Massive Cyber Attack Causing Chaos as World Still Recovers from WannaCry

In the past few hours, multiple reports were published about a mass-scale cyber-attack taking place in Ukraine. The attack hit multiple government resources, as well as corporate, financial and critical infrastructure systems (Kyiv subway and airport, electricity and oil companies, etc). Continue reading “Massive Cyber Attack Causing Chaos as World Still Recovers from WannaCry”

EclecticIQ Partners with SenseCy to Bring Leading Cyber Threat Intelligence Technology to the Israeli Cyber Community

We are very proud to announce our partnership with EclecticIQ, the industry-leading builder of analyst-centric technologies that turn cyber threat intelligence into business value.

In the partnership, SenseCy will deliver its unique cyber intelligence Continue reading “EclecticIQ Partners with SenseCy to Bring Leading Cyber Threat Intelligence Technology to the Israeli Cyber Community”

The Healthcare Sector is Targeted by Cybercriminals More than Ever

The healthcare sector has recently become a desirable target for cyber crooks. According to Symantec ISTR report statistics, healthcare was the most breached sub-sector in 2015, comprising almost 40% of all the attacks. Hospital security systems are generally less secure than those of financial organizations, as monetary theft has always been perceived as the greatest threat for organizations, and dangers to other sectors were usually underestimated. Moreover, awareness of cyber-attacks against hospitals and medical centers is much lower than it is to financial cybercrime, and as a result, the employees are less well-trained on how to avoid falling victim to a cyber-attack.

1
Top 10 Sub-Sectors Breached by Number of Incidents According to Symantec ISTR report

Only lately, this concept has started to be challenged, revealing the potential damage that can be caused by the theft and leakage of patient data. However, the ‘bad guys’ remain one step ahead and during the last few months, we have witnessed a spate of attacks targeting the healthcare industry: ransomware attacks encrypting essential data and demanding payment of a ransom, numerous data leakages revealing confidential patient data, unauthorized access to medical networks and even the hacking of medical devices, such as pumps and X-ray equipment.

Moreover, the healthcare sector is being targeted by hackers not only directly, but also via third-party companies in the supply chain, such as equipment and drug suppliers. These companies usually store some confidential data that originates in the hospitals’ databases and may even have access to the hospital IT systems, but they are far less secure than the hospitals themselves. Thus, they serve as a preferable infiltration point for malicious actors pursuing the theft of medical data and attempting to infiltrate the hospitals’ networks.

The consequences of attacks on the healthcare industry may be extensive, including the impairment of the medical center functioning, which may result in danger to human lives in the worst case scenario. In other cases, personal data will be stolen and sold on underground markets. Cybercriminals will take advantages of these personal details for identity theft or for future cyber-attacks combining social engineering based on the stolen details.

While monitoring closed Deep-Web and Darknet sources, SenseCy analysts recently noticed a growing interest toward the healthcare sector among cyber criminals. Databases of medical institutions are traded on illicit marketplaces and closed forums, along with access to their servers. In the last few months alone, we came across several occurrences indicating extensive trade of medical records and access to servers where this data is stored.

The first case, in May 2016, was the sale of RDP access for a large clinic group with several branches in the central U.S., which was offered for sale on a Darknet closed forum. For a payment of $50,000 Bitcoins, the buyer would receive access to the compromised workstation, with access to 3 GB of data stored on four hard disks. Additionally, the workstation allows access to an aggregate electronical system (EHR) for managing medical records, where data regarding patients, suppliers, payments and more can be exploited.

Although the seller did not mention the origin of the credentials he was selling, he claimed that local administrator privileges could be received on the compromised system. He also specified that 45 users from the medical personnel were logged into the system from the workstation he hacked.

The relatively high price for this offer indicates the high demand for medical information. With RDP access, the potential attackers can perform any action on the compromised workstation: install malware, encrypt the files or erase them, infect other machines in the network and access any data stored in the network. The consequences can be tremendous.

