Growing Awareness of the Darknet in China Following Huge Domestic Database Breaches

In recent weeks, we have identified a growing awareness on Chinese security blogs and mainstream media, to the existence of the Darknet, and the activities of Chinese users on its platforms. The focus is mostly on the sale of leaked data, mainly of Chinese citizens. One of these leaks pertained to the Huazhu hotel group, and was one of two major data breaches that occurred simultaneously in China, raising awareness to this issue. The second breach was the database of SF Express, a delivery service company based in Shenzhen, Guangdong Province. Continue reading “Growing Awareness of the Darknet in China Following Huge Domestic Database Breaches”

Source Code of Ratopak/Pegasus Spyware Targeting the Financial Sector Recently Leaked

On July 6, 2018, a post claiming to contain the source code of Carbanak group malware was published on a Russian-speaking underground forum. Soon after the sharing of the code on the Russian underground, it was uploaded by an unknown actor to the text-sharing platform Pastebin, making it accessible to all. At the same time, malware researchers analyzing the shared code discovered the malware is not one used by the Carbanak group, but rather, it is the Ratopak/Pegasus spyware, used in attacks against Russian banks in 2016. Continue reading “Source Code of Ratopak/Pegasus Spyware Targeting the Financial Sector Recently Leaked”

The Healthcare Sector is Targeted by Cybercriminals More than Ever

The healthcare sector has recently become a desirable target for cyber crooks. According to Symantec ISTR report statistics, healthcare was the most breached sub-sector in 2015, comprising almost 40% of all the attacks. Hospital security systems are generally less secure than those of financial organizations, as monetary theft has always been perceived as the greatest threat for organizations, and dangers to other sectors were usually underestimated. Moreover, awareness of cyber-attacks against hospitals and medical centers is much lower than it is to financial cybercrime, and as a result, the employees are less well-trained on how to avoid falling victim to a cyber-attack.

1
Top 10 Sub-Sectors Breached by Number of Incidents According to Symantec ISTR report

Only lately, this concept has started to be challenged, revealing the potential damage that can be caused by the theft and leakage of patient data. However, the ‘bad guys’ remain one step ahead and during the last few months, we have witnessed a spate of attacks targeting the healthcare industry: ransomware attacks encrypting essential data and demanding payment of a ransom, numerous data leakages revealing confidential patient data, unauthorized access to medical networks and even the hacking of medical devices, such as pumps and X-ray equipment.

Moreover, the healthcare sector is being targeted by hackers not only directly, but also via third-party companies in the supply chain, such as equipment and drug suppliers. These companies usually store some confidential data that originates in the hospitals’ databases and may even have access to the hospital IT systems, but they are far less secure than the hospitals themselves. Thus, they serve as a preferable infiltration point for malicious actors pursuing the theft of medical data and attempting to infiltrate the hospitals’ networks.

The consequences of attacks on the healthcare industry may be extensive, including the impairment of the medical center functioning, which may result in danger to human lives in the worst case scenario. In other cases, personal data will be stolen and sold on underground markets. Cybercriminals will take advantages of these personal details for identity theft or for future cyber-attacks combining social engineering based on the stolen details.

While monitoring closed Deep-Web and Darknet sources, SenseCy analysts recently noticed a growing interest toward the healthcare sector among cyber criminals. Databases of medical institutions are traded on illicit marketplaces and closed forums, along with access to their servers. In the last few months alone, we came across several occurrences indicating extensive trade of medical records and access to servers where this data is stored.

The first case, in May 2016, was the sale of RDP access for a large clinic group with several branches in the central U.S., which was offered for sale on a Darknet closed forum. For a payment of $50,000 Bitcoins, the buyer would receive access to the compromised workstation, with access to 3 GB of data stored on four hard disks. Additionally, the workstation allows access to an aggregate electronical system (EHR) for managing medical records, where data regarding patients, suppliers, payments and more can be exploited.

