How Hackers Use Social Media Networks to Put Your Organization at Risk

SenseCy’s teams monitor underground and password-protected forums and communities in many languages – Russian, Arabic, Persian, Chinese, Portuguese, English, and more. By gaining access to the Deep Web and Darknet, we identify suspicious activity and new hacker tools and enable our clients to mitigate or eliminate cyber threats.

Hacker communities on social networks continue to evolve. More and more communities are creating Twitter accounts as well as pages and groups in popular social networks such as Facebook and VKontakte (a Russian social network) to share information, tools, and experience.

In the past, hackers came together on social networks to hold operational discussions, share targets, and join forces for DDoS attacks, but less to upload or download hacking tools. Since this is changing, we are now monitoring hacking tools offered for download on Twitter, Facebook, and VKontakte.

Source code published on Twitter
Source code published on Twitter

These hacker communities can be classified into three main categories:

  1. Open public groups and accounts that make common, well-known tools available.

    Open Facebook group of well-known Arab hackers
    Open Facebook group of well-known Arab hackers
  2. Closed, secret groups sharing rare or sector-related tools or programs in a specific language.

    Secret Facebook group from Southeast Asia
    Secret Facebook group from Southeast Asia
  3. Groups sharing or even selling self-developed tools.
    Facebook post in closed Asian hacker group
    Facebook post in closed Asian hacker group

    A prominent example is the self-developed DDoS tool created by hacker group AnonGhost for the #OpIsrael cyber campaign, which is expected to take place on April 7, 2015. This tool uses three flooding methods, TCP, UDP, and HTTP and can operate through a proxy if needed. AnonGhost posted its new tool on its official Facebook page with a link to a tutorial on YouTube, and soon it was widely distributed among hacktivists through social media.

    From AnonGhost's official Facebook Page
    From AnonGhost’s official Facebook Page

    We regularly monitor trends and developments in social networks, since they are becoming the preferred platform for groups of hackers to share and improve attack tools. SenseCy also takes part in these communities, which gives us the edge in preventing attacks in real time. We continue to track new trends and developments to detect cyber threats for our clients.

SenseCy 2014 Annual Cyber Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

Executive Summary

Clearly, 2014 was an important year in the cyber arena. The technical level of the attacks, the variety of tools and methods used and the destructive results achieved have proven, yet again, that cyber is a cross-border tool that is rapidly gaining momentum.

This year, we witnessed attacks on key vectors: cyber criminals setting their sights on targets in the private sector, hacktivists using cyber tools for their ideological struggles, state-sponsored campaigns to facilitate spying on high-profile targets, and cyber conflicts between countries.

The following is an excerpt from an annual report prepared by our Cyber Intelligence analysts. To receive a copy, please send a request to: info@sensecy.com

Insights

Below are several of our insights regarding cyber activity this past year:

  • The financial sector was and continues to be a key target for cyber criminals, with most of the corporations hacked this year in the U.S. being attacked through infection of Point-of-Sale (POS) systems. Despite the high level of awareness as to the vulnerability of these systems following the Target breach at the end of 2013, ever more organizations are continuing to fall victim to these types of attacks, as the cybercrime community develops and sells dedicated tools for these systems.
  • In 2014, we saw another step up in the use of cyber as a cross-border weapon, the use of which can be highly destructive. This was evidenced in the attack on JPMorgan, which according to reports was a response to sanctions imposed by the U.S. on Russia. The ensuing Sony breach and threats to peoples’ lives should the movie The Interview be screened exacerbated the state of asymmetrical war in cyber space, where on the one hand, we see countries attacking companies, and on the other, groups of hackers attacking countries. This trend becomes even more concerning following the reports of the deaths of three workers at a nuclear reactor in South Korea, after it became the target of a targeted cyber-attack, evidently by North Korean entities.
  • This past year was rife with campaigns by anti-Israel hacktivist campaigns, whose motivation for attacking Israel’s cyber networks was especially strong. Again, it was clearly demonstrated that the relationship between physical and virtual space is particularly strong, when alongside Operation Protective Edge (July-August 2014), we witnessed a targeted cyber campaign by hacktivist organizations from throughout the Muslim world (but not only) and by cyber terror groups, which in some cases were able to score significant successes. We believe that in 2015, attacks by hacktivist groups will become higher quality (DDoS attacks at high bandwidth, for example) and the use of vectors, which to date have been less common, such as attacks against mobile devices, will become increasingly frequent.
  • Involvement of the internal factor in cyber-attacks: According to some speculations published recently in the global media regarding the massive Sony breach, former company employees  may have abused their positions and status to steal confidential information and try to harm the organization. This underscores the importance of information security and internal compartmentalization in organizations with databases containing sensitive information.

