Adam Meyer has served in leadership positions in the defense, technology, and critical infrastructure sectors for more than 15 years. Prior to joining SurfWatch Labs, Mr. Meyer was the Chief Information Security Officer (CISO) for the Washington Metropolitan Area Transit Authority, one of the largest public transportation systems in the United States. Preceding his role as a CISO, Mr. Meyer served as the Director of Information Assurance and Command IA Program Manager for the Naval Air Warfare Center, Naval Air Systems Command one of the Navy's premier engineering and acquisition commands.
The physical damage from Tropical Storm Harvey is expected to spread further in the coming week as the storm continues to move along the Gulf Coast. At least 10 people in Texas have been killed related to the storm, local officials said, and the continuing rainfall could total as much as 50 inches in some areas by the end of the week. On Monday, a day after Louisiana Gov. John Bel Edwards called on the federal government for assistance, President Donald Trump declared a state of emergency in Louisiana. Texas Gov. Greg Abbot described the storm as “one of the largest disasters America has ever faced,” and FEMA administrator Brock Long said the agency is gearing up for the years-long recovery process that will follow.
Naturally, people want to help the victims with that recovery process, and scammers are already capitalizing on that goodwill to defraud individuals and carry out other malicious activity, several agencies have warned.
The Better Business Bureau said it has already seen sketchy crowdfunding efforts and expects the coming months to see the usual flood of “storm chasers” — ranging from legitimate contractors looking for business to scammers attempting to take advantage of those who’ve already been victimized by the storm. In addition, US-CERT is warning users “to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey.”
SurfWatch Labs also noted in a recent customer alert that we have observed hundreds of new domains being registered containing “harvey,” many of which will likely be used for scams related to the storm.
SurfWatch Labs alert on Hurricane Harvey scams.
Scams following national disasters like Harvey have come to be the norm, as malicious actors will attempt to exploit any event or news story that grabs the collective consciousness of a large group of people. For example, researchers recently discovered that the Chinese group APT 17 was leveraging the popularity of Game of Thrones in spear phishing emails designed to infect their targets with malware by teasing potential victims with the headline, “Wanna see the Game of Thrones in advance?”
Similar attack vectors leveraging users’ natural curiosity tend to follow nearly every major news story; however, with natural disasters people are more willing to hand over their payment information and make a donation, so there is more profit — and more incentive — for fraudsters to capitalize on such events. These attack vectors include:
email phishing designed to steal personal and financial information;
fake websites and crowdfunding pages impersonating legitimate charities;
in-person and phone scammers, such as fake contractors or government officials that offer services or aid with no intention of following through;
and social media posts designed to entice users to either visit a malicious site, download malware, provide personal information, or perform acts that will earn the fraudster money.
Fake videos like this one observed by Malwarebytes following the disappearance of a Malaysian Airlines flight are often spread via social media and lead to surveys that harvest personal information or earn affiliate cash for the scammers.
With the National Weather Service describing Harvey as “unprecedented” and “beyond anything experienced,” it is likely that relief efforts will continue for years into the future. As SurfWatch Labs noted after Hurricane Matthew, those who wish to help or are seeking aid should be cautious about who they provide information to in order to avoid falling victim to these social engineering scams. Some tips include:
Never click on links or open attachments unless you know who sent it and what it is. Malicious email attachments and links are among the most common ways for cybercriminals to spread malware and steal information.
Never reply to emails, text messages, or pop-ups that ask for personal information.
Cybercriminals may use a combination of fraudulent emails and phone numbers to increase their appearance of authority. Always verify that communication is valid by contacting the organization directly before providing any sensitive information.
A few weeks ago, our team at SurfWatch Labs released its mid-year threat intelligence report, which largely focused on how leaked exploits have helped to fuel cybercrime over the first half of the year. While the leak of exploits and hacking tools is not new — 2016’s surge of IoT-powered DDoS attacks were propelled by the release of the Mirai source code, for example — several high-profile global attacks leveraging leaked exploits in 2017 have helped to once again push the conversation to the forefront.
At the heart of that conversation is a group known as TheShadowBrokers. TheShadowBrokers is best known for its April 2017 release of stolen NSA exploits such as EternalBlue, an exploit that was leveraged, along with other leaked exploits, into May’s outbreak of WannaCry and June’s outbreak of NotPetya.
However, TheShadowBrokers first made headlines nearly a year ago when it announced that it was auctioning off a cache of tools stolen from the NSA’s Equation Group:
How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. …
At this point, it remains unclear exactly how the sensitive hacking tools and exploits were stolen from the NSA, although investigators are pursuing several theories. What is clear is that multiple individuals were in possession of that data — including NSA contractor Harold T. Martin III, who was arrested two weeks after TheShadowBrokers announced its auction of NSA tools.
Timeline of NSA breach.
Although officials have not linked TheShadowBrokers and Martin, both of them were in possession of stolen NSA tools. Martin’s lawyer said that Martin’s intention was to use the data to get better at his job, not to ever release it. That is not true with TheShadowBrokers, who appear to enjoy toying with the media and have used the publicity around the WannaCry and NotPetya attacks to promote its new monthly exploit service.
