement and data dumps. The countries that are targeted are:

  • US
  • Canada
  • England
  • Israel
  • China
  • Italy
  • France
  • Russia
  • Germany

In addition, specific Oil and Gas companies in various locations, from the Gulf to Norway are on the target list. Last year’s campaign did not cause any substantial damage and we assume this re-run will achieve similar results.

Where Does All the Data Go?

Written by Gal Landesman

We have recently learned of numerous data breaches targeting the healthcare industry that have exposed electronic personal healthcare information (ePHI). Just this month, a Chicago doctor’s email account, holding information on 1,200 patients, was accessed; a stolen laptop and flash drive jeopardized 2,500 patients’ data in Michigan; the investigation of the California Sutherland Healthcare Services data breach revealed that data pertaining to 338,700 individuals has been compromised; and La Palma Inter-community Hospital announced an old case of data breach involving one of their employees who accessed personal information without permission.

We are hearing about such incidents on an almost daily basis. Symantec even named 2013 the year of “Mega Breach”, with more than 552 million identities exposed this year. According to Symantec, the healthcare sector suffered the largest number of disclosed data breaches in 2013. They blame it on the large amount of personal information that healthcare organizations store and the high regulation standards requiring them to disclose data breaches. Still, the healthcare industry is one of the most impacted by data breaches this year.

Targeted data includes health insurance information, personal details and social security numbers. What could really happen if a patient’s personal data falls into the wrong hands?

Such breaches can cost their victims dearly – putting their health coverage at risk, causing legal problems or leading to inaccurate medical records. Attackers could make fraudulent insurance claims, obtain free medical treatment or addictive prescription drugs for personal use or resale.

Cyber criminals are definitely eyeing medical records. These records can fetch about $60 apiece on the black market, according to Norse-Sans that published a detailed report on the issue this February, claiming that such records are even more valuable than credit card information because they present criminals with greater opportunities for exploitation, such as insurance and prescription fraud. Norse-Sans identified a large volume of malicious traffic in their analysis of healthcare organization traffic.

Another example of interest was published by the Wall Street Journal, days before the Norse-Sans report, featuring valuable network information of healthcare facilities that was dumped on 4shared.com (a file-sharing site), including firewall brand, networking switch, Internet addresses of wireless access points, blueprints of the facilities, locations of PCs and printers and encryption keys, usernames and passwords that could be used for network access.

Here at SenseCy, we successfully traced the usage of breached medical information on Underground forums and the DarkNet. The following are some examples of prescription drugs for sale on the Underground:

Someone is offering Clonazepam (Klonopin), which affects chemicals in the brain, for sale:

Clonazepam

Another vendor offers different drugs, including ADDERALL-IR, a psychostimulant pharmaceutical drug, and Percocet, a narcotic pain reliever (containing opioid):

ADDERALL-IR

Information for sale:

Info_for_Sale

Info_for_Sale_2

Original prescriptions for sale:

Prescriptions

Prescriptions_2

 

 

#OpIsrael Birthday Campaign – Summary

Written by Hila Marudi, Yotam Gutman and Gilad Zahavi

The #OpIsrael Birthday campaign took place as scheduled on April 7 and involved thousands of participants from all over the Muslim world, from Indonesia in the East to Morocco in the West.

#OpIsrael Birthday logo
#OpIsrael Birthday logo

It seems that the bulk of the activity focused on leaking data obtained from various breached databases. Some of the data published was simply a recycling of older data dumps, but some was new and included email addresses, passwords and personal details.

Hundreds of government email addresses were leaked and posted on Pastebin. In addition, private password-protected website databases were also leaked. The Islamic Cyber Resistance Group (ICRG), affiliated with Hezbollah and Iran, leaked hundreds of Bar-Ilan University email addresses and defaced a sub-domain of the University’s website.

Data leaked from Bar-Ilan University
Data leaked from Bar-Ilan University

Summary of the groups participating in the campaign:

Group name Group Details Activity
AnonGhost Tunisian, the campaign instigator Defaced hundreds of sites, developed and distributed an attack tool named “AnonGhost DDoSer”, leaked email addresses
AnonSec Pro-Palestinian Muslim group Leaked government email addresses, defaced websites and launched DDoS attacks
Fallaga Tunisian Built web-based attack tools and shells, launched DDoS attacks against government sites
Security_511 Saudi group Launched DDoS attacks against government sites and leaked government email addresses
Izzah Hackers Pro-Palestinian Muslim group Launched DDoS attacks against websites and leaked email addresses
Hacker Anonymous Military Pro-Palestinian Muslim group Launched DDoS attacks against government sites, leaked government email addresses and defaced websites
Moroccan Agent Secret Moroccan Group Defaced websites and leaked email addresses

According to the campaign’s official website, approximately 500 Israeli websites were defaced by AnonGhost, most of which were SMBs and private websites.

