report – SurfWatch Labs, Inc.

How to Organize and Classify Different Aspects of Cyber Threat Intelligence

Over the past few years, cyber threat intelligence has matured to cover many different aspects of business. What threat intelligence is and how people view and define it can vary quite a bit depending on the vendor providing the intelligence, the business unit consuming that intelligence, the deliverables expected of the intelligence, and the ultimate cyber risk management goals of the organization.

The evolution of threat intelligence has generally been a good thing for organizations, but it has also made it more difficult to wrap one’s head around the concept — particularly for those new to the subject. SurfWatch Labs chief security strategist Adam Meyer recently created a threat intelligence mind map to help show the different areas of threat intelligence and how they all tie together for organizations.

“It’s meant to give the individual looking at it kind of an overview of what cyber threat intelligence is,” said Meyer, who came on the latest Cyber Chat podcast to discuss the mind map and associated whitepaper. “If I was to start a cyber threat intelligence program, these are the components of what that program would be — at the high level.”

Adam Meyer’s threat intelligence mind map.

Meyer said he was looking to standardize some of the resources that have already been published in the intelligence community and other thought leadership, as well as bring together some important parts of threat intelligence that weren’t always discussed, such as the people and process behind intelligence.

For example, early adopters of threat intelligence often begin with the mindset of collect, collect, collect, Meyer said, but all that raw data doesn’t necessarily translate into better security.

“Their eyes glaze over and they start realizing, ‘While how am I supposed to process all this information now, and not only process it in general, but how do I process it in a timely fashion; how do I put context around it’ — all those people-and-process-centric type of things,” Meyer said.

As SurfWatch Labs noted in its recent whitepaper on the mind map, the starting point for most organizations should be strategic threat intelligence.

Download the free whitepaper, “How Cyber Threat Intelligence Fits Into Your Security Program”

“Strategic cyber threat intelligence can help to answer many of the big-picture cyber risk questions facing organizations,” the paper noted. “Those answers can help to inform every other aspect of an organization’s threat intelligence operation and help ensure that cybersecurity efforts and investments and aligning with business priorities.”

Meyer echoed that sentiment.

“Basically, it’s looking at who is the decision maker and why do they care,” Meyer said. “Your intelligence should be driving the answer to that question.”

With those high-level questions answered, organizations can dive more deeply into other interconnected areas of the mind map, and those risk areas — whether it’s technology or fraud or supply chains or other risk concerns — will likely continue to blend together in the future, Meyer said.

“There seems to be an increase in awareness of needing to bring things together, which is what drove me to create the mind map.”

For more on the using the Threat Intelligence Mind Map, download the whitepaper or listen to our Cyber Chat Podcast with Adam Meyer below:

Dark Web Markets, Equifax Breach Raise Authentication Concerns

The recent Equifax breach once again has the whole nation talking about cybercrime — and the widespread fraud and identity theft likely to follow in the wake of 143 million compromised consumers. Identity theft is a major concern for individuals, but as SurfWatch Labs chief security strategist Adam Meyer noted, malicious actors spring boarding off of breached information to authenticate as legitimate users is perhaps a more significant concern when it comes to organizations.

Meyer’s thoughts echo the findings of SurfWatch Labs’ recent whitepaper, which found that malicious actors tend to be focused on authentication when it comes to fraud on dark web markets and cybercriminal forums.

Downloaded the full whitepaper, “Fraud and the Dark Web”

The most observed type of dark web fraud in 2017 is account fraud, which has accounted for more than a quarter (25.2%) of all the fraud-related activity observed on the dark web this year. That includes a wide variety of different accounts that can be accessed with stolen customer credentials, including:

online accounts for banking and financial services;
online store accounts, as both buyers and sellers;
accounts tied to monthly subscriptions or other recurring services;
accounts related to the growing number of digital cryptocurrencies;
and more.

By comparison, credit card fraud, which is what many consumers may associate with the dark web, has only accounted for 16.7% of the activity so far this year.

The focus on this more indirect fraud — the buying, selling, and trading of access to accounts connected to payment information or services — is driven by both the huge growth in the number of online accounts and the weak authentication that so often accompanies those accounts.

The Equifax breach has simply exacerbated those authentication concerns to the point where outlets like Wired and The Verge are writing that we may need a “fundamental reassessment in how, and why, we identify ourselves” and that it may be “time to burn it all down and start over.” SurfWatch Labs analysts, along with many other researchers, have been warning for years that the pool of forever-compromised information is continuing to grow deeper and cause more issues for business unprepared to deal with that reality.

What can organizations do to protect themselves? Unfortunately, that is not a one-size-fits-all answer.

“Collectively, organizations lose billions of dollars to fraud-related cybercrime every year,” the whitepaper noted. “Individually, how each organization should address the problem of fraud can vary greatly depending their unique risk footprints.”