What’s in TheShadowBrokers’ Monthly Exploit Service?
TheShadowBrokers claim to have released two sets of data dumps related to its monthly service so far — one for June and one for July — and each month they have continued to jack up the price of the data.
The June dump sold for 100 ZEC (Zcash) or 500 XMR (Monero).
The upcoming August dump is selling for 500 ZEC or 2000 XMR.
At today’s prices, that equates to more than $121,000 worth of Zcash or $101,000 worth of Monero for the August dump. Naturally, security researchers and organizations would like to know if the exploits and other data being released by the group is on par with EternalBlue, something less worrisome, or an elaborate troll job — but that’s a hefty price to pay a malicious actor just find out.
There was a brief crowdfunding effort by security researchers to purchase the exploits, but that was pulled after shortly after it was announced due to “legal reasons.”
TheShadowBrokers ripped me off. I paid 500 XMR for their “Wine of the Month Club” and only they sent me a single tool that already requires me to have a box exploited. A tool, not even an exploit! The tool also looks to be old, and not close to what theShadowBrokers said could be in their subscription service.
An anonymous researcher that has been attempting to track Monero transactions associated with TheShadowBrokers, who posts on Steemit under the name “wh1sks,” later verified that “fsyourmoms” did, in fact, send 500 XMR to TheShadowBrokers’ June monthly dump address.
Image from “wh1sks” on Steemit.
The same researcher has confirmed that TheShadowBrokers likely received three Monero payments for its June data dump (including “fsyourmoms”) and two Monero payments for its July data dump.
“We know that TSB received no more than 2000 XMR [for its July dump],” the researcher wrote last week, although it is possible the group sent itself transactions to make it appear as though sales were occurring.
Like TheDarkOverlord, TheShadowBrokers appears to be trying to project an image of great success — perhaps to entice more people to purchase its services. As the group wrote in its August monthly dump announcement:
July is being good month for TheShadowBrokers Monthly Data Dump Service, make great benefit to theshadowbrokers. … Due to popular demand theshadowbrokers is raising prices for August to 500 ZEC or 2000 XMR.
TheShadowBrokers is also accepting Zcash, which cannot be tracked using the same methods as Monero. Therefore, it’s unclear how many transactions have been made using Zcash, and its possible that a larger number of users may have purchased the group’s data dumps.
If we take “fsyourmoms” at his or her word — who is the only individual to have publicly confirmed a purchase from TheShadowBrokers, as far as I can tell — we know that the June dump contained only one tool, but we don’t know what that tool even was. Was it worth more than $20,000 worth of cryptocurrency? At least one buyer says no. It remains unclear what was in the July dump, and what will be included in the upcoming August dump.
A lot remains unanswered when it comes to TheShadowBrokers, but it appears likely that other users have purchased or will purchase TheShadowBrokers’ data dumps. That means more dangerous tools and exploits could make their way into the hands of malicious actors in the near future, which is bad news for organizations. As we noted in our mid-year report, the impact of these leaked tools and exploits is often more dangerous and has a longer-lasting effect than perhaps any other type of cyber incident.
On Monday, the extortion group known as TheDarkOverlord released the first eight episodes of ABC’s soon-to-be-aired television show “Steve Harvey’s Funderdome” on the torrent site The Pirate Bay.
The leak of the ABC show follows a similar failed extortion attempt and subsequent leak of the first ten episodes of Netflix’s upcoming season of “Orange is the New Black” on April 28. At the time of the Netflix leak, TheDarkOverlord claimed to have stolen hundreds of gigabytes of unreleased and non-public media from a studio — including a total of 37 different film and TV titles. That leak was then tied to Larson Studios, an award-winning audio post-production studio in Hollywood.
As a result, Monday’s leak was likely not a surprise to ABC. TheDarkOverlord has been tweeting about the theft since late April and The New York Times reported that the FBI began notifying the affected companies of the theft a month before that.
Who is TheDarkOverlord?
There isn’t much known about TheDarkOverlord as the group is very careful about exposing information that could relate to its members’ identities. This actor is smart and calculated but also has become bolder and more arrogant as evidenced in communication with recent victims — as well as very recently even setting up a help desk like hotline.
There have been dozens of targets publicly tied to data theft and extortion by TheDarkOverlord over the past year.
“Time to play another round,” the group wrote in a Pastebin post announcing the leak on Monday. “We’re following through on our threats as we always do. We firmly believe that honesty and determination are the two most important factors of any business.”
The tone used by the group — both dismay that the “business” arrangement didn’t work out and a veiled threat to future victims — has become more prominent since TheDarkOverlord first began targeting healthcare organizations in June 2016.
Communication with TheDarkOverlord has shown that there is likely more than one member of the group; however, the language utilized on the group’s accounts suggests that a single member is responsible for the managing the Twitter promotions as it has a common syntax. Generally, healthcare organizations (the group’s primary targets) are under-secured and TheDarkOverlord is taking full advantage.