2
An excerpt of the sale thread posted on a Darknet forum

 

3
Screenshot allegedly taken on the hacked workstation

Just a few weeks later, in June 2016, our analysts detected another cyber-accident related to healthcare. This time, three databases allegedly stolen via an RDP access to a medical organization were offered for sale for more than $500,000 on a dedicated Darknet marketplace. In one of his posts, the seller claimed that one of the databases belongs to a large American health insurer.

4
One of the sales posts on a Darknet marketplace
5
Screenshot posted by the seller as a proof of hacking into a medical organization

Before long, we again discovered evidence of hacking into a medical-related organization, this time by Russian-speaking hackers. On one of the forums we monitor, a member tried to sell an SSH access to the server of an American company supplying equipment to 130 medical center in the U.S. He uploaded screenshots proving that he accessed the server where personal data of patients is stored.

The conclusions following these findings are concerning. An extensive trade in medical information and compromised workstations and servers is a common sight on underground illegal markets. This business generates hundreds of thousands, if not millions of dollars annually, ensuring its continuation as long as there are such high profits to those involved. Since the ramifications can be grave, the healthcare sector must take all necessary measures to protect their systems and data:

  1. Implement a strong password policy, because many hacks are a result of brute-force attack. Strong passwords and two-factor authentications to log into organizational systems should be the number one rule for medical organizations.
  2. Deploy suitable security systems.
  3. Instruct the employees to follow cyber security rules – choosing strong and unique passwords, spotting phishing email messages, avoiding clicking on links and downloading files from unknown sources, etc. Consider periodic training for employees on these issues to maintain high awareness and compliance with the rules.
  4. Use Cyber Threat Intelligence (CTI) – to keep up with the times regarding the current most prominent threats to your organization and industry.
  5. Keep all software updated.

Terrogence, SenseCy and Sixgill Announce a Strategic Partnership

Terrogence, SenseCy and Sixgill have formed a strategic partnership to deliver next generation integrated big data analytics and cyber threat intelligence for Japanese clients. The new venture allows organizations to create their own personal collection lists and real-time threat alerts enhanced with actionable intelligence. We look forward to working together to produce high quality intelligence for our customers.

The full press release can be viewed here.

#OpIsrael 2016 – Summary

This year, #OpIsrael hacktivists focused on defacing private websites, carrying out DDoS attacks and leaking databases. Hundreds of private Israeli websites were defaced, mostly by Fallaga and AnonGhost members. Various databases containing Israeli email addresses and credit cards were leaked, but the majority were recycled from previous campaigns.

The hacktivists attacks commenced on April 5, 2016, two days before the campaign was launched, with a massive DDoS attack against an Israeli company that provides cloud services. The fact that no one took responsibility for the attack, alongside the massive DDoS power invested, may indicate that threat actors with advanced technical abilities were responsible.

On April 7, 2016, approximately 2,650 Facebook users expressed their desire to participate in the campaign via anti-Israel Facebook event pages. There are several possible reasons for the low number of participants (compared for example to the 5,200 participants in #OpIsrael 2015). One reason might be disappointment in last year’s lack of significant achievements. Another reason could be the devotion of attention to other topics, such as the cyber campaign against the Islamic State (IS), in the wake of the recent terrorist attacks in Brussels. Moreover, it is possible that anti-Israel hacktivists have abandoned social media networks for other platforms, such as IRC and Telegram.

1
Number of participants in the #OpIsrael campaign since 2014

During the campaign, we detected many indications of the use of common DDoS tools, such as HOIC, and simple DDoS web platforms that do not require any prior technical knowledge in order to operate them. Most of the DDoS attacks were directed against Israeli government and financial websites. Hacktivists claimed they managed to take down two Israeli bank websites. While this could be true, the websites were up and operational again within a short time. In addition, there were no indications of the use of RATs or ransomware against Israeli targets.

2
Using common DDoS tools against an Israeli website

As mentioned previously, most of the leaked databases were recycled from previous campaigns. However, we noticed that almost all of the new leaked databases were stolen from the same source – an Israeli company that develop websites. Notably, during the 2014 #OpIsrael campaign, this company website appeared on a list of hacked websites.

