#OpIcarus – a War against the Global Financial Sector

During May 2016, we witnessed the second phase of the #OpIcarus cyber campaign against banks around the world, launched by the Anonymous collective in February 2016. The participants carried out DDoS attacks against bank websites in various countries on a daily basis. Several cyber-attacks succeeded in shutting down the websites of central banks in Greece, Cyprus and other countries.

Platforms

The initiators created two Facebook event pages and opened an IRC channel to coordinate their cyber-attacks. Approximately 2,000 participants joined the #OpIcarus event pages, but many more hacktivists expressed their support of this campaign via their social media accounts. With regard to the dedicated IRC channel, it appears not to have been as active as the campaign platforms in Facebook and Twitter.

From the #OpIcarus IRC Channel

Attacks and Tools

According to news reports, #OpIcarus participants shut down bank websites around the world on a daily basis. We cannot confirm that all of the mentioned banks websites were actually offline, due to the participant DDoS attacks, but we wish to point out several incidents that caught our attention.

A member of the Ghost Squad Hackers group dubbed s1ege took responsibly for shutting down the email server of the Bank of England. The bank did respond to this attack, but according to news reports, the bank’s mail server was offline on May 13, 2016.

Member of Ghost Squad Hackers claimed they shut down the mail server of the Bank of England
Member of Ghost Squad Hackers claimed they shut down the mail server of the Bank of England

In addition, according to a single news report shared on various Facebook accounts, Chase Bank ATMs stopped working on May 14, 2016, as a result of the Anonymous collective cyber activity. The Twitter account of Chase Bank’s technical support tweeted that their ATMs did not accept any deposits on this day, but they did not mention what had caused the problem. Meanwhile, the Ghost Squad Hackers group tweeted that the incident was part of the #OpIcarus campaign.

Chase Bank's technical support tweeted about a problem with their ATMs
Chase Bank’s technical support tweeted about a problem with their ATMs
Ghost Squad Hackers claim that Chase ATMs were hacked during #OpIcarus
Ghost Squad Hackers claimed that Chase ATMs were hacked during #OpIcarus

Additionally, s1ege claimed on May 18, 2016, that they had shut down a website related to the NYSE. The NYSE Twitter account tweeted that they had experienced a technical issue in one of their trading units. They did not mention what had caused the problem. Therefore, it is unclear if there is any connection to the Ghost Squad Hackers group, aside from the latter’s claim of responsibility.

A member of Ghost Squad Hackers claimed they hacked a website related to the NYSE
The NYSE announced that they had a technical issue that affected their daily activity
The NYSE announced that they had a technical issue that affected their daily activity

With regard to the attack tools, the participants used a variety of DDoS, some of which were simple online tools with no sophisticated DDoS abilities. However, there were indications that they used DDoS-as-a-Service (DaaS) platforms, such as Booters/Stressers that require payment and registration. In addition, the New World Hackers (NWH) team that took responsibility for shutting down the HSBC Bank website on January 29, 2016, supported the #OpIcarus campaign.

A call to use Booters on an #OpIcarus event page
A call to use Booters on an #OpIcarus event page

This campaign gained high popularity among hacktivists from all over the world who were motivated to DDoS bank websites protesting corruption and other issues. It is possible that the initiators will decide to engage an additional phase of this campaign, since one of them claimed in an interview that “Operation Icarus will continue as long as there are corrupt and greedy banks out there.”

Recent Trends from the Russian Underground

Being a successful hacker can be a very demanding profession. Maybe the most important trait required for this job is being innovative and keeping updated of recent trends. Just like in physical fitness – a couple of weeks away from of the gym, and you feel left out of the loop – such is the case with hacking. You take sick leave from the cybercrime scene for a brief period of time and when you return, you feel like a lot has changed. This scene is very dynamic: new threats and vulnerabilities are constantly being discovered and then patches and security updates released; new Trojans are sold on the underground and then the source code is leaked, rendering them of no interest anymore. Something is always going on.

This time, we want to draw your attention to recent trends identified on the Russian underground, from leading forums and other web-platforms.

Untitled

A Wider Variety of Crypt (Obfuscation) Services for sale on Trading Platforms

We have observed a sharp increase in threads offering crypt services for malware files lately. In the last month alone, we traced at least 20 active threads advertising crypt services for .exe or .dll files on different forums. There is a wide assortment and the prices are competitive. You can choose between a one-time service for $15 – $50 per file or a monthly subscription for a service starting at $150 for a new vendor and $500 for a well-known, time-honored service.

The main purpose of the crypt is to bypass AV, firewalls, browsers and malware detection, etc. and it is valid for 24-72 hours on average. Increased offerings of this service indicate a growing demand, which may be motivated by two main reasons: increased volume of activity linked to botnets and difficulty in bypassing security mechanisms that are becoming more sophisticated. Actually, we think it is a combination of the two – more and more cyber criminals are attracted to easy profits from running a botnet, while security firms try to fight back and refine their defense mechanisms. The crypt services happened to be in the right place at the right time to rake in the money.

More Malware Using Tor Browser

In recent months, new Tor-based malware has appeared on underground trading platforms. The newest is a TOR Android bot named “Slempo” and a TorLocker Ransomware (the first one rented for $500 per month after a connection cost of $1000 and the second one is sold for $200). Before that, we saw Atrax HTTP Tor Bot, whose admin panel is located on a TOR browser.

Using Tor hidden services provides anonymity to the botnet operator, as it is almost impossible to reveal the identities of TOR users. The disadvantage of this method is the large size of the malware files and the significant resources needed to manage such a botnet, owing to the integration of TOR.

As we see it, this may turn out to be quite an alarming trend, making the detection of botnets and their initiators that much more difficult.

Greater Focus Granted to Firmware Attacks

As previously mentioned, cyber-criminals wage a constant battle against evolving defense mechanisms. While more and more obstacles are placed in the path of the hacker seeking to access your PC, his path to firmware devices such as ATM and POS remains almost clear. The operating system of these devices is usually the common Windows XP, and due to their physical aspects (the possibility of inserting physical malware into an ATM, for instance), it is much harder to protect them.

Hackers have also discovered this vector – we were recently privy to numerous discussions about ways to attack ATMs, as well as an increasing number of POS malware for sale and download.

In our opinion, we may be witnessing a gradual shift in the main targets of cyber-criminals – from the personal PC to large-scale devices of organizations. Recent attacks executed via POS devices on Target, Neiman Marcus and other retailers merely corroborate this claim.

SenseCy is coming to town! Come meet us at the RSA USA 2014 conference, February 24-28, in San Francisco.