Although the seller did not mention the origin of the credentials he was selling, he claimed that local administrator privileges could be received on the compromised system. He also specified that 45 users from the medical personnel were logged into the system from the workstation he hacked.

The relatively high price for this offer indicates the high demand for medical information. With RDP access, the potential attackers can perform any action on the compromised workstation: install malware, encrypt the files or erase them, infect other machines in the network and access any data stored in the network. The consequences can be tremendous.

2
An excerpt of the sale thread posted on a Darknet forum

 

3
Screenshot allegedly taken on the hacked workstation

Just a few weeks later, in June 2016, our analysts detected another cyber-accident related to healthcare. This time, three databases allegedly stolen via an RDP access to a medical organization were offered for sale for more than $500,000 on a dedicated Darknet marketplace. In one of his posts, the seller claimed that one of the databases belongs to a large American health insurer.

4
One of the sales posts on a Darknet marketplace
5
Screenshot posted by the seller as a proof of hacking into a medical organization

Before long, we again discovered evidence of hacking into a medical-related organization, this time by Russian-speaking hackers. On one of the forums we monitor, a member tried to sell an SSH access to the server of an American company supplying equipment to 130 medical center in the U.S. He uploaded screenshots proving that he accessed the server where personal data of patients is stored.

The conclusions following these findings are concerning. An extensive trade in medical information and compromised workstations and servers is a common sight on underground illegal markets. This business generates hundreds of thousands, if not millions of dollars annually, ensuring its continuation as long as there are such high profits to those involved. Since the ramifications can be grave, the healthcare sector must take all necessary measures to protect their systems and data:

  1. Implement a strong password policy, because many hacks are a result of brute-force attack. Strong passwords and two-factor authentications to log into organizational systems should be the number one rule for medical organizations.
  2. Deploy suitable security systems.
  3. Instruct the employees to follow cyber security rules – choosing strong and unique passwords, spotting phishing email messages, avoiding clicking on links and downloading files from unknown sources, etc. Consider periodic training for employees on these issues to maintain high awareness and compliance with the rules.
  4. Use Cyber Threat Intelligence (CTI) – to keep up with the times regarding the current most prominent threats to your organization and industry.
  5. Keep all software updated.

Handling a Ransomware Attack

A recent wave of ransomware attacks has hit countries around the world, with a large number of infections reported in the United States, the United Kingdom, Germany and Israel. It appears that the attackers have no specific target, since the attacks have struck hospitals, financial institutions and private institutions, indicating that no specific industry has been targeted.

In Israel, two types of ransomware were identified in the most recent attacks: the familiar TeslaCrypt and the new ransomware, Locky.

The Evolution of Ransomware

The vigorous usage of ransomware tools by cybercriminals and their success in this area has led to the development of new ransomware and the constant upgrading of known models. During the past several months, researchers have reported on the development of ransomware that is capable of file encryption without Internet connection, i.e., they do not communicate with their C&C servers for the encryption process.

New ransomware tools that were reported are Locky ransomware, whose modus operandi resembles the Dridex banking Trojan, and a new version of CTB-Locker that attacks web servers.

Additionally, RaaS (Ransom-as-a-Service) offers are becoming popular on closed DeepWeb and Darknet forums. These services allow potential attackers to easily create ransomware stubs, paying with profits from future successful infections. Recently, we identified a new RaaS dubbed Cerber ransomware, which is offered on a Russian underground forum. Previously it was ORX-Locker, offered as a service via a platform hosted on an .onion server.

1
The ransom message presented by the Cerber ransomware

Ransomware Distribution

The majority of the distribution vectors of ransomware stubs involve some kind of social engineering trap, for example, email messages including malicious Office files, spam messages with nasty links or malvertising campaigns exploiting vulnerable WordPress or Joomla websites with an embedded malevolent code. The distribution also takes advantage of Macro commands and exploit kits, such as Nuclear or Angler. Sometimes browser vulnerabilities are exploited, as well as stolen digital certificates.