There was no immediate claim of responsibility for the leakage of these databases, which raises many questions, since anti-Israel hacktivists typically publish their achievements on social media networks to promote the success of the campaign. Moreover, almost all of these databases were first leaked in the Darknet, but anti-Israel hacktivists do not use this platform at all. In addition, all of the data leakages were allegedly leaked by a hacker dubbed #IndoGhost, but there are no indications to suggest that this entity was involved in the #OpIsrael campaign or any other anti-Israel activity.

Finally, we detected several attempts to organize another anti-Israel campaign for May 7, 2016. As an example, we identified a post calling to hack Israeli government websites on this date. We estimate that these attempts will not succeed in organizing another anti-Israel cyber campaign.

SenseCy 2015 Annual Cyber Threat Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

SenseCy’s 2015 Annual CTI Report spans the main trends and activities monitored by us in the different cyber arenas including the world of Arab hacktivism, the Russian underground, the English-speaking underground, the Darknet and the Iranian underground. In addition, we have listed the major cyber incidents that occurred in 2015, and the most prominent attacks against Israeli organizations.

The following is an excerpt from the report. To receive a copy, please send a request to: info@sensecy.com

Executive Summary

2015 was a prolific year for cyber threats, so before elaborating on our main insights from the different arenas covered here at SenseCy, we would like to first summarize three of the main trends we observed in 2015.

Firstly, when reviewing 2015, we recommend paying special attention to the evolving world of ransomware and new applications of this type of malware, such as Ransomware-as-a-Service (RaaS), and ransomware targeting cloud services, as opposed to local networks and more.

Secondly, throughout 2015, we witnessed cyber-attacks against high-profile targets attributed to ISIS-affiliated hackers and groups. One such incident was the January 2015 allegedly attack against the YouTube channel and Twitter account of the U.S. Central Command (CENTCOM).

Thirdly, 2015 revealed a continuing interest in the field of critical infrastructure among hackers. Throughout the year, we witnessed multiple incidents of critical infrastructure firms allegedly targeted by hackers, prompting periodic analyses addressing the potential vulnerabilities of critical sectors such as energy, water, and more. Taking into consideration the advanced capabilities and high-level of understanding of such systems required to execute such attacks, many security firms and experts are confident that these attacks are supported by nation-state actors.

Insights

The following are several of our insights regarding activities in different cyber arenas this past year:

Islamic Hacktivism

During 2015, we detected several indications of anti-Israel cybercrime activity on closed platforms frequented by Arabic-speaking hackers. It will be interesting to see if these anti-Israel hacktivists that usually call to deface Israeli websites or carry out DDoS attacks will attempt to incorporate phishing attacks, spamming methods and tools into their arsenals. Notwithstanding, Islamic hacktivism activity continues unabated, but without any significant success.

Trade on Russian Underground Forums

The prominent products currently traded during 2015 on Russian underground forums are ransomware programs and exploits targeting Microsoft Office. With regard to banking Trojans, we did not notice any major developments or the appearance of new Trojans for sale. The PoS malware field has not yielded any new threats either, in contrast to the impression given by its intensive media coverage.

Mobile malware for Android devices is on the rise as well, with the majority of tools offered being Trojans, but we have also detected ransomware and loaders.

Prices on the Russian Underground have remained unchanged during the past two years, due to the vigorous competition between sellers on these platforms.

Different kinds of services, such as digital signing for malicious files, injections development for MitM attacks and crypting malware to avoid detection were also extremely popular on Russian forums.

Exploits and exploit kits on the Russian underground
Exploits and exploit kits on the Russian underground

The English-Language Underground

Our analysis of password-protected forums revealed that exploits were the best-selling products of 2015. This comes as no surprise, since exploits are a vital part of almost every attack.

The Darknet made the headlines on multiple occasions this year, mostly owing to databases that were leaked on it and media reports recounting FBI activities against Darknet users. Furthermore, this year saw increased activity by the hacking community on the Darknet, manifested in dedicated markets for the sale of 0-day exploits and the establishment of several new hacking forums.

