Cyber Threat Insider Blog

New Brand, New Insights

February 1, 2021

Dear Reader,

In December 2019, Verint announced plans to separate into two independent publicly traded companies. As of today, the Verint Cyber Intelligence division will become a standalone company traded on the Nasdaq stock exchange and rebranded as Cognyte Software.

As part of the transition, we will continue to publish our posts on the Cognyte blog and our Twitter feed will now be updated through the Cognyte account.

We will keep you updated with professional insights under the Cognyte brand and we look forward to continue our engagement.

How to Avoid 2020 Online Shopping Threats

November 19, 2020

The shopping season is upon us and as in previous years, cybercriminals are preparing multiple ways to target the online shopping community, including phishing attempts to steal financial details, malspam campaigns distributing malware and more. In fact, while examining the credit card trade in the Dark Web during 2019, we discovered that the highest number of stolen cards offered for sale on dedicated marketplaces was in November 2019 with over 32M cards, although we should take in consideration that there are duplications of data, since it is likely that cybercriminals will try to sell the stolen data in multiple marketplaces.

In this post we will provide you with some tips for ensuring a secure shopping spree and we will also take a look at recent attacks and how attack groups operate to target online shoppers and vendors.

Are you shopping online this season? Here are essential Do’s and Don’ts for you:

Be extra aware of phishing attacks, especially with emails requesting you to verify or update your account details, register to get a free item or a coupon, etc.
Verify the URL address of the platform you are about to buy from – make sure the URL address of the official website of the desired brand.
Check that the platform you are shopping on to purchase goods is secured – look for an HTTPS URL, a trusted certificate, etc.
Do not open attachments sent from unknown sources, especially ones requesting to enable macro or editing permissions in order to open them.
Avoid clicking on ads of any kind, especially during the shopping season.
Do not download apps from unofficial App stores, especially shopping-themed apps.
Check apps permissions and update your mobile operating system on a regular basis.
Use 2FA or OTP protocols if provided by the service vendor.

What you see isn’t always what you get: Scam Websites and Fake Domains

Fake domains of popular brands can be used in spam or phishing campaigns that are carried out via mail, SMS, social media platforms and more. In last year’s shopping season, 124,000 suspicious domains were detected, abusing names of 26 brands. The most targeted brands were Apple, Amazon and Target.

This year, we researched how many domains with the word “Amazon” were registered during the first week of November 2020. We detected over 600 of recently registered domains with no official connection to Amazon in their registration details. Although it seems that many of them are not yet “operational”, as they do not lead to an active website, some of them sure look suspicious, for example: verification-amazonservices.com (detected as a phishing website via several AVs), account-verificationamazon.com, amazon-login-verify.com (detected as suspicious by one AV) and even amazon-black-friday.com (first created in 2010 and is being re-registered each year since then).

Scam websites usually use a similar web design and interface to the legitimate online shopping platforms, and therefore it is recommended to check the website’s domain or URL address before purchasing goods using your credit card.

A fake website of Taobao, a Chinese online shopping platform (the upper one) and the legitimate website (bottom)

Keep your systems updated to avoid E-skimming attacks (AKA: Magecart attacks)

E-skimming is one of the most popular ways these days to carry out credit card fraud. Cybercriminals usually exploit a vulnerability in the e-commerce or online payment platform (usually in third parties’ components), in order to inject a malicious code that will capture the user’s credit card data and send it the its operators. Once they hold the data, cybercriminals will probably sell it in the Dark Web or use it to make additional purchases.

Magecart is the name given for this type of attack and to cybercriminals that usually target platforms running outdated versions of Magento (while exploiting flaws, such as CVE-2017-7391 and CVE-2016-4010 in Magento) and use a malicious JavaScript code embedded into the compromised platform. In fact, Magecart attacks are so common that in September 2020, it was reported that approximately 2,000 e-commerce platforms were targeted in one weekend.

Additional ways to carry out e-skimming attacks are by accessing the e-commerce network, using administrative credentials. These can be obtained via phishing, brute-force attacks, or a cross-site scripting attack that redirects users to a malicious website with a JavaScript code. Access to networks of online shopping platforms are also traded on Dark Web forums, allowing threat actors to gain access to databases containing users’ details.