However, there are some general best practices that all businesses should keep in mind when it comes to combating fraud, such as:

Continuous monitoring of malicious actors: Dark web markets, paste sites, social media, and other communication channels are often used to leak stolen data and discuss cyber threats. Organizations should have a way to monitor any leaks or threats that may directly affect their customers, employees, or supply chain. In addition, organizations should stay abreast of any changes in the cybercriminal tactics, techniques, and procedures being used by malicious actors so that they can adapt their cyber defenses.
Discourage the the use of weak or already compromised passwords: Consumers have a growing number of accounts that are either tied to financial information or able to be easily monetized by cybercriminals, and consumers’ poor password habits are frequently exploited by malicious actors. NIST recommends advising users against passwords that have been previously breached, and in August 2017 security researcher Troy Hunt provided a list of 320 million compromised passwords that organizations can implement to encourage the use of more secure passwords as they see fit.
Encourage two-factor authentication: With so much fraud centered on compromised accounts, having an additional layer of authentication can greatly reduce the chances of those accounts being compromised. Organizations may be reluctant to create additional steps in the login process, but there is an expanding number of secondary authentication options available with varying levels of security and usability.
Prioritize and take action against the most impactful threats: In 2014, FICO reported that the average duration of a physically compromised ATM or POS device was 36 days. In 2016, that dropped to just 11 days – and the average number of payment cards affected by a single compromise was cut in half. Implementing training and systems to consistently address the most common and impactful threats facing your organization can have a significant impact in reducing fraud.

In addition to our whitepaper on Fraud and the Dark Web, SurfWatch Labs will also be hosting a webinar on Wednesday, September 20 from 1-2 PM ET.

Cyber Fraud: How it Happens and What You Can Do

The webinar will feature a discussion around cyber fraud, including an in-depth examination of the “Anatomy of Fraud,” what intel can be gathered from Dark Web markets and forums, and recommended courses of action to proactively mitigate the risk of fraud as well as how to effectively respond if fraud occurs.

Leaked Exploits Have Fueled Cybercrime So Far in 2017, Says New Report

Leaked exploits and increased cybercrime-as-a-service offerings — along with the expanding digital footprints of organizations — helped to fuel cybercrime in the first half of 2017, according to a mid-year threat intelligence report from SurfWatch Labs.

The global outbreaks of WannaCry and NotPetya have dominated headlines so far this year. Although vastly different from the record-setting, Marai-powered DDoS attacks that disrupted services in the second half of 2016, the report noted that those events share a similar root cause: leaked exploits and source code.

Download the report: “Leaked Exploits Fuel Cybercrime: State-Sponsored Exploits and Cybercriminal Services Empower Malicious Actors.”

“A year ago, our mid-year report showed the interconnectedness of cybercrime through extensive supply chain hacks and compromised IoT devices,” said Adam Meyer, chief security strategist, SurfWatch Labs. “Find one weak link and maximize it for all it’s worth was the name of the game then … and that still happens today with even more evidence of how the criminal ecosystem maximizes efforts through shared resources, skills for hire and, sometimes, outright theft.”

CF_Types — SurfWatch Labs collected data on close to 4,000 different industry targets in the first half of 2017 across a variety of categories. The main categories – data breaches, cyber-attacks, illegal trading, vulnerabilities, advisories, and legal actions – are shown in the chart above, with larger circles indicating more threat intelligence activity for that target.

The leaked exploits and data from the NSA and CIA have received the most attention, but there was a wide range of other malware and source code leaks that could have consequences for organizations moving forward, such as:

the sale of the Kraken source code used in MongoDB and ElasticSearch extortion attacks;
the release of the Nuclear Bot (NukeBot) banking Trojan’s source code;
the creation of the Android BankBot Trojan from a commercial Trojan’s leaked source code;
and reports that claimed various malicious actors used tools leaked from surveillance company HackingTeam or created by Israeli cyber arms dealer the NSO Group in targeted attacks.

Just last week researchers reported that attackers were using modifying versions of NukeBot to target banks in France and the U.S.

“Much like leaked personal data, once those vulnerabilities, exploits, and tools are exposed, they forever remain in the cybercriminal public domain,” SurfWatch Labs’ report noted. “[Events such as WannaCry and NotPetya] reaffirmed that the most dangerous data breaches often involve the theft of such tools and exploits – and the impact of that type of information being leaked can spread further, wider, and be more long-lasting than perhaps any other type of cyber incident.”

SurfWatch Labs collected cyber threat data from thousands of open and dark web sources and then categorized, normalized and measured it for impact based on our CyberFact information model.