Sales of hacking tools in the English-language underground
Sales of hacking tools in the English-language underground

The Iranian Underground

With regard to Iranian threat actors, 2015 was a highly prolific year, with attack groups making headlines around the world. Delving deeper into the Iranian underground, we uncovered several interesting trends, some more clear than others.

One main development in 2015 was the persistent interest in critical infrastructure, with underground forum members sharing and requesting information related to industrial control systems and other related components. With Iranian actors becoming increasingly drawn to this field, we assess that this trend will remain relevant in 2016 as well.

Another growing phenomenon is the stunted life cycles of Iranian cyber groups, many with a life-span of just several months. This trend makes it difficult to monitor the different entities active in the Iranian cyber arena and their activities. To understand the constant changes in this realm, this short life cycle trend must be taken into consideration and the Iranian cyber arena continuously monitored.

That said, we must not overlook one of the most prominent characteristics of Iranian attack groups – confidentiality. With attacks attributed to Iranian actors becoming more sophisticated and high-profile, we believe that the divide between medium-level practices of malicious activity and alleged state-sponsored activity by attack groups will remain pronounced.

Screenshot from the IDC-Team forum showing, among other things, the list of “Hottest Threads” and “Most Viewed Threads” on the forum
Screenshot from the IDC-Team forum showing, among other things, the list of “Hottest Threads” and “Most Viewed Threads” on the forum

ISIS – Cyber-Jihad

On the other side of the Arab-speaking cyber world, we can find ISIS and its evolving cyber activities. There is disagreement between intelligence firms and cyber experts about the cyber offensive capabilities of the Islamic State. In addition, there is a high motivation among hackers that identify with the group’s fundamentalist agenda to carry out cyber-attacks against Western targets, especially against those countries actively involved in the war against the group in Iraq and Syria.

ORX-Locker – A Darknet Ransomware That Even Your Grandmother Can Use

Written by Ran L. and Mickael S.

The bar for becoming a cyber-criminal has never been so low. Whether buying off-the-shelf malware or writing your own, with a small investment, anyone can make a profit. Now it seems that the bar has been lowered even further with the creation of a new Darknet site that offers Ransomware-as-a-Service (RaaS), titled ORX-Locker.

Ransomware-as-a-Service enables a user with no knowledge or cash to create his own stubs and use them to infect systems. If the victim decides to pay, the ransom goes to the service provider, who takes a percent of the payment and forwards the rest to the user. For cyber-criminals, this is a win-win situation. The user who cannot afford to buy the ransomware or does not have the requisite knowledge can acquire it for free, and the creator gets his ransomware spread without any effort from his side.

This is not the first time we have seen this kind of service. McAfee previously (May, 2015) reported on Tox. While Tox was the first ransomware-as-a-service, it seems that ORX has taken the idea one step further, with AV evasion methods and complex communication techniques, and apparently also using universities and other platforms as its infrastructure.

In the “August 2015 IBM Security IBM X-Force Threat Intelligence Quarterly, 3Q 2015,” published on Monday (August 24, 2015), IBM mentioned TOX while predicting: “This simplicity may spread rapidly to more sophisticated but less common ransomware attack paradigms and lead to off-the-shelf offerings in the cloud.” Just one day later, a post was published on a closed Darknet forum regarding the new ORX-Locker service.

ORX – First Appearance

On August 25, 2015, a user dubbed orxteam published a post regarding the new ransomware service. The message, which was part of his introduction post – a mandatory post every new user has to make to be accepted to the forum – described the new ORX-Locker ransomware as a service platform. In the introduction, the user presented himself as Team ORX, a group that provides private locker software (their name for ransomware) and also ransomware-as-a-service platform.

ORX team introduction post in a closed Darknet hacking forum.
ORX Team introduction post in a closed Darknet hacking forum.

ORX Locker Online Platform

Team ORX has built a Darknet website dedicated to the new public service. To enter the site, new users just need to register. No email or other identification details are required. Upon registration, users have the option to enter a referral username, which will earn them three percent from every payment made to the new user. After logging in, the user can move between five sections:

Home – the welcome screen where you users can see statistics on how much system has been locked by their ransom, how many victims decided to pay, how much they earned and their current balance.