The Past Year on the Russian Underground

In 2014, we saw active underground trading of malware and exploits, with some of them being used in attacks inside and outside Russia that gained widespread media coverage in sources dealing with information security.

The following is a list of categories of malware and the main services offered for sale in 2014 on the Russian-speaking underground forums. Note that in this analysis, we only included important tools that were well-received by the buyers, which indicates their reliability and level of professionalism. Additionally, only tools that were sold for over a month were included. Let us also note that the analysis does not include special PoS firmware, but only programs designed to facilitate remote information theft through takeover of the terminal.

Malware_Russian Underground

Prices

The average price of a tool offered for sale in 2014 was $1,500. Since 2013, the average price has increased by $500. The following graph lists the average price in each of the categories outlined above (in USD):

Average_Price_by_Category

Key Trends Observed on the Russian Underground this Past Year

Trojan Horses for the Financial Sector

Malware designed to target financial institutions is a highly sought-after product on the Russian underground, and this past year we observed the development of malware based on Kronos source code – Zeus, Chthonic (called Udacha by the seller) and Dyre malware. Additionally, the sale of tools designed to sell login details for banking sites via mobile devices were also observed.

In this context, it should be noted that the modular structure of many types of financial malware allows flexibility by both the seller and the buyer. Most financial malware is sold in this format – meaning, various modules responsible for the malware’s activity can be purchased separately: Formgrabber module, Web-Injections module and more.

MitM Attacks

This type of attack vector, known to cyber criminals as Web injections, is most common as a module in Trojan horses for the financial sector. Members of many forums offer their services as injection writers, referring to creation of malware designed to be integrated into a specific banking Trojan horse (generally based on Zeus), tailored to the specific bank, which imitates the design of its windows, etc. In 2014, we saw this field prosper, with at least seven similar services offered on the various forums.

Ransomware

This year we witnessed a not insignificant amount of ransomware for sale on Russian-speaking forums. It would appear that the forums see a strong potential for profit through this attack vector and therefore invest in the development of ransomware. Furthermore, note that some of the ransomware uses the Tor network to better conceal the command and control servers. Since CryptoLocker was discovered in September 2013, we have seen numerous attempts at developing similar malware both for PCs and laptops.

Additional trends and insights are detailed in the full report.

#OpSaveGaza – Interim Summary

Written by Yotam Gutman

When the cannons roar, the muses stay silent (but the hacktivists hack).

As we reported last week, operation “Protective Edge” instigated a flurry of activity by Muslim hacktivists, targeting Israel. In the following post we will review the activities which took place so far and try to characterize them.

Attacker Types

Attackers can by divided into three types: individuals, hacktivist groups and cyber terror organizations. Individuals usually join larger campaigns by hacktivists groups and show their support on social media sites.

Hacktivist groups taking a stance make extensive use of Facebook as a “command and control” platform. The largest “event” dubbed #OpSaveGaza was created by Moxer Cyber Team, a relatively new group who probably originated from Indonesia whose event page has 19,000 followers.

Moxer Cyber Team event page
Moxer Cyber Team event page

The event included many lesser known Islamic groups, mainly from Indonesia, who did not participate in previous campaigns against Israel. Another event page by the Tunisian AnonGhost announced that the attack will include 38 groups from around the Muslim world. The campaign is planned to continue until the 14th of July.

Cyber terror organization in the form of the SEA (Syrian Electronic Army and ICR (Islamic Cyber Resistance) have not officially declared their participation in the campaign but have waged several high profile attacks, such as hacking into the IDF spokesman blog and Twitter account (SEA) and leaking a large database of job seekers (ICR).

Attacker Tools

The participants in this campaign use similar tools as previous campaigns – Generic DDoS tools, SQLi tools, shells and IP anonymization tools.