Some notable takeaways from the mid-year threat intelligence report include:

WannaCry ransomware was the most talked about malware out of nearly 1,200 tags, accounting for 8.6% of all malware tags, followed by the Industroyer malware at 4.8%.
Crimeware trade was the most prevalent tag related to cybercrime practices as malicious actors continued to buy, sell, and trade tools on dark web markets and cybercriminal forums, as well as develop more cybercrime-as-a-service options.
The percentage of extortion-related activity observed in 2017 has more than doubled from 2015 levels and increased by more than 40% when compared to 2016 levels. More industry targets were publicly tied to ransomware and extortion over just the first half of 2017 than in all of either 2014, 2015, or 2016.
Cybercriminals expanded upon successful business email compromise (BEC) scams to implement more attacks. For example, more than 200 organizations reported W-2 data breaches due to phishing messages in the first half of 2017 – a rise from the 175 reported in 2016.
The percent of government cybercrime-related threat data collected by SurfWatch Labs more than doubled from the previous two periods (from 13% to nearly 27%), and government was the top trending overall sector for the time frame (followed by IT at 25% and consumer goods at 17%).
The CIA was the top trending cybercrime target of the period due a nearly weekly series of data dumps from WikiLeaks (followed by Microsoft, the NSA, Twitter, and England’s National Health Service).

“As we’ve repeatedly seen over the past few years, a major breach is rarely isolated, and information stolen or leaked from one organization can be leveraged to attack numerous other organizations,” Meyer said. “Whether it is personal information, credentials, intellectual property, or vulnerabilities and exploits, actors will build off of that hard work and the previous success of other actors by incorporating that information into new campaigns.”

Read the full, complimentary report: http://info.surfwatchlabs.com/cyber-threat-trends-report-1h-2017

Ransomware Disrupting Business Operations and Demanding Higher Payouts

Malicious actors are continually fine-tuning their tactics, and one of the best examples of this is the evolution of ransomware. Ransomware has largely been an opportunistic, rather than a targeted, form of cybercrime with the goal of infecting as many users as possible. That model has worked so effectively that extortion is now ubiquitous when it comes to cybercrime — so much so that even fake attacks are proving to be successful.

As I wrote earlier this month, the surge of extortion attacks impacting organizations has led to a number of fake extortion threats, including empty ransomware demands where actors contact organizations, lie about the organization’s data being encrypted, and ask for money to remove the non-existent threat. Cybercriminals like to follow the path of least resistance, and an attack doesn’t get much easier than simply pretending to have done something malicious.

However, attacks over the past year have proven that infecting organizations with ransomware can result in much higher payouts. The more disruptive the attack, the more money some organizations are willing to pay to make the problem go away. As a result, ransomware actors are shifting their targets towards more disruptive attacks, which we examine in our latest report, Ransomware Actors Shift Gears: New Wave of Ransomware Attacks Aims to Lock Business Services, Not Just Data.

A quick look at some of the ransomware mentioned in SurfWatch Labs new report.

It was just 13 months ago that Hollywood Presbyterian Medical Center made national attention by paying $17,000 to decrypt its files after a ransomware attack. The incident was novel at the time, but those types of stories have since become commonplace.

For example:

On November 25, 2016, an HDDCryptor infection at the San Francisco Municipal Transportation Agency led to the temporary shutdown of ticketing machines and free rides for many passengers, costing an estimated $50,000 in lost fares.
On January 19, 2017, a ransomware infection of the St. Louis Public Library computer system temporarily halted checkouts across all 17 locations and led to a several-day outage of the library’s reservable computers.
On January 31, 2017, a ransomware infection in Licking County, Ohio, led to the IT department shutting down more than a thousand computers and left a variety of departments – including the 911 call center – unable to use computers and perform services as normal for several days.
In February 2017 at the RSA Conference, researchers from the Georgia Institute of Technology presented a proof-of-concept ransomware that targets the programmable logic controllers (PLCs) used in industrial control systems (ICS).

As the Georgia Institute of Technology researchers noted: “ICS networks usually have little valuable data, but instead place the highest value on downtime, equipment health, and safety to personnel. Therefore, ransomware authors can threaten all three to raise the value side of the tradeoff equation to make ICS ransomware profitable.”

In short, if actors understand what is most valuable to an organization and can find a way to effectively disrupt those goals, they can find success in yet-to-be targeted industries. It may require more legwork, but the higher potential payouts may make it worthwhile for some actors to engage in less widespread but potentially much more profitable attacks.

Government agencies, consumer services, educational institutions, healthcare organizations, and more have all had services disrupted by ransomware over the past six months.

In addition, just last week, researchers discovered a new ransomware family, dubbed “RanRan,” that doesn’t even ask for money. Instead, the ransomware attempts to force victims “to create a public sub-domain with a name that would appear to advocate and incite violence against a Middle Eastern political leader.” The malware is described by the researchers as “fairly rudimentary” and there are a number of mistakes in the encryption process, but it serves as an example of how malicious actors that are not financially motivated can nevertheless leverage ransomware to achieve their goals.

Organizations need to take action to protect themselves against ransomware actors that are trying to find more effective ways to disrupt business operations and demand even higher ransom payouts. For more information on these evolving ransomware attacks, download SurfWatch Labs’ free report: Ransomware Actors Shift Gears: New Wave of Ransomware Attacks Aims to Lock Business Services, Not Just Data.