Cybercriminal offers access to a shopping platform on the Dark Web. This can be also used for e-skimming attacks. Source: Verint LUMINAR

Of note, nation-state groups were also spotted using this attack vector in the wild. In July 2020, researchers found that the North Korean group Lazarus was behind a serial of Magecart-style attacks against multiple e-commerce stores around the world.

Therefore, it is vital for organizations that operate online payment platforms to keep them updated and secured. We really can’t stress this enough. It is also recommended to use tools that will help detect such malicious injections and monitor suspicious activities in order to block them on time.

The spamming season: Spam campaigns are used for malware distribution

In the shopping season of 2018, a massive spam campaign distributing Emotet, targeted online shoppers worldwide, especially in North and Latin America and the UK. Emotet is an infamous malware, active since 2014, that was first detected as a banking Trojan, but these days it is often used as a downloader or a dropper for additional Trojans or even ransomware. It is usually distributed via worldwide spam campaigns and malicious attachments that request users to unable Macros. During last year’s shopping season, approximately 130 million malware attacks and ~640,000 ransomware attacks were detected in the US. Based on what we’ve seen in the past few years, it is expected that malware operators will try to lure victims via shopping-themed emails and malicious attachments.

The world goes mobile: The rise in malicious mobile apps

Each year, malicious shopping-themed apps target unaware users during the shopping season, which is why it is recommended to download mobile apps from official platforms and to check the reviews. However, in January 2020, a new Trojan dubbed “Shopper” was spotted leaving fake applications reviews on Google Play, on behalf of the infected device’s owner, leaving users with no trust in apps rating. The Trojan was also detected turning off the Google Play Protect feature, in order to download additional apps without safety checks, using the victim’s Google or Facebook account to register to popular shopping and entertainment apps, spreading advertisements, etc. Infections were spotted worldwide, including in Russia, Brazil and India.

Additional malicious shopping season-themed Android apps were spotted in 2019 luring users with coupons, discounts and other shopping hacks. Some of them were detected sending sensitive information from the infected devices to their operators or containing adware used to spread malicious advertisements.

To conclude, the shopping season is open for all, including cybercriminals who are trying to maximize their gain. Awareness is the key when it comes to what shoppers can do to keep safe, whereas vendors need to take additional measures during these times to avoid financial loss, reputational damage and customer abandonment.

COULD A CYBER-ATTACK ON E-VOTING SYSTEMS AFFECT THE UPCOMING US ELECTIONS?

October 27, 2020

Yes it can. With the US elections just around the corner, we thought this would be a good opportunity to talk about cybersecurity risks of election processes, as more and more elections around the world, are turning into electronic voting (or e-voting) systems.

The first electronic voting systems for electorates were introduced in the 1960s, with the debut of the punched card systems. E-voting systems have evolved over time as technology advanced, and nowadays include Direct Recording Electronic voting machines, optical scanners, ballot marking devices, electronic poll books and online voting over the Internet.

As with all things digital, e-voting systems are too, exposed to hacking and cyber-attacks. Unfortunately, a successful interference with electronic voting, can jeopardize the democratic process and impact a nation’s fate. In this post we review the different cyber risks to be addressed when running, or considering, electronic voting processes.

FROM EXPLOITING VULNERABILITIES TO TAKING ADVANTAGE OF UNSECURED SYSTEMS

If the e-voting systems have vulnerabilities that can be exploited or if they are unsecured and exposed, malicious actors have what to gain. Hackers can launch cyber-attacks that could compromise the systems’ networks, perform supply chain attacks, place remote access software and modems on the specific e-voting system, which could provide attackers with a port of entry to the system, and more.

While exploring different systems from different vendors, we were able to establish some commonalities in the issues affecting these systems. Many of the vulnerabilities found involved exposed and unsecure ports that could be leveraged by physical attackers; the use of old, outdated and vulnerable software; some vulnerabilities pertained to the use of storage cards and disks that could allow attackers to infect the e-voting systems with malware; and finally, several vulnerabilities exploited cryptographic weaknesses.

Evaluating the risk of e-voting systems providers should be a high priority before elections.

VOTERS DATABASE – THE FRAUD AND IDENTITY THEFT JACKPOT

Another significant risk of e-voting systems is through their access to voters’ databases. A vulnerable or unsecure system can become a gateway to a voters’ database. In addition, if the voters’ database resides in an unsecure location, attackers can gain access to that database using various attack methods. The motivation for this type of fraud and identity theft, can either be in context of the election, to influence results, or in general for other cybercriminal activities.

