In the past few months, an alleged group of transparency advocates, headed by activist Emma Best (@NatSecGeek), created an online repository of leaked data similar to WikiLeaks, named “Distributed Denial of Secrets” (@DDoSecrets).
Our initial examination revealed that the repository includes a great volume of data aggregated from past leaks, but also several new ones. The data is extremely diverse and consists of documents, hacked emails, leaked credentials, and other data, which has been leaked over the years, by a variety of actors (hacktivists, APTs, etc).
On December 31, 2018, a cybercrime group going by the handle The Dark Overlord (hereafter TDO) claimed he had hacked an unnamed company, and exfiltrated a large volume of sensitive documents related to the 9/11 terror attacks-related lawsuits. TDOaims to extort the impacted organizations into paying a Bitcoin ransom and he already published batches of the leakage after creating a public auction system, where anyone can contribute Bitcoins to unlock new documents. Continue reading “What will The Dark Overlord Do Next – a CTI Assessment”
The following is an excerpt from the report. To receive a copy, please send a request to: email@example.com
2016 has been replete with an unprecedented volume of cyber events of varying impact and future significance. From our perspective, on account of our persistent presence and active participation in discussions Continue reading “SenseCy 2016 Annual CTI Report”
The healthcare sector has recently become a desirable target for cyber crooks. According to Symantec ISTR report statistics, healthcare was the most breached sub-sector in 2015, comprising almost 40% of all the attacks. Hospital security systems are generally less secure than those of financial organizations, as monetary theft has always been perceived as the greatest threat for organizations, and dangers to other sectors were usually underestimated. Moreover, awareness of cyber-attacks against hospitals and medical centers is much lower than it is to financial cybercrime, and as a result, the employees are less well-trained on how to avoid falling victim to a cyber-attack.
Only lately, this concept has started to be challenged, revealing the potential damage that can be caused by the theft and leakage of patient data. However, the ‘bad guys’ remain one step ahead and during the last few months, we have witnessed a spate of attacks targeting the healthcare industry: ransomware attacks encrypting essential data and demanding payment of a ransom, numerous data leakages revealing confidential patient data, unauthorized access to medical networks and even the hacking of medical devices, such as pumps and X-ray equipment.
Moreover, the healthcare sector is being targeted by hackers not only directly, but also via third-party companies in the supply chain, such as equipment and drug suppliers. These companies usually store some confidential data that originates in the hospitals’ databases and may even have access to the hospital IT systems, but they are far less secure than the hospitals themselves. Thus, they serve as a preferable infiltration point for malicious actors pursuing the theft of medical data and attempting to infiltrate the hospitals’ networks.
The consequences of attacks on the healthcare industry may be extensive, including the impairment of the medical center functioning, which may result in danger to human lives in the worst case scenario. In other cases, personal data will be stolen and sold on underground markets. Cybercriminals will take advantages of these personal details for identity theft or for future cyber-attacks combining social engineering based on the stolen details.
While monitoring closed Deep-Web and Darknet sources, SenseCy analysts recently noticed a growing interest toward the healthcare sector among cyber criminals. Databases of medical institutions are traded on illicit marketplaces and closed forums, along with access to their servers. In the last few months alone, we came across several occurrences indicating extensive trade of medical records and access to servers where this data is stored.
The first case, in May 2016, was the sale of RDP access for a large clinic group with several branches in the central U.S., which was offered for sale on a Darknet closed forum. For a payment of $50,000 Bitcoins, the buyer would receive access to the compromised workstation, with access to 3 GB of data stored on four hard disks. Additionally, the workstation allows access to an aggregate electronical system (EHR) for managing medical records, where data regarding patients, suppliers, payments and more can be exploited.
Although the seller did not mention the origin of the credentials he was selling, he claimed that local administrator privileges could be received on the compromised system. He also specified that 45 users from the medical personnel were logged into the system from the workstation he hacked.