In November 2015, attempts to deliver ransomware to Israeli clients were identified. In this case, the attackers spoofed a corporate email address and tried to make recipients believe the email was sent from a company worker.

2
RaaS offered on a Darknet forum

Handling a Ransomware Attack

Please find below our suggestions for recommended action to avoid ransomware attacks on an organization, and how to deal with an attack after infection:

Defend Your Organization from Potential Threats

  • Train your employees – since the human link is the weakest link in the organizational cybersecurity and the majority of the cases involve social engineering on one of the employees, periodical employee briefing is extremely important. Specify the rules regarding using the company systems, and describe what phishing messages look like.
  • Raise awareness regarding accepting files that arrive via email messages – instruct your employees not to open suspicious files or files sent from unfamiliar senders. Consider implementing an organizational policy addressing such files. We recommend blocking or isolating files with the following extensions: js (JavaScript), jar (Java), bat (Batch file), exe (executable file), cpl (Control Panel), scr (Screensaver), com (COM file) and pif (Program Information file).
  • Disable running of Macro scripts on Office files sent via email – in recent months, many cases of ransomware attacks employing this vector were reported. Usually, Macro commands are disabled by default and we do not recommend enabling them. In addition, we suggest using Office Viewer software to open Word and Excel files.
  • Limit user privileges and constantly monitor the workstations – careful management of user privileges and limited administrator’s privileges may help in avoiding the spread of the ransomware in the organizational network. Moreover, monitoring the activity on workstations will be useful for early detection of any infection and blocking it from propagating to other systems and network resources.
  • Create rules that block programs from executing from AppData/LocalAppData folders. Many variants of the analyzed ransomware are executed from these directories, including CryptoLocker. Therefore, the creation of such rules may reduce the encryption risk significantly.
  • Install a Russian keyboard – while monitoring closed Russian forums where several ransomware families originated, we discovered that many of them will check if the infected computer is located in a post-Soviet country. Usually, this check is performed by detecting which keyboard layout is installed on the machine. If a Russian (or other post-Soviet language) keyboard layout is detected, the ransomware will not initiate the encryption process.
  • Keep your systems updated – in many cases, hackers take advantage of outdated systems to infiltrate the network. Therefore, frequent updates of the organizational systems and implementing the published security patch will significantly reduce the chances of infection.
  • Use third-party dedicated software to deal with the threat – many programs aimed at addressing specific ransomware threats are constantly being released. One is Windows AppLocker, which is included in the OS and assists in dealing with malware. We recommend contacting the organizational security vendor and considering the offered solutions.
  • Implement technical indicator and YARA rules in the company organizations. We provide our clients with intelligence items accompanied by technical indicators. Additionally, a dedicated repository that includes ransomware indicators was launched.
    3
    A closed forum member looks to blackmail companies using ransomware

    What if I am Already Infected?

  • Restore your files – some ransomware tools create a copy of the file, encrypt it and then erase the original file. If the deletion is performed via the OS erase feature, there is a chance to restore the files, since in majority of the cases, the OS does not immediately overwrite the deleted filed.
  • Decryption of the encrypted files – the decryption will be possible if you were infected by one of these three ransomware types: Bitcryptor, CoinVault or Linux.Encoder.1. Therefore, detecting the exact kind of ransomware that attacked the PC is crucial.
  • Back-up files on a separate storage device regularly – the best practice to avoid damage from a ransomware attack is to backup all your important files on a storage disconnected from the organizational network, since some ransomware variants are capable of encrypting files stored on connected devices. For example, researchers recently reported a ransomware that encrypted files stored on the Cloud Sync folder.
  • If ransomware is detected in the organization, immediately disconnect the infected machine from the network. Do not try to remove the malware or to reboot the system before identifying the ransomware. In some cases, performing one of these actions will make the decryption impossible, even after paying the ransom.

ORX-Locker – A Darknet Ransomware That Even Your Grandmother Can Use

Written by Ran L. and Mickael S.