Build EXE – Team ORX has made the process of creating a stub so simple that the only thing a user needs to do is to enter an ID number for his stub (5 digits max) and the ransom price (ORX put a minimum of $75). After that, the user clicks on the Build EXE button and the stub is created and presented in a table with all other stubs previously created by the user.

ORX-Locker Darknet platform, which enables every registered user to build his own ransomware stub.
ORX-Locker Darknet platform, which enables every registered user to build his own ransomware stub.

Stats – This section presents the user with information on systems infected with his stub, including the system OS, how many files have been encrypted, time and date of infection, how much profit has been generated by each system, etc.

Wallet – following a successful infection, the user can withdraw his earnings and transfer them to a Bitcoin address of his choosing.

Support – This section provides general information on the service, including more information on how to build the stub and a mail address (orxsupport@safe-mail[.]net) that users can contact if they require support.

Ransomware

When a user downloads the created stub, he gets a zip file containing the stub, in the form of an “.exe” file. Both the zip and the stub names consist of a random string, 20-characters long. Each file has a different name.

Once executed, the ransomware starts communicating with various IP addresses. The following is a sample from our analysis:

  1. 130[.]75[.]81[.]251 – Leibniz University of Hanover
  2. 130[.]149[.]200[.]12 – Technical University of Berlin
  3. 171[.]25[.]193[.]9 – DFRI (Swedish non-profit and non-party organization working for digital rights)
  4. 199[.]254[.]238[.]52 – Riseup (Riseup provides online communication tools for people and groups working on liberatory social change)

As you can see, some of the addresses are related to universities and others to organizations with various agendas.

Upon activation, the ransomware connects to the official TOR project website and downloads the TOR client. The malware then transmits data over this channel. Using hidden services for communication is a trend that has been adopted by most known ransomware tools in the last year, as was the case of Cryptowall 3.0. In our analysis, the communication was over the standard 9050 port and over 49201.

The final piece would be the encryption of files on the victim’s machine. Unlike other, more “target oriented” ransomware, this particular one locks all files, changing the file ending to .LOCKED and deletes the originals.

When the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted, and a payment instruction file will be created on the desktop.

After the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted
After the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted

In the payment instruction file (.html), the victim receives a unique payment ID and a link to the payment website, located on the onion network (rkcgwcsfwhvuvgli[.]onion). After entering the site using the payment ID, the victim receives another set of instructions in order to complete the payment.

ORX-Locker payment platform which has a dedicated site located on the onion network.
ORX-Locker payment platform, which has a dedicated site located on the onion network.

Finally, although some basic persistence and anti-AV mechanisms are present, the malware still has room to “grow.” We are certain that as its popularity grows, more developments and enhancements will follow.

YARA rule:

rule ORXLocker
{
meta:
author = “SenseCy”
date = “30/08/15”
description = “ORXLocker_yara_rule”

