Initial Preparations for #OpIsrael 2017

During the past week, we detected indications for initial preparations for the upcoming #OpIsrael campaign scheduled for April 7, 2017. SenseCy identified several event pages on Facebook that were opened explicitly to organize cyber-attacks. The number of participants in all the event pages that we found is relatively low (approximately 160 Facebook users). Continue reading “Initial Preparations for #OpIsrael 2017”

The Life Cycle of a Data Breach

2016 has witnessed an exponential growth in data breach incidents. These incidents led to the compromise of various user details, including email addresses, passwords, usernames, full names, phone numbers and much more. These login credentials, which in many cases were reused on multiple platforms and services, were stolen from social network websites, such as LinkedIn, Tumblr, VK, gaming platforms, adult content websites, and Continue reading “The Life Cycle of a Data Breach”

The Shade (Troldesh) Ransomware: One More Soldier in the Army of Encryption Miscreants

Written by Mickael S. and Tanya K.

Last week, SenseCy analysts happened upon a new sample of Shade ransomware, also known as Troldesh, which uses a no_more_ransom extension for encrypted files. This ransomware is far from famous, lacking the glorious Continue reading “The Shade (Troldesh) Ransomware: One More Soldier in the Army of Encryption Miscreants”

Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)

While monitoring closed platforms that propagate an Islamic State agenda, we detected an initial interest in hacking lessons, focusing on spam and phishing methods. Many discussions in the technical sections of closed platforms affiliated with the Islamic State deal with the implementation of Continue reading “Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)”

Office 365 Administrator Accounts Traded on the Darknet

In early September 2016, a new advertisement appeared on various Darknet platforms, promoting a new hidden service. The service, dubbed Open Hacking Lab (OHL), offers three categories of products: hacking tools and resources, hacked credentials and services. While numerous hidden services on the Darknet sell hacked credentials, this is the first time we have observed the sale of administrator credentials for Office 365 accounts.

hacking-lab
Screenshot of the Open Hacking Lab platform

Microsoft Office 365 is a software package that includes cloud services, sold to corporates and private customers. The organizational package includes email, storage, social network, SharePoint and other services provided via cloud. Acquiring administrator’s access to organization that use Office 365 will provide a potential attacker with access to sensitive organizational information and may even lead to the threat actor gaining full control over the organization network.

Currently, 12 accounts are being offered for sale, with prices ranging from $15 for a logistics company account to $100 for a law firm. For each company, the seller provides a short description of the company, its country of origin, and which data the buyer will gain access to. Eight of these companies are based in the U.S., two in Europe and two in Canada.

office-365-darknet
Office 365 accounts for sale on a Darknet platform

The operator of the hidden service is a well-known actor in several communities on the Darknet; he is considered credible and he possesses high technical skills. The hidden service owner also runs a Twitter account dedicated to the service, where he updates about the platform and its products.

Cyber Intelligence From the Deep Web – An Interview with SenseCy CEO Gadi Aviran

Below is a shortened version of an interview with SenseCy CEO, Gadi Aviran. The full interview is available in vpnMentor Blog.

Gadi Aviran is a man of many talents. Formerly the head of the technical intelligence analysis desk at the IDF (Israeli Defense force), Aviran has been involved in technical terror intelligence analysis for over a decade, serving as one of Israel’s leading authorities in the field of Explosive Ordnance Disposal (EOD) and in Disposal of Improvised Explosive Devices (IEDs). Since his retirement from the military, Aviran has founded a number of companies that all deal with different aspects of OSINT/WEBINT intelligence, including SenseCy, where he currently serves as CEO. In this rare interview he talks about cyber intelligent from the detective’s perspective, and explains why successful cyber intelligence can never be done by machines only.

vpnMentor: Please tell us about your personal background and the companies you’re involved in.

Lets not start in the middle ages, we’ll start when I got out of the military and founded a company which ended up being Terrogence in 2004. Terrogence took it upon itself to look for intelligence in the open web, but use a different methodology than what most of the companies out there are doing. Normally, a company would set up crawlers to collect all the data they can, and then look through the data to find those pieces of information that are important for them, but like a needle in the hay, it’s a long and insufficient process.

At Terrogence, we decided to answer questions instead, meaning, we ask our clients what kind of information are they interested in, and use assumed identities or ‘virtual humant’ in order to penetrate and infiltrate closed areas within the web to find the answers.

As time went by, we developed our own technology, which supports us very much in doing what we do. We incorporated a new technological company called “Webintpro”, which provides software solutions for intelligence gathering, while Terrogence remained a service provider.

