Cyber Security Intelligence


December Newsletter #4 2014

Cyber Security Intelligence has been collecting and creating weekly newsletters for a year, and we will be releasing our Cyber Database in the New Year along with continued weekly newsletters. Thank you for reading our newsletters, and best wishes for 2015 from Tim Heath and Alfred Rolington, CEOs of CSI.

The Interview is a pirate hit with 1m-plus downloads

The unexpected release of The Interview is making headlines around the world, but only people inside the US can see the film legally. It reportedly has already brought in over $1 million in box office sales for Sony on the first day of release.

However, over a million people have already circumvented this restriction by turning to torrent sites, where the film appeared just an hour after its official release. Even The Pirate Bay joined in and started pointing people to the movie as well.

Sony Pictures was left with no other option than to find online platforms to show the controversial movie to a broad audience during the holidays, and they eventually did. The film is now available for streaming on YouTube, Google Play and Xbox Live.

Shortly after the first stream was made public various pirated copies quickly started to populate torrent sites and other sharing platforms.

According to multiple reports, unnamed government officials have said that the cyber-attack on Sony Pictures was linked to the North Korean government. The Wall Street Journal has said the attack was carried out by Unit 121 of North Korea’s General Bureau of Reconnaissance, the country’s most elite hacking unit.

But if the elite cyber-warriors of the Democratic People’s Republic of Korea were behind the malware that erased data from hard drives at Sony Pictures Entertainment, they must have been in a real hurry to ship it.

Analysis by researchers at Cisco of a malware sample matching the MD5 hash of the “Destover” malware used in the attack on Sony Pictures revealed that the code was full of bugs and anything but sophisticated. It was the software equivalent of a crude pipe bomb.

According to South Korean reports, North Korea has been building a cyber-army of incredible magnitude for over a decade. In an interview with the Korea Herald, Professor Lee Dong-hoon of the Korea University Graduate School of Information Security said that North Korea has the third largest military cyber-warfare unit in the world, with over 3,000 troops—more than China. And the cyber-force, Dong-hoon said, is directly under the control of North Korean leader Kim Jong-un.

The international aspect of Sony Pictures, and the layoffs that the company had undertaken earlier this year overseas and in the US, gave some credence to the claims by the “Guardians of Peace” that they were acting on behalf of former employees. The unprofessional nature of the code used in the “Destover” wiper malware adds to that illusion. It used commercial components, and looks like something cobbled together from a well-worn malware kit bought off an underground web forum.

However, the communications and tactics used that mirrored other “hacktivist” attacks could have just as easily been adopted by Unit 121 or another state actor to mimic a hacktivist attack, achieving the goals of the state while giving North Korea plausible deniability. Pinning the attack with certainty on North Korea will be difficult precisely because it’s the sort of thing any determined attacker, state or otherwise, could have achieved if properly motivated.

Cybercrime-as-a-Service, a winning model of sale

Security experts at Sophos have explained the efficiency of the business model known as Cybercrime-as-a-Service using the particular case of the Vawtrak botnet.

The term Cybercrime-as-a-Service refers to the practice, within the cybercriminal ecosystem, of providing products and services for use by other criminals. In September 2014, a report from Europol’s European Cybercrime Centre (EC3), the 2014 Internet Organised Crime Threat Assessment (iOCTA), revealed how widespread the business model has become in underground communities and highlighted that the barriers to entry into cybercrime are being lowered, so that criminal gangs need no specific technical skills of their own.

Criminals can rent a botnet of machines for their illegal activities, instead of having to infect thousands of machines worldwide themselves. These malicious infrastructures are built with a few requirements that make them suitable for criminals, including a user-friendly command-and-control infrastructure and sophisticated evasion techniques.

The botnets are very flexible and can be used for several purposes, including serving malware or sending out spam emails. For example, the botnet’s computers can be configured to serve as proxies or even — once all the other usability has been sucked out of them — as spambots.

An example of a banking malware botnet is Vawtrak, also known as NeverQuest and Snifula. According to data provided by Sophos, Vawtrak was the second most popular malware distributed by malicious drive-by downloads in the period between September and November.
Sophos published an interesting paper on the cybercrime-as-a-service model applied to the Vawtrak botnet, titled “Vawtrak – International Crimeware-as-a-Service”.

“If you look at the client side, the commands used, and the debugging code, it suggests that it’s more user friendly than some of the other malware we look at,” said James Wyke, senior threat analyst at Sophos Ltd. “It’s almost certainly going to be a point-and-click Web-based interface. Simplicity is one of Vawtrak’s positive points.”

