The consumer goods sector has seen more chatter around DDoS than any other sector so far in 2016, according to data from SurfWatch Labs.
The consumer goods sector has become a popular target for DDoS attacks, with new groups like DD4BC emerging on the scene and attempting to extort money from victims in exchange for not launching a DDoS attack against them. Retail stores – especially online retailers – make appealing targets for cybercriminals as they are more likely to pay a ransom demand to avoid service interruption due to the amount of money that could be potentially lost during a DDoS attack.
Gaming networks such as Steam, Xbox Live, and the PlayStation Network are popular targets. Last week, the infamous cyber group Lizard Squad launched a DDoS attack against Blizzard’s gaming servers, effectively taking the servers offline for a couple hours.
DDoS attacks are a popular method of cyber-attack due to their ease of execution and price point. There are DDoS-for-hire services on the web that can be utilized for just $38 per hour. This price is shockingly low considering companies have reportedly lost anywhere from $5,000 to $40,000 per hour during a DDoS attack.
DDoS will remain a popular trend in cybercrime. However, DDoS related CyberFacts have decreased since peaking in January 2016.
Layer 7 DDoS Attack Makes Headlines
Earlier this month, a humongous Layer 7 DDoS attack was spotted reaching 8.7 Gbps of bandwidth through the Nitol botnet, which set a new record for this specific type of DDoS attack. While 8.7 Gbps doesn’t seem like much of a figure compared to traditional DDoS attacks of over 100 Gbps, Layer 7 DDoS attacks are different.
A DoS attack is an attempt by a criminal or hacktivist group to make a computer or network resource unavailable. This is done by interrupting a host’s services that are connected to the Internet. The most common method of DoS is a DDoS attack. DDoS attacks use botnets –- an enslaved group of computers –- to push massive amounts of communication to a targeted server to achieve its goal of service disruption.
A Layer 7 DDoS attack has the same end goal as a traditional DDoS attack, except for a few small differences. It only needs to use a small amount of network packets to disrupt service as this will create massive server processing operations that will exhaust a target’s CPU and RAM resources. This means that a Layer 7 DDoS attack can be pulled off by sending only a few thousand requests per second.
As recent DDoS attacks have shown, cybercriminals have a variety of different ways to disrupt services or attempt to extort money from organization. Businesses should be prepared for the possibility of these attacks and work with a reputable DDoS mitigation company if they are concerned about those risks.
This real-life case study will contain some info, but not all – to protect individuals’ personally identifiable information – as well as our intelligence collection sources – with our goal of highlighting the importance of having visibility into your supply chain cyber risks. In the beginning of April 2016 SurfWatch Labs threat intelligence analysts uncovered a breach into web hosting provider Invision Power Services, whose customers include some professional sports leagues as well as major media and entertainment companies.
The actor, going by the name AlphaLeon, is associated with both the AlphaBot and Thanatos trojans – early strains of these pieces of malware appear to date back to early 2015. AlphaLeon has been known to sell access to these trojans on the dark web. While the actor has not been a seller for very long, the group’s experience and presence indicates they have been active in this space for more than five years – including multiple dark web and open web forums.
After discovering information related to the latest activity of this actor, we alerted Invision Power Services (IPS) who had not yet detected this compromise. We worked with them to validate that the actor appeared to have established a presence within the managed hosting environment that Invision Power Services operated via Amazon Web Services (AWS).
It is our understanding that IPS is still working through their own internal investigation into the incident and additional information may be uncovered, but it appears that the initial cause of the compromise was most likely the result of unpatched software. AlphaLeon indicated that this access, which affected multiple high level brands, would allow them to install Exploit Kits with the purpose of infecting users visiting these sites with their trojan. This would grow the group’s botnet further, which would in turn be sold via various underground markets. The trojan appears to be capable of:
Stealing banking credentials and bitcoins
Gaining (and selling) webcam access
Stealing gaming credentials
Distributed Denial of Service
As of the date of this post it does not appear that AlphaLeon has initiated this specific campaign.
This case study highlights three primary things:
This is a classic case of supply chain risk management. Invision Power Services is a supplier to some of the largest brands. These companies entrusted their web hosting provider to perform a reasonable service based on whatever contractual agreements were in place. Even if the impacted companies are not at fault, they still have their own customers and their brand and reputation to protect. If you are going to outsource a service that has cyber risk tied to it, you are outsourcing a portion of your brand and reputation in some way shape or form and you need to keep some eyeballs on that supply chain.
Having a dark web intel capability is an important component of your overall cybersecurity efforts. In this situation, a bad actor was observed in a dark web forum. This source was key to gaining intel that was not available through normal open channels. The dark web is certainly not the only source you should be pulling from in your intel efforts, but it is an important area for which you should have a collection capability.
The intel process works. SurfWatch Labs analysts observed discussions that concerned us, we notified the victim hosting provider, they confirmed the issue and started to react. That is what is supposed to happen.