About 5 years ago we started receiving requests from customers, asking about threats in the cyber domain, and that’s when we started dealing with cyber security. We changed our name to SenseCy about 2 years ago due to market responses to the word ‘Terrogence’, bearing in mind that the market is mainly civilian.

vpnMentor: So what can you tell about the work of SenseCy?

SenseCy is an interesting creature. It’s very focused on the customers, providing them insights from dark and distant parts of the web. In order to do that we look into their DNA and see who’s talking about them, who’s selling their information, who’s interested in their domain, their software and their personal activities, and that gives us a very unique perspective.  There are only about 5-10 companies in the world that actually do what we do, so it’s a very interesting and very challenging business to be in.

We have been operating in the cyber domain for the past 5 years, offering very unique capabilities which attract the attention of potential customers and partners. We represent a very narrow and interesting niche in the cyber protection arena. As you know the industry had gone through a whole set of changes, but at the end of the day the answers are not sufficient; what people are interested in is not how dangerous the web is as a whole, but what are the dangers FOR THEM?

For example, if someone is interested in buying emails of your c-level personnel, or shows specific interest in your company in order to obtain information or funds from and about the company, it’s a dangerous situation for everyone involved. This is what we call a personalized threat, and if you were a target, you’d definitely want to know about it.

vpnMentor: What type of clients do you work with and what types of threats are they facing?

Our customers come from different walks of life. We have of course clients from the finance, health and insurance industries which are constantly threatened by cyber activities, but it’s a changing landscape. Finance used to be the hottest thing and get the most threats, but now we can see that the health industry is becoming a much greater target, because they have information that’s worth a lot of money.

Hackers who do it for money will find whoever’s willing to pay, and exploit them in every way they can. In some cases they may sell the information to many people, or ask their victim to pay a ransom for receiving their data back. As you probably know, ransomware is a huge business these days.

vpnMentor: Surely, money isn’t the only motive for attackers of such scale.

That’s right. Bear in mind though that the world of cyber is segmented into 3 general types of threats. I’ve already mentioned the money-driven hackers. There are also of course state sponsored threats, where we have very little visibility over what is going on. There are exceptions, for instance, in places like Iran, where state and private activities are often mixed up, but generally speaking, we do not investigate or report about state abilities because states normally don’t operate on the web, they do it in a much more private way.

The third type of threat is hacktivism, where each player has his own sources and in some cases his own malware or tools. In their eyes, they do it for “justice”.

Take Anonymous for instance, who attacked Japanese companies and government institutions, including those of Prime Minister Shinzo Abe, the Ministry of Finance, the Financial Services Agency and Nissan Motors, because they endanger dolphins and whales. It used to be that the hacktivists were relatively low key. Their technology wasn’t very advanced and relied mainly on DDOS capability, but that is completely changed now. The tools that are now being used for hacktivism campaigns are the most advanced tools that we are finding, but they are not tools that are made to make money, they are tools made to destruct.

vpnMentor: What is the difference between your work and the work of a professional hacker?

The 2 companies that came out of Terrogence only deal with open source intelligence (OSINT). A source can be a news article in the New York Times, or an Arabic newspaper, which is published online but is only available to people who understand Arabic.

The information can hide behind various doors of privacy but at the end of the day it’s all in the public domain. We don’t hack into sources of information, we don’t use backdoors into them, and we are very overt about what we do.

In addition to our business clients, we’ve also been working for many governments, meaning that what we do is legal. We are very careful not to cross the legality lines, so whenever we’re asked to do something, we look into it, and if a task’s legality is uncertain, we will not follow it through. To sum things up, we are not hackers and we’re not hacker-wanabees: We’re a business. We’ve been doing it for quite a long time and we do it well.

vpnMentor: I suppose as an intelligence provider you’d prefer to remain under the radar.

Yes our work is very tailored, we work for customers that have a name and that name is something we hold very closely. We share some of it in our blog and give lectures here and there, but generally we go into the light very little. We don’t participate in trade conferences and things like that, and it’s not where we find our customers- the customers normally come to us. The fact that I’m talking to you is not something that we normally do.

At the end of the day, it’s an industry of essence. You are not judged by how much PR you have, but by the intelligence that you provide to the customer.

#OpIsrael 2016 – Summary

This year, #OpIsrael hacktivists focused on defacing private websites, carrying out DDoS attacks and leaking databases. Hundreds of private Israeli websites were defaced, mostly by Fallaga and AnonGhost members. Various databases containing Israeli email addresses and credit cards were leaked, but the majority were recycled from previous campaigns.