The bar for becoming a cyber-criminal has never been so low. Whether buying off-the-shelf malware or writing your own, with a small investment, anyone can make a profit. Now it seems that the bar has been lowered even further with the creation of a new Darknet site that offers Ransomware-as-a-Service (RaaS), titled ORX-Locker.

Ransomware-as-a-Service enables a user with no knowledge or cash to create his own stubs and use them to infect systems. If the victim decides to pay, the ransom goes to the service provider, who takes a percent of the payment and forwards the rest to the user. For cyber-criminals, this is a win-win situation. The user who cannot afford to buy the ransomware or does not have the requisite knowledge can acquire it for free, and the creator gets his ransomware spread without any effort from his side.

This is not the first time we have seen this kind of service. McAfee previously (May, 2015) reported on Tox. While Tox was the first ransomware-as-a-service, it seems that ORX has taken the idea one step further, with AV evasion methods and complex communication techniques, and apparently also using universities and other platforms as its infrastructure.

In the “August 2015 IBM Security IBM X-Force Threat Intelligence Quarterly, 3Q 2015,” published on Monday (August 24, 2015), IBM mentioned TOX while predicting: “This simplicity may spread rapidly to more sophisticated but less common ransomware attack paradigms and lead to off-the-shelf offerings in the cloud.” Just one day later, a post was published on a closed Darknet forum regarding the new ORX-Locker service.

ORX – First Appearance

On August 25, 2015, a user dubbed orxteam published a post regarding the new ransomware service. The message, which was part of his introduction post – a mandatory post every new user has to make to be accepted to the forum – described the new ORX-Locker ransomware as a service platform. In the introduction, the user presented himself as Team ORX, a group that provides private locker software (their name for ransomware) and also ransomware-as-a-service platform.

ORX team introduction post in a closed Darknet hacking forum.
ORX Team introduction post in a closed Darknet hacking forum.

ORX Locker Online Platform

Team ORX has built a Darknet website dedicated to the new public service. To enter the site, new users just need to register. No email or other identification details are required. Upon registration, users have the option to enter a referral username, which will earn them three percent from every payment made to the new user. After logging in, the user can move between five sections:

Home – the welcome screen where you users can see statistics on how much system has been locked by their ransom, how many victims decided to pay, how much they earned and their current balance.

Build EXE – Team ORX has made the process of creating a stub so simple that the only thing a user needs to do is to enter an ID number for his stub (5 digits max) and the ransom price (ORX put a minimum of $75). After that, the user clicks on the Build EXE button and the stub is created and presented in a table with all other stubs previously created by the user.

ORX-Locker Darknet platform, which enables every registered user to build his own ransomware stub.
ORX-Locker Darknet platform, which enables every registered user to build his own ransomware stub.

Stats – This section presents the user with information on systems infected with his stub, including the system OS, how many files have been encrypted, time and date of infection, how much profit has been generated by each system, etc.

Wallet – following a successful infection, the user can withdraw his earnings and transfer them to a Bitcoin address of his choosing.

Support – This section provides general information on the service, including more information on how to build the stub and a mail address (orxsupport@safe-mail[.]net) that users can contact if they require support.

Ransomware

When a user downloads the created stub, he gets a zip file containing the stub, in the form of an “.exe” file. Both the zip and the stub names consist of a random string, 20-characters long. Each file has a different name.

Once executed, the ransomware starts communicating with various IP addresses. The following is a sample from our analysis:

  1. 130[.]75[.]81[.]251 – Leibniz University of Hanover
  2. 130[.]149[.]200[.]12 – Technical University of Berlin
  3. 171[.]25[.]193[.]9 – DFRI (Swedish non-profit and non-party organization working for digital rights)
  4. 199[.]254[.]238[.]52 – Riseup (Riseup provides online communication tools for people and groups working on liberatory social change)

As you can see, some of the addresses are related to universities and others to organizations with various agendas.

