Massive Cyber Attack Causing Chaos as World Still Recovers from WannaCry

In the past few hours, multiple reports were published about a mass-scale cyber-attack taking place in Ukraine. The attack hit multiple government resources, as well as corporate, financial and critical infrastructure systems (Kyiv subway and airport, electricity and oil companies, etc). Continue reading “Massive Cyber Attack Causing Chaos as World Still Recovers from WannaCry”

#OpIcarus Cyber Campaign – Round 5

Hacktivists recently launched the fifth phase of the #OpIcarus cyber campaign (also dubbed #OpSacred) against the financial sector around the world. This campaign was first launched in February 2016, and as in previous phases, the official target list contains mainly websites of central banks around the world. In addition, the initiators share links to download known DDoS tools, such as Continue reading “#OpIcarus Cyber Campaign – Round 5”

Shadow Brokers’ Massive Leak Spreads Quickly Across the Dark Web

Since April 14th, when the Shadow Brokers leaked a new batch of files allegedly affiliated with Equation Group – an APT threat actor suspected of being tied to the NSA – Darknet forum members have been sharing the leaked attack tools and zero-day exploits among themselves. Continue reading “Shadow Brokers’ Massive Leak Spreads Quickly Across the Dark Web”

Updates about the Upcoming #OpIsrael Campaign

The number of participants in the event pages of the #OpIsrael campaign, as of the first week of April 2017, is approximately 600 Facebook users – a very low number of supporters compared to the same period in previous campaigns. In general, the response on social networks to the #OpIsrael campaign over the years since 2013 is constantly declining. Continue reading “Updates about the Upcoming #OpIsrael Campaign”

Initial Preparations for #OpIsrael 2017

During the past week, we detected indications for initial preparations for the upcoming #OpIsrael campaign scheduled for April 7, 2017. SenseCy identified several event pages on Facebook that were opened explicitly to organize cyber-attacks. The number of participants in all the event pages that we found is relatively low (approximately 160 Facebook users). Continue reading “Initial Preparations for #OpIsrael 2017”

The Life Cycle of a Data Breach

2016 has witnessed an exponential growth in data breach incidents. These incidents led to the compromise of various user details, including email addresses, passwords, usernames, full names, phone numbers and much more. These login credentials, which in many cases were reused on multiple platforms and services, were stolen from social network websites, such as LinkedIn, Tumblr, VK, gaming platforms, adult content websites, and Continue reading “The Life Cycle of a Data Breach”

The Shade (Troldesh) Ransomware: One More Soldier in the Army of Encryption Miscreants

Written by Mickael S. and Tanya K.

Last week, SenseCy analysts happened upon a new sample of Shade ransomware, also known as Troldesh, which uses a no_more_ransom extension for encrypted files. This ransomware is far from famous, lacking the glorious Continue reading “The Shade (Troldesh) Ransomware: One More Soldier in the Army of Encryption Miscreants”

Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)

While monitoring closed platforms that propagate an Islamic State agenda, we detected an initial interest in hacking lessons, focusing on spam and phishing methods. Many discussions in the technical sections of closed platforms affiliated with the Islamic State deal with the implementation of Continue reading “Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)”

Office 365 Administrator Accounts Traded on the Darknet

In early September 2016, a new advertisement appeared on various Darknet platforms, promoting a new hidden service. The service, dubbed Open Hacking Lab (OHL), offers three categories of products: hacking tools and resources, hacked credentials and services. While numerous hidden services on the Darknet sell hacked credentials, this is the first time we have observed the sale of administrator credentials for Office 365 accounts.

hacking-lab
Screenshot of the Open Hacking Lab platform

Microsoft Office 365 is a software package that includes cloud services, sold to corporates and private customers. The organizational package includes email, storage, social network, SharePoint and other services provided via cloud. Acquiring administrator’s access to organization that use Office 365 will provide a potential attacker with access to sensitive organizational information and may even lead to the threat actor gaining full control over the organization network.

Currently, 12 accounts are being offered for sale, with prices ranging from $15 for a logistics company account to $100 for a law firm. For each company, the seller provides a short description of the company, its country of origin, and which data the buyer will gain access to. Eight of these companies are based in the U.S., two in Europe and two in Canada.

office-365-darknet
Office 365 accounts for sale on a Darknet platform

The operator of the hidden service is a well-known actor in several communities on the Darknet; he is considered credible and he possesses high technical skills. The hidden service owner also runs a Twitter account dedicated to the service, where he updates about the platform and its products.

Cyber Intelligence From the Deep Web – An Interview with SenseCy CEO Gadi Aviran

Below is a shortened version of an interview with SenseCy CEO, Gadi Aviran. The full interview is available in vpnMentor Blog.

Gadi Aviran is a man of many talents. Formerly the head of the technical intelligence analysis desk at the IDF (Israeli Defense force), Aviran has been involved in technical terror intelligence analysis for over a decade, serving as one of Israel’s leading authorities in the field of Explosive Ordnance Disposal (EOD) and in Disposal of Improvised Explosive Devices (IEDs). Since his retirement from the military, Aviran has founded a number of companies that all deal with different aspects of OSINT/WEBINT intelligence, including SenseCy, where he currently serves as CEO. In this rare interview he talks about cyber intelligent from the detective’s perspective, and explains why successful cyber intelligence can never be done by machines only.

vpnMentor: Please tell us about your personal background and the companies you’re involved in.

