SenseCy 2015 Annual Cyber Threat Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

SenseCy’s 2015 Annual CTI Report spans the main trends and activities monitored by us in the different cyber arenas including the world of Arab hacktivism, the Russian underground, the English-speaking underground, the Darknet and the Iranian underground. In addition, we have listed the major cyber incidents that occurred in 2015, and the most prominent attacks against Israeli organizations.

The following is an excerpt from the report. To receive a copy, please send a request to: info@sensecy.com

Executive Summary

2015 was a prolific year for cyber threats, so before elaborating on our main insights from the different arenas covered here at SenseCy, we would like to first summarize three of the main trends we observed in 2015.

Firstly, when reviewing 2015, we recommend paying special attention to the evolving world of ransomware and the new applications of this type of malware, such as Ransomware-as-a-Service (RaaS) and ransomware that targets cloud services rather than local networks, among others.

Secondly, throughout 2015, we witnessed cyber-attacks against high-profile targets attributed to ISIS-affiliated hackers and groups. One such incident was the alleged attack in January 2015 against the YouTube channel and Twitter account of the U.S. Central Command (CENTCOM).

Thirdly, 2015 revealed a continuing interest in the field of critical infrastructure among hackers. Throughout the year, we witnessed multiple incidents of critical infrastructure firms allegedly targeted by hackers, prompting periodic analyses addressing the potential vulnerabilities of critical sectors such as energy, water, and more. Taking into consideration the advanced capabilities and high level of understanding of such systems required to execute such attacks, many security firms and experts are confident that these attacks are supported by nation-state actors.

Insights

The following are several of our insights regarding activities in different cyber arenas this past year:

Islamic Hacktivism

During 2015, we detected several indications of anti-Israel cybercrime activity on closed platforms frequented by Arabic-speaking hackers. It will be interesting to see if these anti-Israel hacktivists that usually call to deface Israeli websites or carry out DDoS attacks will attempt to incorporate phishing attacks, spamming methods and tools into their arsenals. Notwithstanding, Islamic hacktivism activity continues unabated, but without any significant success.

Trade on Russian Underground Forums

The most prominent products traded on Russian underground forums during 2015 were ransomware programs and exploits targeting Microsoft Office. With regard to banking Trojans, we did not notice any major developments or the appearance of new Trojans for sale. The PoS malware field has not yielded any new threats either, in contrast to the impression given by its intensive media coverage.

Mobile malware for Android devices is on the rise as well, with the majority of tools offered being Trojans, but we have also detected ransomware and loaders.

Prices on the Russian Underground have remained unchanged during the past two years, due to the vigorous competition between sellers on these platforms.

Different kinds of services, such as digital signing of malicious files, development of web injections for MitM attacks and crypting of malware to avoid detection, were also extremely popular on Russian forums.

Exploits and exploit kits on the Russian underground

The English-Language Underground

Our analysis of password-protected forums revealed that exploits were the best-selling products of 2015. This comes as no surprise, since exploits are a vital part of almost every attack.

The Darknet made the headlines on multiple occasions this year, mostly owing to databases that were leaked on it and media reports recounting FBI activities against Darknet users. Furthermore, this year saw increased activity by the hacking community on the Darknet, manifested in dedicated markets for the sale of 0-day exploits and the establishment of several new hacking forums.

Sales of hacking tools in the English-language underground

The Iranian Underground

With regard to Iranian threat actors, 2015 was a highly prolific year, with attack groups making headlines around the world. Delving deeper into the Iranian underground, we uncovered several interesting trends, some clearer than others.

One main development in 2015 was the persistent interest in critical infrastructure, with underground forum members sharing and requesting information related to industrial control systems and other related components. With Iranian actors becoming increasingly drawn to this field, we assess that this trend will remain relevant in 2016 as well.

Another growing phenomenon is the stunted life cycles of Iranian cyber groups, many with a life-span of just several months. This trend makes it difficult to monitor the different entities active in the Iranian cyber arena and their activities. To understand the constant changes in this realm, this short life cycle trend must be taken into consideration and the Iranian cyber arena continuously monitored.

That said, we must not overlook one of the most prominent characteristics of Iranian attack groups – confidentiality. With attacks attributed to Iranian actors becoming more sophisticated and high-profile, we believe that the divide between medium-level practices of malicious activity and alleged state-sponsored activity by attack groups will remain pronounced.

Screenshot from the IDC-Team forum showing, among other things, the list of “Hottest Threads” and “Most Viewed Threads” on the forum

ISIS – Cyber-Jihad

On the other side of the Arabic-speaking cyber world, we find ISIS and its evolving cyber activities. There is disagreement between intelligence firms and cyber experts about the offensive cyber capabilities of the Islamic State. At the same time, there is high motivation among hackers who identify with the group’s fundamentalist agenda to carry out cyber-attacks against Western targets, especially against those countries actively involved in the war against the group in Iraq and Syria.

Ashley Madison Hack – Review and Implications

On July 12, 2015, the IT systems of Ashley Madison (owned by Avid Life Media), a Canada-based online dating service for married people, were hacked. The attackers, who call themselves Impact Team, released a message claiming they had taken control of all of the company’s systems and extracted databases containing client details, source code, email correspondence and more. According to the message, the attack was carried out in response to Ashley Madison’s exposure of its clients: although the company offered and charged clients for a full profile deletion, the deletion was in fact never carried out. Impact Team demanded that Ashley Madison and another website owned by Avid Life Media (ALM) cease their activity and shut down within 30 days, otherwise all stolen data would be published.

One month later, on August 16, 2015, Impact Team realized its threats – a link for downloading the data was posted on a password-protected hacking forum on the Darknet. The leaked data contained details of 37 million Ashley Madison users. Additionally, the attackers released data, containing mostly internal company information, in two additional stages.

The message containing the link for downloading the data stolen in the Ashley Madison hack

The Attack

The infiltration vector used by the attackers is not known. According to the former Ashley Madison CEO, the attack was performed by a provider or a former employee who possessed legitimate login credentials. Apparently, as in an APT attack, Impact Team had access to the company systems for a long period of time. They stated that they had collected information for years and that the attack started long before the data was exposed.

In an email interview with members of Impact Team, they said they “worked hard to make a fully undetectable attack, then got in and found nothing to bypass – Nobody was watching. No security. The only thing was a segmented network. You could use Pass1234 from the internet to VPN to root on all servers.”

The Leaked Data

Despite the fact that Ashley Madison maintained a low security level on its systems, the clients’ data was stored with many more precautions: full credit card data was not stored, only the last four digits, in accordance with the company’s declared policy. Nevertheless, payment information that contained the names and addresses of the clients was stored, and was later used by cybercriminals.

The passwords of Ashley Madison’s clients were hashed with the bcrypt algorithm, which is considered to be extremely strong. Another security measure taken by the company was the separation of the databases for email addresses and passwords. However, an error in the exposed source code made it possible to crack 11 million passwords in only 10 days. A security researcher cracked another 4,000 “strongly encrypted” passwords because they were widely used passwords.

The ten most common Ashley Madison cracked passwords encrypted in a bcrypt algorithm

Moreover, Ashley Madison saved IP addresses of its users for as long as five years. Thus, almost every user behind each profile can be identified.

The Consequences

The release of the data led to numerous discussions on hacking forums regarding ways to exploit the data. Some hackers focused on extortion schemes, while others offered to initiate spear-phishing attacks based on the leaked data.

Darknet forum member explains how to look for users by their corporate email address

In another attack reported by Trend Micro, hackers distributed email messages allegedly from Impact Team or law firms. They asked for money in exchange for removing the recipient’s name from the leak or for initiating a class action lawsuit against Ashley Madison.

A fraud email message allegedly sent by Impact Team

Besides financial damage, according to press publications, three people committed suicide after the leaked data was released.

Moreover, not only its clients but the company itself suffered damage from the exposure of confidential information. Exposure of the internal correspondence of Ashley Madison’s executives revealed the company’s improper business activity, such as hacking into its competitors’ systems, creating fake profiles on its own website and more. Finally, Ashley Madison’s financial losses are estimated at more than 200 million dollars, since the company was about to launch an initial public offering later this year.

Conclusions

Analysis of the leaked email correspondence of Ashley Madison’s executives demonstrates that they were fully aware of the importance of cyber security measures. In the beginning of 2012, following the cyber-attack on the Grindr mobile application, the company’s then-CTO expressed his concerns regarding passwords that were stored completely unencrypted. Later in 2012, password encryption was introduced. On another occasion, after the leak of General Petraeus’s email correspondence, an employee suggested implementing an encrypted email service for Ashley Madison users. Despite the severity of the hack, several measures taken by the company, such as the protection of the users’ passwords, reduced the damage caused by the leak. Nevertheless, password hashing, even with a strong algorithm such as bcrypt, is not enough on its own, and a password complexity policy should be implemented in the organization. Using strong passwords, maintaining different and complex passwords for the high-privileged accounts of the IT systems and restricting access to these accounts will limit the attackers’ ability to move laterally in the organization’s network and take control of it.

LogJam, Little Sister of FREAK

On May 20, 2015, researchers from the University of Michigan announced a new vulnerability in the Diffie-Hellman key exchange, called LogJam.

The vulnerability resides in the basic design of TLS itself, exposing both clients and servers, including mail servers, to a MitM attack, in which a malicious attacker can downgrade SSL-based connections to 512-bit export-grade cryptography, thus bypassing the basic security mechanism and allowing the attacker to read and modify any exposed traffic.

According to the official publication on weakdh.org, “The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top one million domains were initially vulnerable.” Unlike FREAK, which exploited the RSA key exchange, LogJam exploits a weakness in the Diffie-Hellman key exchange in TLS.

When a client requests a DHE_EXPORT cipher suite instead of DHE, a server that supports DHE_EXPORT will pick a small, breakable 512-bit parameter for the secret exchange.

According to a CloudFlare publication, this is the protocol flaw at the heart of the LogJam “downgrade attack”:

  • A MitM attacker intercepts a client connection and replaces all the accepted cipher suites with only the DHE_EXPORT ones.
  • The server picks weak 512-bit parameters, does its half of the computation, and signs the parameters with the certificate’s private key. Neither the Client Hello, the client cipher suites, nor the chosen cipher suite are signed by the server.
  • The client is led to believe that the server picked a DHE key exchange and just willingly opted for small parameters. From its point of view, it has no way to know that the server was tricked by the MitM into doing so.
  • The attacker would then break one of the two weak DH shares, recover the connection key, and proceed with the TLS connection with the client.

LogJam_1

Moreover, the researchers have speculated that the LogJam vulnerability provides an explanation for how the NSA cracked VPN connections, saying “a close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.”

Following the publication of the LogJam vulnerability, SenseCy monitored its popularity among known hacker groups and cyber hacktivists. General interest was noted, along with some questions about the vulnerability.

LogJam_2

So how should you approach this vulnerability?

The researchers provided some simple answers to this question:

If you run a server:

If you have a web or mail server, you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. Step-by-step instructions can be found here.

If you use a browser:

Make sure you have the most recent version of your browser installed, and check for updates frequently (including smartphones).

If you are a system administrator or developer:

Make sure any TLS libraries you use are up to date and that you reject Diffie-Hellman groups smaller than 1024 bits.

You can check if your browser is vulnerable here.

You can download the complete research document from here.
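The downgrade described above works because the client never checks what it actually received. The following added example (written for this page, not taken from the LogJam researchers or CloudFlare) implements the client-side checks the researchers recommend: it parses the ServerDHParams structure of a TLS ServerKeyExchange message (RFC 5246 section 7.4.3: dh_p, dh_g, dh_Ys, each a 2-byte length-prefixed big-endian integer), refuses any negotiated DHE_EXPORT suite and rejects any Diffie-Hellman prime below 1024 bits. The sample DH groups are constructed values chosen only for their bit length; they are not real TLS groups.

```python
"""Client-side LogJam checks: reject DHE_EXPORT suites and small DH groups."""
import struct

# DHE export cipher suite identifiers from the TLS cipher suite registry (RFC 2246).
DHE_EXPORT_SUITES = {
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

# Minimum DH prime size recommended by the LogJam researchers.
MIN_DH_BITS = 1024


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Serialize ServerDHParams the way a TLS server does (used here to build test input)."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def parse_server_dh_params(data: bytes) -> dict:
    """Parse dh_p, dh_g and dh_Ys from the body of a ServerKeyExchange message."""
    fields = {}
    offset = 0
    for name in ("p", "g", "ys"):
        if offset + 2 > len(data):
            raise ValueError(f"truncated ServerDHParams before {name}")
        (length,) = struct.unpack_from("!H", data, offset)
        offset += 2
        if offset + length > len(data):
            raise ValueError(f"truncated ServerDHParams inside {name}")
        fields[name] = int.from_bytes(data[offset:offset + length], "big")
        offset += length
    if offset != len(data):
        raise ValueError("trailing bytes after ServerDHParams")
    return fields


def check_handshake(chosen_suite: int, dh_params: bytes, min_bits: int = MIN_DH_BITS):
    """Return (accept, reason) for the negotiated suite and the server's DH group.

    A MitM that strips the ClientHello down to DHE_EXPORT suites is caught by the
    first check; a server that volunteers a 512-bit group is caught by the second.
    """
    if chosen_suite in DHE_EXPORT_SUITES:
        return False, f"export suite {DHE_EXPORT_SUITES[chosen_suite]} negotiated"
    params = parse_server_dh_params(dh_params)
    p_bits = params["p"].bit_length()
    if p_bits < min_bits:
        return False, f"DH prime is only {p_bits} bits (minimum {min_bits})"
    # Basic sanity check on the server's public value: it must lie in (1, p-1).
    if not 1 < params["ys"] < params["p"] - 1:
        return False, "server public value out of range"
    return True, f"DH prime is {p_bits} bits"


if __name__ == "__main__":
    # Constructed sample groups: only the bit length matters for this check.
    weak_group = encode_server_dh_params((1 << 511) | 1, 2, 12345)
    strong_group = encode_server_dh_params((1 << 2047) | 1, 2, 12345)
    # 0x0016 is TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, a non-export DHE suite.
    print(check_handshake(0x0014, weak_group))    # rejected: export suite
    print(check_handshake(0x0016, weak_group))    # rejected: 512-bit prime
    print(check_handshake(0x0016, strong_group))  # accepted: 2048-bit prime
```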

Anthem Hack: Is the Healthcare Industry the Next Big Target?

Anthem Inc., the second largest health insurer in the US, has suffered a security breach of its databases. According to media reports, the breached database contains information on approximately 80 million individuals. Although medical records appear not to be in danger, names, birthdays, social security numbers, email addresses, employment information and more have been compromised.

Anthem described the hacking as a “very sophisticated attack,” and the company reported it to the FBI and even hired a cyber security firm to help with the investigation. However, the extent of the stolen data is still being determined. In addition, there is no concrete information regarding the perpetrators or the modus operandi (MO) of this cyber-attack.

In February 2014 we wrote that cyber criminals are shifting their focus from the financial industry to the healthcare industry, which has become an easier target. Healthcare records contain a wealth of valuable information for criminals, such as social security numbers and personal information. This information can sometimes prove more valuable than credit card numbers, which the financial industry is working hard to protect.

In 2013, at least twice as many individuals were affected by healthcare data breaches as in the previous year, owing to a handful of mega-breaches in the industry. According to a cyber security forecast published at the end of 2013, the healthcare industry was likely to make the most breach headlines in 2014. However, it appears that 2014 was the year in which American retailers suffered massive data breaches (Home Depot, Staples, Kmart, and of course Target at the end of 2013).

We should consider the Anthem hack as a warning sign for all of us – the healthcare industry might be the prime target for cyber criminals in 2015. We already know that sales of PII (Personally Identifiable Information) and PHI (Protected Health Information) on black markets continue to rise. Such underground marketplaces are being used as a one-stop shop for identity theft and fraud. Such breaches can cost their victims dearly – putting their health coverage at risk, causing legal problems or leading to inaccurate medical records. Here at SenseCy, we monitor on a daily basis the usage of breached medical information on underground forums and Darknet platforms.

We believe that this industry is facing major threats from cyberspace. These threats encompass large areas of the industry and may become a greater burden for it, compromising patient safety, and causing financial and commercial damage to the associated bodies.

SenseCy 2014 Annual Cyber Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

Executive Summary

Clearly, 2014 was an important year in the cyber arena. The technical level of the attacks, the variety of tools and methods used and the destructive results achieved have proven, yet again, that cyber is a cross-border tool that is rapidly gaining momentum.

This year, we witnessed attacks on key vectors: cyber criminals setting their sights on targets in the private sector, hacktivists using cyber tools for their ideological struggles, state-sponsored campaigns to facilitate spying on high-profile targets, and cyber conflicts between countries.

The following is an excerpt from an annual report prepared by our Cyber Intelligence analysts. To receive a copy, please send a request to: info@sensecy.com

Insights

Below are several of our insights regarding cyber activity this past year:

  • The financial sector was and continues to be a key target for cyber criminals, with most of the corporations hacked this year in the U.S. being attacked through infection of Point-of-Sale (POS) systems. Despite the high level of awareness as to the vulnerability of these systems following the Target breach at the end of 2013, ever more organizations are continuing to fall victim to these types of attacks, as the cybercrime community develops and sells dedicated tools for these systems.
  • In 2014, we saw another step up in the use of cyber as a cross-border weapon, the use of which can be highly destructive. This was evidenced in the attack on JPMorgan, which according to reports was a response to sanctions imposed by the U.S. on Russia. The ensuing Sony breach and threats to peoples’ lives should the movie The Interview be screened exacerbated the state of asymmetrical war in cyber space, where on the one hand, we see countries attacking companies, and on the other, groups of hackers attacking countries. This trend becomes even more concerning following the reports of the deaths of three workers at a nuclear reactor in South Korea, after it became the target of a targeted cyber-attack, evidently by North Korean entities.
  • This past year was rife with campaigns by anti-Israel hacktivists, whose motivation for attacking Israel’s cyber networks was especially strong. Again, it was clearly demonstrated that the relationship between physical and virtual space is particularly strong: alongside Operation Protective Edge (July-August 2014), we witnessed a targeted cyber campaign by hacktivist organizations from throughout the Muslim world (but not only) and by cyber terror groups, which in some cases were able to score significant successes. We believe that in 2015, attacks by hacktivist groups will become higher quality (DDoS attacks at high bandwidth, for example) and the use of vectors that to date have been less common, such as attacks against mobile devices, will become increasingly frequent.
  • Involvement of the internal factor in cyber-attacks: According to some speculation published recently in the global media regarding the massive Sony breach, former company employees may have abused their positions and status to steal confidential information and try to harm the organization. This underscores the importance of information security and internal compartmentalization in organizations with databases containing sensitive information.

The Past Year on the Russian Underground

In 2014, we saw active underground trading of malware and exploits, with some of them being used in attacks inside and outside Russia that gained widespread media coverage in sources dealing with information security.

The following is a list of categories of malware and the main services offered for sale in 2014 on the Russian-speaking underground forums. Note that in this analysis, we only included important tools that were well-received by the buyers, which indicates their reliability and level of professionalism. Additionally, only tools that were sold for over a month were included. Let us also note that the analysis does not include special PoS firmware, but only programs designed to facilitate remote information theft through takeover of the terminal.

Malware_Russian Underground

Prices

The average price of a tool offered for sale in 2014 was $1,500. Since 2013, the average price has increased by $500. The following graph lists the average price in each of the categories outlined above (in USD):

Average_Price_by_Category

Key Trends Observed on the Russian Underground this Past Year

Trojan Horses for the Financial Sector

Malware designed to target financial institutions is a highly sought-after product on the Russian underground, and this past year we observed the development of malware based on Kronos source code – Zeus, Chthonic (called Udacha by the seller) and Dyre malware. Additionally, the sale of tools designed to steal login details for banking sites via mobile devices was also observed.

In this context, it should be noted that the modular structure of many types of financial malware allows flexibility by both the seller and the buyer. Most financial malware is sold in this format – meaning, various modules responsible for the malware’s activity can be purchased separately: Formgrabber module, Web-Injections module and more.

MitM Attacks

This type of attack vector, known to cyber criminals as Web injections, is most common as a module in Trojan horses for the financial sector. Members of many forums offer their services as injection writers, referring to creation of malware designed to be integrated into a specific banking Trojan horse (generally based on Zeus), tailored to the specific bank, which imitates the design of its windows, etc. In 2014, we saw this field prosper, with at least seven similar services offered on the various forums.

Ransomware

This year we witnessed a not insignificant amount of ransomware for sale on Russian-speaking forums. It would appear that the forums see a strong potential for profit through this attack vector and therefore invest in the development of ransomware. Furthermore, note that some of the ransomware uses the Tor network to better conceal the command and control servers. Since CryptoLocker was discovered in September 2013, we have seen numerous attempts at developing similar malware both for PCs and laptops.

Additional trends and insights are detailed in the full report.

Turkish Hacking Group Cyber Warrior’s e-Magazine : TeknoDE

Cyber Warrior is one of the biggest hacker groups in Turkey. The group was established in 1999. Their first significant cyber-attack was in 2003, when they launched a massive operation against 1,500 U.S. websites in protest against the American invasion of Iraq and a specific incident where Turkish military personnel in northern Iraq were captured and interrogated by the U.S. Army.

Turkish Hacking Group Cyber Warrior

Cyber Warrior (CW) comprises teams for strategy, intelligence, logistics and R&D, and a dedicated unit for waging cyber-attacks named Akincilar. In recent weeks, for example, Akincilar has attacked official government websites of countries that, in the group’s opinion, discriminate against their Muslim populations.

Additionally, CW has been actively developing cyber tools and improving others. They even write instructional manuals on cyber security and have established a Cyber Academy, where they provide online training.

In September 2014, the group published their first monthly e-Magazine. The magazine is published on their online platforms and it includes cyber news items from the IT world, new technologies, cyber security, hacking news, programming and more.

September 2014 issue of TeknoDE

In their first issue, they featured a cryptography contest with the top prize of a book, mug and mouse pad.

Cryptography Contest

In their October issue, they reviewed the recently discovered Shellshock vulnerability, shared information on how to locate a lost mobile phone and discussed ways to hack into Gmail accounts, and aircraft and satellite systems.

October 2014 issue of TeknoDE

A couple of weeks ago, they produced the November 2014 issue, featuring articles about credit card fraud, new Android malware and interviews with Cyber Warrior founders.

November 2014 issue of TeknoDE


Currently, the magazine is published in Turkish. It raises users’ awareness of the cyber world while promoting an interest in cyber security among them.

Members of the website and readers of CWTeknoDE will not only be motivated to hack, but with this magazine they will have the chance to learn more about the cyber world, and about methods and vulnerabilities.


Spotlight on the Russian Underground Infrastructure

The media is in an uproar at present, reporting on one cyber incident after another. Adobe, Target, Neiman Marcus, Home Depot, JP Morgan – these breaches are just the tip of the iceberg in the cybercrime arena. The Russian underground forums serve as fertile ground for planning cybercrime-motivated breaches worldwide – programming the malicious software, distributing it and sharing knowledge about the most profitable usage, selling the stolen data (such as credentials, etc.). Let us take a deeper look at the internal structure of these forums and the norms of behavior there.

Registration

While many forums have free registration, others require payment (cybercriminals will never miss an opportunity to profit). Some of the forums that ask for registration fees do not contain useful information, and the fee is merely a farce, while for others, the fee is a means to keep poor or noob hackers away from the “big guy discussions.” Some of the forums ask potential candidates to fill out a detailed registration form, clarifying their exact capabilities and the programming languages they know, while others go one step further and send different hacking tasks to the applicants, demanding proof of their professional level. Many forums have strict policies about filtering out registrants, and very few people are accepted.

Registration page in one of the underground forums

Communication

When it comes to personal contact between the seller and buyer, the first choice is the Jabber messenger. Sometimes, one of the sides will request the OTR (Off-the-Record) protocol for Jabber, which allows private conversation using encryption and eliminates all traces of the conversation. Exchanging messages via PM (private message), the private mailbox on each forum, is another popular means of communication. Users wishing to connect via Jabber are sometimes asked to authenticate themselves via private message beforehand, indicating the high level of confidentiality and security concerns.

ICQ is also used, although it is not very common and is perceived as a communication method for less experienced hackers.

Payment

On the underground, you will never see any payment method that would somehow enable identification of the parties in the transaction. Naturally, no credit cards, PayPal accounts or bank transfers are accepted – only virtual currencies are used. Bitcoin (BTC) is rather popular, as well as PM (Perfect Money), LTC (Litecoin), WM (WebMoney) and other virtual currencies.

Escrow System

Most of the forums maintain a well-established system of escrow services provided by an official forum member appointed by the administrator. In exchange for a reward, usually a percentage of the transaction value, he mediates between the buyer and the seller, keeping the money until the goods are supplied. He also checks that the product offered matches its description.

Reputation Score

The reputation of the members is one of the pillars of Russian underground forums. Although each forum has its own scoring system, all share a common principle: forum members rate each other based on the threads they post. For instance, by providing useful advice or uploading malware, the author will receive more points. Another reputation booster is the number of posts, as well as seniority on the forum, which defines the status of the user: beginner, intermediate, specialist, etc. Certain threads are available only to members with a minimum number of posts.

Furthermore, some forums ask for monetary deposits that are displayed next to the user’s name, indicating his reliability. If monetary conflict arises, the sales thread will often be suspended until the issue is clarified. If no solution is found, the seller incurs a “ripper” status, thus losing the chance to sell anything ever again on the forum, unless he changes his nickname.

Member's profile in one of the underground forums

Malware is Coming to the Trusted Software Near to You – Trade in Code Signing Certificates is on the Rise on the Russian Underground

Written by Tanya Koyfman

Instead of spending days and nights coding, crypting and modifying malware to avoid AV detection, the underground market offers to have it signed with a digital certificate issued to a legitimate entity.

While monitoring our Russian-speaking sources, we identified a Russian forum member offering code signing certificates issued by one of the largest CAs for sale.

The forum thread was opened on a Russian password-protected forum that serves as an illegal platform for cybercrime related discussions. On the forum, one can find sales of financial malware, stolen databases and exploits, as well as technical discussions regarding hacking and programming.

The post about the sale of certificates was initially published two months ago, and the topic is still updated regularly. In the first message, the post author offered one certificate for sale in exchange for almost $1000. According to the seller, the certificate can be used to sign exe files. Forum members who are interested in purchasing are requested to connect via Jabber (an instant messaging service based on the XMPP protocol, highly popular among Russian cybercriminals).

The next day, the author published another post claiming that the certificate had been sold. He said that he could obtain 1-2 certificates per week, and that if there was demand he could also get his hands on driver signing certificates.

The thread also included feedback messages from buyers, who testified that the certificates were useful in avoiding AV detection, but only for a specific malware infection. In the case of mass distribution of malware programs, the certificate would be cancelled within days.

During the forum discussion, the seller mentioned that signing an exe file with the certificate helped avoid detection by all AV proactive detection mechanisms, except for one. He also clarified that the certificates could be used for .exe, .dll, .jar and .doc files, but not for .sys files (drivers).

To date, after almost two months of sales, at least 7-10 certificates have been sold (providing a profit of $10,000 for the seller).

The first message regarding the sale of the certificates

Taking into account that the above forum member has regular access to legitimately issued certificates from one of the top five Certificate Authorities (CAs) in the world, the above case is probably only the tip of the iceberg. We may soon witness an increase in malware distribution attacks based on the use of genuine code signing certificates. The $1,000 paid for a certificate is an incredibly low price for the hacker to pay, compared to the large sums of money he can earn using these certificates in his attacks. While we do not know the precise origin of the certificates (a breach in an organization that purchases certificates, a breach in a reseller supplying the CA certificates, or simply an “illegal” reselling of legally purchased certificates), the volume of certificates that the seller is supplying is reminiscent of the DigiNotar case.

The Case of DigiNotar (July-August 2011)

DigiNotar was a Dutch Certificate Authority company owned by VASCO Data Security International. DigiNotar went bankrupt following a security breach that resulted in the fraudulent issuing of CA certificates on September 3, 2011. DigiNotar hosted a number of CAs and issued certificates including default SSL certificates, Qualified Certificates and ‘PKIoverheid’ – government-accredited certificates.

In August 2011, a rogue certificate for *.google.com signed by DigiNotar was noticed by several Internet users in Iran and subsequently revoked by browser vendors. Fox-IT conducted an investigation of the events in their report ‘Operation Black Tulip’ and found that a total of 531 fraudulent certificates had been issued. They identified around 300,000 requests to google.com from IPs originating in Iran that used the rogue certificate before it was revoked. The attack lasted nearly six weeks.

Users behind the affected IPs might have had their emails intercepted, and their login cookies could have been captured, enabling the attacker to enter their Gmail accounts and all other services offered by Google. With access to the e-mail account, the attacker is also able to reset passwords for other services via the “lost password” function. Fox-IT further examined the hacking tools and found some of them to be amateurish and some very advanced; some were publicly available hacking tools and some were specifically developed.

Another Phish in the Sea

The rise in scamming campaigns has become a focal issue for the InfoSec world in recent years. More and more attacks target everyone from large corporations, using specific techniques “tailored” to the target, to ordinary users, by spreading lures to anyone available. The platforms from which the malware is spread vary from standard email messages and social networks to more elaborate SMS scams.

We will attempt to describe herein the basic steps to take to determine if a suspicious email, text message or Facebook post is actually malicious – in order to stay safe from falling victim, while still being able to keep up with the latest 9GAG spam.

Source Identity

When receiving a new email or text message, check who the sender is. If the message comes from an unknown person – a source you are not expecting contact from, or a strange-looking email name – do not open it! Browsing social networks like Twitter can also lead you to malicious actors who will try to lure innocent and curious people.

One such example is a reservation email scam that “accidentally” sends a room reservation email to you instead of the hotel manager. The email has an attachment, purportedly containing a list of special requirements for the guests, which turns out to be a malicious element that downloads additional executable malware.


Content

We have all heard the joke about receiving a scam email from a Nigerian prince, where the victim is asked to provide their bank account details in order to receive a large sum of money, but reality is not so far off. Attackers use sophisticated techniques to capture your attention, be it by intimidation, exploiting the latest trending topic or informing you of a transaction.

The recent iCloud hacking leak scandal has been a hot topic on the Internet, and the phishing attacks soon followed. A tweet, which tries to grab your attention by sharing a link to an alleged nude video of Jennifer Lawrence, redirects visitors to a download page for a video converter. Of course, the downloaded file turned out to be adware, not to mention the fact that it forces its victims to share the malicious site on their Facebook profiles.


Grammar

I believe that the easiest way to notice that something about a message of any kind is wrong is bad grammar. Foreign scammers who are not fluent in the target audience’s language encounter a barrier that they try to bypass by using online translators or simply trying their luck at translating the message on their own. A poorly written letter from a formal organization or a shifty-looking website should definitely raise a red flag.


Links

Apart from the content itself, the message might also contain links. The URL that appears in the text might seem legitimate, but it is important to take a closer look at the domain name, and to ‘hover’ over the link with the mouse to see whether the actual web address matches the one presented to you (for other fake-link-finding techniques, see our previous post).

Let’s say you received an email from the human resources department in your company – sounds like a legitimate item to open. But what if it contains a link to download CryptoWall ransomware? In this particular situation, it is very difficult to tell whether this is a phishing scam, but by taking a closer look at the shared link, you can notice that it redirects you to a gaming website and forces you to download a suspicious ZIP file that contains the malware.


Attachments

Some scammers direct you to open files attached to their message. They might appear legitimate because they are Word or ZIP files, but they end up being disguised malware. Be wary of attachments you are not expecting to receive, especially executable files like .EXE, .PIF, .JAR, .BAT and .REG.

Curiosity killed the cat, and apparently also some people’s computers. An innocent-looking email suggesting that you view someone’s new photo contains an attachment called photo.zip, which unfortunately does not contain an attractive person’s selfie, but rather a Zbot Trojan.

And just like the old Japanese saying goes “Attack a man with a phish and you’ll scam him for a day; Teach a man to phish and you keep him safe for a lifetime.”

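The sender, link and attachment checks described in the steps above, combined into one small triage script. This is an added example and not code from the SenseCy report: it uses only the Python standard library, the sample message (the domains corp.example, docs-share.example and games-download.example, and the photo.zip payload) is constructed for the demonstration, and the registered-domain logic is a deliberate simplification (last two labels, no public suffix list) that a real deployment would replace.

```python
"""Phishing triage for an e-mail message: sender, links, attachments (stdlib only)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions the article lists as dangerous, plus a few common script types.
RISKY_EXTENSIONS = {"exe", "pif", "jar", "bat", "reg", "scr", "cmd", "vbs", "js"}
ARCHIVE_EXTENSIONS = {"zip"}


def registered_domain(host: str) -> str:
    """Simplified registrable domain: the last two labels (no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extension(name: str) -> str:
    return name.lower().rsplit(".", 1)[-1] if "." in name else ""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags, i.e. the 'hover' check."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(msg) -> list:
    """Flag a display name that names a domain other than the real sender address."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for token in re.findall(r"[\w.-]+\.[a-z]{2,}", name.lower()):
        if registered_domain(token) != registered_domain(from_domain):
            findings.append(f"display name mentions {token} but sender is @{from_domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registered_domain(reply.rsplit("@", 1)[-1]) != registered_domain(from_domain):
        findings.append(f"Reply-To {reply} does not match sender domain {from_domain}")
    return findings


def check_links(msg) -> list:
    """Compare the URL shown to the reader with where the link really points."""
    findings = []
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return findings
    collector = _AnchorCollector()
    collector.feed(html_part.get_content())
    for href, text in collector.anchors:
        parsed = urlparse(href)
        real_host = parsed.hostname or ""
        shown_host = re.sub(r"^https?://", "", text.lower()).split("/")[0]
        if "." in shown_host and registered_domain(shown_host) != registered_domain(real_host):
            findings.append(f"link text shows {shown_host} but points to {real_host}")
        if extension(parsed.path) in RISKY_EXTENSIONS | ARCHIVE_EXTENSIONS:
            findings.append(f"link downloads a .{extension(parsed.path)} file from {real_host}")
    return findings


def check_attachments(msg) -> list:
    """Flag executable attachments, and look inside ZIP archives for executables."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if extension(name) in RISKY_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
        if extension(name) in ARCHIVE_EXTENSIONS:
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                    for member in zf.namelist():
                        if extension(member) in RISKY_EXTENSIONS:
                            findings.append(f"archive {name} contains executable {member}")
            except zipfile.BadZipFile:
                findings.append(f"attachment {name} is not a valid ZIP archive")
    return findings


def triage(raw: str) -> list:
    """Run all checks over a raw RFC 5322 message and return the list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    return check_sender(msg) + check_links(msg) + check_attachments(msg)


def build_sample() -> str:
    """Constructed sample combining the lures from the article (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg.exe", b"placeholder bytes, not a real binary")
    msg = EmailMessage()
    msg["From"] = '"corp.example HR" <noreply@docs-share.example>'  # constructed
    msg["To"] = "employee@corp.example"
    msg["Subject"] = "Updated payroll policy"
    msg.set_content("Please see the attached photo and the policy link.")
    msg.add_alternative('<p>Policy: <a href="http://games-download.example/policy.zip">'
                        'https://intranet.corp.example/policy</a></p>', subtype="html")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="photo.zip")
    return msg.as_string()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("-", finding)
```

Running the script on the constructed sample reports the mismatched display name, the link whose visible text and real destination differ, the direct ZIP download behind that link, and the executable hidden inside photo.zip; a plain message from a matching domain with no links or attachments produces no findings.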