Saturday, December 16, 2017

Tag: Cyber Crime

Let's Encrypt, an organization set up to encourage broader use of encryption on the Web, has distributed 1 million free digital certificates in just three months. The digital certificates cover 2.5 million domains, most of which had never implemented SSL/TLS (Secure Sockets Layer/Transport Layer Security), which encrypts content exchanged between a system and a user.

An encrypted connection is signified in most browsers by "https" and a padlock appearing in the URL bar. "Much more work remains to be done before the Internet is free from insecure protocols, but this is substantial and rapid progress," according to a blog post by the Electronic Frontier Foundation, one of Let's Encrypt's supporters. The organization is run by the ISRG (Internet Security Research Group) and is backed by Mozilla, Cisco, Akamai, Facebook and others. There's been a push in recent years to encourage websites to implement SSL/TLS, driven in part by a rise in cybercrime, data breaches and government surveillance. Google, Yahoo, and Facebook have all taken steps to secure their services. SSL/TLS certificates are sold by major players such as Verisign and Comodo, with certain types of certificates costing hundreds of dollars and needing periodic renewal.

Critics contend the cost puts off some website operators, which is in part why Let's Encrypt launched a free project. "It is clear that the cost and bureaucracy of obtaining certificates was forcing many websites to continue with the insecure HTTP protocol, long after we've known that HTTPS needs to be the default," the EFF wrote.

It’s probably already happened, but you just haven't seen it... Technology moves quickly, not just in legitimate business, but in the cybercriminal world too.

Advanced attack tools are now available on the black market, lowering the barrier to entry for the average online lowlife.

They are happy to target large and small organizations alike, and they only have to be lucky once. Security pros have been forced to prepare for a world of constant, sustained attack by understanding the threats and choosing the right measures to prepare for them.

Companies are realising the extent of the threat and gearing up for it, say experts. “We have seen information security budgets increasing in the last 12 months to address the challenges that cyber crime is bringing to the organisation,” said Steve Durbin, managing director of the Information Security Forum. So what kinds of threats are they dealing with, and how can they prepare?

What are the threats and where are they coming from?

The cyberthreats facing modern companies fall into various categories, and they’re loosely linked to the type of cybercriminal that you’re dealing with and the kind of information that they’re after. Hacktivism has traditionally been characterised by attacks with a relatively low barrier to entry such as DDoS and web site defacements, for example. While hackers’ motives are frequently political or ideological, financial cybercriminals are interested purely in money, and are adept in their pursuit of it.
Some will attempt to transfer money out of an organization, while others will focus on saleable information. Malware typically underpins a financial cybercrime attack. One notable recent example is Carbanak, an extensive attack on financial institutions that netted $1bn in stolen assets.
It was a devilish attack, starting with a backdoor sent as an attachment that then moved through the network until it found an administrative machine. Then, the malware intercepted clerks’ computers, recording their sessions, and subsequently used that information to transfer money fraudulently using online banking sessions and to dispense money from ATMs. Carbanak was a sophisticated attack that sought to directly manipulate systems, but cybercriminals typically look to steal specific types of information such as personally identifiable information (PII) when they attack. Malware delivery via phishing and drive-by downloads is still a highly effective tool to steal this data.

Exploit kits designed to target enterprise clients with malicious payloads are on the rise. In its 2015 Threat Report, Forcepoint found three times more exploit kits in circulation than it had in 2013. The stolen information can be about your customers or your employees.

The latter can be just as damaging, because you’re likely to have financial and other data about the people who work for you. One of the most egregious attacks on employee data recently must be the Office of Personnel Management hack that compromised 5.6 million fingerprint records and the records of more than 21 million current and former government employees, harvesting social security numbers and addresses. PII isn’t the only threat category, though.
Intellectual property is another rich seam for online criminals to mine. Often the subject of targeted attacks, this information can take many forms, from email archives through to launch plans for new products, or details of new products currently under development. “We see a lot of intellectual property theft out there, coming from assumed nation states based on the IPs that they’re coming from, and from industry, too,” said Eric Stevens, director of strategic security consulting services at Forcepoint. “It’s a lot cheaper to steal development time than it is to do that development yourself,” he pointed out. While these different groups will typically seek different types of information, there is also an increasing amount of overlap. Hacktivists have begun targeting both customer data and intellectual property where it suits their needs.

Anonymous was behind the theft of ticketholder data for the 2012 F1 Grand Prix in Montreal, which was posted online. Hacktivist faction Lulzsec mined intellectual property from private security firm Stratfor in 2011.

How do you live with attackers getting in, and continue to fight them?

Over the years, the focus on keeping attackers out at all costs has shifted towards managing them when they break into an organization.
Security professionals seem to be tacitly admitting that network intrusion is a question of ‘when’, rather than ‘if’. “15 years ago, the focus was keeping them out. Today, organizations are starting to realize they have to deal with a certain degree of compromise,” explained Stephen Northcutt, director of academic advising for the SANS Technology Institute. This is something that at least one of the three-letter agencies has understood for years.
In 2010, Deborah Plunkett, then-head of the Information Assurance Directorate at the NSA, said that the agency assumed that there were already intruders inside its network.

Considering itself already compromised forced it to protect critical data inside the network, rather than relying on a single ring of iron. The Open Group’s Jericho Forum focused on containing rather than preventing threats with its de-perimeterization principle, first espoused in the mid-2000s, which stated that the traditional trusted network boundary had eroded. One of the group’s commandments to survive in a de-perimeterized future was the assumption that your network was untrusted. Clearly, the NSA didn’t protect its resources especially well, though.

Ed Snowden, working for third party contractor Booz-Allen Hamilton, happily vacuumed up gigabytes of sensitive data for a sustained trickle-feed campaign to the media. No matter what side of the Snowden debate you’re on, for CISOs his case highlights the need for controls to stop the theft of information through authorized accounts. “Over the next few years, you will see a lot of growth in privilege and identity management,” said Northcutt. “At the network level you are going to see more segmentation and isolation.” To fully protect themselves with these techniques, though, organizations need a deep understanding of the data that they have and how it is used in their business, said Stevens.

There are many roles and sets of responsibilities in an organisation.
Some of them may even transcend internal employees altogether. “You have to understand what your business processes are surrounding that data,” he said.
It’s necessary to understand what a normal process looks like.

A hospital may send data to a third party company that produces its invoices for it. How can you distinguish between a legitimate business process like that, and an illegitimate one that is sending sensitive data to bad people?

How do you distinguish between normal behaviour and threats?

Distinguishing between these different modes of behaviour is an important skillset for IT departments trying to spot attackers inside their network, but it’s doable with the right tools, say experts.
It’s all a question of mathematics, said Northcutt. “Twenty years ago the US Navy spent about a million dollars for a bunch of PhD statisticians to determine that like groups of people using like systems have a very similar network traffic footprint,” he said, adding that we have been using statistical techniques to baseline normal behaviour for years now. One form of attack involves malware that enters a network and then moves laterally, trying to find any data it can, and then exfiltrating it.
Software designed to baseline regular employee behaviour and then spot anything that deviates from the norm may be able to spot the unusual patterns that this malware may generate. Is a user account sending large amounts of data from an account that normally doesn’t? Is it encrypting that data, when it is normally sent over the internal company network in plain text? Why is it sending it at 2am when all employees are normally long gone? All of these things can raise flags in a suitably-equipped system.

Where do you start when choosing tools?

Training people to be security aware is an important part of stopping breaches, but CISOs will never eradicate those problems entirely.
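The three baselining questions the article raises (unusual volume, unexpected encryption, off-hours transfers) can be turned into a small detector. The script below is an added example, not code from the article or from any vendor it quotes; the log records, field names and the three-sigma threshold are all constructed assumptions, and a real deployment would build the profile from weeks of proxy or DLP logs rather than ten records.

```python
# Added example (not from the article): a toy behavioural baseline for
# outbound transfers, scoring each new event on volume, time of day and
# encryption. All records and field names below are constructed assumptions.
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline: one user's normal week, business hours, plaintext
# transfers of roughly 9-15 MB over the internal network.
BASELINE = [
    {"ts": "2016-03-01T09:15:00", "user": "alice", "bytes": 10_000_000, "encrypted": False},
    {"ts": "2016-03-01T10:40:00", "user": "alice", "bytes": 12_000_000, "encrypted": False},
    {"ts": "2016-03-02T11:05:00", "user": "alice", "bytes": 11_000_000, "encrypted": False},
    {"ts": "2016-03-02T14:30:00", "user": "alice", "bytes": 14_000_000, "encrypted": False},
    {"ts": "2016-03-03T15:10:00", "user": "alice", "bytes": 13_000_000, "encrypted": False},
    {"ts": "2016-03-03T09:50:00", "user": "alice", "bytes": 9_000_000, "encrypted": False},
    {"ts": "2016-03-04T13:20:00", "user": "alice", "bytes": 12_000_000, "encrypted": False},
    {"ts": "2016-03-04T16:45:00", "user": "alice", "bytes": 15_000_000, "encrypted": False},
    {"ts": "2016-03-05T10:15:00", "user": "alice", "bytes": 11_000_000, "encrypted": False},
    {"ts": "2016-03-05T14:55:00", "user": "alice", "bytes": 13_000_000, "encrypted": False},
]

# Constructed new events to score: a normal transfer, a 2am encrypted bulk
# transfer of the kind the article describes, and a user with no history.
EVENTS = [
    {"ts": "2016-03-08T10:05:00", "user": "alice", "bytes": 12_000_000, "encrypted": False},
    {"ts": "2016-03-09T02:03:00", "user": "alice", "bytes": 900_000_000, "encrypted": True},
    {"ts": "2016-03-09T11:00:00", "user": "mallory", "bytes": 5_000_000, "encrypted": False},
]


def _hour(record):
    """Hour of day (0-23) of a record's ISO-8601 timestamp."""
    return datetime.fromisoformat(record["ts"]).hour


def build_baseline(records):
    """Per user: mean and population stdev of bytes per transfer, the set of
    hours in which transfers were seen, and the share of encrypted transfers."""
    by_user = {}
    for r in records:
        by_user.setdefault(r["user"], []).append(r)
    baseline = {}
    for user, rs in by_user.items():
        sizes = [r["bytes"] for r in rs]
        baseline[user] = {
            "mean": mean(sizes),
            "stdev": pstdev(sizes),
            "hours": {_hour(r) for r in rs},
            "enc_share": sum(1 for r in rs if r["encrypted"]) / len(rs),
        }
    return baseline


def score_event(baseline, event, sigma=3.0):
    """Return the sorted list of deviation flags for one event; [] means the
    event is within the user's profile. A user with no profile is itself a flag."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["no_baseline"]
    flags = []
    # Volume: more than `sigma` standard deviations above the user's mean.
    if event["bytes"] > profile["mean"] + sigma * profile["stdev"]:
        flags.append("volume")
    # Time of day: an hour in which this user has never been seen transferring.
    if _hour(event) not in profile["hours"]:
        flags.append("off_hours")
    # Encryption: encrypted payload from a user who almost never encrypts.
    if event["encrypted"] and profile["enc_share"] < 0.1:
        flags.append("encryption")
    return sorted(flags)


def score_all(baseline_records=BASELINE, events=EVENTS):
    """Build the profile once and score every event against it."""
    baseline = build_baseline(baseline_records)
    return [(e["user"], e["ts"], score_event(baseline, e)) for e in events]


if __name__ == "__main__":
    for user, ts, flags in score_all():
        print(f"{ts} {user:8} {'ALERT ' + ','.join(flags) if flags else 'ok'}")
```

The three checks are deliberately independent so that an analyst can see which dimension tripped; a single 2am transfer from a user who works shifts would only raise `volume` or `encryption`, not all three, which keeps the false-positive story honest.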

A technology layer provides a vital layer of protection.

Don’t be distracted by emotions or industry buzzwords when choosing these tools, said Stevens. He recommends first identifying what data you want to protect (adding that this is more difficult than you’d imagine for many companies).

Talk to compliance managers and line of business owners to identify this information, and then work out what category of tool would best block the egress of that data. Companies can hone their priorities by focusing on a security framework like NIST’s, using it to establish areas where they need to improve. “Then it’s about ensuring that those purchases are improving your security posture as well as catering to compliance requirements that you may have,” he said. At the very least, though, he recommends a web and email security gateway, along with a data leak prevention (DLP) tool to monitor and prevent things from leaving. “Essentials are always going to be network monitoring tools,” said the ISF’s Durbin, adding that companies can build out their tool sets as they become more sophisticated. “The more advanced will focus on big data and trying to anticipate breaches and identify weaknesses in the security perimeter.”

Best of breed vs holistic approach

Should companies buy a single security platform offering a holistic approach, or focus on point solutions instead? “I would always vote on holistic, mainly because we aren’t seeing point channel solutions that are very effective,” said Stevens.

The main problem with best of breed solutions is visibility, he argued.
If you’re purchasing point solutions from multiple vendors, then integrating them to create a coherent view of your organization’s security incidents can be challenging. Your view of security needs to be watertight, not least because incidents in one domain that seem incongruous might suddenly gain more significance if you’re able to correlate them with other incidents happening elsewhere. A single pane of glass can help to ensure a consistent view of everything that’s happening across the various aspects of your infrastructure, from email scanning through to web gateways. The good news is that while many of the threats facing companies are sophisticated, many of them rely on the least amount of effort to infiltrate a company.

Attackers will go for unpatched, out of date software versions and misconfigured machines if they can, to avoid giving away their zero-day secrets. Using tools to keep a watchful eye on your network, endpoints and data is one part of the solution.

Good threat intelligence is another. Just as important, though, are proper conversations with business counterparts to understand what data you should be trying to protect in the first place. ®

Free webinar series from the folks at Sophos

Registration is open for Security SOS Week, a short series of live webinars each featuring Sophos expert IT security practitioners.

The events range from protecting your business against social engineering to embracing the Internet of Things without letting crooks into your network. You can find out more and sign-up at Security SOS Week, but in the meantime here is a handy synopsis for you. The 30-minute webinars kick off each day from 14 March 2016 to 18 March 2016 at 2pm to 2.30pm UK time (14:00-14:30 UTC). Naked Security writer Paul Ducklin hosts each event and his brief is to interview Sophos experts to help you cut through the jargon and understand the big issues in computer security today. Each webinar consists of 20 minutes of live interview, followed by 10 minutes of Q&A. Paul promises: “No sales pitches, no product demos, no PowerPoint slide decks - just informed answers to tricky problems.” Check out the running order below:

Social Engineering – when charming crooks talk to helpful users (Monday 14 March 14:00 GMT)
Sophos Global Security IT Manager Ross McKerchar takes you into the murky world of targeted attacks and shows how to build defences that will prevent one well-meaning employee from giving away the keys to the castle.

Can you strengthen security by weakening it? (Tuesday 15 March 14:00 GMT)
Some regulators want stronger security for the data you hold while others want to deliberately exploit "backdoors" in case they need to access your data in an investigation. What to do? John Shaw, Sophos Vice President, Product Management, discusses.

Malvertising: When trusted websites go rogue (Wednesday 16 March 14:00 GMT)
Crooks don't need to hack into a mainstream website to infect it with malware. They can get away with hacking just one ad served up by one ad network. This is "Malvertising", and John Shier, Sophos IT Security Specialist, explains how it works, why crooks love it, and what we can do to stamp it out.

Inside a hacker's toolkit (Thursday 17 March 14:00 GMT)
Join SophosLabs Principal Researcher Fraser Howard for an insight into what cybercrime tools the hackers have up their sleeves, how they work together, and what we can do to get the better of them.

What's next for the Internet of Things? (Friday 18 March 14:00 GMT)
Chet Wisniewski, Sophos Senior Security Advisor, tells you how you can dip your toes in the IoT water without plunging straight into trouble - as well as explaining how you can help us make the next generation of "things" secure by design.
The popular TV show's executive producer and actors realize it's edutainment, but they still try to get the facts straight and teach some security lessons.

SAN FRANCISCO—Among the most highly anticipated sessions at the RSA Conference 2016 here was the keynote presentation with the producer and cast from the popular CBS TV drama "CSI: Cyber." Among many in the IT security community, "CSI: Cyber" is widely derided as an inaccurate and an over-hyped representation of how IT security works.

That's a claim that the executive producer and actors in the show don't explicitly deny, but that doesn't mean they aren't actually trying to get it right and improve IT security overall. "CSI: Cyber," which focuses on cyber-crimes and IT security, is the latest iteration of the popular "CSI: Crime Scene Investigation" series. Anthony Zuiker, creator and executive producer of the CSI franchise, responded to the question about whether "CSI: Cyber" accurately represents the IT security industry. "It's show business." Zuiker points to what is known as the "CSI-effect," regarding how crimes are solved that can set up false expectations.

The effect can give people the false impression that law enforcement just needs to push a button to solve a crime, he added. "The CSI effect is also positive because it does send the announcement that on the worst day of your life, there are CSI agents out there that will find evidence and solve the crime." Zuiker said that with the show he is trying to send a positive message, and tell the best stories possible.

It's also not his direct intention to glamorize black hat hackers, but he reiterated that "CSI: Cyber" is first and foremost a TV drama. "We understand perfectly that the people that do the real heavy lifting, the experts in the space, are on that side of the stage with you guys," Zuiker said, pointing to the RSA Conference audience. "We're just trying to tell the best stories possible and help inform the world that there is cyber-crime out there and people need to be aware of it." In terms of how stories are developed, Zuiker explained that everything is focused on how relatable the core of a given story is to the show's target audience. "We're trying to do story lines to cater to the most important part of our audience." The most important part of the CSI audience is women, who make up 60 percent of the CSI TV viewing audience, he said. "It's very important that the American public in general understands that cyber-crime affects them almost every day and the devices in their pockets can be used as weapons in the hands of the wrong people," Zuiker said. "That's why our edutainment is as important as our entertainment." Zuiker, who visited various branches of law enforcement as part of his research for "CSI: Cyber," has received the same request to help get a few key messages out. One of them is to use complex passwords, and the other is to encourage people to do regular software updates. The positive impact of the CSI franchise has already been felt in other areas.

In Las Vegas, where the first CSI shows ran, local law enforcement has a Field Services division that performs crime scene investigations, and a decade ago it was getting 10 applications a year.

Thanks in part to the visibility and exposure that the CSI shows give to the profession, Zuiker said that Las Vegas law enforcement now gets 55,000 job applications per year to be crime scene investigators. The "CSI: Cyber" show can help improve the chronic talent shortage in IT security by raising awareness, Zuiker said. "The challenge for our industry is to reach the young people that have great skills with computers that can be amazing white hats and do their civic duty to help protect this country." Actor Charley Koontz, who plays white-hat FBI agent Daniel Krumitz on "CSI: Cyber," commented that he's been the target for criticism on Twitter about how real the show is and what his character does. Koontz echoed Zuiker, noting that the goal is to make an entertaining TV show while providing some food for thought about security. Koontz isn't too worried about reality on TV. "We're on a network that shows Supergirl, so where the line lands in terms of how realistic we're supposed to be on TV isn't clear," he said. Sean Michael Kerner is a senior editor at eWEEK and

Follow him on Twitter @TechJournalist.
Sorry, tinfoil types. Crims operate from home base, don't care for cross-border sharing

Trend Micro security bods have 'capped' their epic research efforts to catalogue the world's regional cybercrime undergrounds. The mammoth effort saw researchers crawl through criminal forums in five countries, documenting the nuances of each as they went. The security outfit's forward-looking threat research team detail the findings in Cybercrime and the Deep Web [PDF]. "... there is no such thing as 'an underground'," threat man Christopher Budd says. "The global cybercrime underground mirrors the globe itself: a patchwork of different countries and cultures, each unique and different in its own way." The team found hackers in America did very little to hide their crimes and instead quickly opened and shuttered sites to evade law enforcement. Hackers in Germany take their cues from, and operate in lockstep with, counterparts in Russia, running what is likely the most effective efforts across Europe. Russian online criminals operate probably the most prolific crime operations, using bizarre slang to chatter across the more than two dozen large and "very active" malware and fraud sites.

The scene is akin to an assembly line where "stiff competition" leads to high quality malware, services, and carding offerings. The research team found Chinese hackers had made money boosting iOS and Android applications with fake reviews published on the official Apple and Google stores.

The criminals were said to be the fastest innovators, recently publishing a data leak search engine. Meanwhile Brazilian crims were among some of the most prolific with one kid using the handle 'Lord Fenix' writing more than 100 trojans in a year. Researchers found it is a place where forum newbies were welcome and had sufficient tools to start fleecing victims without a steep learning curve. Japanese hackers too had a look-in by the Trend Micro team.

The scene was found to be in its infancy, trading in illegal goods and discussing prohibited topics behind gated bulletin boards that promise anonymity and exclusivity. ®
Henchperson wanted: Must have Java, C++, signature villain cackle

RSA 2016 Cybercrooks, much like ethical security defenders, are facing a skills crisis and difficulties in recruiting qualified staff.

Their attempts to bring workers into criminal organisations leave it possible for experts to learn more about their strategies and tactics, according to new research from threat intelligence firm Digital Shadows. Kingpins behind cyber-fraud need an ecosystem of malware writers, exploit developers, botnet operators and mules in order to build their business and turn a dishonest living. However, finding individuals who can be trusted is difficult and requires a rigorous application procedure. Running against their desire for anonymity, many cyber criminal organisations have been obliged to adopt traditional, real-world recruitment techniques.

These tactics include posting standalone job ads on general purpose forums or using specific job boards to seek out talent. Once candidates apply, they are put through an application and vetting process. Hackers face the challenge of weeding out “script kiddies”, who possess few legitimate technical skills and can waste limited resources, as well as the need to guard against potential infiltration by law enforcement agencies or security researchers. All this is not too dissimilar to corporate cybersecurity hiring challenges.

Due diligence is required to ensure that the proper candidates come through the process.
S’kiddies, who possess no legitimate technical skill, must be put through a rigorous process to ensure they are up to the task.

There are many instances of recruiters asking for application forms – some even offer an application template, according to Digital Shadows. Just like in corporate cyber security hiring, bringing the wrong candidate on board wastes limited resources.

Honour among thieves

Reputations are even more important to cyber-criminals than they might be to legitimate businesses, who would be prepared to train up less-skilled individuals. On the dark side, by contrast, there’s a desire to hire people who will be “productive” from the get-go and a desire to weed out chancers and clueless script kiddies.

Mad skillz

In practice, cybercrime gangs frequently use Skype to conduct interviews. However groups often require that the users’ voices are masked, video is turned off and traffic is ported through a service like Tor.

The precautions are needed in order to provide a degree of anonymity. Some crime groups - which as in the past mostly hail from eastern Europe and Russia - require that new recruits serve a probationary period, similar to common practice for techies starting work with legitimate corporations. These varied hiring practices can be a source of useful intelligence to the “good guys”.

The information contained in cybercrime job ads can provide organisations with real insight into attackers’ motivations and tactics. Digital Shadows' research involved initially harvesting intelligence by spidering the dark web and open web (forums and paste sites).

Analysts then evaluated this data, which was drawn from cybercrime forums and similar sites written in either Russian, English or German.

The research is skewed towards cybercrime groups. Looking for signs of nefarious activity by government intel agencies and military groups was beyond the scope of the study. The research was released on Tuesday at the RSA security conference in San Francisco.

Showing their hand

Researchers were able to glean intelligence on a group’s tactics and capabilities from their adverts.

For example, if they are looking to hire people who can run DDoS attacks, then it stands to reason that swamping targeted websites with junk traffic is one of the tactics they are likely to deploy.

The same goes for organisations looking for people with the capability to mount social engineering attacks, or the coding skills to run cross site scripting attacks or SQL injection attacks. Knowledge of Java, Python and C++ is sought among would-be recruits in some cases. Social engineering skills are frequently required. Cyber criminals must balance operations security (OpSec) and their ability to recruit - too much OpSec may result in a failure to identify suitable candidates, so cyber criminals are obliged to expose themselves to some scrutiny in order to recruit.

Too much OpSec leaves little time to identify qualified candidates, so cybercriminals are obliged to make compromises in their race towards profit. Stolen information, particularly carding details, is a perishable commodity, so crooks need a team that can move quickly, meaning they can’t do everything themselves and are constantly obliged to bring in fresh talent.

Criminal organisations need a decent roster or they will be left unable to carry out cybercrime at scale, hence the need to recruit substantial numbers of people over a tight timescale. During the recruitment process, attackers can leave behind clues that defenders can take advantage of to build resiliency into their security programs.
In specifying the skills they are looking for, hackers are essentially showing their hand.
In some circumstances, defenders might find specific details about attacks targeting their organisation, while in others they might find general attack trends that could bolster their defences. Rick Holland, Vice President of Strategy at Digital Shadows, told El Reg that occasionally cybercrooks are looking to recruit people who have access to a particular environment. “Cybercriminals are more like us in the corporate world than we’d like to think,” he said. Holland said potential recruits are motivated primarily by money but also get involved in illicit activity in order to show off their skills. Occasionally crooks are trying to turn insiders to their own nefarious ends. One advert featured in Digital Shadows research sought help in intercepting money transfers, and was pitched at potential corrupt or disaffected insiders.

Inside knowledge

This ad was the exception rather than the rule. For the most part crooks are going for “low hanging fruit”, straightforward ways to make an illicit profit. “Getting the basics right, like setting up an app security programme and applying two-factor authentication, can really help businesses in defending against cybercrime groups,” Holland concluded. ®
Criminals are becoming more organized by employing teams of developers that create more sophisticated malware that produces larger monetary gains, states an IBM report.

Cyber-criminals increasingly used customized malware, software-development expertise and knowledge of the financial system to make 2015 an extremely profitable year—a trend that will continue in 2016, according to IBM’s annual threat report, published on Feb. 22. Using three families of malware—Dyre, Dridex and Carbanak—cyber-criminals have stolen hundreds of millions of U.S. dollars. Over two years, for example, the Carbanak malware infiltrated as many as 100 financial institutions to steal an estimated $1 billion, a brazen heist that came to light last year. The trend departs from the traditional image of a cybercriminal: the lone, amateur criminal who typically focused on smaller thefts from consumer accounts, Limor Kessem, security researcher for IBM’s X-Force research group, told eWEEK. The evolution toward more sophisticated, highly organized cyber-crime that results in higher losses will likely continue in 2016, the IBM report stated. “From the nature of those organized groups, they bring that research and the planning and the resources that … has helped them push their ability to make so much money at once,” Kessem said. “Even just a couple of years ago, we did not see $1 million, $3.5 million and $5 million transfers.” The maturing of the criminal ecosystem is one of the major trends noted in information security this year, according to IBM.

About 18 percent of attacks detected by IBM used some form of malware, representing the largest category of threats recorded in 2015, according to the report.

Distributed denial-of-service attacks accounted for about 15 percent of threats, and attacks on misconfigured systems and networks for about 8 percent. In a separate threat report, Dell SonicWALL stated its products had captured 64 million malware variants attacking customers, up from 37 million the year before. Four families of malware–Dyre, Neverquest, Bugat, also known as Dridex, and Zeus V2–made up nearly three-quarters of all malware attacks recorded by IBM in 2015. On its own, the group behind the Dyre malware accounted for 24 percent of attacks detected by the firm.

The group, however, has largely been silent since late November. Some media outlets have reported that members of the group have been arrested by Russian law enforcement, but Russian authorities have not confirmed the arrests. The behavior of the groups behind Dyre and Dridex shows significant similarities, suggesting–at the very least–that they may be using the same playbook, Kessem said. “Everything that Dyre was doing, Dridex was suddenly doing,” she said. “The same techniques, the same sorts of things.

The redirection attacks that Dyre came up with, (for example) all the sudden Dridex was launching them.” With the sudden disappearance of Dyre in November, other malware has topped the charts. Now, Neverquest, Dridex, Zeus V2, and a fourth program, Gozi, make up three-quarters of all attacks, according to Kessem. IBM’s report focused on a few other areas of the threat landscape as well.

The number of vulnerabilities reported during the year did not change in 2015, while mobile malware started taking off, the company said. The most targeted industries included computer services, which were the victims in more than 30 percent of attacks, followed by retail, 15 percent, and healthcare, 9 percent. Both Dell and IBM noted an increase in mobile malware targeting the financial industry.

Cybercrime And Hacking Atlas

A geographic guide with cybercrime threat and target trends in 10 notable countries. 1 of 11 When we picture hackers at work, it’s easy to get caught up imagining young men quietly working in a dark Dostoevskian garret in a bleak post-Soviet town. Or, rows of uniformed Chinese in a sterile Far Eastern military office.

But are these images realistic? While the former Soviet bloc and China certainly make up their share of global hacking, cybercriminals have a broadly global reach and a great deal of international diversity.

Even though major attacks are increasingly carried out by multinational rings, there is still often a national flair to online crime, and countries in Latin America, Western Europe, and the developing world are all well-represented. Here are some of the notable countries, in no particular order.

Sources for population and economic data: CIA Factbook and Wikipedia. Sources for photos: Pixabay.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Imagine this scenario: Men dressed in sharp-looking suits show up and claim to know details of your business and the kinds of security problems your organization has. They are Windows networking experts and want to fix the issues that made a breach possible.

Except those suits aren't being helpful. Instead, they are likely from the Poseidon Group, a Brazilian cyber crime outfit that stealthily attacks organizations, steals information, and then manipulates the victims into hiring them to secure the network, said Kaspersky Lab researchers Juan Andres Guerrero-Saade, Santiago Pontiroli, and Dmitry Bestuzhev at the Kaspersky Lab Security Analyst Summit.

The group steals data from infected networks with customized malware that is signed with digital certificates and contains a PowerShell agent. Poseidon uses a combination of custom malware and spear phishing in English and Portuguese to steal information.

The "treasure stealer" malware, also known as IGT, comes with a file deletion utility, a PowerShell agent, a SQL data compiler, and information gathering tools for stealing data such as user credentials, group management policies, and system logs. PowerShell lets the attackers execute commands that look like normal administrative activity while they poke around.

The malware connects to a command-and-control server and sends information about the infected Windows system such as the operating system version, username, and hostname. "By doing this, the attackers actually know what applications and commands they can use without alerting the network administrator during lateral movement and exfiltration," the researchers said. The Poseidon name reflects the fact that the espionage group operates "on all domains: land, air, and sea," said Bestuzhev.

Command-and-control servers have been found inside Internet service providers that provide Internet access to ships at sea, reached by hijacking satellite links. Other command-and-control servers have been found inside ISPs providing traditional wireless connections. The group started hijacking satellite links in 2013 to gain anonymity.

Windows experts on the prowl

The attackers focused on group management policy and domain rules to get to know the network, and used the uncovered information to create the backdoor.

After grabbing the data, the attackers delete the malware from the infected system. Because the malware lives on a host for a very short time, Poseidon was able to evade detection for a long time. Researchers have found four versions of IGT so far.

The attackers used WRI files, an extension associated with Microsoft Write, an old text editor found in older versions of Windows. The use of this obscure file extension was pretty clever, since many organizations write their email policies to block attachments with extensions such as .exe. Very few administrators would think to block .WRI, and most antivirus engines won't scan those files by default, the researchers said.

The malware was also capable of hooking into older Windows operating systems, as researchers found references to drivers and hotfixes for Windows NT and Windows 95. Some of the targets in Latin America were still using these ancient operating systems, the researchers said.
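The filtering gap the researchers describe is easy to reproduce. The following is an added example, not code from Kaspersky Lab or from the article's author: a mail-gateway rule that blocks by extension alone lets a .wri attachment through, while a rule that also checks an extended extension list, the attachment's leading bytes and double extensions does not. The blocklists, the byte signatures and the sample attachments are constructed assumptions for illustration, not any vendor's defaults.

```python
"""Attachment policy check: extension blocklist alone vs. content inspection.

Added example (not Kaspersky Lab's or the Poseidon Group's code). The blocklists
and the sample attachments below are constructed for illustration.
"""
import re

# What a typical mail gateway blocks: the obvious executables only.
NAIVE_BLOCKLIST = {".exe", ".scr", ".com", ".bat", ".pif"}

# Assumption: an extended policy that also covers script, container and legacy
# document formats that rarely appear in legitimate mail, .wri among them.
EXTENDED_BLOCKLIST = NAIVE_BLOCKLIST | {
    ".wri", ".hta", ".cpl", ".lnk", ".js", ".jse", ".vbs", ".wsf", ".ps1", ".jar",
}

# Leading byte signatures, checked independently of the file name.
MAGIC = (
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-container"),        # zip, jar, docx, ...
    (b"\xd0\xcf\x11\xe0", "ole-compound"),   # legacy Office binary formats
    (b"%PDF", "pdf"),
)

# "report.pdf.scr" style lures: a document-looking name with a trailing extension.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g)\.[a-z0-9]{2,4}$")


def extension(name):
    """Lower-cased final extension including the dot; '' if there is none."""
    _, dot, ext = name.rpartition(".")
    return ("." + ext).lower() if dot else ""


def sniff(data):
    """Classify an attachment by its leading bytes, ignoring the name."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def naive_policy(name, data):
    """Extension-only rule: this is what lets a .wri payload through."""
    return "block" if extension(name) in NAIVE_BLOCKLIST else "allow"


def hardened_policy(name, data):
    """Extended extension list, then content sniffing, then double-extension check."""
    ext = extension(name)
    if ext in EXTENDED_BLOCKLIST:
        return "block"
    if sniff(data) in ("pe-executable", "elf-executable"):
        return "block"          # renamed binary, whatever the name claims
    if DOUBLE_EXT.search(name.lower()):
        return "block"
    return "allow"


def compare(attachments):
    """Return {name: (naive_verdict, hardened_verdict)} for a batch."""
    return {n: (naive_policy(n, d), hardened_policy(n, d)) for n, d in attachments}


# Constructed sample attachments: a PE stub renamed to .wri (the name is a
# Portuguese job-ad lure, matching the hiring pretext in the article), a
# genuine-looking PDF, a double-extension lure and a harmless text file.
SAMPLE_ATTACHMENTS = [
    ("vaga_engenheiro.wri", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("quarterly_report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("invoice.pdf.scr", b"MZ\x90\x00"),
    ("notes.txt", b"plain text, nothing to see"),
]

if __name__ == "__main__":
    for name, verdicts in compare(SAMPLE_ATTACHMENTS).items():
        print(f"{name:24s} naive={verdicts[0]:5s} hardened={verdicts[1]}")
```

Running it shows the .wri sample allowed by the naive rule and blocked by the hardened one, while the PDF passes both; the content check matters even for a genuine Write document, since the extended list blocks the obsolete format outright rather than trusting the antivirus engine to scan it.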

This should be another reminder why organizations should not be using outdated systems. Attackers will find unsupported and insecure systems and exploit their security flaws. The attackers are "experts in all things Windows," said Bestuzhev.

The group sent highly targeted spear-phishing emails. In one attack against an energy company in Kazakhstan, the targeted individual was looking to hire someone for a very specialized position, and the attackers sent a message highlighting specific skills relevant to the role. Once the victim opened the attachment, the malware connected to the command-and-control server to launch the actual data-stealing malware.

Poseidon digitally signed its custom malware with rogue certificates. Researchers have found seven rogue certificates, and it appears the attackers issue them in the names of companies the target organization is likely to be familiar with.

Poseidon's business practices

The Poseidon Group is the first commercial boutique cyber-espionage group based out of Brazil.

The fact that the malware executed only on Windows systems configured for Brazilian Portuguese suggests Poseidon is based in Brazil, close to the organizations it plans to blackmail. The command-and-control servers were also based in Brazil.

Linguistics provided another clue to Poseidon's location. The spear-phishing emails use speech patterns associated with Brazilian Portuguese, not the Portuguese spoken in Portugal, said Bestuzhev. The Windows commands showed language preferences that helped narrow the area down to northern Brazil.

Kaspersky researchers believe Poseidon is a commercial attack crew and not a state-sponsored actor. The group doesn't care about uncovering specific business secrets, just "treasures," or information the organization would consider important and the criminals can monetize.

For organizations that decline the security consulting offer, that's not the last they hear from the group. If the company being blackmailed doesn't take up Poseidon's offer the first time, the group steals some more data and returns with a new offer at a later date. "They wait a year to approach [you] again. 'Look what I found for you: Are you ready to work with me?'" said Bestuzhev. Poseidon also uses the stolen data to further the other side of its business, in various "shadow, but still legal" activities, said Bestuzhev.

Kaspersky Lab researchers believe the group has been in operation since at least 2005 and has targeted at least 35 businesses across the financial, telecommunications, manufacturing, services, energy, and media industries. While victims have been found in the United States, France, Kazakhstan, the United Arab Emirates, India, and Russia, Poseidon's primary focus is on Brazil-based organizations or multinational entities with operations in Brazil. "Their techniques used to design attack components have evolved over the past 10 years," the researchers said. "The differences in various elements have made it difficult for researchers to correlate indicators and assemble the puzzle."

A major financial institution is likely to be hit by significant cyber criminal activity in 2016, according to the latest ThreatMetrix Cybercrime Report. Analysis of more than 15 billion transactions in the past 12 months by the ThreatMetrix Digital Identity Network revealed a 40% increase in cyber criminal activity targeting the financial sector. A record 21 million fraud attacks and 45 million bot attacks were detected in the last three months of 2015 alone. The data also shows that the financial sector is facing the highest number of organised attacks and multi-channel threats.

The biggest emerging threat for financial institutions is bot attacks, which increased 10 times in the last three months of 2015 compared with the previous quarter. A worst-case attack scenario could see a major bank or financial institution completely paralysed for days, leading to millions, if not billions, of pounds of lost business, according to ThreatMetrix analysts.

"A trend in our latest report shows bot attacks as the biggest attack vector to financial businesses globally," said Vanita Pandey, senior director of strategy and product marketing at ThreatMetrix. "Bots and other sophisticated attacks, such as malware, have determined strategies to mimic the behaviour of authentic customers to bypass traditional security defences. This has serious implications for businesses across industries and geographies, as bots are difficult to detect and can cost billions in losses," she said.

Online lending top target for hackers

In addition to bot attacks, other trends in the financial services industry include increased mobile usage and attacks targeting both online lending and alternative payments. Online lending is seen as an easier way for the unbanked and under-banked to gain access to loans in a matter of days, and its increasing popularity is making it a top target for cyber criminals.

"While convenient for consumers and profitable for financial institutions, online lending presents a risk for new account creation fraud, as cyber criminals stand to profit from fraudulent loans and other financing," said Stephen Topliss, vice-president of products at ThreatMetrix. "Online lending is a hotbed for fraud because it is a less secure channel and an attractive target for attackers. They are also working with much faster transaction cycles than traditional lenders," he said, adding that mobile also opens the door for the unbanked and under-banked to easily and conveniently gain access to loans from online institutions and small lenders.

Increase in e-commerce and mobile attacks

In the last three months of 2015, the ThreatMetrix Digital Identity Network detected and stopped approximately 58 million attacks on e-commerce merchants, preventing billions of pounds in potential fraud losses, as well as potential serious damage to brand reputation, the security firm said. ThreatMetrix analysts said that as retailers look to build trust and long-term relationships with consumers, this has led to an increase in attempted log-in attacks, which are largely carried out by bots attempting to compromise consumers' stored financial information. The challenge for retailers, said ThreatMetrix, is stopping bots while also avoiding "friction" in the online shopping experience for the customer.

According to ThreatMetrix statistics, mobile transaction volume reached a new high in the last quarter of 2015, up 200% compared with the same period the year before. In addition, more than 350 million mobile devices were added to the ThreatMetrix Digital Identity Network in 2015, mainly due to mobile application downloads across industries. This growth makes mobile an attractive target for cyber criminals, who use stolen identities and compromised devices from major data breaches to their advantage for financial gain, according to analysts.

"With mobile transactions at an all-time high, so are the attacks targeting mobile. Digital businesses must do everything in their power to prevent these attacks," said Pandey. "Global shared intelligence and a multi-layered approach to cyber security enable businesses to detect and stop mobile bot attacks, malware, device spoofing, jailbroken devices, rooting and other associated risks," she said.

Digital world must stay ahead of cyber criminals

The data also shows that consumers are becoming more comfortable using multiple devices to access online accounts. In the last quarter of 2015, more users than ever before accessed their bank accounts, made payments, streamed content and created accounts using their connected devices, moving seamlessly between devices, such as tablets and smartphones.

"We now live in a digital-first world and will continue to see consumers turning to online channels and mobile devices for shopping, banking and other transactions," said Topliss. "With such a high volume of connected consumers and devices, cyber criminals now have access to endless personally identifiable information at their fingertips. Businesses need to take a digital-first, holistic approach to cyber security to stay one step ahead of fraudsters," he said. According to Topliss, businesses can use the power of digital identities and shared intelligence to analyse the connection between devices, locations and anonymised personal information to build a unified risk assessment across all digital channels.
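The bot-driven log-in attacks the report describes are, in practice, credential stuffing: a script replaying leaked username/password pairs against many accounts from one source. As an added example, not ThreatMetrix's product logic or anything from the report, the following detector runs a sliding window over constructed login records, flags a source that attempts many distinct accounts with mostly failed results, and then lists the accounts that source nevertheless got into, which are the ones to lock and reset. The log format, field names, thresholds and sample records are assumptions made for the illustration.

```python
"""Credential-stuffing detection over login records.

Added example, not ThreatMetrix code: a sliding-window heuristic that flags a
source cycling through many distinct usernames with mostly failed logins, then
lists the accounts it nevertheless got into. The log format and the records
are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<iso-timestamp> ip=<ip> user=<name> result=ok|fail ua=\"...\""
LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>ok|fail) ua="(?P<ua>[^"]*)"$'
)

# Constructed records: a customer on a phone who mistypes once, and a script on
# 203.0.113.7 replaying leaked username/password pairs, one of which works.
LEGIT = [
    '2015-12-03T10:15:00 ip=198.51.100.20 user=alice result=fail ua="Mozilla/5.0 (iPhone)"',
    '2015-12-03T10:15:12 ip=198.51.100.20 user=alice result=ok ua="Mozilla/5.0 (iPhone)"',
    '2015-12-03T10:40:05 ip=198.51.100.20 user=alice result=ok ua="Mozilla/5.0 (iPhone)"',
]
BURST = [
    f'2015-12-03T10:16:{i:02d} ip=203.0.113.7 user=cust{i:03d} '
    f'result={"ok" if i == 9 else "fail"} ua="python-requests/2.9"'
    for i in range(12)
]
SAMPLE_LOG = "\n".join(LEGIT + BURST)


def parse_log(text):
    """Parse lines into dicts with epoch-second timestamps; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"]).timestamp()
        events.append(e)
    return events


def detect_credential_stuffing(events, window_s=300, min_users=8, min_fail_ratio=0.8):
    """Flag source IPs that, within any window_s-second span, attempt at least
    min_users distinct accounts with a failure ratio of min_fail_ratio or more.
    Returns {ip: {"distinct_users", "attempts", "failures"}} for the first
    window that trips the rule. A single customer retrying one account never
    reaches min_users, so ordinary typos are not flagged."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window_s:
                start += 1                      # slide the window forward
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "fail" for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(win), "failures": fails}
                break
    return flagged


def compromised_accounts(events, flagged):
    """Accounts where a flagged source obtained a successful login: the sessions
    to invalidate and the passwords to reset, even though each one looked like
    a valid login on its own."""
    return sorted({e["user"] for e in events
                   if e["ip"] in flagged and e["result"] == "ok"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_credential_stuffing(evs)
    print("flagged sources:", hits)
    print("accounts to reset:", compromised_accounts(evs, hits))
```

The successful login inside the burst is the important output: a per-account rule would have accepted it as a normal sign-in, which is exactly the "mimic the behaviour of authentic customers" problem the report raises. The thresholds are deliberately conservative and would be tuned per site; a distributed attack that spreads attempts across many IPs needs a complementary rule keyed on the account or on a device fingerprint rather than on the source address.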

Cross-platform Adwind RAT

Kaspersky Lab researcher Vitaly Kamluk gave a talk about the latest version of the cross-platform Adwind RAT.

The remote access Trojan is unusual in that it is written in Java, which gives this version (also known as Frutas, AlienSpy and JSocket) the flexibility to run on any platform with a Java runtime and to be used liberally in cybercrime operations as well as in targeted attacks.

From Kaspersky Security Analyst Summit 2016 on Tenerife, Spain.

SafeShare Global teams up with Solfyre to develop an offering solving login and fraud issues and to revolutionise the cyber security insurance market

London, 11th February 2016: British cybersecurity pioneer Solfyre and London-based SafeShare Global, an insurance and technology startup enabling the sharing economy, have today announced a partnership to develop the world's first identity theft and identity fraud insurance solution.

According to a 2011 white paper by Detica and the UK Cabinet Office on the cost of cybercrime, the total cost of cybercrime in the UK is an estimated £27bn annually, of which £3.1bn falls on UK citizens (£1.7bn identity theft and £1.4bn online scams). The Office for National Statistics (ONS) has now included cybercrime statistics for the first time when releasing national crime statistics. Because cybercrime and other fraud had been missed out of official data, the ONS has carried out new research showing the total number of crimes is double what was previously thought: there were an estimated 5.1 million cybercrimes and frauds last year, plus 2.5 million offences under the Computer Misuse Act (hacking, identity theft, malware, and so on).

The Solfyre SID iPhone app will be available in the App Store soon; Android and Windows Mobile versions will follow in spring 2016. The app lets unique and complex passwords be used for all of your online accounts, including online banking, without any password having to be written down: passwords are encrypted on your phone rather than stored on the Internet.

The partnership between Solfyre and SafeShare will provide another layer of protection to those active online by developing new state-of-the-art, pay-as-you-use identity insurance products. Craig Vallis, founder and CEO of Solfyre, said, "I am very encouraged to see that the authorities are at last taking cybercrime very seriously and feel that we as individuals need to be keeping up to speed with our online identity and safety. This is why we are anticipating great success in partnering with SafeShare to help people satisfy their identity and privacy insurance requirements."

SafeShare's ambition is to protect every transaction that occurs in the sharing economy, and to create the necessary security to ensure that it thrives. Through striving to protect the platforms, they hope to simultaneously offer assurance to relevant investors that their interests are also protected. This philosophy forms the basis of the partnership with Solfyre in the cybersecurity space. Alexander Steinart, CEO of SafeShare, explained, "Solfyre is a shining technology business giving back personal data ownership to consumers. We are extremely excited about working together on this project, as SafeShare's ethos is based around enabling more control and peace of mind for our online activities."

Solfyre has recently received global recognition by being shortlisted in three categories of the Tech Trailblazers Awards. Voting closes on Friday, 12th February; the IT community can vote for Solfyre in the Mobile, Security and Firestarters categories.

About Solfyre

Solfyre is a British startup specialising in identity and password management. Headquartered in London, the company is committed to igniting the Identity Revolution. The first step is the development of SID, a mobile app that simplifies password management and ensures passwords are always secure and always accessible. The app will be available as an iOS version in November, with Android and Windows Mobile versions available in early 2016. For more information, visit the Solfyre website or follow them on Twitter.

About SafeShare Global

SafeShare is an insurance technology business, created to capitalise on innovation in the insurance market. The company works alongside emerging technology businesses, developing "smart insurance" products to cover our increasingly dynamic and technology-enabled lifestyles. SafeShare's aim is to develop the insurance infrastructure to support and build confidence in rapidly evolving worldwide markets. For more information, visit the SafeShare website or follow them on Twitter.

Contact

Omarketing for Solfyre: Rose, +44 (0)208 255 5225, @omarketingnews

Source: RealWire