Threat Lab

Everyday cybercriminals actively take advantage of basic OPSEC (Operational Security) tactics, aiming to risk-forward their fraudulent/malicious online activity to a third-party, while continuously seeking to launching their malicious/fraudulent campaigns in an anonymous fashion. Having successfully matured from, what was once a largely immature market segment to today’s growing market segment, in terms of active implementation of OPSEC concepts, the blackhat market is prone to continue expanding, further providing malicious and fraudulent adversaries with the necessary capabilities to remain beneath the radar of law enforcement and the security industry.

In a series of blog posts we’ve published throughout 2013, we proactively highlighted the emergence of the TDoS (Telephony Denial of Service) attacks in the context of cybercriminals’ growing non-attributable capabilities to target and exploit (basic) vulnerabilities in telephone/mobile systems internationally. Largely relying on fraudulently obtained SIM cards and compromised accounting data at legitimate VoIP providers, as well as active utilization of purely malicious infrastructure, TDoS vendors constantly seek new tactics to apply to their OPSEC procedures.

Having proactively profiled the TDoS market segment throughout 2013, we’re also keeping eye on value-added services/features, namely, the modification of a mobile device/USB dongle’s International Mobile Station Equipment Identity (IMEI), for the purpose of adding an additional layer of anonymity to the fraudulent/DoS process. Let’s profile several vendors offering IMEI modification services and discuss their relevance within the TDoS market segment.

More details:

read more…

Cybercriminals continue to maliciously ‘innovate’, further confirming the TTP (tactics, techniques and procedure) observations we made in our Cybercrime Trends – 2013 assessment back in December, 2013, namely, that the diverse cybercrime ecosystem is poised for exponential growth. Standardizing the very basics of fraudulent and malicious operations, throughout the years, cybercriminals have successfully achieved a state of ‘malicious economies of scale, type of economically efficient model, successfully contributing to international widespread financial and intellectual property theft. Thanks to basic cybercrime disruption concepts, such as modular DIY (do-it-yourself) commercial and publicly obtainable malware/botnet generating tools. In 2014, both sophisticated and novice cybercriminals have everything they need to reach an efficient state of fraudulent/malicious operation.

We’ve recently spotted a commercially obtainable modular, Tor C&C enabled, Bitcoin mining malware/botnet generating tool. Let’s discuss its features, key differentiation factors and take a peek inside it’s Web-based command and control interface.

More details:

read more…

Thanks to the commercial and public availability of DIY (do-it-yourself) modular malware/botnet generating tools, the diverse market segment for Web malware exploitating kits, as well as traffic acquiring/distributing cybercrime-friendly traffic exchanges, cybercriminals continue populating the cybercrime ecosystem with newly launched services offering API-enabled access to Socks4/Socks5 compromised/hacked hosts. Largely relying on the ubiquitous affiliate network revenue sharing/risk-forwarding scheme, vendors of these services, as well as products with built-in Socks4/Socks5 enabled features, continue acquiring new customers and gaining market share to further capitalize on their maliciously obtained assets.

We’ve recently spotted a newly launched affiliate network for a long-run — since 2004 — compromised/hacked hosts as a service. Let’s profile the service, discuss its key differentiation factors, and take a peek inside its Web based interface.

More details:

read more…

Cybercriminals continue adapting to the exponential penetration of mobile devices through the systematic release of DIY (do-it-yourself) mobile number harvesting tools, successfully setting up the foundations for commercial managed/on demand mobile phone number harvesting services, ultimately leading to an influx of mobile  malware/spam campaigns. In addition to boutique based DIY operations, sophisticated, ‘innovation’ and market development-oriented cybercriminals are actively working on the development of commercially available Android-based botnet generating tools, further fueling growth into the market segment.

In a series of blog posts, we’ve been profiling multiple cybercrime-friendly services/malicious Android-based underground market releases, further highlighting the professionalization of the market segment in terms of sophistication and QA (Quality Assurance).

We’ve recently spotted a service offering 5M+ harvested and segmented Russian mobile phone numbers on a per business status/gender/driving license basis. What’s particularly interesting about this service is the fact that it exposes a long-run fraudulent Win32:SMSSend serving infrastructure (SEVAHOST-AS Seva-Host Ltd (AS49313), segmented harvested mobile phone numbers of Sochi citizens, a fake (paid) medical leave/absence service targeting Sochi citizens, and a portfolio of rogue mobile apps leading to the exposure of a mobile botnet, surprisingly relying on an identical hardware/bot ID.

