Archive for November 2015

Russian Cybercrime Gangs Flourish with 1,000 New Employees

Russian language cybercrime gangs have recruited up to 1,000 new ‘employees’ over the past three years, although there are only around 20 people who make up the core of the average group, according to Kaspersky Lab.

The security vendor’s chief investigator, Ruslan Stoyanov, used a new report, Russian financial cybercrime: how it works, to uncover the cyber-criminals behind global attacks.

He claimed that law enforcers around the world have arrested over 160 Russian-speaking cyber-criminals since 2012 from gangs of all sizes.

In fact, they’ve been responsible for attacks that have harvested over $790 million—most of which ($509m) was stolen from outside the former USSR—although even this figure could be merely the tip of the iceberg.

The Russian-speaking cybercrime underground is flourishing, and motivated primarily by making money, the report claimed. Of the 330+ incidents investigated by Stoyanov and his team, 95% were connected with the theft of money or financial info.

Although the exact number of gangs working across the region is unknown, Kaspersky Lab revealed that they contain around 20 people on average.

It continued:

“We can calculate fairly precisely the number of people who make up the core structure of an active criminal group: the organizers, the money flow managers involved in withdrawing money from compromised accounts and the professional hackers. Across the cyber-criminal underground, there are only around 20 of these core professionals. They are regular visitors of underground forums, and Kaspersky Lab experts have collected a considerable amount of information that suggests that these 20 people play leading roles in criminal activities that involve the online theft of money and information.”

After uncovering five such groups in 2012-13, Kaspersky Lab has been able to understand more about their operation and structure.

Key roles include programmers, web designers, system administrators, testers and cryptors—the latter tasked with ensuring that malware evades detection.

Staff are paid either a fixed wage or employed on a project basis as freelancers and recruited on underground and some mainstream job sites.

“By advertising ‘real’ job vacancies, cyber-criminals often expect to find employees from the remote regions of Russia and neighboring countries (mostly Ukraine) where problems with employment opportunities and salaries for IT specialists are quite severe,” said Stoyanov.

“The idea of searching for “employees” in these regions is simple—they carry a saving because staff can be paid less than employees based in large cities. Criminals also often give preference to candidates who have not previously been involved in cybercrime activity.”

Groups could be organized in “affiliate” programs, small groups of up to 10 people, and large organizations like Carberp and Carbanak—with the latter type apparently the most “destructive and dangerous.”

Major campaigns are preceded by months of preparation—developing and selecting the malware, building the attack infrastructure and studying the target organization(s).

Unfortunately for consumers and companies around the world, such gangs will continue to flourish in the absence of adequate international cybercrime laws, frameworks for co-operation between law enforcement agencies, and a sufficient number of cyber-trained police.

Source: Information Security Magazine

Exploit Kit DNS Activity Soars 75% in Q3

The third quarter saw the creation of DNS infrastructure for exploit kits rise 75% from the same time a year ago, pointing to a coming storm of cyber attacks, according to security vendor Infoblox.

The DNS protection service provider puts together a Threat Index to measure the creation of malicious domains used in malware, DDoS, data exfiltration, exploit kits and more.

The score for Q3 2015 stood at 122 – up 19% from a year ago but down slightly from the record high of 133 in Q2 this year.

When it comes to exploit kits, cybercriminals need to register domains to create the ‘drive-by’ location from which they can infect users, who typically arrive there after clicking on malicious spam or malvertising.

An attack on the Daily Mail website earlier this year led to potentially millions of users exposed to this kind of malicious advertising over 4-5 days.

Once clicked through, an EK will typically take advantage of known software vulnerabilities in common applications like Java and Flash to download malware onto the victim’s device.

“The significant increase in the use of exploit kits compared to the same period in 2014 highlights the growing popularity of these types of attacks, as sophisticated cybercriminals continue to profit from the sale of kits which can be used by relatively unskilled hackers to take advantage of known vulnerabilities,” explained Infoblox systems engineering manager, Malcolm Murphy.

“Equipping a greater number of operators with these tools translates to an increase in the number of potential attacks, so organizations must ensure that they are using reliable threat intelligence to enable them to disrupt malware as it communicates through the DNS.”

Angler – the EK connected to the Daily Mail attack – was the most prolific in Q3, accounting for 30% of activity. It’s particularly troublesome as it can be quickly updated to include zero day threats which can be hard for some anti-malware systems to stop and block.

Next came Magnitude (29%), which mainly affected users in the US, Canada and the UK, according to the report.

Infoblox warned that cybercriminals typically go through a two-phase cycle of ‘planting’ and ‘harvesting’ domains for malicious activity, with Q3 activity appearing to tally with the early stages of the latter.

Source: Information Security Magazine

Cook: ‘We’ll Work with UK but Won’t Stop End-to-End Encryption’

Tim Cook has refused to back down over iMessage end-to-end encryption in a stance which could see Apple on a collision course with the UK government, as clamor grows for the security services to be given more snooping powers following the Paris terror attacks.  

In an interview with the Irish Independent Cook explained his repeated position that Apple has never allowed access to its servers or “worked with any government agency from any country to create a backdoor in any of our products or services.”

"The UK government has been clear publicly that they are not seeking to weaken encryption," Cook is quoted as saying.

"And so I take them at their word that they would not do that. And at the moment as you know, we encrypt iMessage end-to-end and we have no backdoor. And we have no intention of changing that. Any change made would contradict the UK government's view that they would not weaken encryption.”

That might not entirely be true because of either confusion or deliberate vagueness by some politicians and intelligence bosses when they talk about not wanting to weaken “encryption” as opposed to “end-to-end” encryption.

In fact, the controversial Investigatory Powers Bill currently passing through parliament contains a passage stating that CSPs must assist with interception warrants and “maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the CSP to whom the notice relates.”

However, Cook seemed to suggest that parliamentary scrutiny and common sense would prevail.

“And so I think that we'll work closely with them,” he said. “And I have every faith that through this process of the next year, give or take a year, that the bill will become very clear.”

The fear among opponents of the bill is that recent terror attacks in Paris could be used as justification for extra state snooping powers as proposed in the legislation, including the de facto ban on end-to-end encryption and the forcing of ISPs to retain web browsing records for a year.

CipherCloud CEO, Pravin Kothari, argued that “dismantling privacy for the masses” will push the terrorists deeper underground.

“But diluting commercial encryption won’t prevent the bad guys from using their own proprietary encryption and won’t make us safer,” he added. “Weakening the technology that companies use to protect average users misses the mark. Nor will enacting the IPB better protect the homeland as many of its monitoring provisions already exist in France following Charlie Hebdo.” 

Meanwhile, Context Information Security lead investigative researcher, Tom Williams, argued in a lengthy note that ISIS faces numerous challenges in recruiting and retaining those with the cyber skills to launch major attacks.

He said the possibility of an attack on critical infrastructure, as mentioned by chancellor George Osborne in a speech in which he announced a doubling of the funding for the fight against cybercrime, was unlikely in the short term.

“Due to the likely fluid nature of their cyber capability, both in terms of skill and access to sophisticated malicious software, this prospect cannot and should not be ruled out as a possibility in the medium to long-term,” he claimed.

Any future threat would probably involve a malicious insider working at a targeted facility, Williams added.

Source: Information Security Magazine

Trend Micro: Major Q3 Attacks Could be Sign of Things to Come

Trend Micro blocked 12.6 billion threats in Q3, a 20% decrease from 2012, but warned that seismic security incidents during the period could be an indication of the kind of threats facing individuals and businesses going forward.

The third quarter saw some of the “worst-case security scenarios ever imagined,” according to the vendor's Security Roundup report for the period.

First came the attack on Hacking Team reported back in July in which 400GB of stolen data was exposed, leading to the discovery of five new zero day flaws and specialist spying tools for iOS and Android.

One of these vulnerabilities was added into the Angler EK and used in attacks in South Korea and Japan and another in attacks on sites in Taiwan and Hong Kong.

Then came the Ashley Madison data dump, which it is claimed led to follow-up extortion and blackmail attacks on those exposed, even resulting in reports of suicide.

Trend Micro even discovered some honeypots it set up were used to create profiles on the site, leading some to speculate that some innocent netizens may also have been caught up in the fall-out from the attack.

The report had the following analysis:

“We believe we will see more of these chain reaction-type attacks. Bigger and better-secured organizations may experience breaches of their own if ever attackers successfully manage to leech off data from their smaller, less-secure partners. Consumers may also find their personal information at risk if companies continue to get breached due to this lateral progression of attacks.”

Elsewhere the quarter saw another major Android vulnerability—Stagefright—and trojanized apps built with a malicious version of Xcode were even found on the App Store, putting iOS users at risk.

Despite blocking 1,588 threats per second, the figure continues to fall from 2012 highs, possibly due in part to attackers focusing their efforts on “well-chosen victims for better results,” Trend Micro said.

Trend Micro chief cybersecurity officer, Tom Kellermann, argued that incident response plans must be tweaked to manage the “secondary stages of attacks.”

“Intrusion suppression will become the goal of incident response as it is imperative that the dwell time of an adversary be limited. We must disrupt the capacity of an adversary to maintain a footprint on hosts, and thus inhibit their ability to conduct secondary infections,” he added.

“Virtual shielding, integration of breach detection systems with SIEMs, and file integrity monitoring will be key instruments in mitigating the punitive attacks of 2016.”

Source: Information Security Magazine

Casinos and Video Piracy Mark Malware Campaign Affecting 1 Million

Three casino websites were the decoys for one of the largest malvertising attacks seen to date.

Researchers at Malwarebytes Labs have identified a campaign that’s been active for at least three weeks, preying on visitors of sketchy websites offering things like free downloads of copyrighted movies, pirated live streams, pirated software and more. Those websites host malicious ads, which then redirect the victim to one of the casino websites (, and

From there, the sites would silently load malicious iframes from disposable domains which ultimately led to the Angler exploit kit. In one case, the casino website was a direct gateway to Angler EK.

Further, the malvertising campaign used a surprising 30 or more different pieces of malware to infect victims. Researchers found the infamous CryptoWall ransomware as well as the Bunitu Trojan.

The impact is widespread.

“In all likelihood, a very large number of people were exposed to malware because of this campaign,” said Jerome Segura, senior security researcher at Malwarebytes Labs, in a blog. “When looking at the number of visitors to those websites, we see a troubling pattern. Before September, the traffic for all three combined was almost non-existent, but by mid-October, traffic spiked through the roof for a total of more than 1 million monthly visits.”

Because the campaign affected dubious publishers likely to turn a blind eye to ‘advertising issues’ and visitors knowing they were consuming illegal content, there was little reason for anybody to report the incident. The ad networks were almost all registered via Domains By Proxy LLC, meaning no information was available about the registrant.

“In fact, each of these malvertising attacks taken on its own does not stand out, but realizing that they were all connected gives us the bigger picture in how large of an operation this was,” Segura said.

But they were all through GoDaddy and on the same ASN, AS15169, which led the researchers to believe they were all related to one another. Going through 10 ad domains, AdCash was one of the advertising networks affected—and it’s through this outlet that Malwarebytes was able to report the campaign.

A look at some of the stats behind those ad domains shows some staggering numbers. According to SimilarWeb, a service that estimates website traffic and provides various analytics, these ad networks generated over 2 billion visits in October.

“To be clear, this is not how many people were exposed to malvertising since this only affected a few particular rogue campaigns, and not all campaigns running on these networks,” Segura added.

The stats of the casino sites that acted as intermediaries for the exploit kit are also telling: before September, traffic on those three domains was almost non-existent, but once the campaign started it spiked to a combined total of more than 1 million visits.

Source: Information Security Magazine

IBM: Ransomware, Insider Threats Top 2015 Cyber-Trends

2015 has been a challenging year, with insider threats and malware, as well as stealthy and evolving attacks, affecting enterprises. Taking stock, IBM Security has identified the top four cyber-threat trends of the year: amateur hacker carelessness, ransomware, insider threats and C-suite attention.

The first notable trend is amateur hackers exposing sophisticated criminals in onion-layered attacks. While 80% of cyberattacks are driven by highly organized and sophisticated online crime rings, it is often inexperienced hackers (“script kiddies”) who unknowingly alert companies to these larger, sophisticated hackers lurking on a network or inside an organization. These amateur hackers leave clues like unusual folders or files in a temporary directory, deface corporate web materials, and more. When organizations look into these mischievous attacks, they often find much more complex attacks.

“As the name suggests, an onion-layered security incident is one in which a second, often significantly more damaging attack is uncovered during the investigation of another more visible event,” the firm said in its Q4 2015 IBM X-Force Threat Intelligence Quarterly report. “The security team has to carefully peel back layers of forensic information in order to determine the root cause of each event under scrutiny.”

Also, it’s almost undeniable that 2015 was the year of ransomware, with this type of infection ranking as the most commonly encountered infection. In fact, the FBI reported Cryptowall ransomware attacks have netted hackers more than $18 million from 2014-2015. IBM researchers believe that it will remain a common threat and profitable business into 2016, migrating to mobile devices as well.

“For ransomware to succeed, attackers rely on a multitude of security and procedural breakdowns. In some cases, clients had recurring infections during the year,” IBM said. “This was because, although some of the factors leading to infection were addressed and resolved, nothing was done to resolve the fundamental breakdowns that facilitated the initial infection.”

Those breakdowns include not backing up data, poor patching procedures and a lack of user awareness.

The report also noted the ongoing danger of malicious attacks from inside a company. This is a continuation of a trend seen in 2014 when IBM’s 2015 Cyber Security Intelligence Index revealed that 55% of all attacks in 2014 were carried out by insiders, individuals with insider access to an organization’s system, knowingly or by accident.

A series of patterns emerged from the ERS team’s investigations:

• There were shared accounts with administrative privileges.

• Password sharing between team members was not discouraged.

• Passwords were routinely set to never expire.

• Passwords were “easy.”

The common thread is that accountability was not enforced.

“Bad password policies seriously compromised the efficacy of termination procedures,” IBM said. “Whenever a system or network administrator left the organization, disabling their personal accounts did not limit their ability to perform unauthorized activity on the network via one or more of the shared accounts they had routinely used in their job. As a result, ex-employees with ill will toward former employers held powerful weapons they could use to express their resentment. They simply needed a way to get back into the network.”

And, the final trend could be entitled, “C-Suite Cares.” In 2015, cybersecurity became a true concern at the boardroom level with more positions of power asking questions about their organizations’ security posture. In fact, a recent survey of CISOs by SMU and IBM, revealed that 85% of CISOs said upper-level management support has been increasing, and 88% said their security budgets have increased.

“Organizations today are going back to the basics. The major cybersecurity trends of 2015—the challenge of recognizing stealth attackers on the network, ransomware, malicious insider attacks and growing management attention to enterprise security readiness—can largely be addressed by focusing on security 101,” IBM said. “Think patch management, user education, proper password procedures and standard security practices.”

Source: Information Security Magazine

Threat Intelligence Will Be UK Firms’ Investment Priority For 2016

UK firms are failing to capitalize on a holistic and integrated view of security, as performance, skills and costs remain the biggest hurdles to true data-driven security over the coming year, research from IDC and SecureData has revealed.

Almost all (96%) of UK firms already use threat intelligence products and services, and every one of them intends to do so within the next 24 months. There were clear benefits to doing so: companies saw that use of such products could bring about faster attack detection and response (55%), better understanding of threats and attacks (43%), and finding new or unknown threats (42%).

Yet the survey also revealed a number of major challenges that needed to be addressed such as optimizing performance and response times (75%), training and expertise (59%), and the costs of tools, maintenance and personnel (52%). Analytics-based issues were also found to be a significant hurdle. Correlating events (49%) and reducing false positives/negatives (36%) were the highest ranking worries in this regard. Two-thirds of organizations (66%) plan to invest in Big Data analytics engines, but only a quarter are ready to invest in third-party intelligence products or services.

Only a third of those surveyed by IDC believe that threat intelligence includes intrusion monitoring or the sharing of information within the security community (35%). An even smaller group includes analytics either based on behavior (6%) or correlation of security data (6%), while just 3% believe cloud-based intelligence sharing is part of threat intelligence.

One of the most concerning findings in the report was the trend for many organizations to collect a substantial amount of information across their IT security infrastructure but then fail to integrate it with their threat intelligence platform. Just under three-fifths of respondents integrate data from their firewall or UTM devices, while almost half (47%) of the 86% of organizations using an MDM to manage mobile devices integrate data from that system with their threat intelligence platform. Only a third of firms correlate external data, such as threats or attacks on peer companies, with their threat intelligence platform.

“Threat intelligence is not simply information,” commented IDC research director Duncan Brown. “It is a service delivering a collated and correlated range of data feeds and sources to provide actionable advice to security operations. Getting this holistic view of security beyond IT is critical to understanding the full context of threat information, but our study suggests firms are taking a somewhat traditional view of intelligence that discounts more innovative developments.”

“IDC’s findings suggest Chief Information Security Officers are not considering the wider context in which their business operates, either from a physical security and application security perspective, or from a broader industry viewpoint,” added SecureData CEO Etienne Greeff. “Nevertheless, the fact they recognize the importance of increased context and intend to invest in such insight as a priority is encouraging as it will enable them to adopt an offensive security posture – one that mitigates the ever-expanding attack surface and better protects their infrastructure, applications and valuable information assets.”

Source: Information Security Magazine

UK’s NCA Shares Threat Data with 50 Web Hosters

The UK’s National Crime Agency is claiming a new threat information sharing initiative has already helped web hosters reduce the threat to their servers by 12%, potentially saving them millions.

The NCA said last week that it shared details related to over 30,000 separate threats with internet hosting companies as part of a joint program with CERT-UK.

Around 50 organizations took part in the nearly three-month-long program, using information on malware infections, phishing attacks, DDoS and command and control (C&C) systems to take remedial action.

The crime agency’s initial analysis claimed the 12% reduction in the volume of malicious domains over a whole year could reduce cybercrime losses by “tens of millions of pounds.”

Specially trained officers from police Regional Organised Crime Units (ROCUs) are now being sent out to support those organizations that benefited from the threat intelligence.

“Working with industry to jointly combat cybercrime is a priority for the NCA, and sharing timely, customized intelligence with hosting companies can contribute to the protection of the UK internet infrastructure,” said NCA industry partnerships boss Paul Hoare.

“Many alert recipients have taken timely action against the threats identified, and this is likely to have prevented losses to individuals and businesses further down the line.”

The threat alerts are also available to firms who sign up to the government’s Cyber-security Information Sharing Partnership (CISP) initiative, designed to improve situational awareness for members by facilitating the sharing of threat and vulnerability information.

Governments and their law enforcement and intelligence agencies are increasingly being put under pressure to share the wealth of threat information they collect with the private sector, in order to bolster the resilience and economic well-being of UK PLC.

BH Consulting founder and Europol advisory group member, Brian Honan, welcomed the news.

"Many though have criticized these initiatives as being primarily one way, whereby information from the private sector is going into the public sector but very little is coming back in return. This type of sharing from the NCA is a welcome change to that status quo and the quality of the information they share will be of major benefit to the ISPs," he told Infosecurity.

"One can only hope that now the ISPs have real actionable information they will work on it to make the internet a safer place for all."

In the US, efforts to legislate on such matters have backfired, after rights groups and technology giants came out against the Cybersecurity Information Sharing Act, which was nevertheless passed by the Senate last month.

Its opponents argue that the law could introduce major privacy issues and even make it harder for international firms to do business with their US counterparts.

Source: Information Security Magazine

New POS Malware Lands Ahead of Busy Festive Shopping Season

Security researchers are warning of a new POS malware strain which has the potential to cause yet more pain for retailers and their customers in the run up to the busy festive season.

AbaddonPOS was initially discovered by Proofpoint analysts as it was being downloaded as part of a Vawtrak infection, they wrote in a blog post.

Specifically, it was delivered via either weaponized Office documents downloading Pony malware or an Angler EK Bedep infection. The TinyLoader downloader was then loaded by Vawtrak to download more shellcode—finally triggering AbaddonPOS.

AbaddonPOS is only around 5KB in size but has been fitted with anti-analysis and obfuscation techniques to prevent manual and automatic analysis.

For example, it uses a CALL instruction to hinder static analysis.

Most of the malware’s code is not obfuscated, however, except for the code used to encode and transmit stolen credit card data.

It then relies on a custom binary protocol to exfiltrate the stolen data, rather than HTTP.  

The firm concluded:

The practice of threat actors to increase their target surfaces by leveraging a single campaign to deliver multiple payloads is by now a well-established practice. While using this technique to deliver point of sale malware is less common, the approach of the US holiday shopping season gives cyber-criminals ample reason to maximize the return on their campaigns by distributing a new, powerful PoS malware that can capture the credit and debit card transactions of holiday shoppers.

AbaddonPOS isn’t the only piece of malware set to cause problems for retailers as they prepare for the busy Christmas shopping period.

Cherry Picker has been active since 2011 but remained under the radar thanks to its highly covert nature, according to Trustwave.

The POS malware apparently cleans itself from an infected system once it has found what it was looking for, using remote software TeamViewer to remove and overwrite files and logs.

Source: Information Security Magazine

Google Preps New Service after Global Email Encryption Warning

Email encryption is getting better but certain countries are deliberately preventing SSL requests from initiating, undermining industry efforts, according to a new report from Google.

The study, in partnership with the University of Michigan and the University of Illinois, reveals that overall email security is better than it was two years ago.

For example, the number of encrypted emails received by Gmail from non-Gmail senders during the period increased from 33% to 61%.

In addition, the percentage of messages encrypted with TLS sent from Gmail to non-Gmail addresses increased from 60% to 80%.

And over 94% of inbound messages to Gmail were said to have carried some form of authentication.

But there were also causes for concern, as Google wrote in a supporting blog.

“First, we found regions of the internet actively preventing message encryption by tampering with requests to initiate SSL connections. To mitigate this attack, we are working closely with partners through the industry association M3AAWG to strengthen ‘opportunistic TLS’ using technologies that we pioneered with Chrome to protect websites against interception.

Second, we uncovered malicious DNS servers publishing bogus routing information to email servers looking for Gmail. These nefarious servers are like telephone directories that intentionally list misleading phone numbers for a given name. While this type of attack is rare, it’s very concerning as it could allow attackers to censor or alter messages before they are relayed to the email recipient.”

In Tunisia, Iraq, Papua New Guinea, Nepal, Kenya, Uganda and Lesotho, over 20% of emails are delivered without encryption because computers force communication in plain text. In Tunisia the figure is above 96%.

This so-called “STARTTLS stripping” happens on over 60% of the 700,000 SMTP servers Google found in the world that are still failing on encryption.
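The STARTTLS-stripping downgrade described above can be resisted on the sending side. The following Python is an added example, not code from Google, the researchers or the article: it parses an SMTP EHLO reply and applies a small policy that refuses to fall back to plaintext for a host that has previously been seen offering STARTTLS (trust on first use) or that the operator has listed as TLS-required; it also goes slightly beyond the article by flagging the documented tampering variant in which the STARTTLS keyword is overwritten with a run of X characters. The host names, reply texts and the `required` set are constructed assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample EHLO replies (not captured traffic). EHLO_OK is a normal
# reply from a server that offers STARTTLS; EHLO_STRIPPED is the same server
# as seen from a path that drops the STARTTLS line entirely; EHLO_MANGLED shows
# the documented variant where a middlebox overwrites the keyword with X's so
# the client no longer recognises it.
EHLO_OK = (
    "250-mx.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_STRIPPED = (
    "250-mx.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 35882577\r\n"
    "250 8BITMIME\r\n"
)
EHLO_MANGLED = (
    "250-mx.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 35882577\r\n"
    "250-XXXXXXXX\r\n"
    "250 8BITMIME\r\n"
)

_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply: str) -> Tuple[int, List[str]]:
    """Parse an RFC 5321 EHLO reply into (status code, extension keywords).

    Continuation lines carry "250-"; the final line carries "250 ". The first
    line is the server greeting; every later line names one extension.
    """
    code = None
    extensions: List[str] = []
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    for index, line in enumerate(lines):
        match = _REPLY_LINE.match(line)
        if not match:
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        code = int(match.group(1))
        if index > 0:
            words = match.group(3).split()
            extensions.append(words[0].upper() if words else "")
        if match.group(2) == " ":
            break  # last line of a multi-line reply
    if code is None:
        raise ValueError("empty EHLO reply")
    return code, extensions


def looks_tampered(extensions: List[str]) -> bool:
    """A keyword made only of X's is a fingerprint of in-transit overwriting."""
    return any(ext and set(ext) == {"X"} for ext in extensions)


class StarttlsPolicy:
    """Decide what a sending MTA may do after reading a peer's EHLO reply.

    Plain opportunistic TLS falls back to plaintext whenever STARTTLS is
    absent, which is exactly what stripping exploits. This policy remembers
    every host that has offered STARTTLS before and also accepts an assumed
    operator-maintained set of hosts for which TLS is mandatory; for either
    it refuses to downgrade instead of sending in the clear.
    """

    def __init__(self, required: Set[str] = frozenset()) -> None:
        self.required = set(required)
        self.seen_starttls: Dict[str, bool] = {}

    def decide(self, host: str, ehlo_reply: str) -> str:
        code, extensions = parse_ehlo(ehlo_reply)
        if code != 250:
            return "refuse"  # EHLO itself failed; send nothing
        if looks_tampered(extensions):
            return "refuse"  # active tampering on the path: never downgrade
        if "STARTTLS" in extensions:
            self.seen_starttls[host] = True
            return "tls"
        if host in self.required or self.seen_starttls.get(host, False):
            return "refuse"  # STARTTLS silently vanished: suspected stripping
        return "plaintext"  # never seen TLS here: opportunistic fallback
```

A real MTA would persist `seen_starttls` across runs and surface each "refuse" decision to monitoring, since a sudden cluster of refusals toward one destination is the observable symptom of the regional tampering the report describes.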

The Mountain View giant said that, to help notify users of possible dangers, it is looking to roll out new functionality which will alert them when they receive an email through a non-encrypted connection.

Source: Information Security Magazine