How TheDarkOverlord Attacks Organizations
TheDarkOverlord favors exploits that allow remote desktop control of a network. The group has also taken data acquired by other actors and exploited the clients found in these breached databases. This shows that TheDarkOverlord is not only proactive with its own targeting, but also opportunistic with regards to the sensitive data of any organization that the group comes across and can and take advantage of — as evidenced by the recent pivot from targeting healthcare organizations to those in the entertainment industry.
TheDarkOverlord initially appeared to to focus on targeting healthcare organizations, but the group has since targeted a variety of other industry groups.
In regards to the targeting of entertainment brands, TheDarkOverlord discovered what may have been a softer target in the form of the post-production company Larson Studios, which is part of several major entertainment brands’ supply chain. TheDarkOverlord claims that it was able to exfiltrate numerous unreleased (still under production) media to use as leverage, although the group has only leaked two shows thus far.
As TheDarkOverlord moves from entertainment brand to entertainment brand with its extortion efforts, the actor is learning what impacted brands are willing to pay (if anything), and the group is then releasing the media publicly in order to harm the targeted brand financially for not giving into demands. “Orange is the New Black” was leaked a full six weeks before its June 9 premiere data, and “Steve Harvey’s Funderdome” was leaked six days before its June 11 premiere. Targeted brands are likely following the impact of releasing the unaired shows very closely.
Furthermore, TheDarkOverlord has a unique relationship with the media. By garnering media attention, the group builds its reputation and applies pressure to the organizations it wishes to extort. There have been reports that TheDarkOverlord first contacts its exploited entity and demands a ransom. Once the entity refuses, the actor then lists the heathcare database on TheRealDeal Marketplace or releases entertainment media publicly and alerts the media to its presence.
Past activity has shown a slight shift in tactics as TheDarkOverlord has breached an organization and followed that up by sending the victim, along with particular media figures who request it, a sample of the data. By involving security reporters and bloggers, TheDarkOverlord lends credibility to its work while causing panic in consumers who might be associated with the breach. Consumers’ dissatisfaction will also add pressure to the extorted entities to provide ransom payment to the actor for the stolen data.
We’ve seen a lot of discussion about the collective threat of the Internet-of-Things, ever since malicious actors proved in October 2016 that they could disrupt whole chunks of the Internet by stringing to together thousands of compromised smart devices and pointing them all at a single target.
The distributed denial-of-service (DDoS) attack against DNS provider Dyn led to a number of popular websites being unavailable throughout the U.S. and elsewhere, including Twitter, Netflix, Reddit, CNN, The New York Times, and many more. There have been other IoT-powered DDoS attacks, both before and after the Dyn attack, but that incident served as a the tipping point in many ways. For years security researchers had been warning of the poor security around insecure Internet-connected devices — from baby monitors to televisions to thermostats to vehicles — and the Dyn attack was the culmination of so many small insecurities being leveraged by malicious actors in a big way.
As I’ve written before, the core pillars of cyber threats are capability, intent, and opportunity. The billions of IoT devices making their way into homes and businesses provide an ample amount of opportunity for attackers, and it was only a matter of time before they exploited that opportunity.
IoT devices have potentially become the largest digital footprint NOT under proper security management. In addition, many reports have projected the number of Internet-connected devices to double or even triple within the next four years. It’s a concern for businesses, particularly since the devices often lack even basic cybersecurity features, but the issues stemming from IoT devices are not new or unique.
The security community has seen similar developments over the past 15 years, as I noted in my recent Security Week column, including Virtual Machines becoming the go-to technology in the early 2000s and BYOD beginning to be adopted later in the decade. In both cases, the digital footprints of organizations expanded, and security strategies had to evolve to match those risks. A similar effort needs to be taken in the face of IoT threats.
Take a look at this chart our threat analysts put together highlighting some of the top trending targets associated with IoT cyber threats over the past year. SurfWatch Labs has collected data on everything from cameras, routers and wearable devices to numerous “Other” tags such as home security systems, printers, light bulbs, and more.
SurfWatch Labs has collected data on dozens of different types of IoT devices that can be exploited by malicious actors.
And there continues to be more developments on the IoT front. Over just the past few weeks we’ve seen:
CIA exploits tied to smart devices, such as WikiLeaks’ claim that Samsung TVs can be placed in a “fake-off” mode and used as a bug to spy on targets.
The discovery of Imeij, a new IoT malware that exploits a vulnerability in devices from AVTech, a surveillance technology company,
New reported breaches related to IoT devices, such as CloudPets line of Internet-connected toys, on the heels of a study that revealed 84% of companies have already experienced some sort of IoT breach.
This is a problem that is likely going to get worse in the near future as more of these types of threats move from the periphery of the cybercrime conversation into center stage.
For more information on this threat join Kristi Horton, Senior Risk Analyst with Gate 15 & Real Estate ISAC, and myself, Chief Security Strategist with SurfWatch Labs, for an upcoming discussion around IOT device risks, trends, and best practices for pulling these devices under better control.