As you outsource capabilities to other vendors, your cyber risk exposure expands. Make sure you cast a wide net in regards to your intelligence collection capabilities. It is critical to understand this and to keep a watchful eye on not only your internal environment, but that of the vendors you do business with.
We’re already a quarter of the way through 2016, and a clear trend is the rise of social engineering. Based on the cyber event data that we’ve collected, roughly 25% of all targets can be tied to a social engineering attack. This is the highest percent we’ve seen since the beginning of 2015, and over the last 6 months the share of social engineering attacks have doubled.
Just a few examples of common social engineering practices include:
Phone calls from a “Microsoft customer support representative” who needs remote access to your computer to fix an issue
Leaving an infected USB stick in a parking lot that when found and inserted into a computer by an unsuspecting person, malware/spyware is dropped onto the machine
However, the largest percentage of social engineering attacks (25%+) revolve around different types of phishing. While email is the most common delivery method, phishing attempts are made through text messages, Facebook, etc.
Over the weekend I received several phishing emails from individuals I know. These emails weren’t spoofed to make it look like they were coming from people I know, but actually sent from their email accounts without their knowledge.
The emails were both related to a “signed document” that needed my attention — except I had no previous knowledge any e-docs to sign should be coming my way. Of course, that’s because they should not have been coming at all.
Having been in the security industry as long as I have, I am cautious (or some would say paranoid) — especially compared to friends and family who say they “get it,” but don’t really. Even still, these emails came from legit addresses from people within my circle, and the content within the emails also looked reasonable. Luckily, I knew better, but many don’t.
Here are some quick security tips to consider when it comes to phishing attacks:
Watch out for spoofed email addresses. Confirm the sender of the email is an address you recognize/know. Don’t just check the name in the “From” field, but actually look at the email address. This tip would not have made a difference in the instance above, but it is still a good way to catch a phishing email.
Do not blindly trust links within an email. Banks and credit cards are usually pretty good about directing you to type in the url to go to their homepage and how to navigate to a specific place if necessary, as opposed to including links in their communications to you. This is a good practice to follow with any emails that include links. In my situation the links sent looked like DocuSign links, with familiar DocuSign branding and all. But it was missing the security code. Links can also be spoofed, so make sure you know what it is you are clicking on before you click.
If you have any questions, pick up the phone. Is a vendor asking you to provide information or is a contact of yours asking you to click on a link? Questioning it is good. Call the vendor or individual and have them confirm.
Social engineering is one of the trickiest types of attacks to prevent because it plays on human nature and less on technology. Looking at the intel so far in 2016, the bad guys are going back to a tried and true method for gaining access to sensitive information. Be aware and think before you click.
In early 2015, the FBI issued a warning about the rise of ransomware attacks, noting that “there’s been a definite uptick lately in its use by cybercriminals.” A year after that warning we’re seeing a new surge in attacks, and concern over ransomware has risen sharply in the first quarter of 2016.
Last year, the FBI explained that ransomware was continuing to evolve, writing that in the past “computers predominately became infected with [ransomware] when users opened e-mail attachments that contained malware.” That tactic had shifted and computers were now being easily infected using a “drive-by” method “where users can infect their computers simply by clicking on a compromised website, often lured there by a deceptive e-mail or pop-up window.”
The way cybercriminals demand ransom payments has also evolved. Initially, cybercriminals asked for ransom payments on pre-paid cards. Now Bitcoin has been implemented, a better option for criminals “because of the anonymity the system offers.”
SurfWatch Labs’ data identified 49 companies associated with ransomware attacks so far in 2016, although the total number of companies affected by this threat is likely much higher as many companies do not disclose these attacks — particularly if they choose to pay the ransom.
The healthcare sector in particular has been a focus of ransomware discussion this year.
The reason ransomware has continued to gain popularity is simple — it is a cheap tool that has a high profit margin. Not long ago, malware developers were selling Cryptolocker ransomware kits with source code included for just $3,000. It wouldn’t take long for a criminal to recoup that initial investment as the average ransom demand is anywhere from $300 to $500. Recently, Hollywood Presbyterian Hospital reportedly paid $17,000 after suffering a ransomware attack.
Trending Ransomwares in 2016
There are three variants of ransomware that have stood out in the beginning of 2016: KeRanger, TeslaCrypt and Locky.
KeRanger malware has received a lot of discussion due to its connection with Apple. Locky ransomware has been observed in several attacks in 2016, and TeslaCrypt, which has been around for more than a year, continues to evolve.
The newest addition on the list, KeRanger Ransomware, first made headlines in the beginning of March due to its accomplishments. It is the first ever fully functional Mac OS X ransomware in existence.
KeRanger was able to successfully infect a BitTorrent client used on OS X known as Transmission. More specifically, it infected Transmission version 2.90. Transmission has since warned users that version 2.90 was malicious and prompted users to download version 2.91.