The relatively high price for this offer indicates the high demand for medical information. With RDP access, the potential attackers can perform any action on the compromised workstation: install malware, encrypt the files or erase them, infect other machines in the network and access any data stored in the network. The consequences can be tremendous.
Just a few weeks later, in June 2016, our analysts detected another cyber-accident related to healthcare. This time, three databases allegedly stolen via an RDP access to a medical organization were offered for sale for more than $500,000 on a dedicated Darknet marketplace. In one of his posts, the seller claimed that one of the databases belongs to a large American health insurer.
Before long, we again discovered evidence of hacking into a medical-related organization, this time by Russian-speaking hackers. On one of the forums we monitor, a member tried to sell an SSH access to the server of an American company supplying equipment to 130 medical center in the U.S. He uploaded screenshots proving that he accessed the server where personal data of patients is stored.
The conclusions following these findings are concerning. An extensive trade in medical information and compromised workstations and servers is a common sight on underground illegal markets. This business generates hundreds of thousands, if not millions of dollars annually, ensuring its continuation as long as there are such high profits to those involved. Since the ramifications can be grave, the healthcare sector must take all necessary measures to protect their systems and data:
Implement a strong password policy, because many hacks are a result of brute-force attack. Strong passwords and two-factor authentications to log into organizational systems should be the number one rule for medical organizations.
Deploy suitable security systems.
Instruct the employees to follow cyber security rules – choosing strong and unique passwords, spotting phishing email messages, avoiding clicking on links and downloading files from unknown sources, etc. Consider periodic training for employees on these issues to maintain high awareness and compliance with the rules.
Use Cyber Threat Intelligence (CTI) – to keep up with the times regarding the current most prominent threats to your organization and industry.
A recent wave of ransomware attacks has hit countries around the world, with a large number of infections reported in the United States, the United Kingdom, Germany and Israel. It appears that the attackers have no specific target, since the attacks have struck hospitals, financial institutions and private institutions, indicating that no specific industry has been targeted.
In Israel, two types of ransomware were identified in the most recent attacks: the familiar TeslaCrypt and the new ransomware, Locky.
The Evolution of Ransomware
The vigorous usage of ransomware tools by cybercriminals and their success in this area has led to the development of new ransomware and the constant upgrading of known models. During the past several months, researchers have reported on the development of ransomware that is capable of file encryption without Internet connection, i.e., they do not communicate with their C&C servers for the encryption process.
Additionally, RaaS (Ransom-as-a-Service) offers are becoming popular on closed DeepWeb and Darknet forums. These services allow potential attackers to easily create ransomware stubs, paying with profits from future successful infections. Recently, we identified a new RaaS dubbed Cerber ransomware, which is offered on a Russian underground forum. Previously it was ORX-Locker, offered as a service via a platform hosted on an .onion server.
The majority of the distribution vectors of ransomware stubs involve some kind of social engineering trap, for example, email messages including malicious Office files, spam messages with nasty links or malvertising campaigns exploiting vulnerable WordPress or Joomla websites with an embedded malevolent code. The distribution also takes advantage of Macro commands and exploit kits, such as Nuclear or Angler. Sometimes browser vulnerabilities are exploited, as well as stolen digital certificates.
In November 2015, attempts to deliver ransomware to Israeli clients were identified. In this case, the attackers spoofed a corporate email address and tried to make recipients believe the email was sent from a company worker.
Handling a Ransomware Attack
Please find below our suggestions for recommended action to avoid ransomware attacks on an organization, and how to deal with an attack after infection:
Defend Your Organization from Potential Threats
Train your employees – since the human link is the weakest link in the organizational cybersecurity and the majority of the cases involve social engineering on one of the employees, periodical employee briefing is extremely important. Specify the rules regarding using the company systems, and describe what phishing messages look like.
Disable running of Macro scripts on Office files sent via email – in recent months, many cases of ransomware attacks employing this vector were reported. Usually, Macro commands are disabled by default and we do not recommend enabling them. In addition, we suggest using Office Viewer software to open Word and Excel files.