Our analysts have identified multiple examples of discussions and demand for different voters’ databases on the Dark Web. Access to this type of cyber threat intelligence that indicates such risk to your voters’ database in advance, can help prepare and prevent potential attacks.

Post sharing North Carolina database. Source: Verint LUMINAR

VENDORS’ EMPLOYEES DATABASE – AN ENTRANCE TO TAMPERING?

In addition to vulnerabilities in the e-voting systems, election results can be affected if malicious actors gain access to an exposed or unsecure database of employees’ accounts. In such a case, hackers can use the employees’ accounts to gain access to the vendor’s internal network. With that kind of access, if the vendor is also responsible for creating ballot-definition programming files, malicious actors could interfere with how the e-voting machines apportion votes based on the voter’s selection on the touchscreen or mark on the ballot for some of its customers.

INSIDER THREAT – WHEN AN ELECTION EMPLOYEE GOES ROGUE

The concept of insider threat is not new. We have seen cyber incidents caused by a frustrated employee or an ex-employee seeking revenge. When it comes to employees with access to e-voting systems, there are additional, political motivations involved. During our investigations on the Dark Web, we see discussions about e-voting systems and we have recently come across a specific case, where a poll worker was discussing the technical details of the voting device used at his polling station, mentioning a flaw affecting the device.

Insiders with access to the e-voting systems and the technical knowledge of how these systems work or where they are vulnerable, can become a risk that should be addressed. Monitoring the Dark Web and other threat intelligence activities, can reveal insider threat.

Technical flaw in Dominion ImageCast machine discussed on Telegram by election inspector. Source: Verint LUMINAR

WHAT CAN WE LEARN FROM PAST CYBER-ATTACKS AGAINST E-VOTING SYSTEMS?

Two recent e-voting cyber incidents were the attack supposedly conducted against Russian Blockchain-based online voting systems in June 2020, and the attack against the American vendor VR Systems, ahead of the 2016 US presidential election.

According to reports, Russia’s Blockchain-based voting system was attacked amidst the voting process on the proposed constitutional amendments that took place between June 25, 2020, and June 30, 2020. On June 27, 2020, an attempt to attack the online voting system through an election observer’s node was detected. The reports did not reveal how the attack was carried out. However, although government officials confirmed the reports, they have stressed out that the attack did not result in system malfunction, and that all votes recorded on the Blockchain were valid. In addition, voters reported about other issues during the voting period.

In the case of the 2016 US presidential elections, Russian threat actors were accused of hacking the systems of VR Systems, the US voting systems and software vendor, whose e-voting products are used in eight US states. These are the same Russian threat actors that were accused of hacking the computers of the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and the email accounts of employees involved in Hilary Clinton’s campaign. In mid-2017, a classified report prepared by the US National Security Agency (NSA), about a lasting cyber-attack campaign that targeted elements involved in the US 2016 elections, including the voting infrastructure provided by VR systems, was disclosed to the media.

To conclude, there are multiple types of threats and threat actors devoted to gaining from cyber-attacks involving e-voting systems and e-voting systems vendors. From insiders with access to such systems, through cybercriminals who trade in voter databases, to nation-state hacker groups that employ creative means to influence the democratic process of elections.

Given the fact that many of the e-voting systems are often not regularly updated and risk having vulnerabilities, these systems present a clear cybersecurity risk worldwide. Accurate, targeted cyber threat intelligence has a significant impact, when it comes to preventing e-voting systems cyber threats.

For more information, click here to learn more about LUMINAR.

ARE RUSSIAN CYBERCRIMINALS OFFERING HACKING SERVICES IN CHINA ?

October 14, 2020

On July 27, 2020, a group of threat actors published a post in the advertisement section of a prominent Chinese Darknet marketplace offering hacking services. Hacking-as-a-service offers appear frequently on Chinese underground platforms, and many actors publish these services – accompanied by varying degrees of details – on both Clearnet hacking forums and Darknet marketplaces. However, what makes this offer unique is the identification of the actors, who claim to be Russian.

WHAT INDICATES THAT THE HACKERS ARE REALLY RUSSIAN ?