Fake Extortion Demands and Empty Threats on the Rise

I’ve previously written about the rise of extortion as an emerging trend for 2017, but if you didn’t want to take my word for it, you should have listened to the numerous warnings shared at this year’s RSA 2017. Cyber-extortion has become one of the primary cybersecurity-related issues facing organizations — and it appears to be here to stay.

My analyst team has researched cyber extortion and have found that malicious actors are not only engaging in these threat tactics, but they’re using the surging popularity of extortion and ransomware to target organizations with a variety of fake extortion demands and empty threats. We cover this topic in depth in our latest report, The Extortion Epidemic: Fake Threats on the Rise as Ransoms and Blackmail Gain Popularity.

In the graphic below I’ve noted some popular extortion threats, how actors carry out the threats and the impending results. Essentially they’re following the path of least resistance and most profit.

The Many Faces of Extortion: Popular Threats

2017-02-28_extortionittbyyearupdated — The number of organizations publicly associated with ransom and extortion continues to grow, and 2017 is on pace to see the highest number yet, based on data from the first two months of the year.

The gist of it all is that organizations have real fear around these threats and trust that bad actors have the ability to carry out these threats. Putting trust in bad guys is a bad idea!

The fake ransoms are successful in large part because their real counterparts have impacted so many organizations. We’re already on pace to have more organizations publicly tied to ransoms and extortion in 2017 than any other year.

FBI officials have estimated the single subset of extortion known as ransomware to be a billion-dollar-a-year business, and fake ransomware threats have sprung up in the wake of that growth. A November 2016 survey of large UK businesses found that more than 40 percent had been contacted by cybercriminals claiming a fake ransomware infection. Surprisingly, two-thirds of those contacted reportedly paid the “bluff” ransom.

DDoS extortion threats are similarly low-effort cybercriminal campaigns, requiring only the sending of a threatening email. Earlier this month, Reuters reported that extortionists using the name “Armada Collective” had threatened Taiwanese brokerages with DDoS threats. Several of the brokerages experienced legitimate attacks following the threats; however, 2016 saw several campaigns leveraging the Armada Collective name where the threats were completely empty. One campaign generated over $100,000 in payments despite researchers not finding a single incident where a DDoS attack was actually made.

A portion of the extortion email sent to the owner of Alpha Bookkeeping Services in Port Elizabeth, South Africa, in September 2016.

Extortion is also frequently tied to data breaches — both real and fake — as it is an another simple and direct avenue for cybercriminals to monetize stolen data. In January 2017 the E-Sports Entertainment Association (ESEA) was breached and the actor demanded a ransom payment of $100,000 to not release or sell the information on 1.5 million players.

ESEA said in its breach announcement that it did not pay the ransom because “paying any amount of money would not have provided any guarantees to our users as to what would happen with their stolen data.”

That is what reportedly happened to many of the victims who paid ransoms to have their hijacked MongoDB and other databases restored: they found themselves out both the data and the ransom payment. As noted in our report, it’s hard to have faith in cybercriminals, and organizations who do pay ransoms should be aware that in many cases those actors may not follow through after receiving extortion payments.

For more information on extortion threats and how to keep your organization safe, download the free report: The Extortion Epidemic: Fake Threats on the Rise as Ransoms and Blackmail Gain Popularity.

Organizations Struggle with Third Party and Supply Chain Cybercrime, Says New Report

The past year saw organizations struggle with third-party issues as malicious actors shifted their tactics towards weak points in the supply chain and exploited the interconnected nature of cybercrime, according to a new report from SurfWatch Labs.

“One of the most telling statistics in all of SurfWatch Labs’ evaluated cyber threat data is the rise of CyberFacts related to third parties,” the report stated. “The second half of 2016 saw the percentage of targets publicly associated with third-party cybercrime nearly double compared to the same period in 2015. It is clear that malicious actors are looking for any opportunity to exploit poor cybersecurity practices, and the supply chain provides an abundance of opportunity for cybercriminals to do so.”

SurfWatch Labs annual threat intelligence report, Rise of IoT Botnets Showcases Cybercriminals’ Ability to Find New Avenues of Attack, was based on more than a hundred thousand CyberFacts collected against more than 6,000 targets – 4,066 targets publicly associated with cybercrime and an additional 2,395 observed being discussed on the dark web.

Cybercrime in 2016

Cybercrime is increasingly interconnected, the report noted, and the effects of a data breach or poor cyber hygiene at one organization often move through supply chains to impact other connected organizations. That was true when it came to the growing number of compromised Internet-of-Things devices, which we wrote about last week, and it was true for a number of other cybercrime events as well.

For example:

Previously stolen employee credentials were fed into remote access services in order to compromise new organizations.
Data stolen from one organization went on to have significant economic, political and reputational impact on other parties.
Threat actors used information obtained in previous attacks to establish trust and legitimacy in social engineering campaigns that lead to new data breaches.
Those new data breaches, some of them truly massive, led to even more private information entering the public domain.

That ripple effect was evident in many of the year’s top trending data breaches.