Limit user privileges and constantly monitor the workstations – careful management of user privileges and limited administrator’s privileges may help in avoiding the spread of the ransomware in the organizational network. Moreover, monitoring the activity on workstations will be useful for early detection of any infection and blocking it from propagating to other systems and network resources.
Create rules that block programs from executing from AppData/LocalAppData folders. Many variants of the analyzed ransomware are executed from these directories, including CryptoLocker. Therefore, the creation of such rules may reduce the encryption risk significantly.
Install a Russian keyboard – while monitoring closed Russian forums where several ransomware families originated, we discovered that many of them will check if the infected computer is located in a post-Soviet country. Usually, this check is performed by detecting which keyboard layout is installed on the machine. If a Russian (or other post-Soviet language) keyboard layout is detected, the ransomware will not initiate the encryption process.
Keep your systems updated – in many cases, hackers take advantage of outdated systems to infiltrate the network. Therefore, frequent updates of the organizational systems and implementing the published security patch will significantly reduce the chances of infection.
Use third-party dedicated software to deal with the threat – many programs aimed at addressing specific ransomware threats are constantly being released. One is Windows AppLocker, which is included in the OS and assists in dealing with malware. We recommend contacting the organizational security vendor and considering the offered solutions.
Implement technical indicator and YARA rules in the company organizations. We provide our clients with intelligence items accompanied by technical indicators. Additionally, a dedicated repository that includes ransomware indicators was launched.
What if I am Already Infected?
Restore your files – some ransomware tools create a copy of the file, encrypt it and then erase the original file. If the deletion is performed via the OS erase feature, there is a chance to restore the files, since in majority of the cases, the OS does not immediately overwrite the deleted filed.
Decryption of the encrypted files – the decryption will be possible if you were infected by one of these three ransomware types: Bitcryptor, CoinVault or Linux.Encoder.1. Therefore, detecting the exact kind of ransomware that attacked the PC is crucial.
Back-up files on a separate storage device regularly – the best practice to avoid damage from a ransomware attack is to backup all your important files on a storage disconnected from the organizational network, since some ransomware variants are capable of encrypting files stored on connected devices. For example, researchers recently reported a ransomware that encrypted files stored on the Cloud Sync folder.
If ransomware is detected in the organization, immediately disconnect the infected machine from the network. Do not try to remove the malware or to reboot the system before identifying the ransomware. In some cases, performing one of these actions will make the decryption impossible, even after paying the ransom.
Written and prepared by SenseCy’s Cyber Intelligence analysts.
SenseCy’s 2015 Annual CTI Report spans the main trends and activities monitored by us in the different cyber arenas including the world of Arab hacktivism, the Russian underground, the English-speaking underground, the Darknet and the Iranian underground. In addition, we have listed the major cyber incidents that occurred in 2015, and the most prominent attacks against Israeli organizations.
The following is an excerpt from the report. To receive a copy, please send a request to: firstname.lastname@example.org
2015 was a prolific year for cyber threats, so before elaborating on our main insights from the different arenas covered here at SenseCy, we would like to first summarize three of the main trends we observed in 2015.
Firstly, when reviewing 2015, we recommend paying special attention to the evolving world of ransomware and new applications of this type of malware, such as Ransomware-as-a-Service (RaaS), and ransomware targeting cloud services, as opposed to local networks and more.
Secondly, throughout 2015, we witnessed cyber-attacks against high-profile targets attributed to ISIS-affiliated hackers and groups. One such incident was the January 2015 allegedly attack against the YouTube channel and Twitter account of the U.S. Central Command (CENTCOM).
Thirdly, 2015 revealed a continuing interest in the field of critical infrastructure among hackers. Throughout the year, we witnessed multiple incidents of critical infrastructure firms allegedly targeted by hackers, prompting periodic analyses addressing the potential vulnerabilities of critical sectors such as energy, water, and more. Taking into consideration the advanced capabilities and high-level of understanding of such systems required to execute such attacks, many security firms and experts are confident that these attacks are supported by nation-state actors.