More details:

read more…

Security and privacy were hot topics at this year’s SXSW Interactive festival, and deservingly so. While at the event in Austin, I had the pleasure of participating on a panel discussing malicious mobile apps, mobile device security and user privacy. With me on the panel was Alan Murray, Senior VP of Products at Apperian and Erich Stuntebeck, Director of Mobile Security at AirWatch. Fahmida Rashid, Analyst for PC Mag, moderated the event.

Questions initially focused on malicious app behaviors such as accessing private user data, SMS history and GPS tracking as well as spyphone apps, rooting apps and the increased focus on exploiting mobile devices. All panelists agree that obtaining apps from either Google Play or Apple’s Application Store are the safest ways to go, but that there is still risk involved with using any app – especially those which interact with sensitive information.

A great case and point to this is the recent WhatsApp security oversight, detailed in this blog post. Basically another installed app could easily offload and decrypt saved SMS history with only needing two permissions, internet and access to the SD card – both very common to the vast majority of apps. This is especially concerning considering WhatsApp has over 450 million users, many who install apps from 3rd party sources. It also further demonstrates that security is not being prioritized during the app development process. While WhatsApp was using encryption to protect saved SMS history, the use and public availability of a decryption tool made their encryption irrelevant.

Questions also focused on security differences between iOs and Android. There is a widespread belief that iOS is more secure, however the discovery of the SSL ‘gotofail’ exploit has definitely shaken things up. Last year Android suffered a similar critical exploit, known as ‘Master Key,’ which enabled an installed app to replace the code of an existing app and piggyback its permissions. Both of these discoveries will not be the last of their type and are good examples of how difficult it is to design secure systems – even when that is a top priority. Apple does have an advantage with iOS as they manufacture all iOS devices. When a security patch is released, they can quickly update all iPhones and iPads. Google’s Android is in an entirely different boat. While Google does make devices which support Android, they are one of dozens. This has created an uneven landscape where millions of devices are using older, more vulnerable versions of Android which contain many known, and since fixed, exploits. The trouble is, these users lack an easy way to upgrade to the latest and most secure version.

During the course of the panel’s discussion, a few key themes emerged. One is that app developers play a big role in user privacy. They have the ability and technology to handle private data securely – but doing so hasn’t been a priority or focus. The other is that users should not be overly burdened with the responsibility of keeping their private data secure. Encrypting data shouldn’t be a user decision, it should happen, by default, through the application. Authentication is another area in need of improvement. Four digit pins and swipe screens are not sufficient. The panel was optimistic that future biometrics technology will greatly improve authentication and provide a seamless experience without the burden of passwords.

In all, it was a great event and there is a lot of interest in improving data security and privacy on our mobile devices. Continued discussions like this are essential to the advancement of new technology and the mobile security space is ripe for improvements.

Regular readers of Webroot’s Threat Blog are familiar with our series of posts detailing the proliferation of social engineering driven, privacy-violating campaigns serving W32/Casino variants. Relying on affiliate based revenue sharing schemes and spamvertised campaigns as the primary distribution vectors, the rogue operators behind them continue tricking tens of thousands of gullible users into installing the malicious applications.

We’ve recently intercepted a series of spamvertised campaigns distributing W32/Casino variants. Let’s profile the campaigns, provide actionable intelligence on the rogue domains involved in the campaigns, as well as related MD5s known to have interacted with the same rogue infrastructure.

More details:

read more…

Sticking to good old fashioned TTPs (tactics, techniques and procedures), cybercriminals continue mixing purely malicious infrastructures with legitimate ones, for the purpose of abusing the clean IP reputations of networks, on their way to achieving positive ROI (return on investment) for their fraudulent activities. For years, this mix of infrastructures has lead to the emergence of the ‘malicious economies of scale’ concept, in terms of efficient abuse of legitimate Web properties, next to the intersection of cybercriminal online activity, and cyber warfare.

In a series of blog posts, we’ve been emphasizing on the level of automation and QA (Quality Assurance) applied by vendors of cybercrime-friendly tools and services, compromised/hacked Web shells in particular. Largely utilized for the hosting of fraudulent/malicious content, in addition to acting as stepping stones for the purpose of providing a cybercriminal with the necessary degree of anonymity when launching campaigns, the concept continues representing an inseparable part of the cybercrime ecosystem, due to the ever-green public/OTC (over-the-counter) marketplace for high page-ranked Web shells.