Malicious actors are continually fine-tuning their tactics, and one of the best examples of this is the evolution of ransomware. Ransomware has largely been an opportunistic, rather than a targeted, form of cybercrime with the goal of infecting as many users as possible. That model has worked so effectively that extortion is now ubiquitous when it comes to cybercrime — so much so that even fake attacks are proving to be successful.
As I wrote earlier this month, the surge of extortion attacks impacting organizations has led to a number of fake extortion threats, including empty ransomware demands where actors contact organizations, lie about the organization’s data being encrypted, and ask for money to remove the non-existent threat. Cybercriminals like to follow the path of least resistance, and an attack doesn’t get much easier than simply pretending to have done something malicious.
However, attacks over the past year have proven that infecting organizations with ransomware can result in much higher payouts. The more disruptive the attack, the more money some organizations are willing to pay to make the problem go away. As a result, ransomware actors are shifting their targets towards more disruptive attacks, which we examine in our latest report, Ransomware Actors Shift Gears: New Wave of Ransomware Attacks Aims to Lock Business Services, Not Just Data.
A quick look at some of the ransomware mentioned in SurfWatch Labs new report.
It was just 13 months ago that Hollywood Presbyterian Medical Center made national attention by paying $17,000 to decrypt its files after a ransomware attack. The incident was novel at the time, but those types of stories have since become commonplace.
For example:
On November 25, 2016, an HDDCryptor infection at the San Francisco Municipal Transportation Agency led to the temporary shutdown of ticketing machines and free rides for many passengers, costing an estimated $50,000 in lost fares.
On January 19, 2017, a ransomware infection of the St. Louis Public Library computer system temporarily halted checkouts across all 17 locations and led to a several-day outage of the library’s reservable computers.
On January 31, 2017, a ransomware infection in Licking County, Ohio, led to the IT department shutting down more than a thousand computers and left a variety of departments – including the 911 call center – unable to use computers and perform services as normal for several days.
In February 2017 at the RSA Conference, researchers from the Georgia Institute of Technology presented a proof-of-concept ransomware that targets the programmable logic controllers (PLCs) used in industrial control systems (ICS).
As the Georgia Institute of Technology researchers noted: “ICS networks usually have little valuable data, but instead place the highest value on downtime, equipment health, and safety to personnel. Therefore, ransomware authors can threaten all three to raise the value side of the tradeoff equation to make ICS ransomware profitable.”
In short, if actors understand what is most valuable to an organization and can find a way to effectively disrupt those goals, they can find success in yet-to-be targeted industries. It may require more legwork, but the higher potential payouts may make it worthwhile for some actors to engage in less widespread but potentially much more profitable attacks.
Government agencies, consumer services, educational institutions, healthcare organizations, and more have all had services disrupted by ransomware over the past six months.
In addition, just last week, researchers discovered a new ransomware family, dubbed “RanRan,” that doesn’t even ask for money. Instead, the ransomware attempts to force victims “to create a public sub-domain with a name that would appear to advocate and incite violence against a Middle Eastern political leader.” The malware is described by the researchers as “fairly rudimentary” and there are a number of mistakes in the encryption process, but it serves as an example of how malicious actors that are not financially motivated can nevertheless leverage ransomware to achieve their goals.
While new initiatives by the Internal Revenue Service (IRS) are making it harder for cybercriminals to successfully file fraudulent tax returns, those measures have not slowed down the theft of employee W-2 information this year.
The SurfWatch Labs analyst team has observed groups of malicious actors sharing concerns about government efforts to combat fraud, as well as tips on how those protections can be circumvented, in several discussion threads on popular dark web markets. Several of those actors suggested teaming up with other seasoned cybercriminals in order to share tactics and improve their success rates in the face of the new measures. “We’re gonna have to join forces if we are going to beat the odds this year,” wrote one actor on a now-deleted tax fraud discussion thread. Another actor in a separate thread echoed those sentiments: “The process has become much more difficult over the past couple of years, but [it’s] still doable to some extent. Not like in the good ‘ole days though.”
Another actor expressed concern over new verification codes to be included on 50 million W-2 forms during the 2017 tax season — up from two million forms using the codes last year. “My guess is if this is successful, then within 2 years it will be on every W2,” the actor wrote.
An actor in a tax fraud discussion thread speculating that the verification codes used on some W-2 forms may become more widespread in the future.
The IRS has partnered with certain Payroll Service Providers this tax season to provide a 16-digit code designed to help verify the accuracy of millions of W-2s. However, as the IRS noted in its announcement, the verification rollout is only a test and “omitted and incorrect W-2 Verification Codes will not delay the processing” of returns filed this year. Other more tangible efforts to combat tax fraud include the IRS holding any refunds claiming the Earned Income Tax Credit or the Additional Child Tax Credit until February 15 to provide more time to verify the accuracy of returns, and the requirement of an individual’s date of birth and previous-year’s adjusted gross income when using tax software for the first time. Some states also ask for additional identification information, such as driver’s license numbers, in order to file their returns.