Several linguistic features suggest the actors are indeed non-native Chinese speakers. First, they use anachronistic vocabulary and terms rarely seen in contemporary Chinese online chatter, which is common on these forums. Two examples are the use of the term 万维网 for “World Wide Web,” and the rare version of the word “hacker” 骇客 (pronounced haike, instead of the commonly used term 黑客, pronounced heike); Second, some sentences are oddly phrased, using a combination of wrong vocabulary and/or unnatural syntax or formulation, giving the impression the text was translated from a foreign language, possibly via a machine-translation tool; Third, there are linguistic inconsistencies in the group’s posts on the forum: whereas most of the posts are written in simplified Chinese characters, used in mainland China, one is written in traditional Chinese characters, used in Taiwan and Hong Kong – this transition by the same writer is very uncommon. Furthermore, different variations of the same word or term are used simultaneously in the same post.
Contact details include several Telegram, QQ and Jabber accounts, with the former two widely used by Chinese cybercriminals and hackers selling their services. However, in addition to those, they also offer their services via Yandex email service, which is rarely used outside of Russia and the former Soviet Union countries, and even less so by Chinese users. This corroborates the assumption that these actors are not Chinese, and may indeed be Russian, as they claim to be.

The post from July 27, offering “high quality hacking services”, as appeared on the Chinese Darknet marketplace. The sentence highlighted in yellow reads: “we come from Russia”. Source: Verint LUMINAR

THE THREAT ACTORS’ OFFERING

The hacking services on offer are listed in more detail in another post by the same threat actors, published on this marketplace on June 15, 2020. The list of services includes:

Web penetration and data extraction. The actors state they have mastered the structure and special features of the main database types, such as MySQL, MSSQL, Oracle and PostgreSQL.
Obtaining web shells by exploiting major vulnerabilities, such as CMS, WP and Joomla, among others.
Cracking of software and encrypted files; secondary packaging and unpacking.
Software and source code secondary development.
Various web security-related services, such as penetration tests, code design, vulnerability scanning, emergency response, alerts and web security training, among others.

The post from June 15 listing the services this group offers. Unlike other posts by these actors, this post was written in Traditional Chinese characters. Source: Verint LUMINAR

In addition to these two posts offering hacking and web-security services, in two other posts from May and June 2020, these actors also offer for sale, bots for boosting the number of “friends” and “followers” on social media networks, as well as SMS-bombing services and tools.

Finally, in recent months, we have noticed an increasing trend of Chinese threat actors operating on non-Chinese platforms. They typically use their linguistic skills and familiarity with Chinese underground platforms to make easy profits by offering data sold exclusively on Chinese platforms (usually Darknet marketplaces and Telegram groups) on English-language platforms outside China for a higher price. However, it is highly unusual to see non-Chinese actors actively operating on Chinese-language platforms. If the actors’ claim of being Russian is indeed correct, this is a relatively novel and unusual phenomenon worth noting.

WILL THE NEW SHAREPOINT FLAW BECOME AN ACTORS’ FAVORITE?

September 13, 2020

Attacking SharePoint servers is a popular threat, apparently because in many cases the SharePoint servers are integrated in the Active Directory service. Gaining access to the Active Directory allows attackers to gain a foothold inside the victim’s network. Furthermore, since SharePoint servers are exposed to the internet, attacks can be executed relatively easily. As an example, the CVE-2019-0604 SharePoint vulnerability, disclosed and patched in 2019, has gained popularity among threat actors, who have exploited it in different attacks since it was published. This is particularly true among nation-state actors (such as the Chinese nation-state Emissary Panda group). The vulnerability even became one of the ten most exploited vulnerabilities between 2016 and 2019, according to authorities in the US. Therefore, we estimate the new CVE-2020-1147 SharePoint vulnerability, patched in July 2020, may gain similar popularity among same threat actors, stressing the importance of applying the security update fixing this vulnerability as soon as possible.

CVE-2020-1147: NEW AND DANGEROUS

During July 2020, Microsoft patched a critical remote code execution vulnerability (CVE-2020-1147) affecting Microsoft SharePoint servers (CSVV score: 7.8).

The vulnerability resides in two .NET components, namely DataSet and DataTable, used for managing data sets, and stems from the fact that the software fails to check the source markup of XML file input. An attacker can exploit the vulnerability by uploading a specially crafted document to a server using a vulnerable product to process content. In addition, the vulnerability also affects the .NET Framework and Visual Studio. Since the vulnerability was disclosed, a security researcher published a technical analysis that includes an explanation on how it works, and demonstrates how even an attacker with low privileges can exploit it to execute code remotely on a vulnerable SharePoint server. Although the researcher did not provide a full PoC exploit code that can be used to deploy an attack, his analysis included a detailed explanation of the different stages required for exploiting the vulnerability, which can be used by potential attackers to build an exploit script. Of note, we observed that the researcher’s analysis was already shared on several Dark Web hacking forums.

