PERSONAL DATA OF TAIWAN’S ENTIRE POPULATION FOR SALE

A May 2020 media report disclosed that a database containing the personal data of over 20 million Taiwanese citizens, effectively the country’s entire population, had been posted for sale on the Dark Web. According to researchers, the data originates from a government source, the Department of Household Registration under the Ministry of the Interior.

The sale offer was posted on May 19, 2020 on an English-language underground Dark Web marketplace. The seller claimed the database covers the country’s entire citizenry and attached a sample showing that each record is arranged as full name, landline number, ID number, home address and sex. The asking price was US$ 2,500.

Taiwan’s Population Database for Sale
Source: Verint Luminar

NOT THE FIRST TIME WE’VE SEEN SUCH AN OFFER

Although the reports cited above described this leak as unique, this is not the first time we have seen a database purporting to cover Taiwan’s entire population offered for sale. In Chinese-language sources such offers have appeared since at least August 2018. Our findings, detailed below, suggest the current offer is in fact a resale of a database offered several times in the past on Chinese underground platforms. They also illustrate how data flows from one underground arena to another and underline the importance of monitoring multiple languages and sources in order to establish the origin of a leaked database.

THE TAIWANESE DATABASE ON THE CHINESE DARK WEB

Our first indication of a Taiwanese population database dates to August and September 2018. In August 2018, an offer appeared on a Chinese Darknet marketplace to sell a Taiwanese population database consisting of the full names, landline numbers, gender and home addresses of 21,141,314 people.

Taiwan’s Population Database for Sale, August 2018
Source: Chinese Dark Web marketplace

About a month later, an actor who had offered several other major database leaks on the same Chinese-language Darknet marketplace (including the Marriott database) offered a full database of the Taiwanese population, consisting, according to him, of approximately 25 million lines of data, which he claimed were current as of September 2017.

Taiwan’s Population Database for Sale
Source: Chinese Dark Web marketplace

Since then, similar offers have occasionally appeared both on Darknet marketplaces and in underground chat groups operating on Telegram.

SIMILARITIES BETWEEN LEAKED SAMPLES SHARED ON THE DARK WEB

According to our research, the most recent similar offer before May 2020 was published in January 2020, when an actor on a Chinese Darknet marketplace offered a 25 million line Taiwanese population database containing, once more in that order: full names, landline telephone numbers, ID numbers, home addresses and sex. The actor also attached a short sample to prove the authenticity of the database. According to the marketplace’s internal data, the listing was sold twice, meaning two different actors have since purchased the database. Of note, the same actor had also offered the same database in April 2019, attaching a similar sample. The two screenshots below show the two offers, from January 2020 and April 2019.

Offer to Sell Taiwan’s Full Population Database, Containing ~25 million Lines, January 2020. Source: Chinese Dark Web Marketplace
Similar Offer from the Same Actor, April 2019
Source: Verint Luminar

The samples attached to the three offers, the two Chinese posts from April 2019 and January 2020 and the English post from May 2020, show different names but look strikingly similar. The data follows an identical pattern and is arranged in exactly the same order: full name, landline number, ID number, home address and sex. Furthermore, the current seller stated that he obtained the data in 2019, which matches the date the same offer was published on the Chinese marketplace.

All the above leads us to conclude that the current offer of the Taiwanese population database is an attempt to resell the same database previously leaked on Chinese underground platforms. Since the asking price on the Chinese platform was merely US$ 200, whereas the current seller asks US$ 2,500, we consider it highly probable that this actor bought the database on the Chinese marketplace and is trying to turn an easy profit from actors on other platforms who do not have access to the Chinese marketplace and/or cannot read Chinese.

THE SELLER HAS OTHER ACTIVITIES ON THE DARK WEB

According to our analysis, the seller was seen operating under the same nickname on a Chinese Telegram underground chat group, a Russian Clearnet hacking and fraud forum, and two English-language Darknet forums.

In all instances he offered credit card user data from China Industrial Bank, containing over 460,000 lines. In one of the offers shown below, posted on the English-language forum, the actor quoted a price of US$ 380 for the database.

The China Industrial Bank Credit Card User Database offered on a Chinese Underground Telegram Group
A Similar Offer by the Same Actor Posted on an English-language Darknet Forum for US$ 380
Source: Verint Luminar

BUY IN ONE LANGUAGE, RESELL (FOR A NICE PROFIT) IN ANOTHER

As with the Taiwanese population database, the China Industrial Bank database offered by this actor had appeared earlier on Chinese underground platforms. In March 2020 it was posted on a Chinese Darknet marketplace for US$ 56 (see first screenshot below); according to the marketplace’s internal data, it was sold 21 times. A month later, in April 2020, it was also offered in a Chinese-language underground Telegram group (see second screenshot below). This demonstrates the same modus operandi by this actor, and presumably by many other actors operating across multi-language platforms: acquiring databases in one language (Chinese) and reselling them at higher prices on platforms in other languages.

The China Industrial Bank Database offered on a Chinese Darknet Marketplace, March 2020
The Same Database offered on a Chinese Telegram Group, April 2020. Source: Chinese Darknet Marketplace

The New SMBGhost Wormable Vulnerability is Gaining Popularity in The Dark Web


On March 10, 2020, details of a zero-day vulnerability (CVE-2020-0796) in the Microsoft Server Message Block (SMB) protocol were exposed prematurely, when security companies published advisories about it before Microsoft had a patch ready. SMB is a network protocol that provides shared access to files, printers and serial ports between devices on a network.

In this blog post we reveal some of the activities we identified on the dark web and explain why this specific vulnerability has the potential to become a “wormable” attack that spreads fast.

CVE-2020-0796, nicknamed SMBGhost, is a memory-corruption bug in the way the SMBv3.1.1 server handles a maliciously crafted compressed packet: an integer overflow in the size computed from the packet’s compression transform header leads the kernel driver (srv2.sys) to allocate a buffer that is too small, which the decompressed data then overflows. Because the flaw is reached before any authentication takes place, a remote, unauthenticated attacker could exploit it to execute arbitrary code in the kernel and take control of vulnerable systems.

In addition, researchers noted that the vulnerability could be exploited in a “wormable” attack, in which an attacker moves quickly and easily from one victim on the network to the next. In this respect it resembles CVE-2017-0144, a “wormable” flaw in the earlier SMBv1 protocol that was exploited during the massive WannaCry and NotPetya outbreaks in 2017 via the EternalBlue exploit, allegedly developed by the NSA and leaked by the Shadow Brokers hacking group in April 2017.

Will the SMBGhost vulnerability lead to cyber-attacks in the magnitude of WannaCry and NotPetya? We don’t know yet. What we do know is that the world is currently in a very different and much more vulnerable place, with the Coronavirus outbreak sending millions of employees to work remotely, in a much less secure environment. The balance between risk and security has shifted.

Time To Patch SMBGhost

The vulnerability affects only the compression feature of SMBv3.1.1, which Microsoft introduced in Windows 10 version 1903. The affected systems are therefore Windows 10 versions 1903 and 1909 and Windows Server versions 1903 and 1909 (Server Core installations). Earlier releases, including Windows Server 2019, do not implement SMB compression and are not affected.

Microsoft patched the vulnerability two days after its disclosure, with the out-of-band security update KB4551762 released on March 12, 2020.

Users are urged to install that update. Where it cannot be installed yet, Microsoft’s advisory ADV200005 offers a workaround: disable SMBv3 compression on the server with a PowerShell command (shown in the screenshot below) that sets the DWORD value DisableCompression to 1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. No reboot is needed, and the value can be reverted once the update is installed. Note that the workaround only protects the SMB server role; it does not prevent exploitation of SMB clients, so Microsoft also recommends blocking TCP port 445 at the enterprise perimeter firewall.


PowerShell Command

Unfortunately, prioritizing patching is always a challenge. Considering that most IT departments are currently occupied with ensuring employees can work remotely in order to maintain business continuity, it is possible that patching will not be their first priority.

Discovered PoC Exploits

Since the vulnerability was made public, numerous GitHub repositories related to it have been created. Many of these contain scanner scripts for detecting vulnerable systems.
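To show what such scanner scripts actually test, the following is an added example written for this page; it is not code from any of the GitHub repositories mentioned, nor from Verint. It assumes only the MS-SMB2 wire format and the standard library: it builds an SMB2 NEGOTIATE request that offers dialect 3.1.1 together with a compression negotiate context, then parses the server’s NEGOTIATE response to see whether 3.1.1 was selected and at least one compression algorithm is advertised. The sample responses produced by build_sample_response are constructed for offline testing, not captured traffic, and all function and constant names are the example’s own.

```python
import os
import socket
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001   # SMB2_PREAUTH_INTEGRITY_CAPABILITIES
CTX_COMPRESSION = 0x0003         # SMB2_COMPRESSION_CAPABILITIES
LZNT1 = 0x0001                   # compression algorithm id


def _pad8(b):
    # Negotiate contexts are 8-byte aligned; the last one needs no padding.
    return b + b"\x00" * ((8 - len(b) % 8) % 8)


def _ctx(ctx_type, data):
    # SMB2_NEGOTIATE_CONTEXT: ContextType, DataLength, Reserved, Data
    return struct.pack("<HHI", ctx_type, len(data), 0) + data


def _smb2_header(command, flags=0, credits=0):
    # 64-byte SMB2 packet header; all ids are zero because no session exists yet.
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, command,
                       credits, flags, 0, 0, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request():
    """SMB2 NEGOTIATE offering dialects up to 3.1.1 plus a compression context."""
    dialects = [0x0202, 0x0210, 0x0300, 0x0302, DIALECT_311]
    preauth = _ctx(CTX_PREAUTH_INTEGRITY,
                   struct.pack("<HHH", 1, 32, 0x0001) + os.urandom(32))  # SHA-512 + salt
    comp = _ctx(CTX_COMPRESSION, struct.pack("<HHIH", 1, 0, 0, LZNT1))
    fixed_len = 36 + 2 * len(dialects)            # body before the context list
    ctx_off = (64 + fixed_len + 7) & ~7           # offset from start of SMB2 header
    body = struct.pack("<HHHHI16sIHH", 36, len(dialects), 1, 0, 0,
                       os.urandom(16), ctx_off, 2, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    body += b"\x00" * (ctx_off - 64 - fixed_len)  # align the context list
    body += _pad8(preauth) + comp
    msg = _smb2_header(SMB2_NEGOTIATE) + body
    return struct.pack(">I", len(msg)) + msg       # NetBIOS session header


def assess(raw):
    """Parse a NEGOTIATE response (NetBIOS header included) and report whether the
    server negotiated SMB 3.1.1 with at least one compression algorithm, i.e.
    exposes the compression code path in which SMBGhost lives."""
    smb = raw[4:]
    if len(smb) < 128 or smb[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 negotiate response")
    status, command = struct.unpack_from("<IH", smb, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError("unexpected command 0x%x / status 0x%x" % (command, status))
    dialect, ctx_count = struct.unpack_from("<HH", smb, 68)   # DialectRevision, ContextCount
    ctx_off = struct.unpack_from("<I", smb, 124)[0]           # NegotiateContextOffset
    algos = []
    if dialect == DIALECT_311:                 # contexts are only present for 3.1.1
        off = ctx_off
        for _ in range(ctx_count):
            ctype, dlen = struct.unpack_from("<HH", smb, off)
            data = smb[off + 8: off + 8 + dlen]
            if ctype == CTX_COMPRESSION and dlen >= 8:
                count = min(struct.unpack_from("<H", data, 0)[0], (dlen - 8) // 2)
                algos = list(struct.unpack_from("<%dH" % count, data, 8)) if count else []
            off += (8 + dlen + 7) & ~7
    return {"dialect": dialect,
            "compression_algorithms": algos,
            "smb311_compression_enabled": dialect == DIALECT_311 and len(algos) > 0}


def build_sample_response(dialect, compression_algos):
    """Constructed NEGOTIATE response for offline testing (not a real capture).
    compression_algos=None omits the compression context; [] advertises zero algorithms."""
    ctxs = []
    if dialect == DIALECT_311:
        ctxs.append(_ctx(CTX_PREAUTH_INTEGRITY,
                         struct.pack("<HHH", 1, 32, 0x0001) + b"\x11" * 32))
        if compression_algos is not None:
            ctxs.append(_ctx(CTX_COMPRESSION,
                             struct.pack("<HHI", len(compression_algos), 0, 0)
                             + b"".join(struct.pack("<H", a) for a in compression_algos)))
    ctx_blob = b"".join(_pad8(c) for c in ctxs[:-1]) + (ctxs[-1] if ctxs else b"")
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, dialect, len(ctxs), b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 128 if ctxs else 0)
    msg = _smb2_header(SMB2_NEGOTIATE, flags=0x1, credits=1) + body + ctx_blob
    return struct.pack(">I", len(msg)) + msg


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection during negotiate")
        buf += chunk
    return buf


def scan(host, port=445, timeout=5.0):
    """Negotiate with a live host over direct TCP/445 and assess its reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        nb = _recv_exact(s, 4)
        length = struct.unpack(">I", nb)[0] & 0x00FFFFFF   # 24-bit NetBIOS length
        return assess(nb + _recv_exact(s, length))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(scan(sys.argv[1]))                    # live check against a host you own
    else:
        print(assess(build_sample_response(DIALECT_311, [LZNT1])))   # offline demo
```

A positive result means the host exposes the SMB 3.1.1 compression path, not that it is unpatched: KB4551762 fixes the overflow but leaves compression enabled, so a patched host is flagged exactly like a vulnerable one, while a host with Microsoft’s DisableCompression workaround applied stops advertising algorithms. Treat the output as an exposure inventory and confirm patch state from the installed updates.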

In addition, several repositories containing PoC exploits for the vulnerability were identified. One such repository contains a PoC written in Python that speaks SMBv3.1.1 and targets Windows 10 builds 1903 and 1909.

According to our analysis, this PoC triggers the overflow and crashes the kernel (a denial of service), but could in principle be modified into a remote code execution exploit. We identified additional similar PoCs on GitHub, all of which eventually crash the targeted system; none of the exploits we observed achieve remote code execution.


Description of the PoC

Dark Web Discussions

Right after details of the SMBGhost vulnerability were published, discussions about it emerged on various Dark Web platforms, where it is also dubbed CoronaBlue (a play on the EternalBlue exploit and the current Coronavirus pandemic). At first, we mainly observed the sharing of publicly available reports about the vulnerability.

news-reports

News Reports about the SMBGhost Vulnerability Shared on a Russian Dark Web Forum (Source: Verint LUMINAR)

However, threat actors soon started expressing interest in a working PoC. For instance, on March 11, 2020, a member of a hacking-related Discord channel asked how many GitHub repositories containing fake exploit code for CVE-2020-0796 existed (fake repositories purporting to contain exploit code commonly circulate on the Web after a new zero-day is disclosed). One of the replies was that it “would be good” to have a working PoC, and another member shared a link to a publicly available GitHub scanner for identifying vulnerable systems. The same scanner was also shared on a Russian forum, and a second GitHub scanner was shared in a Persian Telegram channel. Furthermore, our researchers found multiple discussions in different underground forums in which users were looking for exploit kits for the CVE-2020-0796 SMBv3 vulnerability.

Our research team will continue to monitor the new SMBGhost vulnerability and the threat actors that express interest in the vulnerability and in obtaining a working PoC exploit for it. As several PoC exploit codes have been made available on GitHub, it is possible we will soon witness exploitation attempts. Although none of the currently available PoC codes could allow the attacker to remotely execute arbitrary code on targeted systems, these exploits could be modified to enable remote code execution, and potentially constitute a more serious threat. Furthermore, the fact this vulnerability could be leveraged in a “wormable” attack, stresses the importance and the urgency of applying the relevant patch.

Hackers Continue to Exploit the COVID-19 Pandemic in Malicious Campaigns


As the Coronavirus (COVID-19) pandemic continues to spread throughout the world, a growing number of malicious campaigns has been identified that exploit the constant search for information and updates on the virus in order to spread various types of malware.

In this blog post we share our analysis of one of the major Coronavirus related malicious campaigns and provide an overview of other campaigns. In addition, for your convenience, you will find at the end of the post a list of IoCs to implement in your security systems.

The COVID-19 Interactive Map – The Malicious Version

Security researchers have identified Russian cybercriminals selling malicious versions of the highly popular interactive map of COVID-19 cases around the world created by the Johns Hopkins Coronavirus Resource Center. These versions are bundled with infostealer malware designed to steal information from the victims’ computers.


Johns Hopkins Coronavirus Resource Center


Sales Offer of Malicious Map in Russian Dark Web Forum
Source: Verint LUMINAR

In addition, a new malicious domain was discovered, coronavirusapp[.]site, offering an Android app that supposedly tracks the spread of the virus and provides statistics. The app is in fact CovidLock, ransomware that changes the password used to unlock the device and thereby locks victims out of their phones. The victims are asked to pay a ransom of US$ 100 in Bitcoin; otherwise, according to the ransom note, their contacts, pictures, videos and the device’s memory will all be erased.


The Coronavirusapp[.]site domain.
Source: Domain Tools

Attack Methods

Security researchers have also discovered a new backdoor distributed as a RAR archive. The archive contains an executable masquerading as a Microsoft Word document with information on COVID-19, whose purpose is to install the rest of the malware on the victim’s computer. The researchers estimate that the file is being distributed via phishing emails.

A new ransomware called CoronaVirus was recently identified being distributed through a fake website of WiseCleaner, a vendor of system utilities for Windows. The downloads on this malicious site act as droppers for both the CoronaVirus ransomware and a stealer called Kpot. Additional campaigns use phishing emails with malicious attachments that supposedly contain information and updates on the Coronavirus but in fact install various malware on the victims’ computers, including the TrickBot banking Trojan and the LokiBot and FormBook stealers.

State-Sponsored Threat Actors Are Also Involved

Security researchers have also identified state-sponsored threat actors exploiting the COVID-19 panic to promote their interests and carry out attack campaigns.

  • In early March 2020, researchers discovered a campaign launched by a Chinese APT group against targets in Vietnam.
  • Another Chinese APT group attacked targets in Mongolia’s government using malicious documents that supposedly contain new information on the virus.
  • An APT group originating from North Korea has sent phishing messages to South Korean officials that ostensibly included a document detailing the reaction of the country to the pandemic.
  • A Russian APT group sent malicious files, seemingly containing Coronavirus updates, in order to distribute a backdoor to targets in Ukraine.

Cybercriminals and state-sponsored threat actors alike are using the panic caused by the Coronavirus pandemic for phishing and malware distribution. As the virus continues to spread across the world and dominate the global agenda, we expect to see more campaigns exploiting the crisis.

To read the detailed analysis click here

For a list of IOCs click here

The Awakening of PoS Malware (or, Has It Really Been Dormant?)

The peak of Point-of-Sale (PoS) malware activity came in late 2013 (with the disclosure of the notorious Target breach) and over the course of 2014, when we witnessed the development and trade of new PoS malware strains. The vigorous discussions in hacking communities at the time led hackers to believe PoS malware would ensure them an easy profit. However, as time passed,