SenseCy 2014 Annual Cyber Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

Executive Summary

Clearly, 2014 was an important year in the cyber arena. The technical level of the attacks, the variety of tools and methods used and the destructive results achieved have proven, yet again, that cyber is a cross-border tool that is rapidly gaining momentum.

This year, we witnessed attacks on key vectors: cyber criminals setting their sights on targets in the private sector, hacktivists using cyber tools for their ideological struggles, state-sponsored campaigns to facilitate spying on high-profile targets, and cyber conflicts between countries.

The following is an excerpt from an annual report prepared by our Cyber Intelligence analysts. To receive a copy, please send a request to: info@sensecy.com

Insights

Below are several of our insights regarding cyber activity this past year:

  • The financial sector was and continues to be a key target for cyber criminals, with most of the corporations hacked this year in the U.S. being attacked through infection of Point-of-Sale (POS) systems. Despite the high level of awareness as to the vulnerability of these systems following the Target breach at the end of 2013, ever more organizations are continuing to fall victim to these types of attacks, as the cybercrime community develops and sells dedicated tools for these systems.
  • In 2014, we saw another step up in the use of cyber as a cross-border weapon, the use of which can be highly destructive. This was evidenced in the attack on JPMorgan, which according to reports was a response to sanctions imposed by the U.S. on Russia. The ensuing Sony breach and threats to peoples’ lives should the movie The Interview be screened exacerbated the state of asymmetrical war in cyber space, where on the one hand, we see countries attacking companies, and on the other, groups of hackers attacking countries. This trend becomes even more concerning following the reports of the deaths of three workers at a nuclear reactor in South Korea, after it became the target of a targeted cyber-attack, evidently by North Korean entities.
  • This past year was rife with campaigns by anti-Israel hacktivist campaigns, whose motivation for attacking Israel’s cyber networks was especially strong. Again, it was clearly demonstrated that the relationship between physical and virtual space is particularly strong, when alongside Operation Protective Edge (July-August 2014), we witnessed a targeted cyber campaign by hacktivist organizations from throughout the Muslim world (but not only) and by cyber terror groups, which in some cases were able to score significant successes. We believe that in 2015, attacks by hacktivist groups will become higher quality (DDoS attacks at high bandwidth, for example) and the use of vectors, which to date have been less common, such as attacks against mobile devices, will become increasingly frequent.
  • Involvement of the internal factor in cyber-attacks: According to some speculations published recently in the global media regarding the massive Sony breach, former company employees  may have abused their positions and status to steal confidential information and try to harm the organization. This underscores the importance of information security and internal compartmentalization in organizations with databases containing sensitive information.

The Past Year on the Russian Underground

In 2014, we saw active underground trading of malware and exploits, with some of them being used in attacks inside and outside Russia that gained widespread media coverage in sources dealing with information security.

The following is a list of categories of malware and the main services offered for sale in 2014 on the Russian-speaking underground forums. Note that in this analysis, we only included important tools that were well-received by the buyers, which indicates their reliability and level of professionalism. Additionally, only tools that were sold for over a month were included. Let us also note that the analysis does not include special PoS firmware, but only programs designed to facilitate remote information theft through takeover of the terminal.

Malware_Russian Underground

Prices

The average price of a tool offered for sale in 2014 was $1,500. Since 2013, the average price has increased by $500. The following graph lists the average price in each of the categories outlined above (in USD):

Average_Price_by_Category

Key Trends Observed on the Russian Underground this Past Year

Trojan Horses for the Financial Sector

Malware designed to target financial institutions is a highly sought-after product on the Russian underground, and this past year we observed the development of malware based on Kronos source code – Zeus, Chthonic (called Udacha by the seller) and Dyre malware. Additionally, the sale of tools designed to sell login details for banking sites via mobile devices were also observed.

In this context, it should be noted that the modular structure of many types of financial malware allows flexibility by both the seller and the buyer. Most financial malware is sold in this format – meaning, various modules responsible for the malware’s activity can be purchased separately: Formgrabber module, Web-Injections module and more.

MitM Attacks

This type of attack vector, known to cyber criminals as Web injections, is most common as a module in Trojan horses for the financial sector. Members of many forums offer their services as injection writers, referring to creation of malware designed to be integrated into a specific banking Trojan horse (generally based on Zeus), tailored to the specific bank, which imitates the design of its windows, etc. In 2014, we saw this field prosper, with at least seven similar services offered on the various forums.