A technical analysis regarding the new SharePoint vulnerability (CVE-2020-1147) shared on the Dark Web

Both Microsoft and the researcher emphasized the utmost importance of applying the patch as soon as possible, and stressed that the vulnerability exists in several additional .NET-based applications, and could therefore be exploited against additional products besides SharePoint, so even if an organization does not use SharePoint, it can still be affected by this vulnerability and exposed to attacks.

SHAREPOINT VULNERABILITIES GAIN POPULARITY AMONG NATION STATE ACTORS

The previous CVE-2019-0604 vulnerability in SharePoint allows attackers to execute arbitrary code remotely. The vulnerability stems from a failure to check the source markup of an application package and can be exploited by uploading a specially crafted SharePoint application package to a vulnerable version of SharePoint. The vulnerability was addressed and patched in February 2019.

We identified that mostly Chinese and Iranian state-sponsored groups exploited the previous SharePoint vulnerability (CVE-2019-0604) against multiple sectors around the world, and therefore it is highly possible the same threat actors will exploit the new vulnerability (CVE-2020-1147) as part of future campaigns. Throughout 2019-2020, we identified attacks against North America, Europe, Australia and the Middle East exploiting this vulnerability, targeting mainly government agencies, energy companies, International organizations, and academic institutions.

In May 2019, two different campaigns exploiting this vulnerability were uncovered. The first campaign, which focused on the technological and academic sectors in Canada, exploited the vulnerability to install the known China Chopper WebShell, active since 2012, mostly in the hands of Chinese threat actors. The second campaign, which targeted organizations in Saudi Arabia, also exploited the SharePoint vulnerability to install the China Chopper WebShell on all the folders on the victims’ SharePoint servers, and then distributed additional malware to collect information from the infected network.

Later, researchers discovered that the Chinese APT group Emissary Panda exploited this vulnerability to install WebShells on vulnerable SharePoint servers of government entities in two different Middle Eastern countries.

The researchers found code overlaps between the WebShells installed on the vulnerable SharePoint servers of the government entities in the Middle East and those used in the attacks against Canada and Saudi Arabia.

In December 2019, details emerged about a new data wiper malware named ZeroCleare that targeted the energy and industrial sectors in the Middle East. The malware was apparently developed by two Iranian APT groups – OilRig (also known as APT34) and xHunt (also known as Hive0081.) First, the attackers used brute-force to gain initial access to the targeted network, and then exploited a vulnerability in SharePoint to install different WebShells (such as China Chopper and Tunna) and move laterally across the network and wipe data from the disk. Although the researcher did not disclose the CVE identifier of the vulnerability, due to the similarities between this attack and the campaigns described above, we estimate this is possibly the same vulnerability – CVE-2019-0604. Either way, this attack demonstrates the popularity of SharePoint vulnerabilities among threat actors, and especially nation-state backed actors.

CYBER ATTACKS USING SHAREPOINT FLAWS DURING 2020

Even though this is a vulnerability from 2019, reports about its exploitation continued into 2020. For example, at the end of January 2020, it was reported that the UN offices in Geneva and Vienna had fallen victim to a cyber-attack that affected dozens of their servers and resulted in a data leak. The attack was described as sophisticated, and nation-state threat actors are believed to be behind it. The incident was discovered after an internal UN document was leaked to the press. According to this document, the attackers may have exploited the CVE-2019-0604 vulnerability during the attack.

In April 2020, authorities in the US and Australia issued an advisory warning regarding an increase in the exploitation of vulnerable web servers by malicious actors to install WebShells to gain and maintain access to victims’ networks. The advisory explores the most popular and common vulnerabilities exploited by threat actors to install WebShells, with one being the Microsoft SharePoint CVE-2019-0604 vulnerability. Later, in May 2020, US authorities published an advisory detailing the ten most exploited vulnerabilities between 2016 and 2019, which included the CVE-2019-0604 SharePoint vulnerability.