Breaches at Yahoo, LinkedIn and others collectively accounted for well over two billion passwords being fully or partially exposed, as well as the exposure of some users’ security questions and answers. The massive breach at Panamanian law firm Mossack Fonseca led to ongoing international probes as well as the Prime Minister of Iceland stepping down. The breach at the Democratic National Committee took center stage on the campaign trail as leaked emails and other cybersecurity issues helped to shape, in part, who would be the next president of the United States.

“The amount of private data circulating among cybercriminal groups combined with an environment in which organizations are providing more points of access for customers and employees means that many organizations are more exposed than ever,” the report stated.

Key trends and statistics from SurfWatch Labs’ 2016 cybercrime data include:

More cybercrime tied to third parties: SurfWatch Labs analysts contribute this third-party growth to the expanding ecosystem of partners and suppliers that provide various products and services. This business model requires a natural need to extend the “level of presence” of organizations by sharing or fully outsourcing the creation and management of sensitive data, increasing the chance of a compromise.
Compromised credentials surged: The amount of publicly exposed user credentials grew significantly in 2016. SurfWatch Labs collected data on more than 1,100 organizations associated with the “credentials stolen/leaked” tag across both public and dark web sources over the past year, up from 828 last year.
Healthcare led way for supply chain cybercrime: SurfWatch Labs collected data on more targets tied to third-party cybercrime in the healthcare facilities and services group than any other, although the numbers may be skewed due to more strict reporting requirements in the sector.
Infected IoT devices led to increased service interruption: Over the past two years, the “service interruption” tag has typically appeared in approximately 16% of the negative CyberFacts collected by SurfWatch Labs. However, that number jumped to more than 42% over the last half of the year due to growing concern around IoT-powered botnets such as Mirai.

To read the full, complimentary report, visit info.surfwatchlabs.com/reports/2016-cybercrime-trends-year-in-review. Join SurfWatch threat intelligence analysts for a webinar on January 11, 1pm ET for a discussion of the report findings.

Hacktivists Use Automated Tools, Growing Reach to Target Government Organizations

Despite recent media attention surrounding nation-state hackers infiltrating government organizations and attempting to influence elections, the bulk of government-related cybercrime tends to be driven by less sophisticated and more ideologically-motivated campaigns carried out by hacktivist actors, according to a new report from SurfWatch Labs.

govriskchart — Government sector risk scores compared to the average for all sectors over the past year.

Government is the third most active sector when it comes to cybercrime, behind only information technology and consumer goods, and more than a third of the government CyberFacts collected by SurfWatch Labs this year have been related to hacktivist activity — far more than any other sector.

“The global reach of the Internet and social media along with the relative anonymity of cyber-attacks has provided hacktivists with a larger platform than ever to share their message, recruit new actors, and ultimately impact organizations,” noted the report, Cybercrime Gets Political: Automated Tools and Growing Reach Empowers Hacktivists.

It continued: “As a result, the most common cybercrime story in the government sector has involved websites and data being targeted by hacktivist groups resulting in service downtime, website defacement, and various types of information being stolen and publicly leaked.”

government-atep-4 — SurfWatch Labs’ data shows that hacktivists have been the top trending actor category across many different government subgroups so far this year – in some cases appearing in more than two-thirds of CyberFacts.

Hacktivist-driven data breaches are not a new problem for the government sector. In 2013, the FBI warned that anonymous hacktivists using Adobe exploits were able to infiltrate agencies such as the U.S. Army, the Department of Energy, and the Department of Health and Human Services in order to steal sensitive information.

“It is a widespread problem that should be addressed,” the 2013 alert stated.

Three years later, hacktivists remain as a top source of government-sector data breaches.

2016-09-27-govbreachactors — Hacktivists are the top trending known actor group associated with government data breaches so far in 2016.

Government agencies across the world have been targeted by hacktivists using well-known attack vectors such as SQL injections, social engineering and stolen credentials.

For example:

Shortly after Anonymous Philippines defaced the COMLEC website in protest of “questions and controversies” surrounding the country’s electoral process, LulzSec Pilipinas posted the entire COMLEC database online. The incident has been described as the largest government-related data breach in history – affecting more than 55 million people.
A hacker supporting Palestine published the names and personal information of FBI and Department of Homeland Security employees. The hacker said he first compromised the email account of a Department of Justice employee. Then he socially engineered access to the portal by pretending to be a new employee. Finally, he was able to find databases of employee information on the DOJ intranet.
The Anonymous #OpAfrica campaign led to several breaches including a one terabyte dump of information from Kenya’s Ministry of Foreign Affairs and International Trade. Kenya’s Ministry of Information and Communications Technology cabinet secretary Joseph Mucheru said the information was stolen due to a phishing attack that duped employees into clicking a link to change their credentials, which provided the hacktivist access to email accounts.
A hacker known as Hanom1960 breached several government agencies – including the Costa Rica Ministry of Culture and Foreign Affairs, the Columbia Ministry of Information Technologies and Communications, and Columbia’s Ministry of National Education – and subsequently leaked information on various government employees. “I see many mistakes in [their IT] systems,” the hacker told news outlets. “It is something that does not concern governments.”