Ransomware

This year we witnessed a not insignificant amount of ransomware for sale on Russian-speaking forums. It would appear that the forums see a strong potential for profit through this attack vector and therefore invest in the development of ransomware. Furthermore, note that some of the ransomware uses the Tor network to better conceal the command and control servers. Since CryptoLocker was discovered in September 2013, we have seen numerous attempts at developing similar malware both for PCs and laptops.

Additional trends and insights are detailed in the full report.

Gods, Monsters and Pandas – Threats Lurking in the Cyber Realm

With new viruses constantly being developed and new groups being formed all the time, hackers should use their creative minds to come up with original names to distinguish their tools/group from the rest. While some names are rather trite and corny, others are more amusing and curious. Generally speaking, the names usually fall under one of about ten categories. Here are a few examples:

The following are some elaborations on specific names:

Torshammer666: Thor’s hammer, or Mjölnir in Norse mythology, is depicted as one of the most powerful weapons, forged by the skillful hands of the dwarves. However, it seems that one Nordic god was not enough for this specific hacker, so he walked the extra mile and added the ominous number 666 to the tool name, to create an intimidating effect stemming from the thought of a Nordic-Satanic-almighty-weapon.

Fallaga: The famous Tunisian hacker group Fallaga is named after the anti-colonial movement that fought for the independence of Tunisia (there were also Fallaga warriors in Algeria). The character in the group’s logo resembles the original Fallaga fighters.

熊猫烧香 (Panda Burning Incense) – Everybody loves those adorable, chubby, harmless bears called Pandas! They are native to China, and serve as its national animal and mascot. As such, it is no wonder that panda-themed characters and cartoons figure extensively in China in various contexts, often symbolically representing China internationally. And now the pandas have even invaded the virus realm! In 2006-2007 the 熊猫烧香 virus infected millions of computers throughout China and led to the first-ever arrests in the country under virus-spreading charges. The ultimate goal of the virus was to install password-stealing Trojans, but it was its manifestation on the victim’s device that attracted a lot of attention: the virus replaced all infected files icons with a cute image of a panda holding three incense sticks in its hands, hence the name “Panda Burning Incense.”

Bozok (Turkish) – It may refer to one of the two branches (along with Üçok) in Turkish and Turkic legendary history from which three sons of Oghuz Khan (Günhan, Ayhan, and Yıldızhan) and their 12 clans are traced (from Wikipedia.)

推杆熊猫 (Putter Panda, putter=golf stick) – Another Panda-themed name. It is widely recognized that golf is the sport of white collar professionals, usually those on the upper end of the salary ladder. That is why, when these prominent figures travel abroad to a convention or on a business trip (and engage in semi-business/semi-pleasure golf activities), they are sometimes subjected to sophisticated hacker attacks, usually initiated by their host country, as suspected in the case of Putter Panda and its ties with the Chinese government.

As you read these lines, more tools are being written, and we can expect to continue to see more intriguing names. The Chinese idiom 卧虎藏龙 (literally: “crouching tiger, hidden dragon”), which was the inspiration for the successful namesake movie, nowadays actually means “hidden, undiscovered talents.” Maybe it is time the gifted tigers and dragons of the hacker community climbed out of their dark caves, stopped performing illegal activities, and put their pooled talents (be they computing or copywriting) to good use?

 

After Intimidating Humankind Around the World, the Ebola Virus is now Threatening the Cyber Arena

It is a well-known fact that hackers can be very creative, not only when writing malicious code, but also when bestowing a name on their creation or connecting it to some sensational subject.

This time, inspired by the outbreak of the Ebola epidemic in Africa, the authors of the ransomware discussed below coded it to change filenames on the infected computer into a string containing the word “Ebola”. Let us take a deeper look at this new malware.

We first encountered the malware in a discussion on VKontakte, a very popular Russian social network. One of the participants uploaded a sample of the virus that infected his computer.

According to his description, he received the malware via an email message that contained a link. Clicking the link initiated the downloading of an .RAR archive that DOES NOT pop-up an AV alert. After unzipping the archive, all the files on the PC (extensions: PDF, DOC, DOCX, XLS, XLSX, JPG, DWG) became encrypted and their names were changed to *id-*help@antivirusebola.com. The shared folders were also encrypted and access denied. To recover the contents of the PC, the victim had to send an email to the address help[at]antivirusebola.com, and was subsequently instructed to pay 1 Bitcoin (approximately US$380) to a given address.