Finally, in June 2020, Australian authorities published an advisory alerting of an increase in cyber-attacks against Australian companies and government entities, executed by nation-state actors, supposedly from China. According to the advisory, the attackers exploited known remote code execution vulnerabilities affecting Internet-facing systems in an attempt to gain initial access and infect the victims’ network with the PlugX malware, used by multiple Chinese APT groups in the past. One of the vulnerabilities exploited by the attackers for this purpose was the CVE-2019-0604 SharePoint vulnerability.

Finally, we estimate that we will soon witness the new SharePoint vulnerability (CVE-2020-1147) exploited in different cyber-attacks and nation-state campaigns around the world.

GLOBAL RANSOMWARE ATTACKS IN 2020: THE TOP 4 VULNERABILITIES

August 20, 2020

Our team recently investigated the prominent ransomware attacks reported since the beginning of 2020 in order to draw general conclusions about these attacks and to reveal commonalities between them. We also wanted to better understand the threat they pose and how to protect against it. While examining approximately 180 different ransomware incidents, we found that the most targeted sectors were Technology (11%), Government (10%), Critical Infrastructure (8.6%), Healthcare and Pharmaceutical (8%), Transportation (7%), Manufacturing (6%), Financial Services (5%) and Education (4%). It was also found that Sodinokibi/REvil, Maze and Ryuk are the most active ransomware strains.

A very interesting finding our investigation uncovered was that the operators behind these ransomware attacks commonly abused four notable vulnerabilities, that will be elaborately discussed in this blog post. This highlights the importance of timely installation of security updates as a defense mechanism to minimize the risk of ransomware and other malware attacks.

Here they are: The four top vulnerabilities abused in 2020 ransomware attacks (ordered from the most abused one):

CVE-2019-19781
CVE-2019-11510
CVE-2012-0158
CVE-2018-8453

Let’s take a closer look:

CVE-2019-19781

The CVE-2019-19781 vulnerability affects remote access appliances manufactured by Citrix, whose products are used by numerous organizations. The vulnerability was publicly disclosed at the end of December 2019 and fixed a month later. The vulnerability affects Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC. Successful exploitation of the vulnerability could allow an unauthenticated attacker to connect remotely and execute arbitrary code on the affected computer.

Since the vulnerability was disclosed, it was successfully exploited by threat actors in a significant number of incidents. In January 2020, security researchers reported the REvil gang leveraged the vulnerability in its attack against the Gedia Automotive Group. No technical details about the attack were disclosed, but from the information published by the attackers, it appears the company used the vulnerable products. The Ragnarok ransomware gang also exploited this vulnerability in January 2020. The attackers exploited the vulnerability to download scripts and scan the targeted system for computers vulnerable to the EternalBlue vulnerability.

In February 2020, the cloud company Bretagne Telecom reportedly suffered a cyber-attack by cybercriminals operating the DopplePaymer ransomware. The DopplePaymer gang stated it carried out the attack in the first half of January 2020, when a fix for the vulnerability had still not been released. This suggests the attackers discovered the vulnerability even earlier. At the end of March 2020, it was reported the MAZE ransomware gang had also leveraged the vulnerability in an attack on the cyber insurer company, Chubb.

In a different incident from the beginning of June 2020, it was reported that the IT services giant, Conduent, had also fallen victim to a MAZE gang ransomware attack. According to reports online, MAZE targeted a Citrix server of the company that was not patched or properly updated. On June 22, 2020, it was reported that the Indian conglomerate, Indiabulls, had suffered a cyber-attack carried out by the CLOP ransomware operators. Cyber security company Bad Packets reported that Indiabulls used Citrix NetScaler ADC VPN Gateway, which was vulnerable to CVE 2019-19781. However, the company did not confirm this vulnerability was exploited in the attack. Recently, the New Zealand CERT (CERT NZ) reported that many threat actors are leveraging this vulnerability, and the Nephilim ransomware gang may have also attempted to exploit it.

CVE-2019-11510

The CVE-2019-11510 vulnerability affects VPN Pulse Secure products. It allows attackers to remotely access the targeted network, remove multi-factor authentication protections and access the logs that contain cached passwords in plain text. Although the vulnerability has already been publicly disclosed for some time now and patched back in April 2020, many organizations have not yet patched it and remain exposed to attacks.