The following are several of our insights regarding activities in different cyber arenas this past year:
During 2015, we detected several indications of anti-Israel cybercrime activity on closed platforms frequented by Arabic-speaking hackers. It will be interesting to see if these anti-Israel hacktivists that usually call to deface Israeli websites or carry out DDoS attacks will attempt to incorporate phishing attacks, spamming methods and tools into their arsenals. Notwithstanding, Islamic hacktivism activity continues unabated, but without any significant success.
Trade on Russian Underground Forums
The prominent products currently traded during 2015 on Russian underground forums are ransomware programs and exploits targeting Microsoft Office. With regard to banking Trojans, we did not notice any major developments or the appearance of new Trojans for sale. The PoS malware field has not yielded any new threats either, in contrast to the impression given by its intensive media coverage.
Mobile malware for Android devices is on the rise as well, with the majority of tools offered being Trojans, but we have also detected ransomware and loaders.
Prices on the Russian Underground have remained unchanged during the past two years, due to the vigorous competition between sellers on these platforms.
Different kinds of services, such as digital signing for malicious files, injections development for MitM attacks and crypting malware to avoid detection were also extremely popular on Russian forums.
The English-Language Underground
Our analysis of password-protected forums revealed that exploits were the best-selling products of 2015. This comes as no surprise, since exploits are a vital part of almost every attack.
The Darknet made the headlines on multiple occasions this year, mostly owing to databases that were leaked on it and media reports recounting FBI activities against Darknet users. Furthermore, this year saw increased activity by the hacking community on the Darknet, manifested in dedicated markets for the sale of 0-day exploits and the establishment of several new hacking forums.
The Iranian Underground
With regard to Iranian threat actors, 2015 was a highly prolific year, with attack groups making headlines around the world. Delving deeper into the Iranian underground, we uncovered several interesting trends, some more clear than others.
One main development in 2015 was the persistent interest in critical infrastructure, with underground forum members sharing and requesting information related to industrial control systems and other related components. With Iranian actors becoming increasingly drawn to this field, we assess that this trend will remain relevant in 2016 as well.
Another growing phenomenon is the stunted life cycles of Iranian cyber groups, many with a life-span of just several months. This trend makes it difficult to monitor the different entities active in the Iranian cyber arena and their activities. To understand the constant changes in this realm, this short life cycle trend must be taken into consideration and the Iranian cyber arena continuously monitored.
That said, we must not overlook one of the most prominent characteristics of Iranian attack groups – confidentiality. With attacks attributed to Iranian actors becoming more sophisticated and high-profile, we believe that the divide between medium-level practices of malicious activity and alleged state-sponsored activity by attack groups will remain pronounced.
ISIS – Cyber-Jihad
On the other side of the Arab-speaking cyber world, we can find ISIS and its evolving cyber activities. There is disagreement between intelligence firms and cyber experts about the cyber offensive capabilities of the Islamic State. In addition, there is a high motivation among hackers that identify with the group’s fundamentalist agenda to carry out cyber-attacks against Western targets, especially against those countries actively involved in the war against the group in Iraq and Syria.
On July 12, 2015, the IT-systems of Ashley Madison (owned by Avid Life Media), a Canada-based online dating service for married people, were hacked. The attackers, who call themselves Impact Team, released a message claiming they had taken control over all of the company’s systems and extracted databases containing client details, source codes, email correspondence and more.According to the message, the attack occurred in response to Ashley Madison‘s exposure of its clients – although the company offered and charged clients for a full profile deletion, this, in fact, was never carried out. Impact Team demanded that Ashley Madison and another website owned by Avid Life Media (ALM) cease their activity and shut down in 30 days, otherwise all stolen data would be published.