Conclusion

According to our analysis, we have not witnessed a dramatic change since the previous OpIsrael campaign that took place on April 7, 2013. We can think of at least two reasons for that:

  • The level of awareness and readiness in large organizations (but also in small ones) has improved and is improving each day.
  • During this campaign we have not seen attacks waged by nation-state actors such as the Syrian Electronic Army, the Izz ad-Din al-Qassam Cyber Fighters and others.

It appears that the attackers focused on attacking government sites and leaking databases. In addition, the number of authentic dumps containing email addresses, passwords and personal details was much bigger than the last campaign.

However, under the surface we have been noticing in recent weeks an emerging and concerning trend. We know that hacktivist groups and terrorist organizations try to develop their own capabilities. Those groups are also share information between themselves (guide books, scripts, tutorials). Lately we even have identified exchange of capabilities between Russian cyber criminals and anti-Israeli hackers and hacktivists.

The next phase, and we are not there yet, might be the purchase of advanced cyber weapons by terrorist organizations. It can be only a matter of time until terrorist groups (al-Qaeda for example) use sophisticated tools to attack critical infrastructure systems. If this happens, the results of the next OpIsrael campaign would be completely different.

OpIsrael – Happy Birthday! My, You’ve Grown Big…

AnonGhost announced a cyber-attack against Israel on April 7, 2014, one year after the last #OpIsrael campaign. To date, more than 6,000 Facebook users have joined different anti-Israel Facebook event pages, and many groups, such as Fallaga, AnonSec, Gaza Hacker Team, Indonesian Cyber Army, and more have declared their support. As you can see, the participants come from all over the world, but mainly North Africa, the Middle East and Southeast Asia. The rest usually use American proxy servers. According to our analysis, most participants are between the ages of 17 and 34.

One of the Campaign Official Images
One of the Campaign Official Images

The campaign has an official dedicated website, designed by the famous hacker Mauritania Attacker from AnonGhost, as well as a new Twitter account. The official website features online notifications about hacked Israeli websites and a list of campaign participants.

The Official Website of the Campaign
The Official Website of the Campaign

The main targets are government and financial websites, alongside defense industries. Recently, however, we have noticed an increasing focus on hacking government websites in Israel.

Moreover, we have identified publications of leaked emails and passwords belonging to thousands of Israelis. Our investigation also revealed intentions to hack and spam smartphones using assorted viruses.

All in all, the scope of the upcoming cyber-campaign appears to be significant. However, we believe that mainly small and private websites will suffer from these attacks.

Gaza’s Electronic Battalion

There are many hacker groups with an anti-Israeli agenda that express their empathy with Gaza, for example the Gaza Hacker Team, Anonymous Gaza or the Electronic Battalion of Gaza (Katibat Gaza el-Electroniyya, or KGE).

On September 28, 2013, the anniversary of the “al-Aqsa Intifada”, the KGE launched the “al-Aqsa Electronic Intifada” on their Facebook page. They uploaded an official video to YouTube inviting hackers from all over the world to attack Israel, proposing official and financial websites as targets. Many hackers showed their support via social networks and several news websites reported on the upcoming attack. They did not manage to hack any important target, although the group uploaded images from an Israeli database, claiming that they belonged to Israeli soldiers.

KGE invites hackers to join al-Aqsa electronic Intifada
KGE invites hackers to join al-Aqsa electronic Intifada

The KGE has different platforms, such as a Facebook page, YouTube channel, Pastebin account, Google+ and a website (currently offline). According to their Facebook group page, they have over 600 members and supporters. One of them is Nasser Isam (nicknamed Neso), a hacker from Gaza who administers one of the group’s pages on Facebook.

Neso Isam's Facebook page
Neso Isam’s Facebook page

We found an image on Facebook of a tool called “KGE Doser”. This may indicate that the group has the ability to develop hacking tools. The group has not mentioned new targets recently, although they have promised to wage cyber attacks in the near future. Who knows when we will hear from them again?