The hacktivists attacks commenced on April 5, 2016, two days before the campaign was launched, with a massive DDoS attack against an Israeli company that provides cloud services. The fact that no one took responsibility for the attack, alongside the massive DDoS power invested, may indicate that threat actors with advanced technical abilities were responsible.

On April 7, 2016, approximately 2,650 Facebook users expressed their desire to participate in the campaign via anti-Israel Facebook event pages. There are several possible reasons for the low number of participants (compared for example to the 5,200 participants in #OpIsrael 2015). One reason might be disappointment in last year’s lack of significant achievements. Another reason could be the devotion of attention to other topics, such as the cyber campaign against the Islamic State (IS), in the wake of the recent terrorist attacks in Brussels. Moreover, it is possible that anti-Israel hacktivists have abandoned social media networks for other platforms, such as IRC and Telegram.

1
Number of participants in the #OpIsrael campaign since 2014

During the campaign, we detected many indications of the use of common DDoS tools, such as HOIC, and simple DDoS web platforms that do not require any prior technical knowledge in order to operate them. Most of the DDoS attacks were directed against Israeli government and financial websites. Hacktivists claimed they managed to take down two Israeli bank websites. While this could be true, the websites were up and operational again within a short time. In addition, there were no indications of the use of RATs or ransomware against Israeli targets.

2
Using common DDoS tools against an Israeli website

As mentioned previously, most of the leaked databases were recycled from previous campaigns. However, we noticed that almost all of the new leaked databases were stolen from the same source – an Israeli company that develop websites. Notably, during the 2014 #OpIsrael campaign, this company website appeared on a list of hacked websites.

There was no immediate claim of responsibility for the leakage of these databases, which raises many questions, since anti-Israel hacktivists typically publish their achievements on social media networks to promote the success of the campaign. Moreover, almost all of these databases were first leaked in the Darknet, but anti-Israel hacktivists do not use this platform at all. In addition, all of the data leakages were allegedly leaked by a hacker dubbed #IndoGhost, but there are no indications to suggest that this entity was involved in the #OpIsrael campaign or any other anti-Israel activity.

Finally, we detected several attempts to organize another anti-Israel campaign for May 7, 2016. As an example, we identified a post calling to hack Israeli government websites on this date. We estimate that these attempts will not succeed in organizing another anti-Israel cyber campaign.

#OpIsrael 2016 – Intelligence Review

The #OpIsrael campaign has been repeated every year since 2013. Last year, the campaign failed to achieve his main goals, as the participants did not succeed in carrying out any significant cyber attacks against high-profile targets, such as government or financial websites. They only managed to deface private Israeli websites and leak databases (most of which were recycled from previous campaigns).

This year, we noticed that the number of the expected participants is relatively low – approximately 2,100 Facebook users have expressed a desire to participate in the campaign via dedicated #OpIsrael anti-Israel Facebook event pages. This constitutes half the number of participants that we detected in 2015 (approximately 5,200 Facebook users). There may be several reasons for this low number, one being disappointment from last year’s lack of significant achievements. Another reason could be attention devoted to other factors, such as the cyber campaign against the Islamic State (IS) following the recent terrorist attacks in Brussels.

This year we detected 13 different #OpIsrael event pages – the same number of event pages detected in 2015. The most popular page is one created by two Tunisian hacker groups dubbed Fallaga and Tunisian Cyber Resistance.

picture blog post 1
Fallaga and Tunisian Cyber Resistance #OpIsrael event page

Of note, many participants will join several event pages concurrently. Therefore, the actual number of Facebook users that wish to participate in this year’s campaign is actually less than 2,000. According to our analysis, most of the discussions about the campaign on social media networks are taking place in North Africa (Tunisia in particular) and Southeast Asia (notably in Indonesia).

picture blog post 2

We have identified additional platforms where anti-Israel hacktivists are preparing for the #OpIsrael campaign: closed and secret Facebook groups, Telegram and IRC channels and closed forums. The AnonGhost team has opened two Telegram channels for the purposes of updating and sharing information. In addition, the group has opened a dedicated website for the campaign, but it is offline at present.

We also witnessed an interesting chat on an IRC channel dedicated to #OpIsrael, where one of the conversation participants said that hacktivists affiliated with Anonymous do not have time to participate in the #OpIsrael campaign because they are preoccupied with their cyber war against targets identified with the Islamic State.

picture blog post 3
From a chat on an IRC channel dedicated to #OpIsrael

With regard to the attack vectors, we assume the attackers will attempt to carry out DDoS attacks or leak the databases of small Israeli websites (based on past experience, most of the data leakage will be recycled from previous campaigns). We also believe they will use familiar or self-developed DDoS tools, as well as malware based on njRAT, which is very popular among Arabic-speaking hacktivists.

