The Healthcare Sector is Targeted by Cybercriminals More than Ever

The healthcare sector has recently become a desirable target for cyber crooks. According to Symantec ISTR report statistics, healthcare was the most breached sub-sector in 2015, comprising almost 40% of all the attacks. Hospital security systems are generally less secure than those of financial organizations, as monetary theft has always been perceived as the greatest threat for organizations, and dangers to other sectors were usually underestimated. Moreover, awareness of cyber-attacks against hospitals and medical centers is much lower than it is to financial cybercrime, and as a result, the employees are less well-trained on how to avoid falling victim to a cyber-attack.

Top 10 Sub-Sectors Breached by Number of Incidents According to Symantec ISTR report

Only recently has this perception begun to be challenged, revealing the potential damage that can be caused by the theft and leakage of patient data. However, the ‘bad guys’ remain one step ahead, and during the last few months we have witnessed a spate of attacks targeting the healthcare industry: ransomware attacks encrypting essential data and demanding payment of a ransom, numerous data leakages revealing confidential patient data, unauthorized access to medical networks and even the hacking of medical devices, such as pumps and X-ray equipment.

Moreover, the healthcare sector is being targeted by hackers not only directly, but also via third-party companies in the supply chain, such as equipment and drug suppliers. These companies usually store some confidential data that originates in the hospitals’ databases and may even have access to the hospital IT systems, but they are far less secure than the hospitals themselves. Thus, they serve as a preferable infiltration point for malicious actors pursuing the theft of medical data and attempting to infiltrate the hospitals’ networks.

The consequences of attacks on the healthcare industry may be extensive, including the impairment of a medical center’s functioning, which in the worst case may endanger human lives. In other cases, personal data will be stolen and sold on underground markets. Cybercriminals will take advantage of these personal details for identity theft or for future cyber-attacks that combine social engineering with the stolen details.

While monitoring closed Deep Web and Darknet sources, SenseCy analysts recently noticed a growing interest in the healthcare sector among cyber criminals. Databases of medical institutions are traded on illicit marketplaces and closed forums, along with access to their servers. In the last few months alone, we came across several occurrences indicating extensive trade in medical records and in access to the servers where this data is stored.

The first case, in May 2016, was RDP access to a large clinic group with several branches in the central U.S., offered for sale on a closed Darknet forum. For a payment of $50,000 in Bitcoin, the buyer would receive access to the compromised workstation and to 3 GB of data stored on four hard disks. Additionally, the workstation provides access to an aggregated electronic health record (EHR) system for managing medical records, where data regarding patients, suppliers, payments and more can be exploited.

Although the seller did not mention the origin of the credentials he was selling, he claimed that local administrator privileges could be obtained on the compromised system. He also specified that 45 users from the medical personnel were logged into the system from the workstation he hacked.

The relatively high price for this offer indicates the high demand for medical information. With RDP access, the potential attackers can perform any action on the compromised workstation: install malware, encrypt the files or erase them, infect other machines in the network and access any data stored in the network. The consequences can be tremendous.

An excerpt of the sale thread posted on a Darknet forum

Screenshot allegedly taken on the hacked workstation

Just a few weeks later, in June 2016, our analysts detected another cyber incident related to healthcare. This time, three databases allegedly stolen via RDP access to a medical organization were offered for sale for more than $500,000 on a dedicated Darknet marketplace. In one of his posts, the seller claimed that one of the databases belongs to a large American health insurer.

One of the sales posts on a Darknet marketplace

Screenshot posted by the seller as proof of hacking into a medical organization

Before long, we again discovered evidence of hacking into a medical-related organization, this time by Russian-speaking hackers. On one of the forums we monitor, a member tried to sell SSH access to the server of an American company supplying equipment to 130 medical centers in the U.S. He uploaded screenshots proving that he had accessed the server where personal data of patients is stored.

The conclusions following these findings are concerning. Extensive trade in medical information and in compromised workstations and servers is a common sight on underground markets. This business generates hundreds of thousands, if not millions, of dollars annually, ensuring its continuation as long as it remains so profitable for those involved. Since the ramifications can be grave, the healthcare sector must take all necessary measures to protect its systems and data:

  1. Implement a strong password policy, because many hacks are the result of brute-force attacks. Strong passwords and two-factor authentication for logging into organizational systems should be the number one rule for medical organizations.
  2. Deploy suitable security systems.
  3. Instruct the employees to follow cyber security rules – choosing strong and unique passwords, spotting phishing email messages, avoiding clicking on links and downloading files from unknown sources, etc. Consider periodic training for employees on these issues to maintain high awareness and compliance with the rules.
  4. Use Cyber Threat Intelligence (CTI) to keep abreast of the most prominent current threats to your organization and industry.
  5. Keep all software updated.

Handling a Ransomware Attack

A recent wave of ransomware attacks has hit countries around the world, with a large number of infections reported in the United States, the United Kingdom, Germany and Israel. It appears that the attackers have no specific target, since the attacks have struck hospitals, financial institutions and private institutions, indicating that no specific industry has been targeted.

In Israel, two types of ransomware were identified in the most recent attacks: the familiar TeslaCrypt and the new ransomware, Locky.

The Evolution of Ransomware

The heavy use of ransomware by cybercriminals, and their success with it, has led to the development of new ransomware and the constant upgrading of known families. During the past several months, researchers have reported ransomware that is capable of encrypting files without an Internet connection, i.e., it does not communicate with its C&C servers during the encryption process.

New ransomware tools that were reported are Locky ransomware, whose modus operandi resembles the Dridex banking Trojan, and a new version of CTB-Locker that attacks web servers.

Additionally, RaaS (Ransomware-as-a-Service) offers are becoming popular on closed Deep Web and Darknet forums. These services allow potential attackers to easily create ransomware stubs, paying with a share of the profits from future successful infections. Recently, we identified a new RaaS dubbed Cerber ransomware, which is offered on a Russian underground forum. Before that, ORX-Locker was offered as a service via a platform hosted on an .onion server.

The ransom message presented by the Cerber ransomware

Ransomware Distribution

The majority of ransomware distribution vectors involve some kind of social engineering trap, for example, email messages with malicious Office attachments, spam messages with malicious links, or malvertising campaigns exploiting vulnerable WordPress or Joomla websites with embedded malicious code. Distribution also takes advantage of macros and exploit kits, such as Nuclear or Angler. Sometimes browser vulnerabilities are exploited, as are stolen digital certificates.

In November 2015, attempts to deliver ransomware to Israeli clients were identified. In this case, the attackers spoofed a corporate email address and tried to make recipients believe the email was sent from a company worker.

RaaS offered on a Darknet forum

Handling a Ransomware Attack

Please find below our suggestions for recommended action to avoid ransomware attacks on an organization, and how to deal with an attack after infection:

Defend Your Organization from Potential Threats

  • Train your employees – since humans are the weakest link in organizational cybersecurity and the majority of cases involve social engineering against one of the employees, periodic employee briefings are extremely important. Specify the rules for using the company systems, and describe what phishing messages look like.
  • Raise awareness regarding accepting files that arrive via email messages – instruct your employees not to open suspicious files or files sent from unfamiliar senders. Consider implementing an organizational policy addressing such files. We recommend blocking or isolating files with the following extensions: js (JavaScript), jar (Java), bat (Batch file), exe (executable file), cpl (Control Panel), scr (Screensaver), com (COM file) and pif (Program Information file).
  • Disable macros in Office files sent via email – in recent months, many ransomware attacks employing this vector were reported. Usually, macros are disabled by default and we do not recommend enabling them. In addition, we suggest using Office Viewer software to open Word and Excel files.
  • Limit user privileges and constantly monitor the workstations – careful management of user privileges and limiting administrator privileges may help prevent the spread of ransomware across the organizational network. Moreover, monitoring activity on workstations will help in detecting any infection early and blocking it from propagating to other systems and network resources.
  • Create rules that block programs from executing from AppData/LocalAppData folders. Many variants of the analyzed ransomware are executed from these directories, including CryptoLocker. Therefore, the creation of such rules may reduce the encryption risk significantly.
  • Install a Russian keyboard – while monitoring closed Russian forums where several ransomware families originated, we discovered that many of them will check if the infected computer is located in a post-Soviet country. Usually, this check is performed by detecting which keyboard layout is installed on the machine. If a Russian (or other post-Soviet language) keyboard layout is detected, the ransomware will not initiate the encryption process.
  • Keep your systems updated – in many cases, hackers take advantage of outdated systems to infiltrate the network. Therefore, frequently updating organizational systems and applying published security patches will significantly reduce the chances of infection.
  • Use third-party dedicated software to deal with the threat – many programs aimed at addressing specific ransomware threats are constantly being released. One is Windows AppLocker, which is included in the OS and assists in dealing with malware. We recommend contacting the organizational security vendor and considering the offered solutions.
  • Implement technical indicators and YARA rules in the organization’s security systems. We provide our clients with intelligence items accompanied by technical indicators. Additionally, a dedicated repository that includes ransomware indicators was launched.

A closed forum member looks to blackmail companies using ransomware

What if I am Already Infected?

  • Restore your files – some ransomware tools create a copy of the file, encrypt it and then erase the original file. If the deletion is performed via the OS erase feature, there is a chance to restore the files, since in the majority of cases the OS does not immediately overwrite deleted files.
  • Decryption of the encrypted files – the decryption will be possible if you were infected by one of these three ransomware types: Bitcryptor, CoinVault or Linux.Encoder.1. Therefore, detecting the exact kind of ransomware that attacked the PC is crucial.
  • Back up files on a separate storage device regularly – the best practice for avoiding damage from a ransomware attack is to back up all your important files on storage disconnected from the organizational network, since some ransomware variants are capable of encrypting files stored on connected devices. For example, researchers recently reported ransomware that encrypted files stored in a cloud sync folder.
  • If ransomware is detected in the organization, immediately disconnect the infected machine from the network. Do not try to remove the malware or to reboot the system before identifying the ransomware. In some cases, performing one of these actions will make the decryption impossible, even after paying the ransom.

ORX-Locker – A Darknet Ransomware That Even Your Grandmother Can Use

Written by Ran L. and Mickael S.

The bar for becoming a cyber-criminal has never been so low. Whether buying off-the-shelf malware or writing your own, with a small investment, anyone can make a profit. Now it seems that the bar has been lowered even further with the creation of a new Darknet site that offers Ransomware-as-a-Service (RaaS), titled ORX-Locker.

Ransomware-as-a-Service enables a user with no knowledge or cash to create his own stubs and use them to infect systems. If the victim decides to pay, the ransom goes to the service provider, who takes a percentage of the payment and forwards the rest to the user. For cyber-criminals, this is a win-win situation. The user who cannot afford to buy the ransomware or does not have the requisite knowledge can acquire it for free, and the creator gets his ransomware spread without any effort on his part.

This is not the first time we have seen this kind of service. McAfee previously (May, 2015) reported on Tox. While Tox was the first ransomware-as-a-service, it seems that ORX has taken the idea one step further, with AV evasion methods and complex communication techniques, and apparently also using universities and other platforms as its infrastructure.

In the “August 2015 IBM Security IBM X-Force Threat Intelligence Quarterly, 3Q 2015,” published on Monday (August 24, 2015), IBM mentioned TOX while predicting: “This simplicity may spread rapidly to more sophisticated but less common ransomware attack paradigms and lead to off-the-shelf offerings in the cloud.” Just one day later, a post was published on a closed Darknet forum regarding the new ORX-Locker service.

ORX – First Appearance

On August 25, 2015, a user dubbed orxteam published a post regarding the new ransomware service. The message, which was part of his introduction post – a mandatory post every new user has to make to be accepted to the forum – described the new ORX-Locker ransomware-as-a-service platform. In the introduction, the user presented himself as Team ORX, a group that provides private locker software (their name for ransomware) and also a ransomware-as-a-service platform.

ORX team introduction post in a closed Darknet hacking forum.

ORX Locker Online Platform

Team ORX has built a Darknet website dedicated to the new public service. To enter the site, new users just need to register. No email or other identification details are required. Upon registration, users have the option to enter a referral username, which will earn them three percent from every payment made to the new user. After logging in, the user can move between five sections:

Home – the welcome screen where users can see statistics on how many systems have been locked by their ransomware, how many victims decided to pay, how much they earned and their current balance.

Build EXE – Team ORX has made the process of creating a stub so simple that the only thing a user needs to do is to enter an ID number for his stub (5 digits max) and the ransom price (ORX put a minimum of $75). After that, the user clicks on the Build EXE button and the stub is created and presented in a table with all other stubs previously created by the user.

ORX-Locker Darknet platform, which enables every registered user to build his own ransomware stub.

Stats – This section presents the user with information on systems infected with his stub, including the system OS, how many files have been encrypted, time and date of infection, how much profit has been generated by each system, etc.

Wallet – following a successful infection, the user can withdraw his earnings and transfer them to a Bitcoin address of his choosing.

Support – This section provides general information on the service, including more information on how to build the stub and a mail address (orxsupport@safe-mail[.]net) that users can contact if they require support.

Ransomware

When a user downloads the created stub, he gets a zip file containing the stub, in the form of an “.exe” file. Both the zip and the stub names consist of a random 20-character string. Each file has a different name.

Once executed, the ransomware starts communicating with various IP addresses. The following is a sample from our analysis:

  1. 130[.]75[.]81[.]251 – Leibniz University of Hanover
  2. 130[.]149[.]200[.]12 – Technical University of Berlin
  3. 171[.]25[.]193[.]9 – DFRI (Swedish non-profit and non-party organization working for digital rights)
  4. 199[.]254[.]238[.]52 – Riseup (Riseup provides online communication tools for people and groups working on liberatory social change)

As you can see, some of the addresses are related to universities and others to organizations with various agendas.

Upon activation, the ransomware connects to the official Tor project website and downloads the Tor client. The malware then transmits data over this channel. Using hidden services for communication is a trend that has been adopted by most known ransomware tools in the last year, as was the case with CryptoWall 3.0. In our analysis, the communication was over the standard port 9050 and over port 49201.

The final piece is the encryption of files on the victim’s machine. Unlike other, more “target oriented” ransomware, this particular one locks all files, changing the file extension to .LOCKED and deleting the originals.

When the ransomware finishes encrypting the files, a message pops up announcing that all the files were encrypted, and a payment instruction file is created on the desktop.

After the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted

In the payment instruction file (.html), the victim receives a unique payment ID and a link to the payment website, located on the onion network (rkcgwcsfwhvuvgli[.]onion). After entering the site using the payment ID, the victim receives another set of instructions in order to complete the payment.

ORX-Locker payment platform which has a dedicated site located on the onion network.

Finally, although some basic persistence and anti-AV mechanisms are present, the malware still has room to “grow.” We are certain that as its popularity grows, more developments and enhancements will follow.

YARA rule:

rule ORXLocker
{
    meta:
        author = "SenseCy"
        date = "30/08/15"
        description = "ORXLocker_yara_rule"

    strings:
        // $string0-$string3: libcurl SOCKS/proxy messages (present in any libcurl-linked binary)
        $string0 = {43 61 6e 27 74 20 63 6f 6d 70 6c 65 74 65 20 53 4f 43 4b 53 34 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 64 2e 25 64 2e 25 64 2e 25 64 3a 25 64 2e 20 28 25 64 29 2c 20 72 65 71 75 65 73 74 20 72 65 6a 65 63 74 65 64 20 62 65 63 61 75 73 65 20 74 68 65 20 63 6c 69 65 6e 74 20 70 72 6f 67 72 61 6d 20 61 6e 64 20 69 64 65 6e 74 64 20 72 65 70 6f 72 74 20 64 69 66 66 65 72 65 6e 74 20 75 73 65 72 2d 69 64 73 2e}
        $string1 = {43 61 6e 27 74 20 63 6f 6d 70 6c 65 74 65 20 53 4f 43 4b 53 35 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 64 2e 20 28 25 64 29}
        $string2 = {53 4f 43 4b 53 35 3a 20 73 65 72 76 65 72 20 72 65 73 6f 6c 76 69 6e 67 20 64 69 73 61 62 6c 65 64 20 66 6f 72 20 68 6f 73 74 6e 61 6d 65 73 20 6f 66 20 6c 65 6e 67 74 68 20 3e 20 32 35 35 20 5b 61 63 74 75 61 6c 20 6c 65 6e 3d 25 7a 75 5d}
        $string3 = {50 72 6f 78 79 20 43 4f 4e 4e 45 43 54 20 66 6f 6c 6c 6f 77 65 64 20 62 79 20 25 7a 64 20 62 79 74 65 73 20 6f 66 20 6f 70 61 71 75 65 20 64 61 74 61 2e 20 44 61 74 61 20 69 67 6e 6f 72 65 64 20 28 6b 6e 6f 77 6e 20 62 75 67 20 23 33 39 29}
        // tor2web link to the payment site and the build's PDB path
        $string4 = {3c 61 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 72 6b 63 67 77 63 73 66 77 68 76 75 76 67 6c 69 2e 74 6f 72 32 77 65 62 2e 6f 72 67 3e 68 74 74 70 73 3a 2f 2f 72 6b 63 67 77 63 73 66 77 68 76 75 76 67 6c 69 2e 74 6f 72 32 77 65 62 2e 6f 72 67 3c 2f 61 3e 3c 62 72 3e}
        $string5 = {43 3a 5c 44 65 76 5c 46 69 6e 61 6c 5c 52 65 6c 65 61 73 65 5c 6d 61 69 6e 2e 70 64 62}
        // MSVC RTTI type names for basic_ofstream / basic_ios
        $string6 = {2e 3f 41 56 3f 24 62 61 73 69 63 5f 6f 66 73 74 72 65 61 6d 40 44 55 3f 24 63 68 61 72 5f 74 72 61 69 74 73 40 44 40 73 74 64 40 40 40 73 74 64 40 40}
        $string7 = {2e 3f 41 56 3f 24 62 61 73 69 63 5f 69 6f 73 40 5f 57 55 3f 24 63 68 61 72 5f 74 72 61 69 74 73 40 5f 57 40 73 74 64 40 40 40 73 74 64 40 40}
        // payment URL and instruction file name, stored as UTF-16 (hence "wide")
        $string8 = "ttp://4rhfxsrzmzilheyj.onion/get.php?a=" wide
        $string9 = "\\Payment-Instructions.htm" wide

    condition:
        all of them
}
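As an added illustration (not code from the post or from SenseCy), the Python below parses the strings section of the rule above, decodes its hex strings into readable text so an analyst can see what each one targets, and emulates the `all of them` condition against a constructed buffer, so the rule can be sanity-checked without a YARA install. It handles only plain hex strings and text strings with the `wide`/`ascii` modifiers (no wildcards or jumps); the sample buffer and its filler bytes are constructed here.

```python
import re

# ORX-Locker rule from the post, with straight quotes (YARA does not accept curly quotes).
ORX_RULE = r'''rule ORXLocker
{
    meta:
        author = "SenseCy"
        date = "30/08/15"
        description = "ORXLocker_yara_rule"

    strings:
        $string0 = {43 61 6e 27 74 20 63 6f 6d 70 6c 65 74 65 20 53 4f 43 4b 53 34 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 64 2e 25 64 2e 25 64 2e 25 64 3a 25 64 2e 20 28 25 64 29 2c 20 72 65 71 75 65 73 74 20 72 65 6a 65 63 74 65 64 20 62 65 63 61 75 73 65 20 74 68 65 20 63 6c 69 65 6e 74 20 70 72 6f 67 72 61 6d 20 61 6e 64 20 69 64 65 6e 74 64 20 72 65 70 6f 72 74 20 64 69 66 66 65 72 65 6e 74 20 75 73 65 72 2d 69 64 73 2e}
        $string1 = {43 61 6e 27 74 20 63 6f 6d 70 6c 65 74 65 20 53 4f 43 4b 53 35 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 64 2e 20 28 25 64 29}
        $string2 = {53 4f 43 4b 53 35 3a 20 73 65 72 76 65 72 20 72 65 73 6f 6c 76 69 6e 67 20 64 69 73 61 62 6c 65 64 20 66 6f 72 20 68 6f 73 74 6e 61 6d 65 73 20 6f 66 20 6c 65 6e 67 74 68 20 3e 20 32 35 35 20 5b 61 63 74 75 61 6c 20 6c 65 6e 3d 25 7a 75 5d}
        $string3 = {50 72 6f 78 79 20 43 4f 4e 4e 45 43 54 20 66 6f 6c 6c 6f 77 65 64 20 62 79 20 25 7a 64 20 62 79 74 65 73 20 6f 66 20 6f 70 61 71 75 65 20 64 61 74 61 2e 20 44 61 74 61 20 69 67 6e 6f 72 65 64 20 28 6b 6e 6f 77 6e 20 62 75 67 20 23 33 39 29}
        $string4 = {3c 61 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 72 6b 63 67 77 63 73 66 77 68 76 75 76 67 6c 69 2e 74 6f 72 32 77 65 62 2e 6f 72 67 3e 68 74 74 70 73 3a 2f 2f 72 6b 63 67 77 63 73 66 77 68 76 75 76 67 6c 69 2e 74 6f 72 32 77 65 62 2e 6f 72 67 3c 2f 61 3e 3c 62 72 3e}
        $string5 = {43 3a 5c 44 65 76 5c 46 69 6e 61 6c 5c 52 65 6c 65 61 73 65 5c 6d 61 69 6e 2e 70 64 62}
        $string6 = {2e 3f 41 56 3f 24 62 61 73 69 63 5f 6f 66 73 74 72 65 61 6d 40 44 55 3f 24 63 68 61 72 5f 74 72 61 69 74 73 40 44 40 73 74 64 40 40 40 73 74 64 40 40}
        $string7 = {2e 3f 41 56 3f 24 62 61 73 69 63 5f 69 6f 73 40 5f 57 55 3f 24 63 68 61 72 5f 74 72 61 69 74 73 40 5f 57 40 73 74 64 40 40 40 73 74 64 40 40}
        $string8 = "ttp://4rhfxsrzmzilheyj.onion/get.php?a=" wide
        $string9 = "\\Payment-Instructions.htm" wide

    condition:
        all of them
}
'''

# Plain hex strings ({aa bb ...}) and text strings only; wildcards (??) and jumps ([n-m]) are not handled.
HEX_RE = re.compile(r'^\s*(\$\w+)\s*=\s*\{([0-9A-Fa-f\s]+)\}\s*$')
TEXT_RE = re.compile(r'^\s*(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*((?:\w+\s*)*)$')


def _unescape(text):
    # Resolve YARA text-string escapes (\\ \" \n \t); the rule's "\\Payment-Instructions.htm" needs this.
    out, i = [], 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text):
            out.append({'n': '\n', 't': '\t'}.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return ''.join(out)


def parse_strings(rule_text):
    """Return {identifier: [byte variants]} for every entry in the strings section."""
    patterns, in_strings = {}, False
    for line in rule_text.splitlines():
        stripped = line.strip()
        if stripped.startswith('strings:'):
            in_strings = True
            continue
        if stripped.startswith('condition:'):
            break
        if not in_strings or not stripped:
            continue
        hex_match = HEX_RE.match(line)
        if hex_match:
            patterns[hex_match.group(1)] = [bytes.fromhex(hex_match.group(2))]
            continue
        text_match = TEXT_RE.match(line)
        if not text_match:
            raise ValueError('unsupported string definition: ' + stripped)
        text, mods = _unescape(text_match.group(2)), text_match.group(3).split()
        variants = []
        if 'wide' not in mods or 'ascii' in mods:  # YARA: plain ASCII unless only 'wide' is given
            variants.append(text.encode('latin-1'))
        if 'wide' in mods:  # 'wide' means UTF-16LE, two bytes per character
            variants.append(text.encode('utf-16-le'))
        patterns[text_match.group(1)] = variants
    return patterns


def readable(patterns):
    """Decode each pattern to text so an analyst can see what the rule actually targets."""
    shown = {}
    for name, variants in patterns.items():
        raw = variants[0]
        if raw and len(raw) % 2 == 0 and not any(raw[1::2]):  # UTF-16LE encoding of ASCII text
            shown[name] = raw.decode('utf-16-le')
        else:
            shown[name] = raw.decode('latin-1')
    return shown


def matches_all(patterns, data):
    """Emulate the rule's 'all of them' condition: every identifier must hit somewhere in data."""
    return all(any(v in data for v in variants) for variants in patterns.values())


def build_sample(patterns, drop=None):
    """Constructed test buffer: every pattern (except `drop`) separated by filler bytes."""
    chunks = [b'MZ' + b'\x00' * 14]  # constructed filler, not a real PE header
    for name, variants in patterns.items():
        if name != drop:
            chunks.append(variants[0] + b'\x00' * 4)
    return b''.join(chunks)


if __name__ == '__main__':
    pats = parse_strings(ORX_RULE)
    for name, text in readable(pats).items():
        print(name, repr(text))
    print('all strings present:', matches_all(pats, build_sample(pats)))
```

Decoding shows that $string0 to $string3 are libcurl's SOCKS and proxy messages, which any libcurl-linked program carries; the PDB path, the tor2web link and the two wide strings are what make the rule specific, and the `all of them` condition is what keeps it from firing on ordinary libcurl users.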

How Hackers Use Social Media Networks to Put Your Organization at Risk

SenseCy’s teams monitor underground and password-protected forums and communities in many languages – Russian, Arabic, Persian, Chinese, Portuguese, English, and more. By gaining access to the Deep Web and Darknet, we identify suspicious activity and new hacker tools and enable our clients to mitigate or eliminate cyber threats.

Hacker communities on social networks continue to evolve. More and more communities are creating Twitter accounts as well as pages and groups in popular social networks such as Facebook and VKontakte (a Russian social network) to share information, tools, and experience.

In the past, hackers came together on social networks to hold operational discussions, share targets, and join forces for DDoS attacks, but less to upload or download hacking tools. Since this is changing, we are now monitoring hacking tools offered for download on Twitter, Facebook, and VKontakte.

Source code published on Twitter

These hacker communities can be classified into three main categories:

  1. Open public groups and accounts that make common, well-known tools available.

    Open Facebook group of well-known Arab hackers
  2. Closed, secret groups sharing rare or sector-related tools or programs in a specific language.

    Secret Facebook group from Southeast Asia
  3. Groups sharing or even selling self-developed tools.
    Facebook post in closed Asian hacker group

    A prominent example is the self-developed DDoS tool created by hacker group AnonGhost for the #OpIsrael cyber campaign, which is expected to take place on April 7, 2015. This tool uses three flooding methods, TCP, UDP, and HTTP and can operate through a proxy if needed. AnonGhost posted its new tool on its official Facebook page with a link to a tutorial on YouTube, and soon it was widely distributed among hacktivists through social media.

    From AnonGhost's official Facebook Page

We regularly monitor trends and developments in social networks, since they are becoming the preferred platform for groups of hackers to share and improve attack tools. SenseCy also takes part in these communities, which gives us the edge in preventing attacks in real time. We continue to track new trends and developments to detect cyber threats for our clients.

Turkish Hacking Group Cyber Warrior’s e-Magazine : TeknoDE

Cyber Warrior is one of the biggest hacker groups in Turkey. The group was established in 1999. Their first significant cyber-attack was in 2003, when they launched a massive operation against 1,500 U.S. websites in protest against the American invasion of Iraq and a specific incident where Turkish military personnel in northern Iraq were captured and interrogated by the U.S. Army.

Turkish Hacking Group Cyber Warrior

Cyber Warrior (CW) comprises teams for strategy, intelligence, logistics, R&D and a dedicated unit for waging cyber-attacks named Akincilar. In recent weeks, for example, Akincilar has attacked official government websites of countries that, in their opinion, discriminate against their Muslim populations.

Additionally, CW has been actively developing cyber tools and improving others. They even write instructional manuals on cyber security and have established a Cyber Academy, where they provide online training.

In September 2014, the group published their first monthly e-Magazine. The magazine is published on their online platforms and it includes cyber news items from the IT world, new technologies, cyber security, hacking news, programming and more.

September 2014 issue of TeknoDE

In their first issue, they featured a cryptography contest with the top prize of a book, mug and mouse pad.

Cryptography Contest

In their October issue, they reviewed the recently discovered Shellshock vulnerability, shared information on how to locate a lost mobile phone and discussed ways to hack into Gmail accounts, and aircraft and satellite systems.

October 2014 issue of TeknoDE

A couple of weeks ago, they produced the November 2014 issue, featuring articles about credit card fraud, new Android malware and interviews with Cyber Warrior founders.

November 2014 issue of TeknoDE


Currently, the magazine is in Turkish; it increases users’ awareness of the cyber world while promoting an interest in cyber security among them.

Members of the website and readers of CWTeknoDE will not only be motivated to hack, but with this magazine they will have a chance to learn more about the cyber world, and about methods and vulnerabilities.


Iranian Hackurity – Hacking Group or Security Firm

In the past few years, the penchant of the Iranian regime for legitimizing hacking groups and their activities in Iran has become increasingly evident. While cooperation between the regime and certain hacking groups in Iran remains undeclared by the Iranian government, the remarkable coordination between the two sides cannot be ignored. This alleged coordination is evidenced in several cases where Iranian hacker groups appear to act according to government interests. Two such examples were the subdued activity of Iranian hackers during the nuclear negotiations and the lull in attacks against banks during the Iranian presidential elections.

That said, it was not unexpected for Iran to become a fertile ground for numerous hacking groups, some more prominent than others.

This legitimacy and the free-hand policy have indirectly created an interesting trend in the Iranian cyber arena – rather than hiding and masking their activities, Iranian hackers or hacking groups are presenting themselves as security firms. This new ‘security firm’ disguise, ‘Hackurity’ if you will, may appear legitimate from the outside, but a review of the individuals supporting these firms or managing them, reveals a very different picture.

Such was the case in the Iranian DataCoders Security Team and cyber security firm.

Since it commenced activities in 2010, and especially throughout 2012-2013, this hacker group has repeatedly breached American and Israeli websites.

Defacement mirror by the Iranian DataCoders Security Team

Additional examples revealed the possibility that the group is also operating under an Arab alias.

At the beginning of August 2013, an unknown hacker group calling itself Qods Freedom claimed to have waged several high-volume cyber-attacks against official Israeli websites and banks. On their Facebook account, they presented themselves as Palestinian hackers from Gaza. Taking Palestinian hacker capabilities into consideration, together with an examination of the defacement signature left by ‘Qods Freedom’, led us to believe that the group has connections with Iran. One of the Iranian groups that used the same signature on the exact same day was the Iranian DataCoders Security Team.

It appears that the Iranian DataCoders is going to a lot of trouble to maintain its legitimacy as a new security firm, rather than sticking to its former title as a hacker group.

The group’s new web platform – DataCoders.org

Another hacker group recently caught in the spotlight is the Ajax Security Team (AjaxTM). As in the first case, with its misleading decline in defacement activity, AjaxTM started to run a new platform – a security firm by the name of Pars-Security (Persian: شرکت امنیتی پارس پردازش حافظ).

According to a list posted in 2012 on an Iranian computer blog, the group is ranked among the top three Iranian hacker groups at that time, and is mostly active in the fields of training, security, penetration testing, and network exploits and vulnerabilities.

The group leader is Ali Alipour, aka Cair3x, who operates an active blog, where he describes himself as “Head of the Ajax Security Team.” Alipour is a former member of one of the oldest and most prominent hacker groups in Iran – “Ashiyane Digital Security Team” – and is accredited with perpetrating some of the exploits and defacements by the group. He was also listed on several forums as “one of Iran’s most terrible hackers“.

‘Pars-Security’ provides various services to the private and business sectors, including penetration testing, security and web programming. One of their most popular products is a technical guide entitled “Configuration and Server Security Package,” produced in cooperation with AjaxTM.

The company CEO is the AjaxTM leader – Ali Alipour – and the contact details on the Pars-Security website are his.

Pars-security.com contact details

Although the ‘About us’ section on the site discloses that the company enjoys the support of the AjaxTM members, there is good reason to believe that the company is actually run by the Ajax Security Team themselves.

Another example of the tight relations between the ‘formats’ of Iranian hacker groups and security firms is the Mihan Hack Security Team. Since 2013, this group’s forum has been inactive, and was probably disabled by the group itself. With its forum and old website down, Mihan Hack has begun to reposition itself as a legitimate security firm.

Mihan Hack Security Team Website

The above-mentioned groups are just an example of the ‘hackurity groups’ trend in Iran. Our monitoring of the Iranian cyber arena has revealed more and more hacker groups once renowned for their defacement activities and hacking tool development, who have started to position themselves as ‘white hat’ security advisors and small Information Security (IS) consulting companies. The idea of active hackers supporting security firms and providing security services is not new, but is especially intriguing in Iran. The ‘former’ hacker groups that might be government-affiliated or supported are opening their own security firms rather than supporting existing firms and promoting self-developed products.

This move, accompanied by a decline in the group’s declared activities, can divert attention from undercover activities and allows the group to operate more freely – a valuable resource for any hacker group, especially an Iranian one, given the ever-growing global interest in Iran’s cyber activity.

Infosec 2014 – London Calling

London calling to the faraway towns
Now war is declared and battle come down
London calling to the underworld
Come out of the cupboard, you boys and girls

London calling, now don’t look to us
Phony Beatlemania has bitten the dust
London calling, see we ain’t got no swing
‘Cept for the reign of that truncheon thing

The ice age is coming, the sun’s zooming in
Meltdown expected, the wheat is growing thin
Engines stop running, but I have no fear
‘Cause London is drowning, and I live by the river

(London calling – The Clash)

London was calling European Infosec professionals last week, and they came in droves. Infosec 2014 proved a very successful event, at least in my eyes. A nice mix of new and established exhibitors, a great program and outstanding attendance contributed to what is arguably Europe’s most prominent information security event. Here are my takes from the event:

A Very British Event

This event was very British in spirit, and that was a good thing! Other than showing the Americans that they are not the only ones doing cyber security (although all the large U.S. vendors were represented), there was a more relaxed, courteous vibe than at U.S. events such as RSA, and it seemed that everyone took it less seriously, with a good dose of British humor (perhaps the smiling faces were due to the fact that come four o’clock many exhibitors offered free beer). Registration and entry to the event were smooth and swift, and the exhibition hall, though large, was nothing like the two huge halls that hosted the hundreds of vendors at RSA, making orientation and navigation easy. The weather throughout most of the week was atypically warm and sunny, but the last day reminded us that we were in London with drizzling rain, bleak skies and cold – just how they like it there.


Educational Agenda

I was very impressed with the educational agenda of the event. In addition to being complimentary (for both the exhibition and the conference), the organizers put together a very comprehensive and impressive program that catered to professionals and ordinary people alike. Two notable keynotes were “What’s New in Cybercrime?” – a panel hosted by Graham Cluley – and “Actionable Intelligence: Building a Holistic Security Threat Intelligence Capability,” hosted by Brian Honan.

The vendors seemed to play along with this theme and instead of hosting very sales-oriented sessions at their booths, they appeared to offer more educational content. I attended a talk at the Sophos booth by Chester Wisniewski that was both entertaining and educational (he uses his wife’s credit card to demonstrate how cyber crooks can steal credit card details using uncomplicated means).

Bloggers Meetup

I had the privilege of attending the European Bloggers meetup and awards ceremony, held at a pub not far from the conference venue. In addition to the great English pub experience (with complimentary drinks), it was a chance to meet and talk with some of the industry’s top media stars. Unlike the Bloggers awards at RSA, Brian Krebs (not sure what the qualification criteria were, as this was designated a European bloggers award) did not take all the awards, but he did win Most Educational Blog. Read all about the winners at: http://blogs.infosec.co.uk/european-blogger-awards-2014-winners/

New Exhibitors

The event organizers allocated substantial space for new exhibitors, and allowed many vendors to showcase their products for the first time in the U.K. This was a nice contrast to the established players, who erected huge booths at the central area of the hall and offered lots of freebies, iPad raffles and candy. For me, it showed that the industry is both hungry for innovation and many entrepreneurs are stepping up with new solutions and services that are likely to be snatched up by the larger vendors very soon.

Industry not Stepping Up to the Challenge

The event was marred by one very unfortunate event – a massive Tube strike that took place on two of the three days of the event. This meant that instead of a leisurely ride to the station adjacent to the event site, visitors had to fight their way through Overground trains, buses and taxis in peak London traffic. Not a pleasant experience, and I suspect that had better transportation been available, there would have been many more local, non-industry visitors. On a personal note, I find it kind of disappointing that none of the participating vendors – some of whom invested quite heavily in fancy booths (and booth babes) – offered a remedy to this. I would love to have ridden the “Vendor-X” sponsored bus back to the city. It would have been a great opportunity to beat the traffic and mingle with like-minded professionals. Sadly no one seemed to stand up to the challenge, which is symbolic of our industry. When the rain comes down (as it does in London) almost everyone ducks for cover, and very few stand up and try to fight it (you would have imagined that after the Target breach security vendors would offer complimentary security checkups to firms and individuals, to show that the industry is capable of providing decent security to its customers). Sadly no one did.

Overall – a terrific event. I will definitely mark my calendar for next year’s event.

Why Scaring Is NOT an Effective Technique for Increasing Cyber Security?

There is a big hole in the Internet and it’s bleeding passwords. Or at least that is what one would understand from following various media reports about “Heartbleed”, the bug in OpenSSL’s implementation of the TLS heartbeat extension that lets a remote peer read up to 64 KB of a server’s memory per request (a missing bounds check in one widely deployed library, not a flaw in the design of SSL/TLS itself). Just by reading (and listening to and watching) the media, one could be forgiven for thinking that the Internet as we know it has come to an end. Slogans like “Internet safety is gone” and “Replace all your passwords now!” were being shouted repeatedly (didn’t they tell us that passwords were useless anyway? and didn’t they say that 99.9% of the passwords are 123456 anyway?)
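For readers who want to see what the Heartbleed bug referred to above actually consists of, here is an added illustration (not code from the original post, and not OpenSSL’s code): a simplified handler for the RFC 6520 heartbeat message, where a single length check separates the vulnerable behaviour from the fixed one. The “process memory” layout, the request bytes and the secret string are all constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16      /* minimum padding required by RFC 6520 */
#define MEM_SIZE     4096    /* size of the simulated process memory */

/*
 * Build a heartbeat response for the request starting at rec.
 * record_len is the real length of the received record; out/out_cap is the
 * response buffer. Returns the response length, or -1 if the request is
 * rejected. With check_bounds == 0 the function trusts the peer-supplied
 * payload length, exactly as the vulnerable code did, and copies that many
 * bytes from wherever the record happens to sit in memory.
 */
static int hb_build_response(const unsigned char *rec, size_t record_len,
                             unsigned char *out, size_t out_cap,
                             int check_bounds)
{
    if (record_len < 3 || rec[0] != HB_REQUEST)
        return -1;

    /* 16-bit big-endian payload length supplied by the peer */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* The fix: type byte + length field + claimed payload + padding must
     * fit inside the record that was actually received. */
    if (check_bounds && 1 + 2 + payload_len + HB_PADDING > record_len)
        return -1;

    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);   /* over-reads when unchecked */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Returns 1 if hay (hay_len bytes) contains the NUL-terminated needle. */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/*
 * Demo: a heartbeat request carrying one real payload byte but claiming a
 * 256-byte payload, with a constructed secret placed 64 bytes further along
 * in the simulated process memory. Returns 1 if the secret ends up in the
 * response, 0 otherwise.
 */
int hb_response_leaks_secret(int check_bounds)
{
    static const char secret[] = "CONSTRUCTED-SESSION-SECRET";
    unsigned char mem[MEM_SIZE];
    unsigned char out[1024];

    memset(mem, 'A', sizeof mem);
    mem[0] = HB_REQUEST;
    mem[1] = 0x01;                 /* claimed payload length 0x0100 = 256 */
    mem[2] = 0x00;
    mem[3] = 'x';                  /* the only payload byte actually sent */
    memcpy(mem + 64, secret, sizeof secret - 1);

    /* the record really received: header + 1 payload byte + padding */
    size_t record_len = 1 + 2 + 1 + HB_PADDING;
    int n = hb_build_response(mem, record_len, out, sizeof out, check_bounds);
    if (n < 0)
        return 0;
    return contains(out, (size_t)n, secret);
}

int main(void)
{
    printf("unchecked length: secret leaked = %d\n", hb_response_leaks_secret(0));
    printf("checked length:   secret leaked = %d\n", hb_response_leaks_secret(1));
    return 0;
}
```

The real attack repeated the unchecked request against a live server, harvesting up to 64 KB of heap each time; the remedy on the server side was to deploy the patched library and then rotate anything that could have been sitting in that memory (private keys, session cookies), which is what the later “change your passwords” advice was really about.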

Regardless of the actual severity of this flaw, two things come to mind when analyzing the public and media’s behavior regarding Heartbleed. The first is that the media is thirsty for cyber-related stories, and is willing to blow any story out of proportion just to make the headlines – especially if it can be said to be “relevant to everyone” and “puts us all in danger.” But this is not surprising – there is a very unhealthy relationship between the media, the Cybersec industry and the public – each doing its share to evoke panic and misinformation.

What I find more disconcerting is that some people and organizations use such incidents to increase awareness of cyber threats and turn this into a call for action. While there is nothing wrong with raising awareness, I do believe that overdoing it – i.e. scaring people – achieves the opposite effect. Want an easy way of verifying this? Just ask the people around you (normal folk, not industry techies) if they have heard of Heartbleed. Many of them (especially in the U.S.) will probably say yes. Then ask how many of them have changed their passwords as a result of this being made public. I can almost guarantee that the answer will be zero. The explanation for this is simple – when people are presented with a catastrophe, they tend to do absolutely nothing. If nothing is safe anymore, then why bother doing something?

And that is exactly the problem. By creating panic, we also create apathy, when we should evoke emotion and move people to act – seek professional advice, check their systems for breaches, whatever. We should be stating very clearly the REAL threats and the REAL remedies, even if they make less appealing headlines. Only then do we stand the slightest chance that the “Average Joe” will stop, listen and act differently than before. “Make them aware, not scared” should be our motto.


RSA Wrap-up

A line often attributed to Mark Twain (though there is no record of him actually writing it) holds that the coldest winter he ever spent was a summer in San Francisco.

Good thing we came in the winter, and even better that we attended the annual RSA conference – it was anything but cold. In fact, it was sizzling hot, almost to the point where the water starts to bubble. In many ways the two adjacent, huge conference halls of the Moscone Center felt like a giant pot left to boil and waiting to explode. Everyone who’s anyone was there, and then some hundred others you haven’t heard of. From the industry giants, who populated the north hall with huge booths, some two stories tall, with the complimentary raffles (all offering mini iPads to the lucky winners) and booth babes, to modest small booths on the south side hosting lesser-known start-up companies. The conference provided a terrific vantage point to view the current state of the industry. To summarize in one sentence – big and growing fast. This year’s expo was almost twice the size of last year’s, with close to 400 companies participating, many more companies “visiting” (or suitcasing) and thousands of visitors. There was also a great variety of products and offerings, almost to the point where the exhibition floor felt like a Middle Eastern bazaar… and the hustle and bustle was not limited to the conference site; it was felt in a two-mile radius, where every hotel, restaurant or bar was stuffed with RSA conference badge-wearing folk, talking, having business meetings or just partying the night away.

Prior to the conference there was a bit of negative buzz and calls to boycott the conference due to RSA’s past involvement (according to the Snowden documents) with the NSA, and some keynote speakers even cancelled their participation and opted to talk at a competing, non-mainstream event called TrustyCon (also taking place in San Francisco at the same time). If people actually avoided RSA due to this controversy, it went unnoticed – there were thousands of visitors who participated in and enjoyed this event.

It was difficult, but we were able to identify several prominent trends from this mayhem.

Investment and Consolidation Craze

There’s definitely a feeling of “big fish eat little fish”, where entrepreneurs are being seduced by VCs, smaller companies are being snatched up by bigger ones, and medium-sized companies are being swallowed by the behemoths of the industry. Almost everyone we talked to had either just raised some capital, just opened a US office or was about to meet a potential investor. There’s money on the floor and everybody wants a piece of the action. I attribute this both to the herd mentality of VCs (and investors alike), and to the fact that in the last year the cyber security industry has become much more accessible to the general public in terms of understanding the needs and the solution types required (some of which are yet to be developed).

Threat Intelligence and info Sharing Platforms

We should look outside and understand the types of threats that are out there. Also, information sharing would be a good idea. So why not combine the two and offer a platform where different threat information can be pushed and distributed to customers? Sounds almost obvious, but we are only now seeing a more mature view from the industry on what threat intelligence is and how it should be aggregated, filtered and disseminated.

Cloud

Sure, cloud is THE trendiest of them all. And with it come acute security challenges and possibilities. So there were many companies offering solutions for securing cloud applications, and, on the other hand, many offering cloud based security solutions.

Mobile

Again, not terribly difficult to predict that mobile and BYOD would be a hot topic. And there were myriad solutions for the mobile world. In fact, it has become almost impossible to distinguish between the different solutions, and too many companies appeared to be doing the exact same things. I assume it will take this segment of the industry several more years to reach maturity and allow clarity regarding solutions types and their merit (also safe to assume that mobile solutions companies will be quickly snatched by larger, more established companies to enrich their portfolio and provide a more holistic security approach to organizations).

Industry and US Centric

Kind of superfluous, but it needs to be said – this event is very much industry-centric, with few customers (or potential buyers) compared to industry participants. It is also very much US-centric, which is not surprising, since the main bulk of the industry resides within the States. Notable non-US exhibitors were the Germans and the Chinese (each with a pavilion) and of course the Russian giant Kaspersky Lab (the only exception to this was the extremely high concentration of Israeli companies, which comprised a whopping 15-20% of exhibitors, and many of the visitors).

I hope these characteristics will erode over time, as the industry needs to open up more to the public and obviously there is a huge global market for cyber security solutions outside the states.

As for us, we did not invest in a booth but rather roamed the halls, trying to meet as many potential partners and sales channels. I gotta say we’ve met some terrific companies, some with very similar views to ours and hopefully we will be able to forge some alliances very soon and attack the US market.

And a final word – what was the greatest gadget on display? It was a small wooden box, semi-analog and over 60 years old. Yes, there were two original Enigma devices on display, which attracted many more visitors to the booth displaying them (one of them belonged to the NSA) than any booth babe.

Enigma

Online Jihadists Express Interest in Cyber Warfare and Cyber Security

In March 2013, a hacker group called the “Tunisian Cyber Army” (TCA) claimed that they, in coordination with the al-Qaeda Electronic Army (AQEA), (or AQECA – al-Qaeda Electronic Cyber Army), have hacked several U.S. government websites.

The attackers stated that they were assisted by “Chinese hackers.” In addition, the groups claimed that these attacks were in preparation for #OpBlackSummer, a cyber campaign designed to target U.S. websites between May and September 2013.

OpBlackSummer

Regardless of the authenticity of these attacks, we clearly see the increased motivation of AQ-affiliated cyber units to wage attacks against Western targets. We would not be at all surprised to see sophisticated AQ attacks in the near future. We can assume that they are developing cyber attack tools, or even worse – purchasing advanced tools from the underground black market.

In September 2013, the Global Islamic Media Front (GIMF) – a propaganda organization associated with AQ – posted an encryption program for mobile phones on jihadi forums. The program is called Tashfeer al-Jawwal, or Mobile Encryption, and the GIMF described it as the “first Islamic encryption software for mobiles.”

The release was prefaced by an introduction from renowned jihadi ideologue Abu Sa’ad al-A’mili, who promised that the program would be a qualitative move for secure communications between jihadists and a surprising shock to the enemy. It should be mentioned that the GIMF provided a description of the program on their website, as well as tutorials in Arabic, English, Indonesian and Urdu.

Tashfeer al-Jawwal – encryption program for mobile phones

In December 2013, the exclusively online AQ propaganda distributor, the al-Fajr Media Center, published a new encryption program called Amn al-Mujahid (“Security of the Mujahid”) on jihadi forums, accompanied by a 28-page instructional manual. Al-Fajr said that AQ’s Technical Committee sought to develop an encryption program equipped with the latest technology that would enable the user to use advanced encryption standards.

Although these developments are merely versions of available programs, the steady introduction of programs such as these reveals jihadi interest in cyber security and cyber warfare.