strings:
$string0 = {43 61 6e 27 74 20 63 6f 6d 70 6c 65 74 65 20 53 4f 43 4b 53 34 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 64 2e 25 64 2e 25 64 2e 25 64 3a 25 64 2e 20 28 25 64 29 2c 20 72 65 71 75 65 73 74 20 72 65 6a 65 63 74 65 64 20 62 65 63 61 75 73 65 20 74 68 65 20 63 6c 69 65 6e 74 20 70 72 6f 67 72 61 6d 20 61 6e 64 20 69 64 65 6e 74 64 20 72 65 70 6f 72 74 20 64 69 66 66 65 72 65 6e 74 20 75 73 65 72 2d 69 64 73 2e}
$string1 = {43 61 6e 27 74 20 63 6f 6d 70 6c 65 74 65 20 53 4f 43 4b 53 35 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 64 2e 20 28 25 64 29}
$string2 = {53 4f 43 4b 53 35 3a 20 73 65 72 76 65 72 20 72 65 73 6f 6c 76 69 6e 67 20 64 69 73 61 62 6c 65 64 20 66 6f 72 20 68 6f 73 74 6e 61 6d 65 73 20 6f 66 20 6c 65 6e 67 74 68 20 3e 20 32 35 35 20 5b 61 63 74 75 61 6c 20 6c 65 6e 3d 25 7a 75 5d}
$string3 = {50 72 6f 78 79 20 43 4f 4e 4e 45 43 54 20 66 6f 6c 6c 6f 77 65 64 20 62 79 20 25 7a 64 20 62 79 74 65 73 20 6f 66 20 6f 70 61 71 75 65 20 64 61 74 61 2e 20 44 61 74 61 20 69 67 6e 6f 72 65 64 20 28 6b 6e 6f 77 6e 20 62 75 67 20 23 33 39 29}
$string4 = {3c 61 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 72 6b 63 67 77 63 73 66 77 68 76 75 76 67 6c 69 2e 74 6f 72 32 77 65 62 2e 6f 72 67 3e 68 74 74 70 73 3a 2f 2f 72 6b 63 67 77 63 73 66 77 68 76 75 76 67 6c 69 2e 74 6f 72 32 77 65 62 2e 6f 72 67 3c 2f 61 3e 3c 62 72 3e}
$string5 = {43 3a 5c 44 65 76 5c 46 69 6e 61 6c 5c 52 65 6c 65 61 73 65 5c 6d 61 69 6e 2e 70 64 62}
$string6 = {2e 3f 41 56 3f 24 62 61 73 69 63 5f 6f 66 73 74 72 65 61 6d 40 44 55 3f 24 63 68 61 72 5f 74 72 61 69 74 73 40 44 40 73 74 64 40 40 40 73 74 64 40 40}
$string7 = {2e 3f 41 56 3f 24 62 61 73 69 63 5f 69 6f 73 40 5f 57 55 3f 24 63 68 61 72 5f 74 72 61 69 74 73 40 5f 57 40 73 74 64 40 40 40 73 74 64 40 40}
$string8 = “ttp://4rhfxsrzmzilheyj.onion/get.php?a=” wide
$string9 = “\\Payment-Instructions.htm” wide

condition:
all of them
}

Why Are Information Security Tools and Cyber Intelligence Like a Hammer and Nails?

By Dori Fisher, VP Intelligence Solutions

Information security (“cyber security”) has rapidly evolved in recent years, and as a result, we need to reinvent and redefine concepts that were once considered clear and concepts that have not yet been addressed. One of these concepts is cyber threat intelligence, or CTI.

Market Guide for Security Threat Intelligence Services, a Gartner paper from October 2014, lists 27 companies in its CTI category. These include two very different Israeli companies, Check Point, known originally for its firewalls, and SenseCy, which is known for its intelligence.

Yet one-dimensional market categories do not reflect the specific activities of various companies. In other words, CTI, like DLP (data leakage protection) and other terms, is implemented in various ways and expresses different needs. Sometimes, with all the marketing hype, words lose their meaning. One of the biggest challenges with “CTI” is that it refers to intelligence when what is actually delivered is information.

What is Intelligence?

Intelligence, according to the FBI, is “information that has been analyzed and refined so that it is useful to policymakers in making decisions.”

Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice.”

The common thread in definitions of intelligence is that it is information analyzed to create value.

Stages of Cyber Intelligence

Cyber intelligence, like classic intelligence, consists of a number of major processes:

Developing sources: Where do you look and how do you get there? (For example, how do you become a member of a closed Indonesian carding forum?)

Collection: What do you look for and how do you find information? (For example, using various languages, automatic or manual tools, etc.)

Filtering and aggregation: Filtering and combining bits of information.

Analysis: Understanding the information and its value.

Conclusions and deliverables: Insights about the information analyzed and packaging of the information.

Computers have proven themselves efficient at collecting, aggregating, and filtering intelligence. However, human beings are still better at developing high-quality sources, analyzing, and drawing conclusions – despite the great promise of various analytic technologies.

Intelligence vs. Information

Many of the deliveries called intelligence (or CTI) are in fact, information.

