Thursday, January 18, 2018

Attackers Wrapping New Tools In Old Malware To Target Medical Devices

Hospital equipment running old operating systems is providing a safe harbor for data theft, TrapX says.

Medical devices running outdated operating systems such as Windows XP and Windows 7 are giving attackers safe harbors within hospital networks from which to carry out data theft in a nearly undetectable manner, a new report from TrapX Security warned this week. The report is based on the security vendor's analysis of data from an ongoing series of attacks against three healthcare institutions that are its customers.

All of the attacks involve equipment running older, unsupported versions of Windows installed within the hospital networks. The most significant takeaway from the analysis, according to TrapX, is the way the attackers in each case intentionally repackaged and embedded sophisticated new malware tools in extremely old malware wrappers, in an apparent bid to avoid detection. One of the malware samples used in the attacks, for instance, was designed to exploit a remote code execution vulnerability in the Microsoft Server Service dating back to 2008.

In one of the hospitals, the attackers used that worm to compromise a radiation oncology system running Windows XP and a fluoroscopy workstation, also running Windows XP.

That access then allowed the attackers to install backdoors and botnet connections within the hospital network in order to exfiltrate data, though they could easily have caused significant damage to the equipment as well. Since endpoints running newer Windows versions are not vulnerable to the threat, they either did not detect the malware or ignored it completely. "This ensured that the worm would go undetected while it sought out older Windows systems," TrapX said in its report. In another hospital, the attackers compromised a Windows XP-based MRI system and installed a Remote Access Trojan on the device using malware tools packaged inside an out-of-date wrapper for network32.kido.ib.

The malware sample is ignored by patched Windows 7 and Windows 8 platforms and newer operating systems, and therefore managed to evade detection, the security vendor said. According to TrapX, its analysis showed clear evidence that attackers are intentionally packaging their tools so as to target medical equipment running Windows XP, Windows 7 and other older operating systems. "The most interesting approach we discovered was the utilization of self-spreading malware that uses old exploits that would compromise medical devices only," says Moshe Ben-Simon, co-founder and vice president of services at TrapX. Medical devices are a tempting target for attackers because many of them run old, no-longer-supported operating systems.

So long as the equipment works as intended, hospitals are often reluctant to update the operating systems on these devices, Ben-Simon says. "Also, they are closed turnkey systems and hospitals are generally not allowed to install cyber defense software on them because of legal and risk issues." Unlike typical desktop systems, medical devices are not updated often, and some equipment can remain in place for years after its operating system has become obsolete.

As a result, the corrections and fixes available on newer operating systems are not present in these medical devices, leaving them vulnerable to attack, Ben-Simon says. Even when an organization makes the effort to keep its systems patched, all it takes for an attacker to break into them is to repackage the malware slightly using easily available tools. "Once a backdoor is established in one machine, they can move into other machines under the control of the human attacker," Ben-Simon says. "These medical devices create a huge series of safe harbors within the hospital network, not easily detected, and very difficult to remediate and remove."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Google Accounts Of US Military, Journalists Targeted By Russian Attack Group

The Threat Group 4127 that hit the Democratic National Committee also went after 1,800 other targets with information of interest to the Russian government, says SecureWorks.

A Russian attack group used the Bitly URL shortener to disguise malicious links in spearphishing campaigns not only against the Democratic National Committee, but also against some 1,800 Google accounts belonging to US military and government personnel and others. Researchers at the SecureWorks Counter Threat Unit said today that the spearphishing campaign, carried out in mid-2015 by Threat Group 4127 (TG-4127), mostly targeted people inside Russia and former Soviet states, but it also targeted individuals who were publicly critical of the Russian Federation or who had information valuable to it. SecureWorks tracks the group as TG-4127, but "components of their operations have been reported under the names APT28, Sofacy, Sednit, Fancy Bear, and Pawn Storm" by other security companies.
SecureWorks assesses with "moderate confidence" that TG-4127 operates from the Russian Federation and gathers intelligence on behalf of the Russian government. The group registered the domain "" to host a spoofed Google login page, and used the Bitly URL-shortener to cloak that location within the spearphishing messages.
In all, some 1,881 Google account users were phished.
Some were sent only one message, while others were sent several; the attackers used a total of 4,396 phishing URLs. Between March 2015 and September 2015, 59% of the malicious URLs were accessed, "suggesting that the recipients at least opened the phishing page," and were possibly compromised. SecureWorks believes that TG-4127's information-gathering efforts primarily focus on individuals and organizations inside Russia and former Soviet states; however, certain groups in the US and Western Europe are also targeted. The researchers break TG-4127's Western targets into two main groups: those who are publicly critical of Russia, including journalists, activists, NGOs and authors; and those who have information useful to the Russian government, such as current and former US military personnel, government personnel, and people in the defense supply chain. The group also targeted a considerable number of authors who write about being military spouses or family members: 22% of the targeted authors and journalists fell into that category, compared to 53% who were experts on either Russia or Ukraine.
SecureWorks theorized that the attackers might be looking for information on "broader military issues in the US or gain operational insight into the military activity of the target's spouse." Of the current and former military and government personnel targeted (excluding the "military spouses"), 64% were American personnel, according to SecureWorks' report. The cybersecurity industry was also in the bullseye. Other targets included a security consultant for NATO and the director of federal sales for the security arm of a multinational technology company.
It is not clear how many organizations were actually compromised through this campaign.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

KSN Report: Ransomware from 2014-2016

Executive summary and main findings

Ransomware is a type of malware that, upon infecting a device, blocks access to it or to some or all of the information stored on it.
In order to unlock either the device or the data, the user is required to pay a ransom, usually in bitcoins or another widely used e-currency.

This report covers the evolution of the threat over the last two years.

Methodology:

This report has been prepared using depersonalized data processed by Kaspersky Security Network (KSN).

The metrics are based on the number of distinct users of Kaspersky Lab products with the KSN feature enabled who encountered ransomware at least once in a given period.

The term ransomware covers mainly two types of malware: so-called Windows blockers (they block the OS or browser with a pop-up window) and encryption ransomware.

The term also includes select groups of Trojan-Downloaders, namely those that tend to download encryption ransomware upon infection of a PC. Nowadays, encryption ransomware is widely regarded as synonymous with ransomware, although, according to Kaspersky Lab statistics, the number of users who regularly encounter blockers remains high.

Main findings:

- The total number of users who encountered ransomware between April 2015 and March 2016 rose by 17.7% compared to the previous 12 months (April 2014 to March 2015): from 1,967,784 to 2,315,931 users around the world.
- The proportion of users who encountered ransomware at least once, out of the total number of users who encountered malware, rose 0.7 percentage points, from 3.63% in 2014-2015 to 4.34% in 2015-2016.
- Among those who encountered ransomware, the proportion who encountered cryptors rose dramatically: up 25 percentage points, from 6.6% in 2014-2015 to 31.6% in 2015-2016.
- The number of users attacked with cryptors rose 5.5 times, from 131,111 in 2014-2015 to 718,536 in 2015-2016.
- The number of users attacked with Win-lockers decreased 13.03%, from 1,836,673 in 2014-2015 to 1,597,395 in 2015-2016.
- The number of users attacked with mobile ransomware grew almost 4 times: from 35,413 users in 2014-2015 to 136,532 users in 2015-2016.

Introduction: A brief history of ransomware

Although it has only now started to attract the widespread attention of the media and the security community, ransomware (including crypto-ransomware) as a type of malware has been known about for years: at least since 1989, when the first known malware capable of encrypting file names (the AIDS Trojan) was discovered. Another example of extortion malware was discovered by security researchers as long ago as the mid-2000s.

This was the Gpcode malware, capable of encrypting files on infected machines with its own encryption algorithm.

Gpcode was followed by several other families, like Krotten, Cryzip etc.

From time to time another copycat or slightly different version of Gpcode emerged.

The appearance of such programs would provoke relatively small incidents, but never resulted in anything that looked like an epidemic. This situation remained unchanged for years.

The blockers epidemic

The first real ransomware epidemic started in 2010, with thousands of home users in Russia and some neighboring countries encountering cryptic windows that covered all other windows on their desktop.

These windows usually contained a message from criminals asking the victim to send money to a given Premium-SMS number in order to unlock the screen or browser of their infected PC. The scale of the problem turned out to be so great and the number of victims so significant that it prompted law enforcement agencies to become involved and gained extensive media coverage in Russia, from television to the blogosphere. Mobile phone operators did what they could to combat the threat, introducing new rules for registering and operating premium-rate (short) numbers, blocking accounts that had been used to perpetrate fraud and informing their customers about this type of fraud. In late August 2010, several people were arrested in Moscow and accused of creating blockers.

According to the Russian Ministry of the Interior, the illegal income generated by the criminal group was estimated at 500 million rubles (about 12.5 million euros). The rise of so-called blockers was powered mainly by the fact that creating malware capable of blocking an OS, browser or desktop did not require significant programming skills and generated a relatively reliable income for the criminal.

Comparatively easy DIY sets for creating blockers were available on underground forums and this attracted a lot of low-level cybercriminals. The security industry and law enforcement agencies reacted quickly: the arrest of the group, combined with the release of a number of services offering the free unlocking of locked systems made criminal efforts to extort money in this way both more risky and less profitable. Nevertheless, blockers remain on the threat landscape to this day – as illustrated in this report. At the end of 2010, Kaspersky Lab researchers predicted that despite the arrests, the problem was unlikely to go away.

Cybercriminals, the experts predicted, would simply use other methods to receive payment for 'unblocking' their victims' computers, such as electronic money systems. That is exactly what happened several years later, when ransomware's big comeback began.

Ransomware returns with encryption

The biggest difference between the two types of ransomware, blockers and encryption ransomware, is that blocker damage is fully reversible.

Even in the worst case scenario, the owner of an infected PC could simply reinstall the OS to get all their files back.
In addition, the way in which blockers work allowed security researchers to develop automated technologies that help to fight against blockers even after infection. One such patented technology is implemented in Kaspersky Lab products and it basically puts a stop to the blocker threat for Kaspersky Lab clients. However, when it comes to encryption ransomware things are much more complicated because the encrypted files are impossible to decrypt without a special key, which is usually stored on the cybercriminals’ servers.

This makes it more important than ever to take a proactive approach to protection. The severity of the consequences of successful infection is one of the reasons why encryption ransomware is enjoying a resurgence in popularity among cybercriminals. However, it is not the only one.

The analysis in this report attempts to assess the scale of the problem and to highlight possible reasons for its re-emergence almost ten years after the first encryption ransomware appeared on the threat landscape.

Part 1. PC ransomware: From blockers to crypto-ransomware

One doesn't need to look at the statistics to see that ransomware is once again a major problem for Internet users; you only need to read or watch the news. Nevertheless, the statistics help to show how big the problem is and whether there are aspects of it that you won't learn from yet another news story about yet another ransomware infection.

The total number of users who encountered ransomware over the 12-month period from April 2015 to March 2016 grew by 17.7% compared with the previous year (April 2014 to March 2015): from 1,967,784 to 2,315,931 users around the world. The proportion of users who encountered ransomware at least once, out of the total number of users who encountered malware, rose 0.7 percentage points, from 3.63% in 2014-2015 to 4.34% in 2015-2016. The following graphs illustrate the change in the number of users encountering ransomware at least once in the 24-month period covered by the report.

As can be seen in Fig. 1, the prevalence of ransomware has been sporadic, rising and falling every few months.

The rise in the use of crypto-malware has been more consistent: showing a steady increase in the number of attacked users, particularly from March 2015, before peaking in December 2015.
Interestingly, from October 2015 all other types of ransomware declined dramatically in number, and by the turn of the year only a very small number of users encountered old-school blockers and other non-encrypting ransomware.

Fig. 1: The number of users encountering ransomware (including encryptors and downloaders that load encryptors) at least once in the period from April 2014 to March 2016

The decline did not last long.
In February 2016, both categories started to recover from the dramatic fall in January, and numbers continue to rise.

Fig. 2: Number of users attacked with any malware, 2014-2016

As seen in Fig. 2, the behavior of ransomware does not reflect overall attack trends.

To discover the possible reasons behind the peaks and troughs we need to look deeper into the ransomware attack statistics. The first main spike in the period under investigation was registered in July 2014 with more than 274 thousand users encountering some form of ransomware.

The main reason for this surge was a browser-locker that attacked more than one-in-three (31%) of those affected by ransomware that month.

Encryptors were encountered by one-in-ten (11.63%) of all those who faced malware from the Trojan-Ransom category. The next peak was registered in April 2015, when 282.5 thousand users were attacked with ransomware.

This was provoked by several groups of malware, and about 10% of those affected encountered encryption ransomware. October 2015 saw ransomware achieve an all-time-high with more than 428.4 thousand users attacked. Of those affected, 9.38% were hit with encryption ransomware.
In March 2016, when another surge of ransomware attacks took place, the situation was very different: over half (51.9%) of those who encountered Trojan-Ransom malware were dealing with encryptors.

This was mostly due to the activity of a small number of ransomware groups led, among others, by the infamous TeslaCrypt encryption ransomware. The results for April and May 2016, although beyond the scope of this report, confirm this trend: encryption ransomware affected 54% of attacked users in April 2016 and 35.7% in May, still well above the average for the previous 12 months.

Main actors of encryption ransomware

Looking at the malware groups that were active in the period covered by this report, it appears that a rather short list of suspects is responsible for most of the trouble caused by crypto-ransomware.
In the first period, from April 2014 to March 2015, the most actively propagated encryptors were the following groups of malware: CryptoWall, Cryakl, Scatter, Mor, CTB-Locker, TorrentLocker, Fury, Lortok, Aura, and Shade.

Between them they attacked 101,568 users around the world, accounting for 77.48% of all users attacked with crypto-ransomware during the period.

Fig. 3: Distribution of users attacked with different groups of encryption ransomware in 2014-2015

A year later the situation had changed considerably.

TeslaCrypt, together with CTB-Locker, Scatter and Cryakl, was responsible for attacks against 79.21% of those who encountered any crypto-ransomware.

Fig. 4: Distribution of users attacked with different groups of encryption ransomware in 2015-2016

Interestingly, in 2015-2016 the "Others" category decreased to 2.41% of attacked users, while a year earlier it had accounted for 22.55%.

This drop could be a sign of the development of criminal-to-criminal infrastructure.
Instead of developing their own, unique crypto-ransomware, criminals started to purchase off-the-shelf, ready-to-use malware. You can read more about this process in the “How it is done” section of this report.

But before that, let's see what kind of users the malicious actors behind ransomware were after.

Type of users attacked with ransomware

Most ransomware attacks are directed at home users.

That was the case with the 2010 blocker epidemic in post-Soviet territories, and also for the first period covered by this report: 93.2% of the users who encountered ransomware were users of home products, while the remaining 6.8% were corporate users.
In the second period, however, the share of corporate users attacked with ransomware more than doubled to 13.13%, a rise of over 6 percentage points.

All "thanks to" encryption ransomware.

Fig. 5: Type of users encountering ransomware in 2014-2016

When looking at crypto-ransomware, the situation is different: throughout the 24 months covered by the report, the share of corporate users attacked with encryptors remained steady at about 20% (rising only slightly to 22.07% in 2015-2016).

But this apparent stability is not reflected in the actual numbers. The number of corporate users attacked with crypto-ransomware increased nearly six-fold (5.86 times): from 27 thousand in 2014-2015 to 158.6 thousand in 2015-2016, with home users hit nearly as hard: up 5.37 times.

Geography

When analyzing the geography of attacked users, it is important to bear in mind that the numbers are influenced by the distribution of Kaspersky Lab's customers around the world. As a result, in order to understand accurately where most of the users attacked with ransomware lived, we use a special metric: the percentage of users attacked with ransomware as a proportion of the users attacked with any kind of malware. We believe this gives a much more precise picture of the threat landscape than a direct comparison of the number of users hit by ransomware in each territory. In 2014-2015, the list of countries with the highest share of users attacked with ransomware looked as follows.

Country              % of users attacked with ransomware, out of all users encountering malware
Kazakhstan           6.99%
Algeria              6.23%
Ukraine              5.87%
Italy                4.69%
Russian Federation   4.63%
Vietnam              3.86%
India                3.77%
Germany              3.00%
Brazil               2.60%
United States        2.07%

Fig. 6: The list of countries with the biggest share of users attacked with ransomware as a proportion of all users attacked with any kind of malware in 2014-2015

Kazakhstan, Algeria, Ukraine, Italy and Russia led the list, with the percentage of attacked users exceeding 4%. One year later, the situation had changed significantly: India moved from 7th to 1st place, with 9.6% of users.

The share of Russian users also rose to 6.41%, followed by Kazakhstan, Italy, Germany, Vietnam and Algeria.
In the previous year these countries were all in the second half of the Top 10.

Country              % of users attacked with ransomware, out of all users encountering malware
India                9.60%
Russian Federation   6.41%
Kazakhstan           5.75%
Italy                5.25%
Germany              4.26%
Vietnam              3.96%
Algeria              3.90%
Brazil               3.72%
Ukraine              3.72%
United States        1.41%

Fig. 7: The list of countries with the biggest share of users attacked with ransomware as a proportion of all users attacked with any kind of malware in 2015-2016

Of these, India, Brazil, Russia and Germany lead the list of countries with the biggest growth in the number of attacked users, while the number in the US, Vietnam, Algeria, Ukraine and Kazakhstan has notably decreased.

Country              2014-2015   2015-2016   Year-to-year change
Russian Federation   562,190     867,651     up 54.33%
India                143,973     325,638     up 126.18%
United States        107,755      55,679     down 48.33%
Germany              102,289     138,750     up 35.65%
Vietnam               96,092      89,247     down 7.12%
Ukraine               69,220      39,246     down 43.3%
Kazakhstan            62,719      39,179     down 37.53%
Algeria               61,623      38,530     down 37.43%
Italy                 49,400      59,130     up 19.7%
Brazil                43,674      70,078     up 60.46%

Fig. 8: The year-to-year change in the number of users attacked with any type of ransomware

The above numbers are evidence of the change in the whole Trojan-Ransom category.
If we look deeper into the share of users attacked with Trojan-Ransom who experienced an attack by encryption ransomware, the picture becomes significantly different.

Country              % attacked with encryption ransomware, 2014-2015   % attacked with encryption ransomware, 2015-2016
Russian Federation    6.09%                                             20.43%
India                 3.34%                                              6.93%
United States        14.27%                                             39.79%
Germany               4.64%                                             94.41%
Vietnam               2.32%                                             22.87%
Ukraine               1.34%                                             28.86%
Kazakhstan            1.14%                                             25.59%
Algeria               1.18%                                             13.48%
Italy                 8.93%                                             89.7%
Brazil                2.56%                                             31.83%
Other                41.16%                                             46.3%

Fig. 10: The year-on-year change in the share of users attacked with encryption ransomware as a proportion of users attacked with any kind of ransomware

In 2014-2015 the ten countries above accounted for 64.14% of all users who encountered any kind of ransomware, and 52.83% of those who encountered cryptors.
In 2015-2016 these figures rose to 64.57% and 61.32% respectively. It is clear from Fig. 10 that during 2014-2015 encryption ransomware was, in most countries (except the US), just another type of ransomware, with a relatively small percentage of attacked users.

A year later, encryption ransomware had become much more visible on the threat landscape, increasing its share of ransomware attacks by well over 20 percentage points in some countries (the US, Brazil, Kazakhstan, Ukraine, Vietnam and Russia).

And for some countries, like Germany and Italy, encryption ransomware became almost synonymous with the Trojan-Ransom category. To conclude the issue of geography, we can say that while, overall, the share of users attacked with malware from Trojan-Ransom barely changed, the actual number of attacked users increased by double digits.

Although in some countries the exact number of users attacked with any type of ransomware decreased, there is no country in the list that showed a decrease in the share of users attacked with encryption ransomware.

This of course doesn't answer the question: did the actual number of users attacked with encryption ransomware increase in these countries, or is the increase in their share simply the result of a declining number of users being attacked with blockers? As can be seen in Fig. 11, the answer is yes, the actual number increased, and in some countries, like Germany, Brazil, Ukraine, Kazakhstan and Italy, the growth rate was extremely high, which means that users, especially in these countries, should be extremely cautious when surfing the web.

Country              2014-2015   2015-2016   Year-to-year change (times)
Russian Federation    34,226     177,249     5.18
India                  4,803      22,572     4.70
United States         15,380      22,155     1.44
Germany                4,744      96,566     20.36
Vietnam                2,230      20,409     9.15
Ukraine                  925      11,257     12.17
Kazakhstan               716      10,025     14.00
Algeria                  728       5,195     7.14
Italy                  4,412      53,039     12.02
Brazil                 1,116      22,307     19.99
Others                61,853     277,962     4.49

Fig. 11: The year-on-year growth rate of users attacked with encryption ransomware in the top 10 countries with the highest proportion of such users

Guccifer 2.0: Red Herring Or Third DNC Hacker?

CrowdStrike and Fidelis say all evidence for the intrusions at the DNC points to Russian-backed groups.

A lone hacker's claim to be behind the recent data breach at the Democratic National Committee, and his release on Tuesday of apparently more purloined data from the DNC, have added a new twist to reports about Russian involvement in the breach. Using the handle Guccifer 2.0, the hacker today published a fresh cache of information related to the Hillary Clinton presidential campaign that was allegedly stolen from a DNC server. It is the second set of such documents that Guccifer 2.0 has released in the last few days in a bid to prove that he is the one responsible for breaching the DNC, not the two Russian APT groups reported by security firm CrowdStrike last week.

In a WordPress blog post titled "Dossier on Hillary Clinton from DNC," Guccifer 2.0 listed several documents purporting to contain information on various Clinton campaign-related topics and on big donors. "The DNC collected all info about the attacks on Hillary Clinton and prepared the ways of her defense, memos, etc., including the most sensitive issues like email hacks," the hacker said by way of describing the contents of the published documents. The DNC itself has so far not commented on either the purported theft or the authenticity of the published documents.

In a Twitter interview with Motherboard, Guccifer 2.0 identified himself as being from Romania and said he had broken into the DNC server last summer. The hacker claimed to have exploited a security flaw in the platform of a software-as-a-service provider that the DNC uses, which allowed him to gain access to the committee's servers. Guccifer 2.0 denied any connection to Russia and professed a dislike both for the nation's foreign policies and for being linked to the Russian government in any way.
The hacker's comments and his continued publishing of data purportedly stolen from the DNC add a new wrinkle to recent reports by a couple of security vendors that link the DNC breach to two Russian cyber espionage groups. The first report, released last week, was from CrowdStrike and was based on the security vendor's investigation of a breach at the DNC. CrowdStrike said its analysis of the breach showed clear forensic evidence of two Russian APT groups, Cozy Bear and Fancy Bear, being behind the intrusion. The two groups appear to have been completely oblivious to each other's presence on the same network, though they targeted the same systems and the same data, CrowdStrike said.

In response to Guccifer 2.0's claims, CrowdStrike released a statement standing by its analysis and its finding that two separate Russian intelligence-affiliated adversaries broke into the DNC and stole data. CrowdStrike and others have raised the possibility that Guccifer 2.0's claims are part of a Russian intelligence disinformation campaign to divert attention from Russia's role in the DNC hacking.

On Monday, Fidelis Cybersecurity backed CrowdStrike's analysis with a report of its own confirming the DNC breaches as the work of the Cozy Bear and Fancy Bear Russian APT groups. The company said its investigation was prompted by Guccifer 2.0's claims to be responsible for the DNC breach. "The malware samples were similar -- and at times identical -- to malware that other security vendors have associated to these Russian APT groups," Fidelis said in its report. "Based on our comparative analysis we agree with Crowdstrike and believe that the Cozy Bear and Fancy Bear APT groups were involved in successful intrusions at the DNC." CrowdStrike and Fidelis did not immediately respond to a question on whether it is possible that someone else also gained access to the DNC's systems in addition to the two Russian APT groups.
Phil Burdette, senior security researcher at the Counter Threat Unit at SecureWorks, says it is possible that a lone wolf was able to breach the DNC, as Guccifer 2.0 has claimed. However, it is also feasible that Guccifer 2.0's claims are a misinformation campaign to divert attention away from Russia's role in the attacks, Burdette says. SecureWorks also recently released a report on a Russian Federation-based group, Threat Group-4127, that has been targeting the Clinton campaign for the past several months.

According to SecureWorks, 108 email addresses associated with the Hillary for America campaign were targeted using 213 malicious links between last October and May 2016. In addition, Threat Group-4127 targeted Gmail accounts belonging to individuals linked to the Hillary for America campaign, the DNC, or other aspects of US national politics. "SecureWorks believes there is substantial overlap between TG-4127 and the Fancy Bear intrusion occurring with the DNC as reported by CrowdStrike," Burdette says.

Burdette says he, too, is convinced of Russian involvement in the breach, regardless of Guccifer 2.0's claims. "SecureWorks stands strongly behind its attribution assessment that Threat Group-4127 is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government," Burdette says. "This does not preclude another threat group or lone wolf from also compromising the DNC. However, it is also feasible that the Guccifer is a misinformation campaign and thus we encourage individuals to draw their own conclusion," he says.

New Ransomware Strain Coded Entirely In Javascript

Security researchers have discovered a new strain of ransomware coded entirely in JavaScript, which could increase its chances of being activated. Unlike executable program files, JavaScript documents do not always trigger a security warning on Windows or require administrator access to run. Named RAA, the malware is disguised as a document and starts encrypting files immediately when opened. One security expert said the approach was likely to fool many victims.

"It's an interesting approach to ransomware," said Ken Munro of security company Pen Test Partners. "Using JavaScript as an attachment to an email is likely to result in many victims accidentally installing it."

The RAA ransomware was discovered by security researchers known as Benkow and JamesWT. It is sent to victims by email and, if opened on a Windows machine, uses the "Windows Based Script Host" to run its code. Typically an executable program such as an .exe or .bat file would be automatically screened and blocked by the operating system, but Windows allows .js files to run. If opened, the ransomware sets about encrypting the victim's files and displays a ransom note written in Russian. It demands a fee of $250 (£171) for the files to be restored.

In April, Microsoft reported that it had seen an increase in malware being spread through JavaScript email attachments. "It is interesting to note that an Office attachment with malicious macros typically requires two or more clicks on the document to run it. One click to open the document and another click to enable the macros," the firm said in a blog post. "On the other hand, the JavaScript attachments only take one or two clicks to start executing."

Protection

Mr Munro said people should avoid opening attachments from unknown sources to stay safe. "The .js (JavaScript) file type is automatically blocked in some email packages, particularly Outlook," said Mr Munro. "But interestingly Gmail doesn't appear to block it. Don't open unknown attachments, particularly those with a .js extension. While we're there, don't open macro enabled Office docs either (such as .docm and .xlsm files) - and keep your anti-virus right up to date."

Additionally, Windows can be instructed not to start the "Windows Based Script Host" when a .js file is double-clicked. Virus blog Bleeping Computer reports that there is currently no way to reverse the RAA encryption without paying the ransom. Often, restoring files from a back-up copy is the only way to get files back without paying - although some examples of ransomware have been cracked.

The Tip of the Iceberg: An Unexpected Turn in the xDedic...

Introduction

Last week we reported on the xDedic underground marketplace that facilitated the selling and buying of access to compromised RDP servers. We counted over 70,000 hacked server accounts from 173 countries for sale on the marketplace.

After the public announcement the xDedic website very quickly went offline, thanks to the cooperation of several major ISPs. However, it seems that this was not the end of the story. The day after the announcement, an anonymous source from a Lithuanian IP address posted an unusual comment on our blog using the alias “AngryBirds.” We usually take such comments with a pinch of salt and generally don’t pay too much attention to comments with strange links. However, this time the links pointed to a series of pastes on the popular resource Pastebin, which in turn contained long lists of IP addresses and date information. One such paste contains about 19,000 records.

The author of the comment mentioned that the list of pastes is related to hacked servers from the xDedic marketplace.

At first glance it looked real – the earliest date was close to the time when the first servers were listed on xDedic (according to our records the first server was added in November 2014). However, we were slightly sceptical and decided to validate the list before making use of it. With this blogpost we share the results of that validation and our thoughts on the data we received. We have collected and concatenated all the pastes into one list: it contains around 176,000 unique records from October 2014 to February 2016.

Validation Challenge

The first problem we faced is that we didn’t have full IP addresses from the xDedic marketplace, because the marketplace revealed only the first two octets of each IP. We had some data from the sinkhole, but this was just part of the full xDedic dataset and related to the operation of a single criminal (group) relying on the SCCLIENT backdoor that we managed to sinkhole.

The problem becomes even worse when you consider the fact that our sinkhole data starts from the end of March 2016 while the Pastebin dataset ends at the end of February 2016.

Theoretically, we can’t provide a strong validation of the submitted data. Nevertheless, we decided to do our best. One way of comparing the datasets was to check the correlation between the numbers of servers added monthly, so we combined them into one chart, seen below:

(Chart: servers added per month, marketplace vs. Pastebin)

The orange bars show the number of servers added to the marketplace while the blue bars show the IPs found on Pastebin.

There is a weak but still recognizable correlation between the two datasets starting from June 2015. We have no solid theory as to why this began in June 2015, but one thought is that the developers of xDedic introduced a major change to the platform code around that time which somehow affected the server information displayed. Another check we did was to see how much the Pastebin dataset overlaps with our data from the sinkhole.

As mentioned above, the sinkhole data started coming in at the end of March 2016 while Pastebin data ends in February, leaving a one month gap between the two datasets. However, we should still see an element of overlap considering that some servers could have been resold on the marketplace.

And so it turned out: 1,303 unique IP addresses were found both in our sinkhole data and in the Pastebin data. Next, we decided to check how many of the reported IP addresses from the Pastebin dataset were RDP servers.
So we simply scanned known IPs for the most popular RDP ports.

The results were quite impressive: 71,784 IPs had the RDP service running on port range 3300-3400 (most of them were on standard port 3389). Finally, we decided to compare the list of subnets, based on the first two octets we had from the marketplace before March 2016 and check to see if these subnets were part of the Pastebin data too.

The results were astonishing:

Subnets from marketplace before March’16    Subnets that matched Pastebin dataset
8,721                                       8,718

There were only three IPs on the marketplace which didn’t make it into the Pastebin dump. We checked those and found that they were added on the 29th of February 2016. We assume that these three IPs (subnets) were added at the end of the day, right after the Pastebin dump ended.

Aftermath

We sorted the Pastebin IPs by the country they belong to and got a different picture compared to what we saw previously. Here is the new TOP 10 (new countries marked with *):

 #   Marketplace TOP 10              Pastebin TOP 10 (NEW)
     Country         Servers         Country           Servers
 1   Brazil          6,540           USA*              60,081
 2   China           5,023           United Kingdom*   8,817
 3   Russia          4,020           Brazil            8,770
 4   India           3,488           Canada*           6,112
 5   Spain           3,155           France            5,973
 6   Italy           3,119           Spain             5,954
 7   France          2,474           Australia         5,855
 8   Australia       2,448           Russia            5,608
 9   South Africa    2,438           Italy             5,536
10   Malaysia        2,140           Germany*          4,988

(Chart: marketplace TOP 10 compared visually with the Pastebin TOP 10)

Interestingly, the USA and the UK jump into the TOP 10, ranking first and second respectively.
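The validation steps above (parsing the pasted records, monthly counts for the correlation chart, the overlap with sinkhole hits, and the two-octet subnet comparison) as an added Python example; this is not Kaspersky's code, and every record in it is constructed for the example. It also adds the check an administrator would want: whether any of their own address ranges appear in such a dump.

```python
"""Cross-check an unverified leak (Pastebin-style 'ip date' lines) against
the partial data a researcher actually holds: marketplace listings that
expose only the first two octets, and full IPs from a sinkhole.
All records below are constructed for this example; none are xDedic data.
"""
from collections import Counter
from datetime import date
import ipaddress

# Constructed marketplace listings: (first two octets as shown, date added)
MARKETPLACE = [
    ("203.0", date(2015, 6, 3)),
    ("203.0", date(2015, 6, 20)),
    ("198.51", date(2015, 7, 8)),
    ("192.0", date(2016, 2, 29)),   # added at the very end of the period
]

# Constructed Pastebin-style records, including one junk line to skip
PASTE_LINES = """\
203.0.113.7 2015-06-02
203.0.113.9 2015-06-19
198.51.100.4 2015-07-07
203.0.113.7 2015-07-07
not a record
""".splitlines()

# Constructed sinkhole hits (full IPs observed later)
SINKHOLE = {"203.0.113.7", "198.51.100.250"}


def parse_paste(lines):
    """Parse 'ip date' lines into (IPv4Address, date) tuples, dropping junk."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            ip = ipaddress.IPv4Address(parts[0])
            seen = date.fromisoformat(parts[1])
        except ValueError:
            continue
        records.append((ip, seen))
    return records


def monthly_counts(dates):
    """Entries per (year, month): the series plotted in the correlation chart."""
    return Counter((d.year, d.month) for d in dates)


def prefix16(ip):
    """First two octets, the only granularity the marketplace exposed."""
    return ".".join(str(ip).split(".")[:2])


def overlap_with_sinkhole(paste_records, sinkhole):
    """Unique paste IPs that the sinkhole independently confirmed."""
    return {str(ip) for ip, _ in paste_records} & set(sinkhole)


def prefix_coverage(market, paste_records, cutoff):
    """Marketplace /16 prefixes listed before `cutoff` that also occur in the
    paste. Returns (total prefixes, matched prefixes, unmatched prefixes)."""
    market_prefixes = {p for p, d in market if d < cutoff}
    paste_prefixes = {prefix16(ip) for ip, _ in paste_records}
    matched = market_prefixes & paste_prefixes
    return len(market_prefixes), len(matched), sorted(market_prefixes - paste_prefixes)


def my_ips_in_dump(paste_records, my_networks):
    """Defender's check: which of my CIDR ranges contain a listed IP."""
    nets = [ipaddress.IPv4Network(n) for n in my_networks]
    return sorted({str(ip) for ip, _ in paste_records if any(ip in n for n in nets)})


if __name__ == "__main__":
    recs = parse_paste(PASTE_LINES)
    print("paste per month:", dict(monthly_counts(d for _, d in recs)))
    print("market per month:", dict(monthly_counts(d for _, d in MARKETPLACE)))
    print("sinkhole overlap:", overlap_with_sinkhole(recs, SINKHOLE))
    print("prefix coverage:", prefix_coverage(MARKETPLACE, recs, date(2016, 3, 1)))
    print("mine in dump:", my_ips_in_dump(recs, ["203.0.113.0/24"]))
```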

Also, Canada and Germany now appear in the TOP 10.

This may make more sense when you consider that the marketplace data concerns only unsold offerings, while the huge Pastebin dataset could reflect a more realistic picture of all compromised servers.

This suggests that the source of the data is either high-frequency monitoring of the xDedic marketplace (with access to full IP information) or someone with advanced access to the backend (be it a hosting provider or one of the developers). Meanwhile our charts from the sinkhole also had the USA, the UK and Germany in the TOP 10, which supports the view that the real picture should have these major countries in the TOP 10.

Extra Note

In our earlier report we mentioned that the average server on the xDedic marketplace cost around $7-8 USD. However, many journalists asked us: “What was the most expensive server for sale on xDedic?” When we looked at the data again we saw one server that cost $6,000 USD.
In fact, only around 50 servers cost more than $50 USD, and all of them were located in the USA, from Alaska to Florida.

The TOP 10 most expensive servers on the xDedic marketplace were offered by a single criminal (group) with the alias “Narko“:

Subnet        State           City          OS              Date        Price, USD
72.69.*.*     Illinois        Chicago       Windows 7       03.04.2016  $6,000
50.195.*.*    Massachusetts   New Bedford   Windows 7       12.05.2016  $4,000
173.10.*.*    Washington      Bellevue      Server 2012 R2  29.04.2016  $4,000
162.233.*.*   Mississippi     Lucedale      Windows 7       05.04.2016  $4,000
104.57.*.*    Oklahoma        Stratford     Windows 7       10.05.2016  $4,000
97.87.*.*     Michigan        Davison       Windows 7       24.12.2015  $2,500
50.255.*.*    Michigan        Ypsilanti     Server 2012 R2  18.03.2016  $2,000
108.58.*.*    New York        Hicksville    Server 2008 R2  11.04.2016  $2,000
74.124.*.*    North Carolina  Randleman     Windows 7       18.04.2016  $1,500
24.178.*.*    Georgia         Gainesville   Windows 7       08.04.2016  $1,500

We can only speculate as to why these servers cost more than others, but there is no objective way to find their exact IPs because they were added to xDedic after the period covered by the Pastebin dataset.

Conclusions

If we consider the newly obtained Pastebin data as authentic, it can help many organizations, companies and individuals to identify compromised servers they own.

For us it was yet another confirmation that when it comes to cybercrime, we often see just the tip of the iceberg.

The reason why the xDedic marketplace looked smaller to the buyer is that the most desirable servers were often sold almost as soon as they were added to the marketplace, leaving only the least interesting and unwanted servers for sale. After all the analysis we still have many questions:

- Where does the data come from?
- Why does the dataset from Pastebin not include more data from March to June 2016? That would make validation far easier.
- How many of these IPs are still compromised now?

What we can tell for sure is that the Pastebin dataset:

- Matches the timeline of the xDedic operation.
- Contains the IPs of many RDP servers.
- Contains many IPs of known compromised RDP servers.
- Shows a correlation with the dynamics of the xDedic marketplace offering.
- Contains 100% of the subnetworks we saw on the xDedic marketplace within the same timeframe.

In any case, whatever unanswered questions remain, it makes sense for the system administrators of the listed IP addresses to check carefully for a potential past compromise of their servers. Since much of this information has already become public through the open comment on our blog post, we are releasing for national CERTs a full combined list of IPs with country code based on GeoIP. On the assumption that the Pastebin data provided by AngryBirds is genuine, we would like to say a formal thank you for sharing this data with us. However, there is one thing that can be improved next time, namely responsible disclosure. Making this data fully public may encourage other criminals to attack easy targets or result in the undeserved public shaming of administrators who run currently secure systems. Had we received this information via a private channel (email, private URL, etc.), we would have been happy to relay it to CERTs and local authorities of affected countries via our established channels and partners.
So we would ask that in future those who respond to our research refrain from dumping such data into the public domain.

Thank you! A full combined list of IPs with country code based on the GeoIP (.csv file)

Lone Hacker Taking Credit For DNC Breach Is Likely Russian, Says...

'Guccifer 2.0' claimed responsibility for the breach at the Democratic National Committee, then leaked stolen documents about Donald Trump to prove it. Investigators pinned this week's Democratic National Committee data breach on two Russian state-sponsored advanced threat groups, Cozy Bear and Fancy Bear. Yet, shortly thereafter, an anonymous actor, going by the name "Guccifer 2.0," claimed individual responsibility for the DNC attack, and supported their claim by releasing what appeared to be documents stolen from the DNC, reported Ars Technica.   Much is unknown about Guccifer's involvement or relationships with the advanced threat actors or the Kremlin; but what does seem clear is Guccifer's Russian heritage. Private security researcher PwnAllTheThings highlighted evidence, reports Ars Technica. The researcher says the first clue is in the computer name Феликс Эдмундович obtained from the metadata inside the hacker’s Word document.

This indicates the computer was configured to use Russian language.

Translated, this name is Felix Dzerzhinsky, founder of the Soviet secret police. The second suggestion, says PwnAllTheThings, comes from the leaked Donald Trump Word document, which carries a broken link displaying the message “Error! Hyperlink reference not valid.” This document, when converted to a PDF file by Guccifer 2.0 and posted on Gawker, carries the same message, but in Russian. The third hint is the use of ))) in Guccifer 2.0’s blog post, which, says PwnAllTheThings, is a smiley used by people in Eastern Europe and Russia. PwnAllTheThings adds that other clues suggest the hacker may not be a native English speaker, and also thinks the culprit is unlikely to be a nation-state. Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

For more information from the original source of the news item, please follow the link provided in this article.

Operation Daybreak

Earlier this year, we deployed new technologies in Kaspersky Lab products to identify and block zero-day attacks.

This technology already proved its effectiveness earlier this year, when it caught an Adobe Flash zero day exploit (CVE-2016-1010).

Earlier this month, our technology caught another zero-day Adobe Flash Player exploit deployed in targeted attacks. We believe the attacks are launched by an APT Group we track under the codename “ScarCruft”. ScarCruft is a relatively new APT group; victims have been observed in Russia, Nepal, South Korea, China, India, Kuwait and Romania.

The group has several ongoing operations, utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer. Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit.
It is also possible that the group deployed another zero-day exploit, CVE-2016-0147, which was patched in April. The exploit caught by our technologies highlights a few very interesting evasion methods, some of which we haven’t seen before. We describe them below.

Operation Daybreak general information

Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails.

To date, we have observed more than two dozen victims for these attacks. Although the exact attack vector remains unknown, the targets appear to receive a malicious link which points to a hacked website where the exploitation kit is hosted.

The hacked web server hosting the exploit kit is associated with the ScarCruft APT and used in another line of attacks.

Certain details, such as using the same infrastructure and targeting, make us believe that Operation Daybreak is being done by the ScarCruft APT group. The ScarCruft APT group is a relatively new player and managed to stay under the radar for some time.
In general, their work is very professional and focused.

Their tools and techniques are well above average. Prior to the discovery of Operation Daybreak, we observed the ScarCruft APT launching a series of attacks in Operation Erebus. Operation Erebus leverages another Flash Player exploit (CVE-2016-4117) through the use of watering hole attacks. In the case of Operation Daybreak, the hacked website hosting the exploit kit performs a couple of browser checks before redirecting the visitor to a server controlled by the attackers, hosted in Poland. The main exploit page script contains a BASE64 decoder, as well as RC4 decryption implemented in JS. The parameters sent to the “ap.php” script are randomly generated on each hit, so the second stage payload is encrypted differently each time.

This prevents easy detection by MD5 or signatures of the second stage payload. The exploitation process consists of three Flash objects.

The Flash object that triggers the vulnerability in Adobe Flash Player is located in the second SWF delivered to the victim. At the end of the exploitation chain, the server sends a legitimate PDF file to the user – “china.pdf”.

The “china.pdf” file shown to the victims in the last stage of the attack seems to be written in Korean:

(Figure: decoy document shown to victims)

The document text talks about disagreements between China and “The North” over nuclear programs and demilitarization.

Vulnerability technical details

The vulnerability (CVE-2016-4171) is located in the code which parses the ExecPolicy metadata information. This is what the structure looks like:

(Figure: the ExecPolicy structure)

This structure also contains an array of item_info structures. The documentation says the following about these structures: “The item_info entry consists of item_count elements that are interpreted as key/value pairs of indices into the string table of the constant pool. If the value of key is zero, this is a keyless entry and only carries a value.”

In the exploit used by the ScarCruft group, we have the following item_info structures:

(Figure: item_info array in the exploit object)

The code that triggers the vulnerability parses this structure and, for every key and value member, tries to get the respective string object from the string constant pool.

The problem lies in the fact that the “.key” and “.value” members are used as indexes without any kind of boundary check. It is easy to see that if the key or value member is larger than the string constant pool array, a memory corruption problem appears.
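The lookup just described, shown next to a version with the missing boundary check, as an added Python example that is not part of the original post. The byte layout (a little-endian u32 item_count followed by u32 key/value pairs) and the constant pool are assumptions constructed for the example, not the real ExecPolicy encoding.

```python
"""Index validation for an item_info-style structure whose key/value pairs
index a string constant pool. The byte layout used here (u32 item_count,
then u32 key, u32 value per item, all little-endian) is an assumption for
this example, not the real SWF/ExecPolicy encoding.
"""
import struct


class MalformedItemInfo(ValueError):
    """Raised when item_info does not fit its buffer or its constant pool."""


def parse_item_info_unchecked(data, pool):
    """The defective pattern: key/value are used as indexes as read from the
    file. Python raises IndexError on an out-of-range index; native code
    instead reads or writes past the end of the pool array."""
    (count,) = struct.unpack_from("<I", data, 0)
    items, off = [], 4
    for _ in range(count):
        key, value = struct.unpack_from("<II", data, off)
        off += 8
        items.append((pool[key] if key else None, pool[value]))
    return items


def parse_item_info(data, pool):
    """Hardened version: item_count is checked against the buffer and every
    index against the pool before it is dereferenced."""
    if len(data) < 4:
        raise MalformedItemInfo("truncated item_info header")
    (count,) = struct.unpack_from("<I", data, 0)
    if 4 + count * 8 > len(data):
        raise MalformedItemInfo(f"item_count {count} exceeds buffer of {len(data)} bytes")
    items = []
    for i in range(count):
        key, value = struct.unpack_from("<II", data, 4 + i * 8)
        if key >= len(pool) or value >= len(pool):
            raise MalformedItemInfo(
                f"item {i}: index out of range (key={key}, value={value}, pool size={len(pool)})"
            )
        # key == 0 is a keyless entry that only carries a value
        items.append((pool[key] if key else None, pool[value]))
    return items


def encode_item_info(pairs):
    """Build a buffer in the assumed layout, used to construct samples."""
    return struct.pack("<I", len(pairs)) + b"".join(struct.pack("<II", k, v) for k, v in pairs)


# Constructed constant pool; index 0 holds the empty string so that key 0
# never names a real key.
POOL = ["", "version", "1.0", "policy"]

if __name__ == "__main__":
    good = encode_item_info([(1, 2), (0, 3)])
    print(parse_item_info(good, POOL))          # [('version', '1.0'), (None, 'policy')]
    bad = encode_item_info([(1, 0x7FFFFFFF)])   # value index far beyond the pool
    try:
        parse_item_info(bad, POOL)
    except MalformedItemInfo as e:
        print("rejected:", e)
```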
It is also important to mention that these members (value, key) are read directly from the SWF object, so an attacker can easily use them to implement arbitrary read/write operations.

(Figure: getting an object by index from the constant pool without any checks)

Using this vulnerability, the exploit implements a series of writes at specified addresses to achieve full remote code execution.

Bypassing security solutions through DDE

The Operation Daybreak attack employs multiple stages, which are all outstanding in some way. One of them attracted our attention because it implements a bypass for security solutions that we have never seen before. In the first stage of the attack, the decrypted shellcode executed by the exploit downloads and executes a special DLL file.

This is internally called “yay_release.dll”:

(Figure: second stage DLL internal name and export)

The code of this module is loaded directly into the exploited application and has several methods of payload execution. One of the methods uses a very interesting technique of payload execution which is designed mostly to bypass modern anti-malware products.

This uses an interesting bug in the Windows DDE component.
It is no secret that anti-malware systems trigger on special system functions that are called in the context of potentially vulnerable applications, in order to perform a deeper analysis of API calls such as CreateProcess, WinExec or ShellExecute. For instance, such defense technologies trigger if a potentially vulnerable application such as Adobe Flash starts other untrusted applications, script interpreters or even the command console. To make execution of the payload invisible to these defense systems, the threat actors used the Windows DDE interface in a very clever way.

First, they register a special window for it:

(Figure: window registration)

In the window procedure, they post WM_DDE_EXECUTE messages with commands:

(Figure: sending a WM_DDE_EXECUTE message to the window)

The attackers used the following commands:

(Figure: DDE commands used by the attackers)

The main idea here is that if you create a LNK to an executable or command, then use the ShowGroup method, the program will be executed.

This is undocumented behavior in Microsoft Windows. In our case, a malicious VBS was executed, which installs the next stage payload stored in a CAB file:

(Figure: malicious VBS used in the attack)

We have reported this “creative” abuse of DDE to Microsoft’s security team.

The final payload of the attack is a CAB file with the following MD5: 8844a537e7f533192ca8e81886e70fbc

The MS CAB file (md5: 8844a537e7f533192ca8e81886e70fbc) contains 4 malicious DLL files:

MD5                               Filename
a6f14b547d9a7190a1f9f1c06f906063  cfgifut.dll
e51ce28c2e2d226365bc5315d3e5f83e  cldbct.dll
067681b79756156ba26c12bc36bf835c  cryptbase.dll
f8a2d4ddf9dc2de750c8b4b7ee45ba3f  msfte.dll

The file cldbct.dll (e51ce28c2e2d226365bc5315d3e5f83e) connects to the following C2: hXXp://webconncheck.myfw[.]us:8080/8xrss.php

The modules are signed with invalid digital certificates listed as “Tencent Technology (Shenzhen) Company Limited”, with serial numbers copied from real Tencent certificates:

5d 06 88 f9 04 0a d5 22 87 fc 32 ad ec eb 85 b0 71 70 bd 93 cf 3f 18 9a e6 45 2b 51 4c 49 34 0e

(Figure: invalid digital signature on malware samples)

The malware deployed in this attack is extremely rare and apparently reserved only for high profile victims. Our products detect it, as well as other malware from ScarCruft, as HEUR:Trojan.Win32.ScarCruft.gen.

Victims

Although our visibility is rather limited, some of the victims of these attacks include:

- A law enforcement agency in an Asian country
- One of the largest trading companies in Asia and in the world
- A mobile advertising and app monetization company in the USA
- Individuals related to the International Association of Athletics Federations
- A restaurant located in one of the top malls in Dubai

Some of these were compromised over the last few days, indicating the attackers are still very active.

Conclusions

Nowadays, in-the-wild Flash Player exploits are becoming rare.

This is because in most cases they need to be coupled with a Sandbox bypass exploit, which makes them rather tricky. Additionally, Adobe has been doing a great job at implementing new mitigations to make exploitation of Flash Player more and more difficult. Nevertheless, resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets. As usual, the best defense against targeted attacks is a multi-layered approach. Windows users should combine traditional anti-malware technologies with patch management, host intrusion detection and, ideally, whitelisting and default-deny strategies.

According to a study by the Australian DSD, 85% of the targeted attacks analysed could have been stopped by four simple defense strategies. While it’s impossible to achieve 100% protection, in practice and in most cases all you have to do is increase your defenses to the point where it becomes too expensive for the attacker – who will just give up and move on to other targets. Kaspersky products detect the Flash exploit as HEUR:Exploit.SWF.Agent.gen; our AEP (Automatic Exploit Prevention) component can also successfully detect this attack. Payloads are detected with the HEUR:Trojan.Win32.ScarCruft.gen verdict.

* More information about the ScarCruft APT group is available to customers of Kaspersky Intelligent Services.

Indicators of compromise

Malicious IPs and hostnames:
212.7.217[.]10
reg.flnet[.]org
webconncheck.myfw[.]us

MD5s:
3e5ac6bbf108feec97e1cc36560ab0b6
a6f14b547d9a7190a1f9f1c06f906063
e51ce28c2e2d226365bc5315d3e5f83e
067681b79756156ba26c12bc36bf835c
f8a2d4ddf9dc2de750c8b4b7ee45ba3f
8844a537e7f533192ca8e81886e70fbc

For $6, Buy Access To Hacked Government Server, On Underground Market

Kaspersky uncovers marketplace where criminals buy entry into 70,000 servers from 173 countries to launch cyberattacks. Software security firm Kaspersky Lab has exposed an underground trading platform that is selling access to compromised servers of governments, businesses and universities at a price starting as low as $6, reports Reuters.

This marketplace, operating under the name xDedic, is run by a Russian-speaking group and provides access to 70,000 servers from 173 countries hacked at some point without the owners’ knowledge. Researchers say access to the computers is offered along with software designed to launch denial-of-service and spam campaign attacks on networks, break into online or retail payment systems and illegally produce Bitcoin.

Also up for sale are millions of stolen email credentials. Access to government servers is reportedly sold from $7 onwards, while $15 is charged for servers with high-capacity network connections. xDedic takes a 5 percent cut on all money put into trading accounts. Kaspersky told Reuters it was alerted to this eBay for criminals by a European internet provider and has informed the national computer emergency response teams in several countries.


Survey Points To 75% Organizations With Poor Cybersecurity

RSA research says nearly half of surveyed companies show their incident response capabilities to be nonexistent. Incident response capabilities of organizations are underdeveloped and 65% are more likely to adopt mature capabilities only after their business experiences an incident, according to the new RSA Cybersecurity Poverty Index.  This was the second RSA Cybersecurity Poverty Index conducted by the security division of EMC and designed to get organizations to assess their cybersecurity programs using the NIST Cybersecurity Framework as the yardstick.  The study found that companies invested in detection and response technologies are better placed to ward off cyber attacks than organizations that have just perimeter protection.

An important improvement from the 2015 survey was an increase in the number of organizations with better capabilities, rising from 4.9% to 7.4%. The research also revealed that, for the second straight year, respondents with significant cybersecurity risk exposure stand at 75%. Amit Yoran, CEO of RSA, said “We need to change the way we are thinking about security, to focus on more than just prevention – to develop a strategy that emphasizes detection and response.”


FBI: BEC Scam Attempts Amount to $3 Billion

FBI warns of rise in business email compromise frauds, says it should be reported immediately. The FBI is warning that there has been a sudden spike in business email compromise (BEC) scams. Launching a public awareness campaign, the Bureau said fraudsters tried to steal around $3.1 billion from businesses posing as company executives and ordering huge wire transfers. Just four months ago, the FBI put the figure at $2.3 billion, so this is a significant increase in such a short time.

Although not all attempts were successful, news reports show that BEC attacks have struck several companies with multimillion-dollar losses.   US and foreign victims have reported 22,143 cases from October 2013 through last month, according to the FBI.

The bureau has asked to be notified immediately of any BEC scheme, which has seen a 1,300 percent hike in losses since January 2015, so that the transferred money can be recovered before it is too late.

Transfer requests are commonly made to banks in China and Hong Kong, adds the FBI. The recent increase in such activity is seen partly as a result of the effort by law enforcement agencies to categorize these scams separately as BECs, in which the business and not the customer is targeted -- unlike regular wire fraud, says Reuters, citing the FBI. Read the full report at Reuters.


xDedic – the shady world of hacked servers for sale

Over the last two years, deep in the slums of the Internet, a different kind of underground market has flourished. The short, cryptic name perhaps doesn’t say much about it: xDedic. However, on this obscure marketplace anyone can purchase more than 70,000 hacked servers from all around the Internet.

(Figure: xDedic forum login)

From government networks to corporations, from web servers to databases, xDedic provides a marketplace for buyers to find anything.

And the best thing about it – it’s cheap! Purchasing access to a server located in a European Union country government network can cost as little as $6. The one-time cost gives a malicious buyer access to all the data on the server and the possibility to use this access to launch further attacks.
It is a hacker’s dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors.

(Figure: server purchase forum)

To investigate xDedic, Kaspersky Lab teamed up with a European ISP.

The research allowed us to collect data about the victims and the way the marketplace operates. In May 2016, we counted 70,624 servers available for purchase, from 416 unique sellers in 173 affected countries.
In March 2016, the number was about 55,000, a clear indication that the database of users and servers is carefully maintained and updated.

(Figure: top countries with servers on sale)

Interestingly, the developers of xDedic are not selling anything themselves – instead, they have created a marketplace where a network of affiliates can sell access to compromised servers. If the truth be told, the people behind xDedic have created what appears to be a “quality” service – the forum even includes live technical support, special tools to patch hacked servers to allow multiple RDP sessions, and profiling tools that upload information about the hacked servers into the xDedic database.

(Figure: top 10 sellers – May 2016)

So who are the xDedic sellers listed above? We have been able to identify a very specific piece of malware (SCCLIENT) which is used by one of them, and to sinkhole its C&Cs.

This provided a glimpse into the operations of one of these entities, which, based on the number of victims, we suspect is either Narko, xLeon or sirr.

(Figure: SCCLIENT Trojan: victims’ information from sinkholing, first 12 hours)

The profiling software created by the xDedic developers also collects information about the software installed on the server, such as online gambling, trading and payments. Apparently, there is strong interest in accounting, tax reporting and point-of-sale (PoS) software, which open up many opportunities for fraudsters:

Spam and Attacking Tools:
Advanced Mass Sender, Bitvise Tunnelier, DU Brute, LexisNexis Spam Soft, LexisNexis Proxifier, Proxifier, Spam Soft

Gambling and Financial Software:
Full Tilt Poker, iPoker Network, UltraTax 2010 (2011,..,2015), Abacus Tax Software, CCH tax14 (tax15), CCH Small Firm Services, ChoicePoint, ProSeries TAX (2014,2015), ProSystem fx Tax, TAX Software, 2015 Tax Praparation, Tax Management Inc., Lacerte Tax

POS Software:
PosWindows, BrasilPOS, POS AccuPOS, POS Active-Charge, POS Amigo, POS Catapult, POS Firefly, POS ePOS, POS EasiPos, POS Revel, POS Software (Generic), POS Toast, POS QBPOS, PosTerminal, POS kiosk.exe, POS roi.exe, POS PTService.exe, POS pxpp.exe, POS w3wp.exe, POS DpsEftX.ocx, POS AxUpdatePortal.exe, POS callerIdserver.exe, POS PURCHASE.exe, POS XPS.exe, POS XChgrSrv.exe

During our research, we counted 453 servers from 67 countries with PoS software installed:

(Figure: servers for sale with Point-of-Sale software – May 2016)

For instance, a malicious user could go to the xDedic forum, register an account, top it up with Bitcoins and then purchase a number of servers which have PoS software installed.

Then, they can install PoS malware, such as Backoff to harvest credit card numbers.

The possibilities are truly endless. Kaspersky Lab has reported this issue with the appropriate law enforcement agencies and is cooperating in an ongoing investigation. To read our full report on xDedic which includes IOCs, download the xDedic Marketplace Analysis PDF here. * For more information about Kaspersky Lab Intelligence Services, Threat Reports and custom threat analysis contact