Upon activation, the ransomware connects to the official TOR project website and downloads the TOR client. The malware then transmits data over this channel. Using hidden services for communication is a trend that has been adopted by most known ransomware tools in the last year, as was the case of Cryptowall 3.0. In our analysis, the communication was over the standard 9050 port and over 49201.

The final piece would be the encryption of files on the victim’s machine. Unlike other, more “target oriented” ransomware, this particular one locks all files, changing the file ending to .LOCKED and deletes the originals.

When the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted, and a payment instruction file will be created on the desktop.

After the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted
After the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted

In the payment instruction file (.html), the victim receives a unique payment ID and a link to the payment website, located on the onion network (rkcgwcsfwhvuvgli[.]onion). After entering the site using the payment ID, the victim receives another set of instructions in order to complete the payment.

ORX-Locker payment platform which has a dedicated site located on the onion network.
ORX-Locker payment platform, which has a dedicated site located on the onion network.

Finally, although some basic persistence and anti-AV mechanisms are present, the malware still has room to “grow.” We are certain that as its popularity grows, more developments and enhancements will follow.

YARA rule:

rule ORXLocker
{
meta:
author = “SenseCy”
date = “30/08/15”
description = “ORXLocker_yara_rule”

strings:
$string0 = {43 61 6e 27 74 20 63 6f 6d 70 6c 65 74 65 20 53 4f 43 4b 53 34 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 64 2e 25 64 2e 25 64 2e 25 64 3a 25 64 2e 20 28 25 64 29 2c 20 72 65 71 75 65 73 74 20 72 65 6a 65 63 74 65 64 20 62 65 63 61 75 73 65 20 74 68 65 20 63 6c 69 65 6e 74 20 70 72 6f 67 72 61 6d 20 61 6e 64 20 69 64 65 6e 74 64 20 72 65 70 6f 72 74 20 64 69 66 66 65 72 65 6e 74 20 75 73 65 72 2d 69 64 73 2e}
$string1 = {43 61 6e 27 74 20 63 6f 6d 70 6c 65 74 65 20 53 4f 43 4b 53 35 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 64 2e 20 28 25 64 29}
$string2 = {53 4f 43 4b 53 35 3a 20 73 65 72 76 65 72 20 72 65 73 6f 6c 76 69 6e 67 20 64 69 73 61 62 6c 65 64 20 66 6f 72 20 68 6f 73 74 6e 61 6d 65 73 20 6f 66 20 6c 65 6e 67 74 68 20 3e 20 32 35 35 20 5b 61 63 74 75 61 6c 20 6c 65 6e 3d 25 7a 75 5d}
$string3 = {50 72 6f 78 79 20 43 4f 4e 4e 45 43 54 20 66 6f 6c 6c 6f 77 65 64 20 62 79 20 25 7a 64 20 62 79 74 65 73 20 6f 66 20 6f 70 61 71 75 65 20 64 61 74 61 2e 20 44 61 74 61 20 69 67 6e 6f 72 65 64 20 28 6b 6e 6f 77 6e 20 62 75 67 20 23 33 39 29}
$string4 = {3c 61 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 72 6b 63 67 77 63 73 66 77 68 76 75 76 67 6c 69 2e 74 6f 72 32 77 65 62 2e 6f 72 67 3e 68 74 74 70 73 3a 2f 2f 72 6b 63 67 77 63 73 66 77 68 76 75 76 67 6c 69 2e 74 6f 72 32 77 65 62 2e 6f 72 67 3c 2f 61 3e 3c 62 72 3e}
$string5 = {43 3a 5c 44 65 76 5c 46 69 6e 61 6c 5c 52 65 6c 65 61 73 65 5c 6d 61 69 6e 2e 70 64 62}
$string6 = {2e 3f 41 56 3f 24 62 61 73 69 63 5f 6f 66 73 74 72 65 61 6d 40 44 55 3f 24 63 68 61 72 5f 74 72 61 69 74 73 40 44 40 73 74 64 40 40 40 73 74 64 40 40}
$string7 = {2e 3f 41 56 3f 24 62 61 73 69 63 5f 69 6f 73 40 5f 57 55 3f 24 63 68 61 72 5f 74 72 61 69 74 73 40 5f 57 40 73 74 64 40 40 40 73 74 64 40 40}
$string8 = “ttp://4rhfxsrzmzilheyj.onion/get.php?a=” wide
$string9 = “\\Payment-Instructions.htm” wide