We’ve recently spotted a newly released commercial Windows-based compromised/hacked Web shells management application that empowers potential cybercriminals with the necessary capabilities to maintain and manage their portfolio of Web shells. Let’s take a peek at the application, and discuss some of its features.

More details:

read more…

Opportunistic cybercriminals continue ‘innovating’ through the systematic release of DIY (do-it-yourself), Web-based, botnet/malware generating tools, seeking to monetize their coding ‘know-how’ and overall understanding of abusive/fraudulent/malicious TTPs (tactics, techniques and procedures) – all for the purpose of achieving a positive ROI with each new release.

We’ve recently spotted a newly released, Web-based DNS amplification enabled DDoS bot, and not only managed to connect it to what was once an active DDoS attack, but also, to the abuse of a publicly accessible open DNS resolver which has been set up for research purposes. Let’s discuss some of its features and take a peek at the bot’s Web-based command and control interface.

More details:

read more…

The threat landscape today is very different from a few years ago. With an increasingly creative number of threat vectors through which to launch an attack, it has never been more challenging to secure our data and devices in all the ways we connect. In today’s hyper-dynamic landscape, well over 8 million malware variants are discovered each month. The majority are financially motivated, very low in volume and very sophisticated. On the mobile front, cybercriminals have shown a clear focus on compromising devices made evident by an explosion in the discovery of malicious mobile apps and websites. Also on the rise are attacks orchestrated by organized cybercrime rings which are now focused on large retail establishments, department stores and hotel chains. And of course, there is the ever persistent battle of state vs. state cyber espionage with hacktivists vying for influence. With such a complex and diverse threat landscape, complicated by a variety of device types and platforms, providing security has only become more challenging.

Companies today struggle digesting data created by various security solutions as they all act independently from one another. For example, the network firewall doesn’t communicate or share data with the endpoint security software. As companies add on layers of protection, they are presented with additional feeds of data which, again, are all independent. This has led to solutions such as Security Information & Event Management (SIEM) systems which aim to correlate data from various independent data feeds. The problem however, is that the sources of data remain independent and unaware of each other. Additionally, data is only correlated within a single environment, unaware of other corporations and their encounters with security events. Ultimately, what this leads to is time wasted by dealing with data collection and correlation when it could be used for incidence response and remediation.

To deal with today’s threats you need the ability to transform data feeds into actionable intelligence. To succeed, you must have the ability to provide context and to show interconnectivity at a granular level, whether it be for internet security, endpoints, or mobile devices – and to do so on a large scale by correlating data from millions of sources across consumer and corporate environments alike. Data does not equal intelligence, and without a way to bring it all together, to break it down and understand it, responding to the threats at hand becomes all the more challenging. Intelligence is making sense of data and working with the results to respond, remediate, and to protect against future attack.

BrightCloud Security Services provide the necessary context, detail and interconnectedness needed to transform data into actionable intelligence.

Deceptive ads continue to represent the primary distribution vector for the vast majority of Potentially Unwanted Applications (PUAs) that we track. Primarily relying on ‘visual social engineering’ tactics, gullible end users fall victims to these privacy-violating applications, largely due to the fact that they instantaneously agree to the terms in the End User’s Agreement presented to them.

We’ve recently spotted yet another variant of the InstallBrain family of Potentially Unwanted Applications (PUA’s), tricking users into installing a bogus PC performance boosting application. Let’s assess this campaign and provide actionable intelligence on the domains/IPs and related privacy-violating MD5s known to have shared the same infrastructure as the initial PUA profiled in this post.

More details:

read more…

2013 was not a good year in terms of cyber security. Despite companies spending an increasingly significant percent of revenue on security technology – systems designed to thwart, detect and prevent hackers from gaining access to their networks and sensitive data – attacks continue to succeed.

Recently, the trend has shifted to attacking point of sale (POS) systems. While Target is the largest example, similar attacks have occurred in industries ranging from department stores to hospitals to hotel chains. Basically anywhere large scale financial transactions take place. The focus on POS systems doesn’t come as a surprise. Cybercriminals have always been after money. What is surprising, however, is how long it takes for the attacked to realize they’ve been compromised – and that’s what I’ll discuss in this blog.