One month later, on August 16, 2015, Impact Team realized its threats – a link for downloading the data was posted on a password-protected hacking forum on the Darknet. The leaked data contained details of 37 million Ashley Madison users. Additionally, the attackers released data, containing mostly internal company information, in two additional stages.
The infiltration vector used by the attackers is not known. According to ex-Ashley Madison CEO, the attack was performed by a provider or a former employee who possessed legitimate login credentials. Apparently, as in an APT attack, Impact Team had access to the company systems for a long period of time. They stated that they had collected information for years and that the attack started long before the data was exposed.
In an email interview with members of Impact Team, they said “they worked hard to make a fully undetectable attack, then got in and found nothing to bypass – Nobody was watching. No security. The only thing was a segmented network. You could use Pass1234 from the internet to VPN to root on all servers.”
The Leaked Data
Despite the fact that Ashley Madison maintained a low security level on its systems, the clients data was stored with many more precautions – full credit card data was not stored, but instead only the last four digits, in accordance with the company’s declared policy. Nevertheless, information about payments that contained names and addresses of the clients were stored and later used by cybercriminals.
The passwords of Ashley Madison‘s clients were encrypted using a bcrypt algorithm, which is considered to be extremely strong. Another security measure taken by the company was the separation of databases for email addresses and passwords. However, an error in one of the exposed source codes enabled the decryption of 11 million passwords in only 10 days. A security researcher decrypted another 4,000 “strongly encrypted” passwords, due to the fact that they were widely used passwords.
Moreover, Ashley Madison saved IP addresses of its users for as long as five years. Thus, almost every user behind each profile can be identified.
The release of the data led to numerous discussions on hacking forums regarding ways to exploit the data. Some hackers focused on extortion schemes, while others offered to initiate spear-phishing attacks based on the leaked data.
In other attack reported by TrendMicro, hackers distributed email messages allegedly from Impact Team or law firms. They asked for money in exchange for removing the recipient’s name from the leak or for initiating a class action lawsuit against Ashley Madison.
Besides financial damage, according to press publications, three people committed suicide after the leaked data was released.
Moreover, not only its clients, but the company itself suffered damage because of the exposure of confidential information. Exposure of internal correspondence of Ashley Madison‘s executives revealed the company’s improper business activity, such as hacking into its competitors systems, creating fake profiles on its website and more. Finally, Ashley Madison’s financial losses are estimated at more than 200 million dollars, since the company was about to launch an initial public offering later this year.
Analysis of the leaked email correspondence of Ashley Madison‘s executives demonstrates that they were fully aware of the importance of cyber security measures. In the beginning of 2012, following the cyber-attack on the Grinder mobile application, the company’s then-CTO expressed his concerns regarding passwords that were stored fully unencrypted. Later in 2012, an encryption for passwords was initiated. On another occasion, after the email correspondence leak of General Petraeus, an employee suggested implementing an encrypted email service for Ashley Madison users. Despite the severity of the hack, several measures taken by the company, such as the encryption of the users’ passwords, reduced the damage caused by the leak. Nevertheless, the encryption, even a strong one such as bcrypt, is not enough and a password complexity policy should be implemented in the organization. Using strong passwords, maintaining different and complex passwords for the high-privileged accounts of the IT systems and restricting the access to these accounts will limit the attackers’ ability to move laterally in the organization’s network and take control of it.
The bar for becoming a cyber-criminal has never been so low. Whether buying off-the-shelf malware or writing your own, with a small investment, anyone can make a profit. Now it seems that the bar has been lowered even further with the creation of a new Darknet site that offers Ransomware-as-a-Service (RaaS), titled ORX-Locker.
Ransomware-as-a-Service enables a user with no knowledge or cash to create his own stubs and use them to infect systems. If the victim decides to pay, the ransom goes to the service provider, who takes a percent of the payment and forwards the rest to the user. For cyber-criminals, this is a win-win situation. The user who cannot afford to buy the ransomware or does not have the requisite knowledge can acquire it for free, and the creator gets his ransomware spread without any effort from his side.