condition:
all of them
}

A Creative Way to Celebrate the New Year’s Eve by the Russian Hacking Community

The second half of December is a joyful and festive time in the snowy, post-Soviet arena, culminating in the magical New Year’s Eve. Most people take vacation, and an atmosphere of playfulness and celebration can be felt in the air. The Russian-speaking hacker and malware development community is no exception, and each year the forums that serve as their main platforms are colorfully decorated for the holiday, while members post Season’s Greetings to each other.

This year, we witnessed a creative new idea by this community to celebrate the most important holiday in former Communist countries – a self-sponsored, cross-platform contest. Specifically, a quiz on hacking operations, scheduled to take place simultaneously on the last day of the year on several different forums.

The idea is the brainchild of one of the administrators of a leading underground forum, who started to raise money that will serve as prizes for the winners of the contest. A dedicated Bitcoin wallet has been opened for donations. Furthermore, service providers have offered free use of their products for the lucky winners.

The concept was met with enthusiasm by forum members, who proposed question topics and formats. A survey was launched on one forum, asking members to vote for the topic they would like to see in the quiz. The suggested topics involve the following areas of cybercrime: coding, spam, crypt, traffic, brute forcing, reverse engineering and administration.

A Survey launched on one forum about the topics in the quiz
A survey launched on one forum about the topics in the quiz

Several members have donated money, saying that such activity helps to develop the community and serves as motivation for achieving knowledge. Moreover, the administrators of numerous underground forums have expressed their support for the contest, indicating the expected high level of the quiz.

We look forward to discovering the names of the winners of the contest on December 31 and seeing what kind of questions are going to be asked. Meanwhile, we wish you all Happy Holidays and Happy Novy God!

2

Spotlight on the Russian Underground Infrastructure

The media is in an uproar at present, reporting on one cyber incident after another. Adobe, Target, Neiman Marcus, Home Depot, JP Morgan – these breaches are just the tip of the iceberg in the cybercrime arena. The Russian underground forums serve as fertile ground for planning cybercrime-motivated breaches worldwide – programming the malicious software, distributing it and sharing knowledge about the most profitable usage, selling the stolen data (such as credentials, etc.). Let us take a deeper look at the internal structure of these forums and the norms of behavior there.

Registration

While many forums have free registration, others require payment (Cybercriminals will never miss an opportunity to profitJ). Some of the forums that ask for registration fees do not contain useful information, and the fee is merely a farce, while for others, the fee is a means to keep poor or noob hackers away from the “big guy discussions.” Some of the forums ask potential candidates to fill out a detailed registration form, clarifying exact capabilities/programming languages they know, while others go one step further and send different hacking tasks to the applicants, demanding proof of their professional level. Many forums have strict policies about filtering out the registrants and very few people are accepted.

Registration page in one of the underground forums
Registration page in one of the underground forums

Communication

When it comes to personal contacts between the seller and buyer, the first choice is the Jabber messenger. Sometimes, one of the sides will request an OTR (Off-the-Record, allowing private conversation using encryption and elimination of all traces of the conversation) protocol for Jabber. Besides, exchanging messages via PM (private message) – the private mailbox on each forum is another popular means of communication. Users wishing to connect via Jabber are sometimes asked to authenticate themselves via private message beforehand – indicating the high level of confidentiality and security concerns.

ICQ is also used, although it is not very common and is perceived as a communication method for less experienced hackers.

Payment

On the underground, you will never see any payment method that would somehow enable identification of the parties in the transaction. Naturally, no credit cards, PayPal accounts or money transactions are accepted – only virtual currencies are used. BTC is rather popular, as well as PM (Perfect Money), LTC (Light Coins), WM (Web Money) and other virtual currencies.