Hacktivists are often characterized as graffiti artists or vandals that simply deface websites and cause other nuisance-level problems for organizations.

Those types of attacks are common, with SurfWatch Labs’ data showing that website downtime and website defaced are the most popular effects of hacktivism; however, the threats from hacktivists go beyond those simple attacks.

According to the report:

“Government officials noted in 2015 that the bulk of the cybercrime-as-a-service economy may be powered by as few as 200 individuals, yet those services put traditional cybercrime tools such as malware, botnets and DDoS attacks at the fingertips of a vastly larger pool of actors. … This trend, along with the large number of federal, state and local government agencies across the world, the global reach of hacktivist actors, and a never-ending series of political causes means that hacktivists have the ability, reach and will to cause harm to government organizations on a level never before seen.”

Hacktivists don’t have the resources of state-sponsored actors, but they are much more open about their attacks — often using public channels to coordinate attacks, gain media attention and recruit other actors to the campaign.

“This chatter can lead to valuable threat intelligence around what types of organizations are being targeted, how those attacks are impacting organizations and, ultimately, what can be done to better protect your organization,” the report concludes. “Monitoring hacktivist chatter and utilizing external cyber threat intelligence, along with your own internal data, can help to paint a full picture of the cyber risks facing your organization, determine what assets are at greatest risk, and inform where cyber defense efforts should be focused in the future.”

For more information, download the full report, Cybercrime Gets Political: Automated Tools and Growing Reach Empowers Hacktivists.

Learning from Cybercriminals: Using Public Tools for Threat Intelligence

Effective cyber threat intelligence is largely about gaining proper context around the risks facing your organization. As SurfWatch Labs chief security strategist Adam Meyer recently wrote, there are three pillars when it comes to evaluating those cyber threats: capability, intent and opportunity.

The first two, the capability and intent of threat actors, are mostly external aspects that you have no control over, but the third pillar, the opportunity for actors to exploit your organization, is something that can be controlled, evaluated and improved upon.

Malicious actors are relentless when it comes to finding information on that opportunity, and organizations need to use that same relentlessness when searching for potential weaknesses in their cybersecurity, according to a recent report from SurfWatch Labs.

“Knowing where attackers get their information and how they use it is an important piece of your overall cybersecurity strategy,” noted the paper, Top Sources of Information for Cyber Criminals: Where the Bad Guys Go to Conduct Research on Their Targets.

Over the past few months on this blog, we’ve profiled some of the top cyber threats and items for sale on various dark web marketplaces, but not all malicious activity occurs on this “underground web.” Much of it can be found wide out in the open — using simple tools and services that are available to anyone. Here are the top three public websites and tools used by malicious actors, as described in the paper, and how they can help those actors find the opportunity to attack your organization.

1. Shodan

Shodan was originally launched in 2009 by developer John Matherly and bills itself as “the world’s first search engine for Internet-connected devices.” This simple idea has grown from a basic list of IPs and ports to maps showing where devices are located to screenshots taken from these devices (including webcams, unsecured servers and workstations). The original focus for Matherly’s scans was to highlight the growing problem of the “Internet of Things,” but his research also uncovered industrial control systems, wide open computer systems, unsecured security cameras and more.

Researchers using Shodan frequently find publicly-exposed data that leads to breach notifications. Just one example is MacKeeper security researcher Chris Vickery discovering personal information from child tracking platform uKnowKids earlier this year.

“One of the uKnowKids databases was configured for public access, requiring no level of authentication or password and providing no protection at all for this data,” Vickery wrote. “There’s no way for me to know for sure how long this data was exposed to the public internet, although the information collected by Shodan.io suggests that the database had been up for at least 48 days.”

uKnowKids CEO Steve Woda reacted by describing Vickery as a hacker whose method “puts customer data and intellectual property at risk.” However, malicious actors can just as easily utilize Shodan to find opportunity for attacks.

As SurfWatch Labs’ paper summarized: “If it’s online, Shodan will find it. The lesson to be learned from this site, without a doubt, is secure something before it goes online.”

2. VirusTotal

VirusTotal describes itself as “a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.” But that simple tagline masks a deeper set of capabilities.

Security researchers have previously suspected that malicious actors use VirusTotal as a tool to help test and hone malware before sending it out in the wild, and in 2014 researcher Brandon Dixon confirmed those suspicions by discovering several hacking groups using the tool, including two nation-state groups.

Dixon said nation-state actors using a free online service to fine-tune their attacks was ironic and unexpected, but that speaks to the usefulness of VirusTotal.

“The power behind VirusTotal is how it adds and saves the metadata and behaviors of the files it analyzes,” noted SurfWatch Labs’ paper. “You can use the domain search to look at the IP history of the domain and get the current WHOIS for the domain, but VirusTotal will also show you a list of every time it detected something malicious on the site, as well as list all of the samples that attempted to communicate with the searched for domain.”