This is not the first time we have seen this kind of service. McAfee previously (May, 2015) reported on Tox. While Tox was the first ransomware-as-a-service, it seems that ORX has taken the idea one step further, with AV evasion methods and complex communication techniques, and apparently also using universities and other platforms as its infrastructure.
In the “August 2015 IBM Security IBM X-Force Threat Intelligence Quarterly, 3Q 2015,” published on Monday (August 24, 2015), IBM mentioned TOX while predicting: “This simplicity may spread rapidly to more sophisticated but less common ransomware attack paradigms and lead to off-the-shelf offerings in the cloud.” Just one day later, a post was published on a closed Darknet forum regarding the new ORX-Locker service.
ORX – First Appearance
On August 25, 2015, a user dubbed orxteam published a post regarding the new ransomware service. The message, which was part of his introduction post – a mandatory post every new user has to make to be accepted to the forum – described the new ORX-Locker ransomware as a service platform. In the introduction, the user presented himself as Team ORX, a group that provides private locker software (their name for ransomware) and also ransomware-as-a-service platform.
ORX Locker Online Platform
Team ORX has built a Darknet website dedicated to the new public service. To enter the site, new users just need to register. No email or other identification details are required. Upon registration, users have the option to enter a referral username, which will earn them three percent from every payment made to the new user. After logging in, the user can move between five sections:
Home – the welcome screen where you users can see statistics on how much system has been locked by their ransom, how many victims decided to pay, how much they earned and their current balance.
Build EXE – Team ORX has made the process of creating a stub so simple that the only thing a user needs to do is to enter an ID number for his stub (5 digits max) and the ransom price (ORX put a minimum of $75). After that, the user clicks on the Build EXE button and the stub is created and presented in a table with all other stubs previously created by the user.
Stats – This section presents the user with information on systems infected with his stub, including the system OS, how many files have been encrypted, time and date of infection, how much profit has been generated by each system, etc.
Wallet – following a successful infection, the user can withdraw his earnings and transfer them to a Bitcoin address of his choosing.
Support – This section provides general information on the service, including more information on how to build the stub and a mail address (orxsupport@safe-mail[.]net) that users can contact if they require support.
When a user downloads the created stub, he gets a zip file containing the stub, in the form of an “.exe” file. Both the zip and the stub names consist of a random string, 20-characters long. Each file has a different name.
Once executed, the ransomware starts communicating with various IP addresses. The following is a sample from our analysis:
130[.]75[.]81[.]251 – Leibniz University of Hanover
130[.]149[.]200[.]12 – Technical University of Berlin
171[.]25[.]193[.]9 – DFRI (Swedish non-profit and non-party organization working for digital rights)
199[.]254[.]238[.]52 – Riseup (Riseup provides online communication tools for people and groups working on liberatory social change)
As you can see, some of the addresses are related to universities and others to organizations with various agendas.
Upon activation, the ransomware connects to the official TOR project website and downloads the TOR client. The malware then transmits data over this channel. Using hidden services for communication is a trend that has been adopted by most known ransomware tools in the last year, as was the case of Cryptowall 3.0. In our analysis, the communication was over the standard 9050 port and over 49201.
The final piece would be the encryption of files on the victim’s machine. Unlike other, more “target oriented” ransomware, this particular one locks all files, changing the file ending to .LOCKED and deletes the originals.
When the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted, and a payment instruction file will be created on the desktop.
In the payment instruction file (.html), the victim receives a unique payment ID and a link to the payment website, located on the onion network (rkcgwcsfwhvuvgli[.]onion). After entering the site using the payment ID, the victim receives another set of instructions in order to complete the payment.
Finally, although some basic persistence and anti-AV mechanisms are present, the malware still has room to “grow.” We are certain that as its popularity grows, more developments and enhancements will follow.