Escrow System

Most of the forums maintain a well-established system of escrow services provided by an official forum member appointed by the administrator. In exchange for a reward, usually a percentage of the transaction value, he mediates between the buyer and the seller, keeping the money until the goods are supplied. He also checks that the product offered matches its description.

Reputation Score

The reputation of the members is one of the pillars of Russian underground forums. Despite the fact that each forum has its own scoring system, all have a common principle: forum members rate each other, based on the threads they post. For instance, by providing useful advice or uploading malware, the author will receive more points. Another reputation booster is the number of posts, as well as seniority on the forum that defines the status of the user: beginner, intermediate, specialist, etc. Certain threads are available only to members with a minimum numbers of posts.

Furthermore, some forums ask for monetary deposits that are displayed next to the user’s name, indicating his reliability. If monetary conflict arises, the sales thread will often be suspended until the issue is clarified. If no solution is found, the seller incurs a “ripper” status, thus losing the chance to sell anything ever again on the forum, unless he changes his nickname.

Member's profile in one of the underground forums
Member’s profile in one of the underground forums

Cyber Threats to the Insurance Industry

Written by Gal Landesman

In recent years, insurance companies have been finding themselves affected by the rising number of major incidents of cyberattacks. On the one hand, this trend presents a business opportunity for selling cyber insurance to organizations concerned about protecting their sensitive assets. On the other hand, insurance companies are not excluded from the cyber battlefield, as they hold large amounts of sensitive information regarding their clientele and are therefore targeted by cyber criminals. Moreover, data breaches that occur in the insurance industry are more difficult to detect than credit card information theft because clients check their bank accounts more frequently.

(Please note –  this blog post is an excerpt from our report: “Cyber Threats to the Insurance Industry”. If you are interested in receiving the full report please write to: info@sensecy.com).

Cyber Insurance

Cyber insurance is a service much sought-after by many companies today. Most fear the bad PR in the wake of a cyberattack, the cost of dealing with the Data Protection Commissioner and handling affected clients. The financial burden and threat of reputation damage caused by downtime and data leakage are becoming more noticeable. Companies in industries such as healthcare, financial services, telecommunications and online retails now realize that cyber insurance is essential to minimize potential financial impact.

Some insurance companies selling cyber insurance have reported up to 30% increase in sales over the last year. This type of insurances typically covers such things as exposure to regulatory fines, damages and litigation expenses associated with defending claims from third parties, diagnostic of the source of the breach, recovering losses and reconfiguring networks.

The cyber insurance market is fast-growing with a value of EUR one billion annually in the U.S. and EUR 160 million annually in the E.U., where it has been adopted at a slower rate.

Cyber Insurance

Insurance Company Data Breaches

Insurance companies are now selling cyber insurance to organizations – ironically making them more vulnerable to attack as they withhold valuable information about organizations and people.

Lately, regulators have been focusing their efforts on insurance companies that can sometimes hold very sensitive information on their customers, such as PII (Personally Identifiable Information) and PHI (Protected Health Information). The New York State Department of Financial Services sent out a survey in 2013 to insurance companies asking them about their cyber security policy. Insurance companies hold not only information on regular people, but they also hold sensitive and valuable information on their corporate customers. Insurers hold sensitive information on companies across a variety of industries.

The risks are evident in the following examples of reported data breaches of insurance companies:

  • Aviva Insurance company suffered a data leak disclosing information and car details to third party companies, by two of their workers.
  • The Puerto Rican insurance company Triple-S Salud (TSS) suffered a data breach and its management was fined $6.8 million by the Puerto Rico Health Insurance Administration.
  • In October 2012, Nationwide insurance provider was hacked, compromising the personal information of 1.1 million customers.