Although Wyke has not personally evaluated Vawtrak, for legal and ethical reasons, Sophos was able to investigate the activities the Vawtrak platform is being used for. The experts recognised a pattern in the “modus operandi” of the Vawtrak clients, who used the botnet to target banks and other financial institutions worldwide. The attackers are able to run sophisticated attacks in a methodical way, bypassing two-factor authentication mechanisms and implementing custom injection mechanisms.

The experts revealed that Vawtrak was used by criminal organisations in the US to compromise both large banks (e.g. Bank of America and Citigroup) and smaller financial institutions (e.g. Bank of Oklahoma, Cincinnati’s Fifth Third Bank, and the Columbus-based Huntington National Bank).

There are tens of thousands of computers already infected and in the network, Wyke said.

That makes it smaller than some of its competitors but, because of its business model, it might actually be more profitable.

The cybercrime-as-a-service model developed for the Vawtrak botnet allows customers to choose specific types of infected machines, to customise the botnet to hit a specific target (e.g. banks, private firms), or to request specific types of stolen data.

“If you want banking credentials for certain banks, or certain regions of the world, they can start campaigns targeting those banks or those countries,” said Wyke. “We’re moving away from the model where the cybercriminals write their own software, or sell you a kit and you go away and create your own botnet,” Wyke said.

The availability of stolen data makes the Cybercrime-as-a-Service sales model very attractive to criminals, who can use that data to run further attacks with more information on their targets.
The Vawtrak botnet also provides specific data hijacked by the botnet, including banking access credentials, and allows the criminals to deliver new strains of malware to the infected computers.

“This is a flexible business model,” he said. “Once the machine starts sending out spam it becomes obvious that it’s infected with malware and it’s not going to be infected much longer,” he said.

Experts at Sophos suggest keeping defence systems up to date, and provide a free removal tool for the Vawtrak botnet on the company website.

UK Police under-skilled to fight cyber crime

John Klossner

British police are woefully under-skilled to tackle the rapidly expanding world of cybercrime, according to a new report surveying police intelligence analysts.

The report, conducted by PA Consulting, gathered responses from 48 different police bodies, and its findings don’t make pretty reading. Less than a third of respondents have the technology or skills to fight cybercrime, with 75% of analysts spending less than 10% of their time on cybercrime analysis.

Cyber security expert and author of the report Nick Newman commented that it was disturbing that police were ‘nowhere near equipped’ to deal with the cyber crime threat. The government has backed the training of 2,000 detectives in new cyber techniques by April 2015, but when you consider how much of modern life is spent in the cyber world, and how much cybercrime is present in society, this seems unequivocally disproportionate.

One huge problem that the police face is recruiting highly skilled cyber security specialists, who in the private sector command a much greater salary than the police can offer. Cyber security is a critical issue in a technology-driven world, whether for individuals, businesses or governments.

Serena Gonsalves-Fersch, head of KPMG’s Cyber Security Academy commented:
‘Both private and public sector organisations need to focus on developing the skills of their existing workforce and on integrating cyber training into their overall training and development policies.’

The Government’s own, four-year, £650 million cyber security strategy focuses on protecting the national infrastructure and helping raise awareness of cyber security amongst organisations through its Cyber Essentials Scheme. It seems clear to me that they need to dig a little deeper to support and train the Police.

List of cyber attacks and data breaches in 2014

Please note: The following list is only a snapshot of 2014’s events and shouldn’t be considered a definitive list. For even more hacks and breaches, please click the desired month and you’ll be directed to our monthly summary.

1 January, 2014 – 1.1 MILLION customers’ credit card data was swiped in Neiman Marcus breach
20 January, 2014 – Credit Card Details of 20 Million South Koreans Stolen
21 January, 2014 – Microsoft blog hacked by Syrian Electronic Army
24 January, 2014 – CNN website, Twitter and Facebook hijacked by Syrian Electronic Army
25 January, 2014 – Michaels Stores confirms payment card information compromised in breach

5 February, 2014 – Texas health system attacked, data on more than 400K compromised
14 February, 2014 – Hacked by Syrian Electronic Army Because of “Hate for Syria”
16 February, 2014 – Kickstarter hacked: Passwords and phone numbers stolen
24 February, 2014 – YouTube ads spread banking malware
25 February, 2014 – Mt. Gox exchange goes dark as allegations of $350 million hack swirl

10 March, 2014 – Hackers steal 12 million customer records from South Korean phone giant
14 March, 2014 – Credit Card Breach at California DMV
17 March, 2014 – Morrisons employee arrested following data breach involving details of 100k staff
20 March, 2014 – EA Games website hacked to phish Apple IDs from users
28 March, 2014 – Malware in 34 Spec’s stores, payment data compromised for 550K