Results (Interim Summary)

#OpSaveGaza campaign included to date mainly defacement attacks (about 500 sites have been defaced), DDoS attacks of minor scale and some data dumps. Two interesting trend we’re seeing are recycling older data dumps and claiming it to be a new one, and posting publicly available information which was allegedly breached.

Summary

We estimate that these activities will continue until the hostilities on the ground subside, with perhaps more substantial denial of service or data leak attempts.

Chinese Hackers Leverage World-Cup Buzz

On May 14th we brought you a report regarding hacktivists threatening to wage cyber attacks against the Brazilian government and FIFA. This time, we are publishing yet another World-Cup-related post, but from a slightly different angle.

China, the world’s most populous country, is also the world’s leader in terms of number of cellphone users. The smartphone revolution did not skip China, and oh boy did it make an impact! Chinese people love their phones. No, Chinese people are obsessed with their phones might be a more precise choice of words.

As you probably know, Chinese cities are not small (quite an understatement!), and commute time has to be killed somehow. That’s why riding the subway in China, except for being overwhelmingly crowded at times, is also just the perfect timing for many passengers to indulge in intensive game-playing! While some prefer to fiercely ride a digital motorcycle, shoot intruding aliens, or grow vegetables in a farm, others have a liking for sports games, perhaps as a compensation for rotting in front of a computer desk all-day-long. The latter will inevitably come across a bundle of World-Cup related game apps available on all application markets.

Image

World-Cup is a buzz-word, no doubt about it, and as such, it attracts not only the gamers’ attention, but the hackers’ as well, and the Chinese hackers know their onions, all right. They leverage the buzz and try to con unwary mobile users into downloading and installing infected apps. The hackers use the “repacking” method – they download a legit and innocent game app, plant a malicious code within it, and upload it once again to the app market, or to a forum. The compromised app looks just the same – it has the same icon, its name is almost identical, and the user has virtually no way of noticing any abnormality after having it installed.

Actually, this is not the first time we see this method being practiced – Chinese hackers use just the same mischief whenever a national holiday is being celebrated, a major event (be it national or international) takes place, or just when some application garners a lot of popularity.

There is a famous story in China about a farmer in the Spring and Autumn Period (approx. 771 to 476 BC) who was working in the fields, when a rabbit was running by and suddenly dashed into a tree stump. The joyful farmer brought the dead rabbit home and cooked it for dinner exclaiming that there is no need for him to work any longer, as he can simply sit by that stump and wait for more rabbits to knock dead into it. This story gave birth to the idiom 守株待兔(literally “to watch the stump and wait for rabbits”) meaning “to trust chance and luck rather than go working”. The Chinese hackers who use this “repacking” method are just modern lazy farmers, patiently awaiting unlucky mobile-users to fall prey to their hands.

Even though this post is China-focused, it is important for you to bear in mind that this “repacking” method can be easily implemented anywhere. We urge you to download applications only from official sites and app-markets, and to install an antivirus on your mobile device.

Don’t be a rabbit!

And with all that being said, we wish safe-gaming to all World-Cup enthusiasts, and good luck to all participating countries!

The “Week of Horror” Cyber Campaign

Written by Hila Marudi

The Tunisian Hackers Team has threatened to hack the U.S. financial sector during the “Week of Horror” campaign, scheduled to begin on July 5, 2014.

Week_of_Horror_Campaign

The group published an official target list and attack schedule. According to the timetable, every day during this week, another U.S. bank will be attacked by DDoS for an eight hour period.

Bank Website Date Time
Whitney Bank http://www.whitneybank.com July 5, 2014 13:00 GMT
Union Bank http://www.unionbank.com July 6, 2014 13:00 GMT
Zions Bank http://www.zionsbank.com July 7, 2014 13:00 GMT
New York Community Bank http://www.mynycb.com July 8, 2014 13:00 GMT
TCF Bank http://www.tcfbank.com July 9, 2014 13:00 GMT
Prosperity Bank http://www.prosperitybankusa.com July 10, 2014 13:00 GMT
Banner Bank http://www.bannerbank.com July 11, 2014 13:00 GMT

The group demands that the U.S. withdraw its soldiers from Islamic countries, or they will attack U.S. targets, such as airport computers. The group also demanded that the U.S. respond via the group’s Twitter account, @xhckerTN.

Press release by the group
Press release by the group