Additional anti-fraud efforts have come largely because of the large volume of fraudulent tax returns filed each year. Over the first nine months of 2015, the IRS confirmed that 1.2 million fraudulent tax returns made it into the agency’s tax return processing systems. Attempts to combat the massive amount of fraud resulted in 787,000 fraudulent returns over the same period in 2016 — a nearly 50 percent drop. It’s too early to say how 2017 will fare in terms of the number of fraudulent returns and the total cost to the IRS. What is clear is that cybercriminals are continuing to target tax-related information such as W-2s despite those changes — and they’re having great success.
As I’ve noted in other articles, cybercriminals follow the path of of least resistance and most profit. While cybercriminals face more resistance than in the past, their motivation, opportunity and capability are clearly still there.
Tax-related cybercrime is cyclical, and cyber threat intelligence around the subject peaks around this time every year. However, this past February was the most active month in terms of the volume of data SurfWatch Labs has collected around tax fraud since May 2015, and that spike in 2015 was due to a large amount of threat intelligence data surrounding the theft of taxpayer information from the IRS’ “Get Transcript” service.
The amount of SurfWatch Labs’ tax-related cyber threat intelligence data peaked in February (data through March 6, 2017).
Much of the recent data directly relates to phishing incidents that have resulted in the theft of employee W-2 information. As we wrote in a blog early last month, malicious actors are using the same simple but effective phishing tactics that led to last year’s wave of successful W-2 thefts. This week we saw the number of organizations that have publicly confirmed breaches due to W-2 phishing surpass 100 for the year, and that number does not even include the numerous organizations that had W-2 information stolen through other means, such as data breaches or incidents at tax preparation firms or payroll providers.
That stolen W-2 information is then used to file fraudulent tax returns, commit other forms of identity theft, or sold on various dark web markets for around $10 each. That can translate into a decent profit for a cybercriminal actor who can successfully dupe a handful of payroll or human resource employees into handing over hundreds — or thousands — of W-2 forms at a time.
A vendor from AlphaBay says they have “tons” of stolen W-2 tax forms for sale for only $10 each.
But as we noted above, W-2 forms are now only part of the information needed to successfully dupe the IRS. Many returns will also need information such as the individual’s date of birth and previous year’s adjusted gross income. That information can be harder to come by, and how to best obtain that information is one of the key discussion points on the cybercriminal forums observed by our analysts.
“How do I get to know the AGI [Adjusted Gross Income]?” one actor asked the group in a discussion thread on a dark web forum. Another actor, who claims to have gone solo this year after previously being part of a group engaged in tax fraud, said information such as AGI generally requires other forms of data collection or social engineering. “You’ll have a tricky time getting it,” the actor warned. Later, the actor advised that AGI can often be found in an individual’s car note or home loan documentation.
An actor responding to previous posts about finding AGI figures, as well as the value of targeting 1120S corporate tax forms.
In a separate thread, the same actor wrote a long post that is part inspirational pep talk to wannabe fraudsters frustrated by the recent changes, part FAQ on how to best perform tax fraud. We won’t share the full details of that post here (including details such as which financial institutions and methods work best for receiving fraudulent tax return payments), as this post is meant to help illuminate the thought process of cybercriminals, not to serve as a walkthrough on how to successfully commit tax fraud. Nevertheless, the section on how to find an individual’s AGI is worth noting due to the lengths the actor claims to go — and may now need to go — in order to pull off a successful season of tax fraud.
The actor explained, “For everyone I targeted, I started researching them 6 months ago” by looking through public data for things like birth announcements (to “add that baby child credit”) or for minor offenses such as driving under the influence (to find people who have jobs “in the good bracket” that are also more likely to be “one of the last minute tax filers”).
“Lots of social engineering goes into this as well,” the actor wrote. “I have even been so bold to call some, pretending to solicit them into ‘free tax assistance’ [to] find out when they plan on filing.”
An actor offering advice on how to scout targets for tax fraud.
That extra legwork is why listings on dark web markets that include information such as AGI tend to sell at much higher prices than those without. For example, the listing below, which “contains all info needed for filing [a] tax refund,” was priced at $50, five times the price of a listing selling only stolen W-2 information.
A listing on the Hansa Market selling W-2 information along with the victim’s date of birth and the previous year’s adjusted gross income.
These discussions indicate that efforts made by the IRS, financial institutions, and others have made the practice of filing fraudulent tax returns more difficult for cybercriminal actors. Despite those efforts, a number of tax-related breaches continue to occur and a great deal of effort continues to be made by malicious actors to successfully bypass those protections and steal a slice of that lucrative tax pie.
As one actor reminded everyone: “Tax fraud is a billion dollar entity. Take your cut along with the others. Don’t be dissuaded.”
I’ve previously written about the rise of extortion as an emerging trend for 2017, but if you didn’t want to take my word for it, you should have listened to the numerous warnings shared at this year’s RSA 2017. Cyber-extortion has become one of the primary cybersecurity-related issues facing organizations — and it appears to be here to stay.
My analyst team has researched cyber extortion and have found that malicious actors are not only engaging in these threat tactics, but they’re using the surging popularity of extortion and ransomware to target organizations with a variety of fake extortion demands and empty threats. We cover this topic in depth in our latest report, The Extortion Epidemic: Fake Threats on the Rise as Ransoms and Blackmail Gain Popularity.