Further investigation on the Russian-speaking web revealed many other reports of Ebola virus infections. In most of the cases, the malicious link was sent via an email message, allegedly from the tax authorities or traffic police.

The ransomware was reported on several security firm forums (such as Kaspersky, Symantec and Dr.Web), but no solution to decrypting the files was found.

According to the Russian security company Dr.Web, the malware, now called “the Ebola Virus,” firstly appeared on August 20. The same ransomware has been distributed since August 7, albeit in a slightly different format – the file names were changed to id-*_decrypt@india.com or id-*_com@darkweider.com). All three versions are probably variants of the same malware identified by Dr.Web as Trojan.Encoder.741, and coded by a Russian nicknamed Korrektor (presumably the author of other ransomware as well). The malware is written in Delphi language, packed with an Armadillo packer and uses the algorithm AES-128 for encryption.

A closer look at the sample revealed the IP address of the C&C server – 31.220.2.150 – which belongs to a company called KODDOS, registered in Hong Kong (offering Offshore hosting and DDoS protection). The network is generated over HTTP – the infected machine sends out a unique string, probably the UID of the infected machine.

The post in VKontakte

It is important to note that to date, the malware is largely unrecognized by AV vendors. (The detection rate varies for different samples on VirusTotal – the highest is 15/55.)

Cyber Threats to the Aviation Industry

The aviation industry faces major risks on all of its fronts: from the air traffic control systems, to the aircraft themselves, to the airline companies and airports and border crossings. The identified threats stem from the current nature of aviation industry systems, which are interconnected and interdependent.

(Please note –  this blog post is an excerpt from our report: “Cyber Threats to the Aviation Industry”. If you are interested in receiving the full report please write to: info@sensecy.com)

On August 13, 2013, the AIAA officially released a Decision Paper entitled “A Framework for Aviation Cyber security”, outlining existing and evolving cyber threats to the commercial aviation enterprise and noting the lack of international agreement on cyber security in aviation. There is no common overall coordination of efforts seeking a global solution.

According to the report, the global aviation system is a potential target for a large-scale cyber attack with attackers focusing on malicious intent, information theft, profit, “hacktivism”, nation states, etc.

Aviation

The risks are not only theoretical. As portrayed below, some of the aforementioned security concerns have already been realized by hackers in real-life.

  • A presentation at the ‘Hack in The Box’ security summit in Amsterdam in April 2013 has demonstrated that it is possible to take control of an aircraft’s flight systems and communications using an Android smartphone.
  • Sykipot is a tool that serves as a backdoor that an attacker can use to execute commands on the affected system. It is being used to gather intelligence about the civil aviation sector in the U.S. Like most targeted attacks, Sykipot infects using spear-phishing techniques by sending emails with malicious attachments. Lately, as identified by Trend Micro, Sykipot has been observed gathering intelligence on the U.S. civil aviation sector. The intentions of this campaign are unclear as yet. Sykipot has a history of targeting U.S. Defense Initial Base (DIB) and key industries over the past six years.
  • Conficker, a worm that has infected millions of computers worldwide, infected the French Navy network on 2009, forcing it to cut connectivity to stop it from spreading, and to ground its Rafale fighter jets. It was probably introduced through an infected USB drive.
  • In 2008, Spanair flight 5022 crashed just after take-off, killing 154 people. According to the Spanish government’s Civil Aviation Accident and Incident Investigation Commission (CIAIAC), the disaster occurred because the central computer system used for monitoring technical problems in the aircraft was infected with a Trojan horse.
  • In 2008, the FAA reported that the computer network in the Boeing 787 Dreamliner’s passenger compartment was connected to the aircraft’s control, navigation and communication systems – a cause for grave security concern. This connection renders the plane control system vulnerable to cyber attack. Boeing advised that they would address the issue
Aviation sector under threat of cyber attacks

We believe that the aviation industry is facing major threats from cyberspace and these threats encompass large areas of the industry and may become a greater burden for it, compromising the safety of the passengers, and causing financial and commercial damage to the associated companies.