TeslaCrypt Ransomware initially made headlines back in early 2015 for infecting computer gamers. Over the last year, TeslaCrypt has continued to evolve, with the latest version TeslaCrypt 4.0 released earlier this month. The ransomware is now capable of attacking organizations and home users.
The latest edition of TeslaCrypt features RSA 4096 for encrypting data. This feature makes decrypting data impossible. Tools developed to combat previous TeslaCrypt versions, such as “TelsaDecoder,” will not work with TeslaCrypt 4.0.
TeslaCrypt ransomware has evolved quickly. In just over a year, malware creators have been able to release four versions of the ransomware, each more sophisticated than the last version. If any weaknesses are found in TeslaCrypt 4.0, look for malware creators to move quickly in creating a new version addressing those weaknesses.
Locky ransomware was discovered in February 2016. The ransomware works like most strains: it infects a user’s computer, encrypts the content on the computer, and then a ransom is extracted in order to decrypt the information. It is in the encryption step that the ransomware gets its name, as it renames all the user’s files with the extension .locky.
This ransomware is being distributed through malicious macros in Microsoft Word attachments. In typical cases, victims receive a spoofed email with a Microsoft Word attachment seeking some sort of payment for a service or product. When the attachment is clicked, a document appears with scrambled text. The user is then instructed to click an Office macro to unscramble the text, which leads to infection.
This ransomware variant made huge headlines for causing Methodist Hospital of Henderson, Kentucky, to declare an “internal state of emergency.” Fortunately, Methodist Hospital was able to regain their data without paying the cybercriminal’s ransom demand of four bitcoins ($1,600).
Being Prepared is Key
Although ransomware has been making headlines for the last few years, data from 2016 suggests more criminals are going to focus on this tactic and more organizations are going to be victimized. Businesses need to be aware of this threat and take action now to mitigate the effects of a potential attack.
As recent attacks have shown, the overall cost of a ransomware attack can be much greater than just the ransom demand.
Cybercriminals have shifted their focus away from stealing payment card data in favor of targeting personal information and directly extorting victims, according to a new report from SurfWatch Labs.
The trends aren’t surprising, said SurfWatch Labs chief security strategist Adam Meyer, who discussed the report on this week’s Cyber Chat podcast. Cybercrime is a business, and malicious actors gravitate towards the process that gives them the largest return on their effort.
While extortion is perhaps the most direct path towards monetizing cybercrime, stolen personal information has a long shelf life and can be easily sold or used for authentication purposes. It also tends to be the low-hanging fruit as retailers and financial institutions improve at preventing or minimizing the losses around payment card information.
“All these identifiers that make you ‘you’ can be used in 20 different ways to conduct an attack,” Meyer said. “It makes complete sense why we’re seeing this trend come up.”
While 2014 was dominated by headlines surrounding point-of-sale (PoS) breaches, only three PoS breaches cracked last year’s top 25 trending cybercrime targets: Starwood Hotels & Resorts (#14), Hyatt Hotels (#17) and Dixon’s Carphone (#23).
Altogether, SurfWatch Labs collected CyberFacts related to 4,562 distinct industry targets last year.
The top trending cybercrime targets last year — the United States Office of Personnel Management, Anthem, and Avid Life Media — all centered around the theft of personal information.
“A Failure of Corporate Culture”
The rise in stolen personal information can be attributed to failures at the top of many organizations, Meyer said.
“The biggest vulnerability that we have in my opinion is outdated corporate culture,” he said. “They completely have their heads in the sand about what’s going on in the world.”
Despite all of the recent headlines around cybersecurity, many organizations still do not adequately assess their level of cyber risk and take the necessary precautions.
“No one is really trying to solve this problem at the decision maker level,” Meyer said. “The organizations are falling down on educating themselves on these issues until its too late.”
He added: every organization is a custodian of data, and the first step to mitigating cyber risk is to put a thought process in place assessing the risks facing your data, your infrastructure, your industry, and your partners and suppliers.
Dark Web and Other Cyber Risk Trends
Dark Web markets can provide valuable insight into many cybercrime trends.
“The black market is a great resource to look at what is the typical state of the underground economy,” Meyer said. “You can see what’s being bought and sold. You can see what prices they’re generating. You can see the tempo and the supply and demand aspect of things, and you can use that information to compare against where would you fit in that.”
Unfortunately, there’s not enough education on what happens to data once it is stolen, he added.
“This is where the stuff goes most of the time, and we’re not educating anybody on where it’s going and why it’s going there. And people just keep repeating the mistakes over and over and over.”
About the Podcast: SurfWatch Labs recently released a threat intelligence report detailing cyber risk trends. They noted that cybercriminals have shifted their targets over the past year from focusing on credit card information at financial institutions to increasingly stealing personal information across a swath of industries.
On today’s Cyber Chat we talk with our own Adam Meyer, Chief Security Strategist at SurfWatch Labs, about the report, cyber risk trends and what businesses need to do in order to stay ahead of cybercriminals.