In recent months, the vulnerability was reportedly successfully exploited in a number of ransomware attack incidents. In two incidents, the attackers gained domain admin privileges and used an open-source remote access software, VNC, to perform lateral movement on the targeted network. Then, the attackers turned off security software and infected the system with the REvil ransomware. The most notable ransomware attack affected Travelex at the end of December 2019. The company did not patch its VPN solution, which allowed the REvil ransomware gang to carry out a successful attack that paralyzed the company’s systems for a number of weeks, persisting into 2020.

In another incident reported in April 2020, the IT systems of several hospitals and government entities in the US were infected with an unknown ransomware by nation-state threat actors. In addition, in June 2020, the operators of the Black Kingdom ransomware reportedly attempted to exploit the vulnerability as well.

CVE-2012-0158

The CVE-2012-0158 is an old vulnerability in Microsoft products, but is still one of the most exploited vulnerabilities in recent years, according to the US CERT. In December 2019, our team also reported that it is one of the top 20 vulnerabilities to be patched before 2020, based on the number of times it has been exploited by sophisticated cyber-attack groups operating in the world today. The vulnerability allows the attacker to remotely execute code on the victim’s computer through a specially crafted website, Office or .rtf document.

In recent months, security researchers reported exploitation attempts for the CVE-2012-0158 vulnerability in COVID-19-related attacks. The researchers reported attack attempts against medical and academic organizations in Canada. One of the campaigns included infection attempts with the EDA2 ransomware, a strain of a wider ransomware family, known as HiddenTear. The attackers used an email address that resembles and imitates the legitimate address of the World Health Organization. The phishing emails sent to the targeted organizations contained malicious files designed to exploit this vulnerability to execute code remotely and infect them with the ransomware. An additional phishing campaign attempted to infect victims from the above mentioned organizations with a ransomware dubbed RASOM.

CVE-2018-8453

The CVE-2018-8453 resides in the win32k.sys component of Windows, since it fails to properly handle objects in memory. A successful exploitation can allow an attacker to run arbitrary code in kernel mode, install programs; view, change, or delete data; or create new accounts with full user rights.

The Sodinokibi/REvil ransomware was first spotted exploiting CVE-2018-8453 in 2019 in multiple attacks in the Asia-Pacific region, including Taiwan, Hong Kong, and South Korea. In July 2020, it was reported that it was exploited again by the same ransomware gang against Brazilian-based electrical energy company Light S.A. The attackers first demanded a ransom of 106,870.19 XMR (Monero), and after the deadline has passed the ransom doubled to 215882.8 XMR, which amounts to approximately $14 million.

SUMMING UP: THE PATCHING PARADOX

In an ideal world, organizations would patch every new vulnerability once it’s discovered. In real-life, this is impossible. Security analysts responsible for vulnerability management activities face multiple challenges that result in what the industry calls “The Patching Paradox”: common sense tells you to keep every system up to date in order to be protected, but this is not possible due to limited resources, existence of legacy systems and slow implementation of patches. The goal of this analysis is to provide security professionals with an incentive to improve their patching management activities.

PERSONAL DATA OF TAIWAN’S ENTIRE POPULATION FOR SALE

June 30, 2020

A May 2020 media report disclosed that a Taiwanese database containing personal data from over 20 million citizens (Taiwan’s entire population) was posted for sale on the Dark Web. According to researchers, the source of the leak is governmental and originates from the Department of Household Registration, under the Ministry of Interior.

The sale offer was posted on May 19, 2020 in an English language underground Dark Web marketplace. The seller indeed claimed the database contains data of the entire country’s citizens and attached a sample where one can see each line in the database is arranged by full name, landline number, ID number, home address and sex. The seller has offered to sell the database for US$ 2,500.

Taiwan’s Population Database for Sale
Source: Verint Luminar

NOT THE FIRST TIME WE’VE SEEN SUCH AN OFFER

Although this database leak was defined by the above reports as unique, this is not the first time we have seen an offer for a database consisting of personal information for the entire population of Taiwan. In Chinese sources, such offers have appeared since August 2018 at least. Our findings, detailed below, may imply the database offer is in fact a resell of a previous database offered several times in the past in Chinese underground sources. These findings show the flow of data from one underground arena to another and stress the importance of multi-language monitoring across various sources to get a full picture of the origins of leaked databases.

THE TAIWANESE DATABASE ON THE CHINESE DARK WEB

Our first indication of a Taiwanese population database was in August and September 2018. In August 2018, an offer appeared on the Chinese Darknet marketplace to sell a Taiwanese population database consisting of the full names, landline numbers, gender and home addresses of 21,141,314 people.