Commercial Espionage

Not only is the insurance sector suffering from the aforementioned threats, but insurance companies are apparently also facing threats from their competitors in the industry, who are going after their data in commercial espionage, employing hacking techniques. According to a report released by The Independent, SOCA – the British Serious Organized Crime Agency – suppressed reports revealing that law firms, telecom giants and insurance companies routinely hire hackers to steal information from rivals. According to the report, a key hacker admitted that 80% of his clientele were law firms, wealthy individuals and insurance companies.

Selling Insurance Information on the Underground Black Market

PPI (Personally Identifiable Information) and PHI (Protected Health Information) sales on the underground continue to rise.

Several underground marketplaces include the selling of information packages containing “verified” health insurance credentials, bank account numbers/logins, SSN and other PPI. According to Dell SecureWorks, these packages are called “fullz” – an underground term for the electronic dossier on individuals used for identity theft and fraud, and they sell for about $500 each.

Such underground marketplaces can be used as a one-stop shop for identity theft and fraud. Health insurance credentials are sold for about $20 each and their value continues to rise as the cost of health insurance and medical services rise.

An Aid to the Aspiring Cyber Intelligence Analyst (Part 1)

So you read all about the cyber underground and want to start snooping around? Well, knowing English won’t help you very much, as most communication at these online meeting places is in native languages, using unique slang. To help you, we bring you the first part of the cyber analyst terms table to assist you in your efforts.

Good luck!

table

Cyber landscape
Cyber landscape

Where Does All the Data Go?

Written by Gal Landesman

We have recently learned of numerous data breaches targeting the healthcare industry that have exposed electronic personal healthcare information (ePHI). Just this month, a Chicago doctor’s email account, holding information on 1,200 patients, was accessed; a stolen laptop and flash drive jeopardized 2,500 patients’ data in Michigan; the investigation of the California Sutherland Healthcare Services data breach revealed that data pertaining to 338,700 individuals has been compromised; and La Palma Inter-community Hospital announced an old case of data breach involving one of their employees who accessed personal information without permission.

We are hearing about such incidents on an almost daily basis. Symantec even named 2013 the year of “Mega Breach”, with more than 552 million identities exposed this year. According to Symantec, the healthcare sector suffered the largest number of disclosed data breaches in 2013. They blame it on the large amount of personal information that healthcare organizations store and the high regulation standards requiring them to disclose data breaches. Still, the healthcare industry is one of the most impacted by data breaches this year.

Targeted data includes health insurance information, personal details and social security numbers. What could really happen if a patient’s personal data falls into the wrong hands?

Such breaches can cost their victims dearly – putting their health coverage at risk, causing legal problems or leading to inaccurate medical records. Attackers could make fraudulent insurance claims, obtain free medical treatment or addictive prescription drugs for personal use or resale.

Cyber criminals are definitely eyeing medical records. These records can fetch about $60 apiece on the black market, according to Norse-Sans that published a detailed report on the issue this February, claiming that such records are even more valuable than credit card information because they present criminals with greater opportunities for exploitation, such as insurance and prescription fraud. Norse-Sans identified a large volume of malicious traffic in their analysis of healthcare organization traffic.

Another example of interest was published by the Wall Street Journal, days before the Norse-Sans report, featuring valuable network information of healthcare facilities that was dumped on 4shared.com (a file-sharing site), including firewall brand, networking switch, Internet addresses of wireless access points, blueprints of the facilities, locations of PCs and printers and encryption keys, usernames and passwords that could be used for network access.

Here at SenseCy, we successfully traced the usage of breached medical information on Underground forums and the DarkNet. The following are some examples of prescription drugs for sale on the Underground:

Someone is offering Clonazepam (Klonopin), which affects chemicals in the brain, for sale:

Clonazepam

Another vendor offers different drugs, including ADDERALL-IR, a psychostimulant pharmaceutical drug, and Percocet, a narcotic pain reliever (containing opioid):

ADDERALL-IR

Information for sale:

Info_for_Sale

Info_for_Sale_2

Original prescriptions for sale:

Prescriptions

Prescriptions_2