In the graphic below I’ve noted some popular extortion threats, how actors carry out the threats and the impending results. Essentially they’re following the path of least resistance and most profit.
The Many Faces of Extortion: Popular Threats
The number of organizations publicly associated with ransom and extortion continues to grow, and 2017 is on pace to see the highest number yet, based on data from the first two months of the year.
The gist of it all is that organizations have real fear around these threats and trust that bad actors have the ability to carry out these threats. Putting trust in bad guys is a bad idea!
The fake ransoms are successful in large part because their real counterparts have impacted so many organizations. We’re already on pace to have more organizations publicly tied to ransoms and extortion in 2017 than any other year.
FBI officials have estimated the single subset of extortion known as ransomware to be a billion-dollar-a-year business, and fake ransomware threats have sprung up in the wake of that growth. A November 2016 survey of large UK businesses found that more than 40 percent had been contacted by cybercriminals claiming a fake ransomware infection. Surprisingly, two-thirds of those contacted reportedly paid the “bluff” ransom.
DDoS extortion threats are similarly low-effort cybercriminal campaigns, requiring only the sending of a threatening email. Earlier this month, Reuters reported that extortionists using the name “Armada Collective” had threatened Taiwanese brokerages with DDoS threats. Several of the brokerages experienced legitimate attacks following the threats; however, 2016 saw several campaigns leveraging the Armada Collective name where the threats were completely empty. One campaign generated over $100,000 in payments despite researchers not finding a single incident where a DDoS attack was actually made.
A portion of the extortion email sent to the owner of Alpha Bookkeeping Services in Port Elizabeth, South Africa, in September 2016.
Extortion is also frequently tied to data breaches — both real and fake — as it is an another simple and direct avenue for cybercriminals to monetize stolen data. In January 2017 the E-Sports Entertainment Association (ESEA) was breached and the actor demanded a ransom payment of $100,000 to not release or sell the information on 1.5 million players.
ESEA said in its breach announcement that it did not pay the ransom because “paying any amount of money would not have provided any guarantees to our users as to what would happen with their stolen data.”
That is what reportedly happened to many of the victims who paid ransoms to have their hijacked MongoDB and other databases restored: they found themselves out both the data and the ransom payment. As noted in our report, it’s hard to have faith in cybercriminals, and organizations who do pay ransoms should be aware that in many cases those actors may not follow through after receiving extortion payments.
There are a lot of cybersecurity trends to reflect on as we kick off the new year — the growth of ransomware and extortion, the emergence IoT-powered botnets, the evolving cybercriminal landscape — but I believe the biggest risk trend to watch in 2017 may revolve around how organizations react to dealing with those new threats as their attack surface continues to expand.
The digital presence of many companies has extended on a variety of fronts, including social media, customer engagement, marketing, payment transactions, partners, suppliers and more. That increased exposure clearly has benefits for organizations. However, it also makes it difficult for organizations to track, evaluate and take action against the constant barrage of the growing threats — many of which are at least one step removed from the direct control of internal security teams.
accidental exposure of sensitive data by third-party vendors
shoddy cybersecurity practices causing breaches at vendors that house organizations’ data
vulnerabilities in software libraries or other business tools being exploited to gain access to an organization
vendor access being compromised to steal sensitive data
credentials exposed in third-party breaches causing new data breaches due to password reuse
It’s clear that organizations are struggling with these expanding threats. Not only are organizations at risk from threats trying to break down their front door, those threats are increasingly coming through side doors, back doors, windows — any opening that provides the path of least resistance. For example, a 2016 survey of more than 600 decision makers found that an average of 89 vendors accessed a company’s network each week and that more than three-quarters of the respondents believed their company will experience a serious information breach within the next two years due to those third parties.
SurfWatch Labs’ annual cyber threat report echoed that concern, finding that the percentage of targets publicly associated with third-party cybercrime nearly doubled from the second half of 2015 to the second half of 2016.
“Cybercrime is increasingly interconnected, and issues at one organization quickly moved through the supply chain to impact connected organizations in 2016,” the report noted. “That interconnectedness is evident in the growing pool of already compromised information being leveraged by threat actors, the expanding number of compromised devices and avenues to exploit compromised data, and the way in which data breaches and discovered vulnerabilities ripple outwards – sometimes several layers deep through multiple vendors – to touch unexpecting organizations.”
That interconnectedness is pushing organizations to try to gain more context around the growing number of threats so they can better prioritize actions. As I wrote in a previous blog, organizations are spending more money than ever around cybersecurity, yet they are not necessarily becoming more secure.
Cyber threat intelligence can help to peel back that layer of uncertainty and guide those tough cybersecurity decisions by answering questions such as:
What is the biggest cyber threat facing my organization and what steps can be taken to mitigate that risk?
Which threats are active within my industry and impacting similar organizations?
Have any vendors or suppliers suffered a data breach that may impact my organization in the future?
Is any information related to my organization being sold on the dark web?
Is my organization at risk from employee credentials exposed via third-party breaches?