Lets not start in the middle ages, we’ll start when I got out of the military and founded a company which ended up being Terrogence in 2004. Terrogence took it upon itself to look for intelligence in the open web, but use a different methodology than what most of the companies out there are doing. Normally, a company would set up crawlers to collect all the data they can, and then look through the data to find those pieces of information that are important for them, but like a needle in the hay, it’s a long and insufficient process.

At Terrogence, we decided to answer questions instead, meaning, we ask our clients what kind of information are they interested in, and use assumed identities or ‘virtual humant’ in order to penetrate and infiltrate closed areas within the web to find the answers.

As time went by, we developed our own technology, which supports us very much in doing what we do. We incorporated a new technological company called “Webintpro”, which provides software solutions for intelligence gathering, while Terrogence remained a service provider.

About 5 years ago we started receiving requests from customers, asking about threats in the cyber domain, and that’s when we started dealing with cyber security. We changed our name to SenseCy about 2 years ago due to market responses to the word ‘Terrogence’, bearing in mind that the market is mainly civilian.

vpnMentor: So what can you tell about the work of SenseCy?

SenseCy is an interesting creature. It’s very focused on the customers, providing them insights from dark and distant parts of the web. In order to do that we look into their DNA and see who’s talking about them, who’s selling their information, who’s interested in their domain, their software and their personal activities, and that gives us a very unique perspective.  There are only about 5-10 companies in the world that actually do what we do, so it’s a very interesting and very challenging business to be in.

We have been operating in the cyber domain for the past 5 years, offering very unique capabilities which attract the attention of potential customers and partners. We represent a very narrow and interesting niche in the cyber protection arena. As you know the industry had gone through a whole set of changes, but at the end of the day the answers are not sufficient; what people are interested in is not how dangerous the web is as a whole, but what are the dangers FOR THEM?

For example, if someone is interested in buying emails of your c-level personnel, or shows specific interest in your company in order to obtain information or funds from and about the company, it’s a dangerous situation for everyone involved. This is what we call a personalized threat, and if you were a target, you’d definitely want to know about it.

vpnMentor: What type of clients do you work with and what types of threats are they facing?

Our customers come from different walks of life. We have of course clients from the finance, health and insurance industries which are constantly threatened by cyber activities, but it’s a changing landscape. Finance used to be the hottest thing and get the most threats, but now we can see that the health industry is becoming a much greater target, because they have information that’s worth a lot of money.

Hackers who do it for money will find whoever’s willing to pay, and exploit them in every way they can. In some cases they may sell the information to many people, or ask their victim to pay a ransom for receiving their data back. As you probably know, ransomware is a huge business these days.

vpnMentor: Surely, money isn’t the only motive for attackers of such scale.

That’s right. Bear in mind though that the world of cyber is segmented into 3 general types of threats. I’ve already mentioned the money-driven hackers. There are also of course state sponsored threats, where we have very little visibility over what is going on. There are exceptions, for instance, in places like Iran, where state and private activities are often mixed up, but generally speaking, we do not investigate or report about state abilities because states normally don’t operate on the web, they do it in a much more private way.

The third type of threat is hacktivism, where each player has his own sources and in some cases his own malware or tools. In their eyes, they do it for “justice”.

Take Anonymous for instance, who attacked Japanese companies and government institutions, including those of Prime Minister Shinzo Abe, the Ministry of Finance, the Financial Services Agency and Nissan Motors, because they endanger dolphins and whales. It used to be that the hacktivists were relatively low key. Their technology wasn’t very advanced and relied mainly on DDOS capability, but that is completely changed now. The tools that are now being used for hacktivism campaigns are the most advanced tools that we are finding, but they are not tools that are made to make money, they are tools made to destruct.

vpnMentor: What is the difference between your work and the work of a professional hacker?

The 2 companies that came out of Terrogence only deal with open source intelligence (OSINT). A source can be a news article in the New York Times, or an Arabic newspaper, which is published online but is only available to people who understand Arabic.

The information can hide behind various doors of privacy but at the end of the day it’s all in the public domain. We don’t hack into sources of information, we don’t use backdoors into them, and we are very overt about what we do.

In addition to our business clients, we’ve also been working for many governments, meaning that what we do is legal. We are very careful not to cross the legality lines, so whenever we’re asked to do something, we look into it, and if a task’s legality is uncertain, we will not follow it through. To sum things up, we are not hackers and we’re not hacker-wanabees: We’re a business. We’ve been doing it for quite a long time and we do it well.

vpnMentor: I suppose as an intelligence provider you’d prefer to remain under the radar.

Yes our work is very tailored, we work for customers that have a name and that name is something we hold very closely. We share some of it in our blog and give lectures here and there, but generally we go into the light very little. We don’t participate in trade conferences and things like that, and it’s not where we find our customers- the customers normally come to us. The fact that I’m talking to you is not something that we normally do.

At the end of the day, it’s an industry of essence. You are not judged by how much PR you have, but by the intelligence that you provide to the customer.