It is also possible that there will be attempts to infect Israeli end-points with Ransomware via emails with malicious files during this campaign. In most cases, these malicious emails pose as invoices, fax notifications or fake purchase orders to deceive unsuspecting users. Moreover, attackers sometimes spoof an internal email address to alleviate the concerns of potential victims.

Top Data Breaches of 2015

2015 is coming to an end and it’s a good time to sum up the events that hit the cyber world this year. We have prepared an Infographic to review the major breaches occurred in 2015.

This timeline will be part of our annual Cyber Threat Intelligence (CTI) report, to be published in January 2016.

Major Data Breaches_2015

School Is Now in Session – The Spread of Hacking Tutorials in the Deep and Dark Web

One of the most common posts seen on hacker forums is “Hello, I’m new and I want to be a hacker.” Any aspiring hacker must learn coding, networking, system security, and the like, and increasingly, hacking forums are responding to this demand and providing tutorials for those who wish to learn the basics quickly.

Hacking forums have two main kinds of tutorial sections, one open to any forum member and the other exclusively for VIP members. In this post we will review two case studies from closed forums, one from the onion network and the other from the Deep Web.

Case Studies

The first tutorial, taken from a closed forum in the onion network, is actually four tutorials wrapped together to teach POS (point-of-sale) hacking. It includes a list of essential malware and software for POS hacking. While it starts with a basic overview of POS and of RAM (random-access memory) scraping, it very quickly dives into explanations that require an advanced understanding of hacking.

POS tutorial in the onion network
POS tutorial in the onion network

The second tutorial is a basic PayPal hacking tutorial, taken from a closed forum on the Deep Web and oriented toward noobs (beginners). It is actually more about scamming than hacking. It notes that one way to get user details is to hack vulnerable shopping sites using SQL injections and explains how to check whether the stolen user details are associated with a PayPal account. It also mentions that user details can simply be acquired from posts on the forum.

PayPal tutorial on closed forum
PayPal tutorial on closed forum

What is really interesting is that this practical forum has many tutorial sections and sub-sections (we counted six), which raises an interesting question: Why do hackers share?

Motives

There is no one answer to this question, but we can divide hackers’ motivations into four categories:

  • Self-promotion – One of the differences between regular hackers and good hackers is reputation. The most obvious way for hackers to improve their reputation is of course to perform a good hack, but they can also enhance their reputation by being part of a well-known hacking team or displaying vast knowledge, such as by publishing tutorials. It appears that Red, a junior member of the onion network forum who is not known and has a small number of posts, is increasing his value in the eyes of other forum members and site administrators by publishing tutorials, including the POS tutorial. This improved reputation can give him new privileges, such as access to the forum’s VIP sections. In most cases, tutorials shared for this reason range from beginner to intermediate level and can be understand by almost any beginner.
  • Site promotion – Commerce in hacking forums hiding deep in the Internet works like any other free market: if you have the right goods, people will come and your business will boom, but if your shop does not look successful, customers will stay away. Hacking forums, like other businesses, compete for the attention of their target audience. The PayPal tutorial was published by BigBoss, a site administrator, who was probably seeking publicity for the site. To ensure that there is a large number of tutorials on the site, the administrators publish their own from time to time. These can be very simple (as in this case) or very specialized and technical (such as those offered in closed forum sections).
  • Financial gain – As we noted, these forums are businesses, and like any business, they need to sell products in order to make a profit. They can do this by creating VIP sections with unique content (such as special tutorials) open to paying members only, as opposed to VIP sections based on reputation or Individual members also use the forums for financial gain and sell more concrete items—malware, credit cards, and the like—or more abstract items, like knowledge in the form of tutorials or lessons. In most cases the tutorials are very advanced, with extensive details, so that their creators can charge for them.
A forum member selling his knowledge
A forum member selling his knowledge
  • Knowledge sharing — Sometimes, people share their knowledge without any ulterior motive. This is usually done in a closed section of a forum and only with prime members or a group of friends. In this case, the knowledge shared varies according to the group and can be state-of-the-art or very simple.

Conclusions

In a society based heavily on information, we cannot escape the frequently rehashed concept that “knowledge is power.” As the technology world continues to evolve and the hacker community along with it, the need for “how to” knowledge is growing. Tutorials provide beginners with an effective gateway into the world of hacking and expose advanced users to new methods of operation. For us, the observers, they provide a small glimpse into developing trends, attack methods, methods of assessing hacker knowledge, and much more.