What new and old vulnerabilities are currently being exploited by threat actors?
And other questions unique to your organization …
That context is what many decision makers say is lacking within their own organizations. Going back to that 2016 survey of key decision makers — more than half of them believed that threats around vendor access were not taken seriously and almost three quarters believed that the process of selecting a third-party vendor may overlook key risks.
A smart and thoughtful approach to cybersecurity that provides the necessary context can help to both shine a light on those new risks and filter out the excess chatter so your organization can focus on practical and relevant solutions that have an immediate impact on your cyber risk.
Cyber threat intelligence came a long way in 2016, but many organizations remain overwhelmed by the number of cyber threats and are continuing to experience data breaches. Expect the use of relevant and practical cyber threat intelligence to see continued growth in 2017 as organizations more to address their blind spots and more effectively manage their cyber risk.
The new year is underway, and one of the biggest causes of concern carrying over into 2017 is the threat posed by the growing number of compromised Internet-of-Things (IoT) devices. As I stated in myprevious cyber forecast blog on extortion, I prefer to base my “predictions” around actual intelligence and verifiable data. IoT-related security threats have been talked about for the past few years, but they have been relegated to the periphery of the cybercrime conversation due to the fact there wasn’t much threat data around real-world attacks. However, the second half of 2016 saw those concerns move front-and-center due to a series of incidents tied to the Mirai botnet:
In September, both KrebsOnSecurity and French hosting provider OVH were hit with massive DDoS attacks, reportedly hitting 620 Gbps attack and 1 Tbps in size.
Those attacks were quickly tied the Mirai botnet, the source code of which was subsequently released by a user on Hackforums.
A few weeks after the source code went public, DNS provider Dyn was hit with what appears to have been an even larger DDoS attack – causing major sites such as Twitter, Netflix, Reddit, Spotify and others to be disrupted across the U.S. and Europe.
Those attacks will certainly lead to increased scrutiny within the IoT marketplace both now and in the future, but in the meantime cybercriminals are focusing their attention on finding new ways to leverage the numerous vulnerable IoT devices for their own malicious purposes. The past few months have seen various hacking groups fighting to take control over their share of those compromised devices, as well as companies such as Deutsche Telekom and others suffering outages as those groups tried to expand their botnets by attempting to infect customers’ routers with Mirai. One group has even been observed selling IoT-powered DDoS services that claim to provide as much as 700 Gbps in traffic.
All of that activity has led to one of the clearest trends in SurfWatch Labs’ data over the past few months: an enormous rise in threat intelligence surrounding the “service interruption” category.
This chart from SurfWatch Labs’ 2016 Cyber Threat Trends Report shows a sharp increase in the amount of threat intelligence related to the service interruption category in Q4 2016.
“Over the past two years, the ‘service interruption’ tag has typically appeared in approximately 16% of the negative CyberFacts collected by SurfWatch Labs,” SurfWatch Labs noted in its annual cyber trends report, Rise of IoT Botnets Showcases Cybercriminals’ Ability to Find New Avenues of Attack. “However, that number jumped to more than 42% over the last half of the year due to growing concern around IoT-powered botnets such as Mirai.”
The problem of botnets powered by compromised IoT devices goes beyond just service interruption. It reflects many of the larger cybersecurity issues facing organizations in 2017:
an expanding number of vulnerable devices
the problem of default or easy-to-guess credentials
the difficulty of identifying vulnerabilities and patching them in a timely manner
questions of who along the supply chain is responsible for security
and issues outside your organization’s direct control that impact your cyber risk
Compromised IoT devices are a perfect example of the interconnectedness of cybercrime and how the poor security of one component by one manufacturer can led to hundreds of thousands of devices being vulnerable.
The sudden surge in concern around IoT devices reminds me of similar cyber risk discussions that have occurred around ICS/SCADA over the last few years. In both cases, the devices were often designed without cybersecurity in mind and those cybersecurity implications are now leading to serious potential consequences. However, unlike ICS/SCADA devices, IoT devices are primarily consumer focused. As we noted in the 2016 Cyber Trends Report, the potential of having multiple devices per household for any developed nation means that collectively these vulnerable devices are the largest digital footprint in the world not under proper security management.
DDoS attacks have always been a staple of cybercrime, but the expanding number of potentially compromised devices, along with cybercriminal tools designed to easily exploit those devices, has created growing concern around the tactic. Due to these concerns, I forecast with moderate confidence that IoT-driven botnets will affect a greater number organizations in 2017 as suppliers, manufacturers, regulators and the security community all continue to wrestle with this ongoing issue.
I’ve read report after report showing that security budgets were increasing, yet the number of breaches at companies of all sizes also continues to climb. This leads me to believe that somewhere there is a breakdown in how cybersecurity programs are being run — where allocating more spend and focus on cybersecurity oftentimes does NOT actually produce better outcomes.
There is an abundance of information out there that backs this up — this isn’t just me pontificating. Here are some highlights:
“Companies are spending more to safeguard their digital assets, but cybercrimes are still growing in frequency and severity. What’s needed now isn’t more security, but better security.”
