Weekly Cyber Risk Roundup: Another Botnet and the Gamification of Cybercrime

Botnets were once again front-and-center this past week as new developments were announced by security researchers, malicious actors and government officials.

2016-12-09_ITT.pngTo start, CloudFlare observed a ten-day long series of distributed denial-of-service (DDoS) attacks that have generated as much as 400 Gbps in traffic, sparking fears of yet another massive botnet that can disrupt organizations. The attacks “are not coming from the much talked about Mirai botnet,” the researchers wrote. “They are using different attack software and are sending very large L3/L4 floods aimed at the TCP protocol.”

Following that announcement, the hacker known as BestBuy, who had previously begun advertising a Marai-based DDoS service, claimed to have taken control of 3.2 million routers. He told Motherboard that a server he set up automatically connects to vulnerable routers and pushes a malicious firmware update to them. “They are ours, even after reboot. They will not accept any new firmware from [Internet Service Provider] or anyone, and connect back to us every time :),” he said in an online chat. “Bots that cannot die until u throw device into the trash.”

If true, those developments are certainly worrisome for organizations like Deutsche Telecom, the UK Postal Office, TalkTalk, and Kcom ISP – all of which have seen customer outages due to attempted Marai infections – not to mention the businesses that may be targeted with DDoS attacks from all those compromised devices.

One piece of good news on the botnet front: the cybercriminal network known as Avalanche was dismantled in what authorities are describing as the largest-ever use of sinkholing to combat botnet infrastructures. Europol said that the four-year investigation with global partners resulted in over 800,000 domains being seized, sinkholed or blocked. Although exact calculations are difficult, monetary losses associated with attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide.

2016-12-09_groups

Other trending cybercrime events from the week include:

  • Massive thefts announced: Technical trade secrets were stolen from ThyssenKrupp, one of the world’s largest steel makers, in what the company described as a “massive cyber attack.” The theft occurred at the steel production and manufacturing plant design divisions, the company said. Two billion rubles ($31 million) was stolen from banking clients that hold accounts at Russia’s central bank, according to a bank spokesperson. The hackers attempted to steal approximately five billion rubles, but the bank managed to recover some of the money. Reuters reported that hackers broke into accounts at the bank by faking a client’s credentials, citing a report issued by the bank.
  • Ransomware updates: The ransomware attack that affected about 900 computers at the San Francisco Municipal Transportation Agency cost the agency an estimated $50,000 in lost fares due to passengers being unable to pay. Ransomware behind the infection that caused an NHS hospital trust to shut down systems and cancel 2,800 patient appointments in early November has been confirmed as Globe2. Allegheny County district attorney Stephen Zappala Jr. admitted that his office was hit in January 2015 and that the office paid nearly $1,400 in ransom. The announcement came after several victims of the Avalanche network were revealed via court documents.
  • Malicious insiders face consequences: A former computer support technician employed at Experian subsidiary Hotwire.com pleaded guilty to accessing the emails of executives and using that non-public information to illegally profit from trading Expedia stock. The man accessed documents and emails on the devices of the Chief Financial Officer and the Head of Investor Relations. A former employee of Internet service provider Pa Online was sentenced to 24 months in prison and ordered to pay $26,000 in restitution for hacking into Pa Online’s network after being fired and installing malware that caused files and directories to be erased and the network to crash.
  • Third-party breaches: More than 43,000 Indian patient pathology reports, including those of HIV patients, were left publicly exposed by Health Solutions. Security researcher Troy Hunt said the information is now removed from public view after a lengthy process to track down and motivate those behind the leak and that the incident appears to be the result of shockingly poor security. A breach of a contractor’s email account exposed the information of individuals who participated in the U.S. Olympic Committee’s 100-Days Out event in April 2016. Members of the Scotland Supporters Club were sent phishing emails from the Scottish Football Association’s official email account after a third-party email database was compromised.
  • Other data breaches: An Intranet server for South Korea’s cyber command was contaminated with malware, and the attack appears to have come from North Korea, the South Korean military said. An official said that some military documents had been hacked, including confidential information, but that they have yet to determine the full extent of the leak. Around 420,000 customers may have had their personal information leaked due to a data breach at an online store run by IPSA, a subsidiary of Japanese cosmetics maker Shiseido. A University of Wisconsin–Madison law school database was breached, resulting in 1,213 applicants having their names and Social Security numbers compromised.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2016-12-09_ittnew

Cyber Risk Trends From the Past Week

2016-12-09_risk

One of the more interesting developments over the past week is the new tactics being used by malicious actors in order to spread malware and encourage cyber-attacks. For example, a new ransomware called “Popcorn Time” is encouraging victims to spread ransomware by offering them options when it comes to decrypting their files. They can go the usual route of paying the 1 bitcoin ransom, or they can go the “nasty way” and infect other users in order to avoid payment.

popcorn_ransomware_referral.png

“Send the link below to other people, if two or more people will install this file and pay, we will decrypt your files for free,” the malware authors wrote. This is the first time SurfWatch Labs has observed ransomware developers using the tactic of leveraging victims in order to intentionally spread the malware.

Another interesting cybercriminal tactic is being used by a DDoS collaboration service called “Surface Defense.” A set of Turkish hackers is using gamification to encourage others to attack political organizations are not in line with Turkey’s government. They provide a point system for attacks, rewards that can be earned, and a live scoreboard. Rewards include cybercriminal tools such as click-fraud bots and the Sledgehammer DDoS tool. Two dozen organizations are being targeted by the gamified-DDoS service, including the German Christian Democratic Party, The People’s Democratic Party of Turkey, the Armenian Genocide Archive, and the Kurdistan Workers Party. Users can also suggest new targets.

Malicious actors are continuing to experiment with new ways to expand their reach. It is difficult to judge how successful these types of tactics will be, but expect other actors to incorporate similar features in the future if they are proven to be successful.

Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s