Examples are information collection by means of honey pots, attack servers, network forensics, social networks, Internet networks not accessible through a Google search (the Deep Web), or networks requiring special browsing software (the Dark Web).

Without information collection there would be no intelligence, but the mere act of collection from one source or another does not make the information “intelligence.”

For example, a quote from a closed group that is planning to attack a certain bank on Christmas is important information, but the modus operandi, the tools to be used, the ability to actually carry out the attack, and the likelihood that the attack will take place is important intelligence.

Cyber Intelligence as a Nail and Information Security Tools as a Hammer

Psychologist Abraham Maslow noted that “it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.”

In the ancient world, when Joshua sent spies into Jericho, his tools were mainly between his ears, and the intelligence took form accordingly. Today, with firewalls, information security management systems, data leak prevention, and endpoint protection, we sometimes confuse intelligence with technological information like IP addresses and signatures that can be inserted into the products that we buy.

The technological information is the delivery but not the essence.

High-quality intelligence can sometimes also be expressed in technological deliveries, but the quality of intelligence can be measured based on the ability to act upon it, whether by updating firewall rules or redefining strategy or tactics in regard to a certain topic.

 

How Hackers Use Social Media Networks to Put Your Organization at Risk

SenseCy’s teams monitor underground and password-protected forums and communities in many languages – Russian, Arabic, Persian, Chinese, Portuguese, English, and more. By gaining access to the Deep Web and Darknet, we identify suspicious activity and new hacker tools and enable our clients to mitigate or eliminate cyber threats.

Hacker communities on social networks continue to evolve. More and more communities are creating Twitter accounts as well as pages and groups in popular social networks such as Facebook and VKontakte (a Russian social network) to share information, tools, and experience.

In the past, hackers came together on social networks to hold operational discussions, share targets, and join forces for DDoS attacks, but less to upload or download hacking tools. Since this is changing, we are now monitoring hacking tools offered for download on Twitter, Facebook, and VKontakte.

Source code published on Twitter
Source code published on Twitter

These hacker communities can be classified into three main categories:

  1. Open public groups and accounts that make common, well-known tools available.

    Open Facebook group of well-known Arab hackers
    Open Facebook group of well-known Arab hackers
  2. Closed, secret groups sharing rare or sector-related tools or programs in a specific language.

    Secret Facebook group from Southeast Asia
    Secret Facebook group from Southeast Asia
  3. Groups sharing or even selling self-developed tools.
    Facebook post in closed Asian hacker group
    Facebook post in closed Asian hacker group

    A prominent example is the self-developed DDoS tool created by hacker group AnonGhost for the #OpIsrael cyber campaign, which is expected to take place on April 7, 2015. This tool uses three flooding methods, TCP, UDP, and HTTP and can operate through a proxy if needed. AnonGhost posted its new tool on its official Facebook page with a link to a tutorial on YouTube, and soon it was widely distributed among hacktivists through social media.

    From AnonGhost's official Facebook Page
    From AnonGhost’s official Facebook Page

    We regularly monitor trends and developments in social networks, since they are becoming the preferred platform for groups of hackers to share and improve attack tools. SenseCy also takes part in these communities, which gives us the edge in preventing attacks in real time. We continue to track new trends and developments to detect cyber threats for our clients.

SenseCy 2014 Annual Cyber Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

Executive Summary

Clearly, 2014 was an important year in the cyber arena. The technical level of the attacks, the variety of tools and methods used and the destructive results achieved have proven, yet again, that cyber is a cross-border tool that is rapidly gaining momentum.

This year, we witnessed attacks on key vectors: cyber criminals setting their sights on targets in the private sector, hacktivists using cyber tools for their ideological struggles, state-sponsored campaigns to facilitate spying on high-profile targets, and cyber conflicts between countries.