I’ve chosen to use Target as an example for two reasons. First, the size and sophistication of the compromise is interesting and ideal for analysis, and the second being that Target’s example is very common to other similar attacks in the scope of realizing an attack has occurred.

So let’s start by reviewing a few facts we now know about the Target breach. While the attack began collecting credit card transaction data on November 27^th, precisely timed with Black Friday to capture as much data as possible, it wasn’t discovered until December 15^th – and it wasn’t Target who made the discovery, rather US law enforcement connected the dots and Target was informed. This is very concerning and, unfortunately, is very much the norm for most compromises. The 2013 Verizon Risk report found that in 62% of breaches, the attack went unnoticed for months or years!

Looking again at Target, we know when the collection of data began, but the initial compromise of their network happened nearly two weeks prior on November 15^th. Apparently, an employee for a HVAC service company fell for a phishing attack which ultimately infected his computer with a password stealing trojan. Target eventually used this company to assess their power and AC consumption and had provided a few employees with credentials to access their network. Once the employee with the infected PC connected to Target’s network, his credentials were stolen and later used in the attack. The big lesson here is that you are only as secure as those you trust with access to your network. In this case, a few clicks by an unsuspecting HVAC employee led to one of the largest credit card data breaches on record.

So how could all this have happened, especially to the #2 US retailer? Why was Target unable to detect the initial compromise of their network, and then unable to identify the attack once it was underway?

To answers to these questions, we first need to understand the Data Security Standards (DSS) which are provided by the Payment Card Industry (PCI) Security Standards Council or more commonly known as PCI DSS 3.0. These standards, of which Target was certified as compliant (though details of the attack show they were clearly not followed), detail 12 specific requirements to protect cardholder data, build and maintain secure networks and systems, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks and provide an information security policy. The document is very comprehensive, and PCI DSS 3.0 does a good job of providing a framework to protect against compromise – but compromises still occur.

Some might say that PCI DSS 3.0 is to blame, and that their recommendations are not sufficient to defend against today’s sophisticated attacks – and they might be right – but I think the problem goes beyond that. While I cannot say which specific vendor security solutions were in use at Target, I know they were in place because it is required to be PCI DSS 3.0 compliant. PCI DSS 3.0 does not tell you which vendors to use, just that you must use software to protect systems from malware, or similarly, a firewall to protect your network. Here in lies the real issue – not all vendor security solutions provide the same capability or level of functionality. When considering the fact that most attacks go unnoticed for months if not longer, it seems the focus should be on technology and processes designed to frequently confirm the integrity of all involved systems. This is actually spelled out in PCI DSS 3.0 under sections 10 and 11 but the trouble is that the burden of awareness falls back to the security solution in place. And unfortunately, many endpoint solutions today are not capable of reacting to a missed infection.

So back to my original questions – how could this have happened and why did it take so long to detect?

The answer is twofold. First, Target failed to strictly follow PCI DSS 3.0 standards, especially with respect to tracking and monitoring all access to network resources and systems – and they are not alone. This is one of the more challenging standards to follow, especially for larger retailers with hundreds if not thousands of locations. But the blame isn’t solely on PCI DSS 3.0 or retailers who attempt apply their standards. The second factor is the underlying technology which is trusted and relied upon by retailers. This is a more complex issue. Retailers lack information about the metrics which matter in defending against complex and targeted attacks. Upfront detection rates are meaningless as malware for these attacks is always custom built and specific to the targeted environment. With this fact in mind, what becomes much more important is understanding a solutions ability to react to a missed threat – to understand the reaction time from first observation to identification and notification.

The attack on Target, and analysis from hundreds of other compromises, exposes there is a real weakness with awareness. Companies spend millions on security technology, trusting their investment will prevent a compromise, but the majority of today’s solutions are unable to provided what is needed – the ability to react to something new – something never encountered before.

Webroot is a pioneer in this space and the SecureAnywhere line of products were designed around improving awareness and being able to rapidly identify and instantly protect against emerging and targeted threats. This is accomplished within the Webroot Intelligence Network by focusing on what our users encounter. This approach ensures we have the necessary visibility to identify even the most targeted of attacks and applies to our endpoint, mobile and Web solutions. For more information, feel free to shoot me an email at gmilbourne@webroot.com or visit our website at http://www.webroot.com/.