7 April, 2014 – Germany suffers biggest ever data breach in its history
8 April, 2014 – The Heartbleed bug: serious vulnerability found in OpenSSL cryptographic software library
15 April, 2014 – German space centre endures cyber attack
15 April, 2014 – Welsh Councils break DPA 2.5 times a week
22 April, 2014 – Iowa State server breach exposes SSNs of nearly 30,000
29 April, 2014 – Security breach at AOL. Users told to change passwords

8 May, 2014 – Orange Suffers Data Breach Again, 1.3 Million Affected
9 May, 2014 – WooThemes users notified of payment card breach, 300 reports of fraud
21 May, 2014 – eBay Suffers Cyber Attack, Users Asked to Change Passwords
27 May, 2014 – Avast Suffers Cyber Attack; 400,000 users affected

14 June, 2014 – P.F. Chang’s Confirms Credit Card Breach
17 June, 2014 – Hackers Takeaway Domino’s Pizza Customer Data; More Puns Inside
19 June, 2014 – Hacker puts Code Spaces out of business
19 June, 2014 – Sun and Sunday Times Websites Hacked by the Syrian Electronic Army
22 June, 2014 – British Gas Help Twitter account hacked, customers pointed towards phishing sites
23 June, 2014 – ‘Most sophisticated DDoS’ ever strikes Hong Kong democracy poll
25 June, 2014 – European Bank Hit by Cyber Attack; £400,000 stolen

1 July, 2014 – Energy Firms Hacked by Cyber Espionage Group ‘Dragonfly’
4 July, 2014 – $3.75 Billion Brazilian Boleto Malware Attack
8 July, 2014 – Closes after Data Leak
15 July, 2014 – CNET Hacked, One Million Users’ Data Stolen
16 July, 2014 – Information Commissioner’s Office Suffers Data Security Breach
23 July, 2014 – eBay has suffered a security breach for the second time this year
31 July, 2014 – Gizmodo Brazil hacked, fake Adobe Flash download opens backdoor
31 July, 2014 – Massive Paddy Power hack: nearly 650,000 customers’ records stolen

5 August, 2014 – Goodwill and FBI Investigate Possible Security Breach
15 August, 2014 – Supervalu supermarket chain begin investigating possible data breach
19 August, 2014 – US Cyber Crime Goes Nuclear: NRC Computers Hacked THREE Times
21 August, 2014 – Over 50 UPS franchises hit by data breach
27 August, 2014 – Norwegian oil industry under attack by hackers
27 August, 2014 – Records of 25,000 Homeland Security Employees Stolen in Cyber Attack
28 August, 2014 – FBI Probes Possible Hacking Incident at J.P. Morgan

4 September, 2014 – Home Depot suffers breach that may be larger than Target’s
5 September, 2014 – 800k Payment Cards Compromised in Goodwill Industries Breach
5 September, 2014 – ObamaCare Website Hacked
18 September, 2014 – Home Depot: 56M Cards Impacted, Malware Contained
23 September, 2014 – 880,000 Affected by Viator Payment Card Breach
25 September, 2014 – Payment card data stolen in Jimmy John’s data breach
29 September, 2014 – Hundreds of US Stores Affected as POS Provider is Hacked
30 September, 2014 – SuperValu compromised again – for the second time in three months

3 October, 2014 – JPMorgan suffers data breach affecting 76 million customers
10 October, 2014 – Dairy Queen data breach hits 395 stores
14 October, 2014 – ‘Big K’ raided by hackers: Kmart warns customers after malware discovered
21 October, 2014 – Staples stores investigated: suspected payment card breach
23 October, 2014 – POODLE attack digs up downgrade flaw in TLS
29 October, 2014 – White House unclassified network hacked

7 November, 2014 – Home Depot admits 53 million email addresses stolen in data breach
13 November, 2014 – Data breach affects 2.7 million HSBC Turkey cardholders
17 November, 2014 – US State Department network shut amid reports of cyber breach
18 November, 2014 – Staples confirms POS malware attack
25 November, 2014 – Sony Pictures Entertainment hacked
27 November, 2014 – Syrian Electronic Army attack on Gigya affects Telegraph, Independent, Evening Standard…

4 December, 2014 – Possible credit card breach at Bebe Stores
11 December, 2014 – Union Station parking lot suffers suspected data breach
11 December, 2014 – Electronic payment company CHARGE Anywhere suffers five-year breach
15 December, 2014 – Personal information leaked in University of California, Berkeley, data breach
19 December, 2014 – KeyPoint cyber attack compromises 48,000 federal employees
22 December, 2014 – Staples confirm details of six-month breach, 1.16 million cards affected

It’s not been a good year and we should expect an even worse year in 2015. It appears we’ll be going into 2015 with mystery still hanging over the Sony story.


The full web site is currently under development and will be available during 2015