The following is an excerpt from an annual report prepared by our Cyber Intelligence analysts. To receive a copy, please send a request to: info@sensecy.com

Insights

Below are several of our insights regarding cyber activity this past year:

  • The financial sector was and continues to be a key target for cyber criminals, with most of the corporations hacked this year in the U.S. being attacked through infection of Point-of-Sale (POS) systems. Despite the high level of awareness as to the vulnerability of these systems following the Target breach at the end of 2013, ever more organizations are continuing to fall victim to these types of attacks, as the cybercrime community develops and sells dedicated tools for these systems.
  • In 2014, we saw another step up in the use of cyber as a cross-border weapon, the use of which can be highly destructive. This was evidenced in the attack on JPMorgan, which according to reports was a response to sanctions imposed by the U.S. on Russia. The ensuing Sony breach and threats to peoples’ lives should the movie The Interview be screened exacerbated the state of asymmetrical war in cyber space, where on the one hand, we see countries attacking companies, and on the other, groups of hackers attacking countries. This trend becomes even more concerning following the reports of the deaths of three workers at a nuclear reactor in South Korea, after it became the target of a targeted cyber-attack, evidently by North Korean entities.
  • This past year was rife with campaigns by anti-Israel hacktivist campaigns, whose motivation for attacking Israel’s cyber networks was especially strong. Again, it was clearly demonstrated that the relationship between physical and virtual space is particularly strong, when alongside Operation Protective Edge (July-August 2014), we witnessed a targeted cyber campaign by hacktivist organizations from throughout the Muslim world (but not only) and by cyber terror groups, which in some cases were able to score significant successes. We believe that in 2015, attacks by hacktivist groups will become higher quality (DDoS attacks at high bandwidth, for example) and the use of vectors, which to date have been less common, such as attacks against mobile devices, will become increasingly frequent.
  • Involvement of the internal factor in cyber-attacks: According to some speculations published recently in the global media regarding the massive Sony breach, former company employees  may have abused their positions and status to steal confidential information and try to harm the organization. This underscores the importance of information security and internal compartmentalization in organizations with databases containing sensitive information.

The Past Year on the Russian Underground

In 2014, we saw active underground trading of malware and exploits, with some of them being used in attacks inside and outside Russia that gained widespread media coverage in sources dealing with information security.

The following is a list of categories of malware and the main services offered for sale in 2014 on the Russian-speaking underground forums. Note that in this analysis, we only included important tools that were well-received by the buyers, which indicates their reliability and level of professionalism. Additionally, only tools that were sold for over a month were included. Let us also note that the analysis does not include special PoS firmware, but only programs designed to facilitate remote information theft through takeover of the terminal.

Malware_Russian Underground

Prices

The average price of a tool offered for sale in 2014 was $1,500. Since 2013, the average price has increased by $500. The following graph lists the average price in each of the categories outlined above (in USD):

Average_Price_by_Category

Key Trends Observed on the Russian Underground this Past Year

Trojan Horses for the Financial Sector

Malware designed to target financial institutions is a highly sought-after product on the Russian underground, and this past year we observed the development of malware based on Kronos source code – Zeus, Chthonic (called Udacha by the seller) and Dyre malware. Additionally, the sale of tools designed to sell login details for banking sites via mobile devices were also observed.

In this context, it should be noted that the modular structure of many types of financial malware allows flexibility by both the seller and the buyer. Most financial malware is sold in this format – meaning, various modules responsible for the malware’s activity can be purchased separately: Formgrabber module, Web-Injections module and more.

MitM Attacks

This type of attack vector, known to cyber criminals as Web injections, is most common as a module in Trojan horses for the financial sector. Members of many forums offer their services as injection writers, referring to creation of malware designed to be integrated into a specific banking Trojan horse (generally based on Zeus), tailored to the specific bank, which imitates the design of its windows, etc. In 2014, we saw this field prosper, with at least seven similar services offered on the various forums.

Ransomware

This year we witnessed a not insignificant amount of ransomware for sale on Russian-speaking forums. It would appear that the forums see a strong potential for profit through this attack vector and therefore invest in the development of ransomware. Furthermore, note that some of the ransomware uses the Tor network to better conceal the command and control servers. Since CryptoLocker was discovered in September 2013, we have seen numerous attempts at developing similar malware both for PCs and laptops.

Additional trends and insights are detailed in the full report.