Now to be clear, this is not meant to serve as a doom and gloom piece. Certainly, there are pockets of goodness here and there and a lot of people are working hard on many good efforts, but holistically, the state of cyber security still has a long road ahead of it. And the question becomes how can we ensure that as we spend more effort and budget on cybersecurity, that we are at the very least impacting the cybersecurity outcome in a similar level of uptick?
I recognize that my own observation is just my perception, which is based on what I personally read and do each day. As such I wanted to get some additional input from my peers, so I did some crowdsourcing through LinkedIn:
“We all see the news reports regarding how security budgets are increasing each year but yet for some reason nothing ever seems to get better. Why is that? I have my own specific thoughts on the question but wanted to share and see if anyone had an answer of their own.”
A wide range of opinions followed as to why cybersecurity continues to be a challenge and where we as a community need to focus our efforts. The responses (summarized and paraphrased) to date have been interesting to say the least:
A handful of opinions appeared to point some attribution to cybersecurity vendors. My interpretation of those comments is that the vendor-driven FUD has generated a sense of urgency for organizations to purchase specific solutions and therefore fatten the vendor pockets — or at a minimum create a very complex marketplace which presents a challenge to those trying to navigate it.
Several opinions revolved around the idea that although budgets have risen, the volume and sophistication of threats are either out-pacing or out-maneuvering those security professionals who are trying bring more resources to bear.
A handful of opinions appeared to state that security departments are underfunded and have an uphill battle for additional resources as security is generally viewed as a cost center as opposed to a revenue generator. Additionally, one individual stated that a potential area to look at is what budget is being used to cover past investments, therefore allowing fewer resources to be applied to emerging risks and in turn giving the appearance or possibility of a gap.
Poor leadership was mentioned several times, with comments stating that there are those that promote waste and will buy any new flashy thing that hits the street and that ensures that investments are not as strategic as touted to be.
I also had a few individuals who seem to disagree with the question and stated I was irresponsible or I was performing a disservice for even asking such a thing.
The crux of all the input, with the exception of few outliers, revolves around a more simplified question of are we allocating “resources” to all the proper areas? Well, I think the answer to this really depends on your reality, which is ultimately your perception based on your experiences.
“Everything you see or hear or experience in any way at all is specific to you. You create a universe by perceiving it, so everything in the universe you perceive is specific to you.” – Douglas Adams
I raise the perception/reality point to highlight that the responses to my Linkedin question are based on individuals’ experiences. Some folks have worked for or alongside poor leaders, have had poor experiences with vendors, or have had to do the budget defense drills. Some apparently don’t even see an issue and took offense to the question. These perceptions are also what drive a lot of these research reports that I listed above. Many of these are survey-based and while the survey structure and questions I am sure follow best practices for research processes, these surveys are being answered by people whose perceptions are their own reality.
My perception is based on my current role as head of the SurfWatch threat analyst team and from my previous role as CISO for a major transportation authority as well as a similar position for a DoD entity, where I tried to take an outcome-based model as much as reason dictates. Outcomes can be measured, they can be defended, and they can give you insight. Theoretically, if I apply more resources to a given defined problem the outcomes should change in some manner either good or bad. If the outcome does not change after putting more focus on that area, then I am going to start questioning a few things:
Was the problem defined correctly?
Was the problem measured correctly?
Were the resources applied correctly?
Following these three key questions are a few more that hopefully prompt you to think about changing your perception/reality:
Problem Definition: The Art of The Plausible
Do you use some type of analytical process to identify threats to your organization? And I don’t mean you base it off of news chatter, I mean you use a defined set of analytic inputs and analysis to determine what is true and what is not.
If you have, have you analyzed what an actor’s capabilities and intentions are?
If you do know what their capabilities and intentions are, have analyzed their tactics, techniques and procedures?
Problem Measurement: The Art of The Possible
Have you observed using both internal and external data collection efforts any indications of previously defined threats or new undefined threats?
What is your false positive rate for observing defined and undefined threats? Meaning you detected a threat, but investigation determined the threat to be untrue.
What is your false negative rate? Meaning you did not detect a threat and post incident analysis determined the threat to be true.
Resources Applied To The Problem: The Art of Reality
If you lead a cyber program, do you have a list of defined products and services that you deliver to the organization?
Do you know what the exact budget allocation for labor and material is for every single one of those products and services?
Have you defined policy, process and procedures for each one of those products and services?
Can you identify what products and services specifically are applied to a defined threat?
The bottom line here is I believe that security spend is increasing and that many people and organizations are working hard and doing good things. But I also believe that we do not use intelligence enough to help define the problem area. If we can measure the problem, we know what resource to apply to it to change an outcome for the better. Instead, generally speaking we as a community deploy capabilities based on what we perceive to be the problem and hope that the outcome does not change for the worse.
As a former CISO, I have personally used intelligence-driven, analytical processes to identify what is true and then apply resources to address the “known knowns.” It takes diligence and determination, but by leveraging intel to drive our cybersecurity strategy, we can start to see a light at the end of what can be a long, dark tunnel.
SurfWatch Labs, Inc. 