In addition to organizations using VirusTotal to help identify if they’ve been previously targeted, VirusTotal should be seen as a baseline site that can be used for detecting and analyzing suspicious and malicious files.

3. Your Own Company Website

The best way to get information about a particular company is often directly from the source: your own company website. Company websites can provide a treasure trove of information that can be leveraged by attackers to target a specific organization. This includes names of VIPs, email addresses of company executives and other employees, photographs, links to LinkedIn profiles and other social media, and more.

But beyond the surface level, there may be even more valuable information, as the paper explained:

Are you hosting any PDFs for people to download? Word documents, or PowerPoint presentations? Did you remember to remove potential metadata from those documents that could potentially contain additional names, email addresses, usernames, or software versions of the program used to create it? Some pretty simple Google searches (just type “site:yourpublicsite.com filetype:pdf” into the google search box) can reveal much more information that you may not have been aware you were “leaking.”

These types of leaks can lead to costly data breaches.

Free tools and services such as the ones described above provide malicious actors with valuable insight into the opportunity for cyber-attacks, and they are certainly one of the first places those actors turn to gather information on your organization. To make matters worse, all of this information can be discovered with minimal effort or expertise.

The good news is that those same tools can be used to gather cyber threat intelligence and to ensure that you are performing the same level of diligence as the threat actors who are trying to harm your organization.

Download SurfWatch Labs Top Sources of Information for Cyber Criminals: Where the Bad Guys Go to Conduct Research on Their Targets for more information.

Cybercrime is Increasingly Interconnected, Says New SurfWatch Labs Report

The first half of 2016 is over, and SurfWatch Labs analysts have spent the past few weeks sifting through the huge amount of cybercrime data we collected — totaling tens of thousands of CyberFacts across more than 3,400 industry targets — in order to identify threat intelligence trends to include in our mid-year 2016 report.

“If anything,” the report notes, “the stories behind these breaches seem to contradict the increasingly familiar spin that follows most incidents: ‘We were the victim of a sophisticated attack. The incident has been contained.'”

Download the full Mid-Year 2016 Cyber Trends Report

To the contrary, the data behind the year’s many incidents indicates many cyber-attacks are neither sophisticated nor isolated.

For example, this year’s top trending cybercrime target was LinkedIn. In May 2016 LinkedIn announced that a 2012 breach, which was believed to have been contained four years ago by resetting passwords on impacted accounts, was much larger than originally thought. An additional 100 million members were affected. Since that announcement, reports continue to surface of secondary organizations having their data stolen due to a combination of those now exposed LinkedIn passwords, widespread password reuse among employees, and remote access software from services such as GoToMyPC, LogMeIn, and TeamViewer.

To make matters worse, LinkedIn was just one of several massive credential dumps to make headlines — not to mention the numerous high-profile breaches affecting personal information or other sensitive data.

Trending Industry Targets Tied to Cybercrime in 1H 2016

SurfWatch Labs collected data on 3,488 industry targets tied to cybercrime in the first half of 2016. Of those, 1,934 industry targets were observed being discussed on the traditional web and 1,775 were observed on the dark web.

Malicious actors excel at taking one piece of information and leveraging it to perform further attacks, gain more information, and widen their reach. As we noted in May, this has led to many companies making headlines for data breaches — even though a breach may not have occurred. For example:

Music service Spotify had a list of user credentials posted to Pastebin that were collected from other data breaches. This led to a series of articles about the company “denying” a data breach.

China’s online shopping site Tabao had hackers use a database of previously stolen usernames and passwords to try to access over 20 million active accounts.

GitHub, Carbonite, Twitter, and more have all forced password resets for users after large-scale targeting of user accounts or lists of user credentials appeared on the dark web.

Other unnamed companies have confirmed to media outlets that sensitive information has been stolen recently due to password reuse attacks.

SurfWatch Labs’ data paints a picture of an increasingly connected cybercrime world where malicious actors leverage past successes to create new victims. The pool of compromised information widens; the effects of cybercrime ripple outwards.

However, those effects are largely dependent on industry sector and the types of information or resources that are attractive to different individuals, hacktivists, cybercriminal groups, and other malicious actors. SurfWatch Labs’ data so far this year reflects that fact.

Updated_Effect_Heatmap2 — Infected/exploited assets, service interruption and data stolen/leaked were the top trending effect categories overall in the first half of 2016, based on the percentage of CyberFacts that contained those tags.

For example, SurfWatch Labs report identifies infected/exploited assets as the top effect category overall, although it only appeared in 14% of entertainment and government-related CyberFacts. In those sectors, the majority of discussion was around account hijacks (37%) and service interruption (33%), respectively, as actors targeted social media accounts with large followings or hacktivists utilized defacement and DDoS attacks to spread their messages.

Similarly, the healthcare sector saw increased chatter around the financial loss and data altered/destroyed categories due to several high-profile ransomware attacks and warnings from various bodies about potential extortion attacks.

Other interesting data points and trends from the report include:

IT, global government, and consumer goods were the most targeted industries. Of all the CyberFacts analyzed, the information technology industry was hit the hardest in the first half of 2016. Microsoft was second behind LinkedIn as the top target. After IT, the government sector had the highest number of publicly discussed cybercrime targets, led by a breach at the Commission on Elections in the Philippines. The consumer goods sector made up the largest share of industry targets with information bought, sold, or otherwise discussed on the dark web.

Employee data is being targeted more often. Some organizations reported falling victim to scams targeting data such as W-2 information even though they were able to successfully identify and avoid other more traditional wire fraud scams. Malicious actors may be trying to take advantage of these “softer” targets in the human resources, bookkeeping, or auditing departments by performing attacks that are not as easily recognizable as large-dollar wire fraud attempts.

Point-of-sale chatter remains relatively low. Point-of-sale breaches are not making as many headlines, but breaches so far this year have proven that for many organizations the associated costs are as high or higher than they have ever been.

Ransomware and extortion threats continue to grow. The first half of 2016 saw a spike in ransomware and extortion-related tags as researchers, organizations, and government officials tried to deal with the growing and costly problem of data or services being held hostage for ransom.

For more threat intelligence trends, download the full Mid-Year 2016 Cyber Trends Report from SurfWatch Labs.

Cybercriminals are Increasingly Targeting Personal Info, Says Report

Cybercriminals have shifted their focus away from stealing payment card data in favor of targeting personal information and directly extorting victims, according to a new report from SurfWatch Labs.

The trends aren’t surprising, said SurfWatch Labs chief security strategist Adam Meyer, who discussed the report on this week’s Cyber Chat podcast. Cybercrime is a business, and malicious actors gravitate towards the process that gives them the largest return on their effort.

While extortion is perhaps the most direct path towards monetizing cybercrime, stolen personal information has a long shelf life and can be easily sold or used for authentication purposes. It also tends to be the low-hanging fruit as retailers and financial institutions improve at preventing or minimizing the losses around payment card information.

“All these identifiers that make you ‘you’ can be used in 20 different ways to conduct an attack,” Meyer said. “It makes complete sense why we’re seeing this trend come up.”

While 2014 was dominated by headlines surrounding point-of-sale (PoS) breaches, only three PoS breaches cracked last year’s top 25 trending cybercrime targets: Starwood Hotels & Resorts (#14), Hyatt Hotels (#17) and Dixon’s Carphone (#23).

Altogether, SurfWatch Labs collected CyberFacts related to 4,562 distinct industry targets last year.

The top trending cybercrime targets last year — the United States Office of Personnel Management, Anthem, and Avid Life Media — all centered around the theft of personal information.

“A Failure of Corporate Culture”

The rise in stolen personal information can be attributed to failures at the top of many organizations, Meyer said.

2H2015_PersonalInfo — *The percent of CyberFacts collected by SurfWatch Labs tied to stolen information has risen steadily the past 18 months.*

“The biggest vulnerability that we have in my opinion is outdated corporate culture,” he said. “They completely have their heads in the sand about what’s going on in the world.”

Despite all of the recent headlines around cybersecurity, many organizations still do not adequately assess their level of cyber risk and take the necessary precautions.

“No one is really trying to solve this problem at the decision maker level,” Meyer said. “The organizations are falling down on educating themselves on these issues until its too late.”

He added: every organization is a custodian of data, and the first step to mitigating cyber risk is to put a thought process in place assessing the risks facing your data, your infrastructure, your industry, and your partners and suppliers.

Dark Web and Other Cyber Risk Trends

Dark Web markets can provide valuable insight into many cybercrime trends.

“The black market is a great resource to look at what is the typical state of the underground economy,” Meyer said. “You can see what’s being bought and sold. You can see what prices they’re generating. You can see the tempo and the supply and demand aspect of things, and you can use that information to compare against where would you fit in that.”

Unfortunately, there’s not enough education on what happens to data once it is stolen, he added.

“This is where the stuff goes most of the time, and we’re not educating anybody on where it’s going and why it’s going there. And people just keep repeating the mistakes over and over and over.”

Listen to the full conversation with SurfWatch’s Adam Meyer below, or download the SurfWatch Cyber Risk Report: Year in Review.

About the Podcast:
SurfWatch Labs recently released a threat intelligence report detailing cyber risk trends. They noted that cybercriminals have shifted their targets over the past year from focusing on credit card information at financial institutions to increasingly stealing personal information across a swath of industries.

On today’s Cyber Chat we talk with our own Adam Meyer, Chief Security Strategist at SurfWatch Labs, about the report, cyber risk trends and what businesses need to do in order to stay ahead of cybercriminals.

Download the Cyber Risk Report: Year in Review here: http://info.surfwatchlabs.com/cyber-risk-year-in-review-2015