Taiwan’s Population Database for Sale, August 2018
Source: Chinese Dark Web marketplace

About a month later, an actor who has offered several other major database leaks on the same Chinese language Darknet marketplace (including the Marriott database), offered a full database of the Taiwanese population, consisting – according to him – of approximately 25 million lines of data, claiming the data was updated to September 2017.

Taiwan’s Population Database for Sale
Source: Chinese Dark Web marketplace

Since then, similar offers have occasionally appeared in both the Darknet marketplaces and other underground chat groups operating on Telegram.

SIMILARITIES BETWEEN LEAKED SAMPLES SHARED ON THE DARK WEB

According to our research, the last time a similar offer was published was January 2020, when an actor on a Chinese Darknet marketplace offered a 25 million line Taiwanese population database containing – once more by that order: full names, landline telephone numbers, ID numbers, home addresses and sex. The actor also attached a short sample to prove the authenticity of the database. According to the marketplace’s inner data, this transaction was completed twice, meaning two different actors have purchased the database since. Of note, the same actor also offered the same database in April 2019, attaching a similar sampler. The two screenshots below show the two offers, from January 2020, and April 2019.

Offer to Sell Taiwan’s Full Population Database, Containing ~25 million Lines, January 2020. Source: Chinese Dark Web Marketplace

Similar Offer from the Same Actor, April 2019
Source: Verint Luminar

The two samples attached to the offers – the two Chinese posts from April 2019 and January 2020 and the English post from May 2020 – show different names but look strikingly similar. The pattern of the data is identical, and it is arranged in the exact same order: full name, landline number, ID number, home address and sex. Furthermore, the current seller admitted he obtained the data in 2019, which is in line with the date the same offer was published on a Chinese marketplace.

All the above leads us to conclude the current offer of the Taiwanese population database is an attempt to resell the same database leaked in the past in Chinese underground platforms. As the asking price for the data sold on the Chinese platform was merely US$ 200, whereas he offered the same database for US$ 2,500, we believe it is highly probable this actor acquired the database on the Chinese marketplace and then tried to make an easy profit from actors operating on other platforms who do not have access to the Chinese marketplace and/or cannot read Chinese.

THE SELLER HAS OTHER ACTIVITIES ON THE DARK WEB

According to our analysis, the seller was seen operating under the same nickname on a Chinese Telegram underground chat group, a Russian Clearnet hacking and fraud forum, and two English-language Darknet forums.

In all instances, he offered credit card user data from China Industrial Bank containing over 460,000 lines. In one of the offers seen below and posted on the English-language forum, the actor quoted a price of US$ 380 for the database.

The China Industrial Bank Credit Card User Database offered on a Chinese Underground Telegram Group

A Similar Offer by the Same Actor Posted on an English-language Darknet Forum for US$ 380
Source: Verint Luminar

BUY IN ONE LANGUAGE, RESELL (FOR A NICE PROFIT) IN ANOTHER

As in the case of the Taiwanese population database, the China Industrial Bank database offered by this actor appeared before in Chinese underground platforms. In March 2020, the offer was posted on a Chinese Darknet marketplace for US$56 (see first screenshot below.) According to this marketplace’s inner data, it was sold 21 times. A month later, in April 2020, it was also offered on a Chinese-language underground Telegram group (see second screenshot below.) This demonstrates a similar modus operandi by this actor, and presumably by many other actors who operate across various, multi-language platforms: acquiring databases in one language (Chinese) and reselling them at higher prices on platforms in other languages.

The Chinese Industrial Bank Database offered on a Chinese Darknet Marketplace, March 2020

The Same Database offered on a Chinese Telegram Group, April 2020. Source: Chinese Darknet Marketplace

DDoS Attacks for Hire: How the Gambling Crave Fuels Cybercrime in China

May 21, 2020

The Forbidden Fruit – Gambling in China

Many card and board games are believed to have originated in Ancient China. Some of these games involved betting and gambling and they have been an inherent part of the Chinese leisure culture for centuries.

This changed when the Communist Party seized power in 1949, declaring gambling a “corrupt, feudal practice” and hence strictly banned by law.

When the Reform and Opening-up policy was introduced in China in the late 1970’s and early 1980’s, the authorities have somewhat released their strong grip on gambling and card games. Gaming and carding parlors (known in Chinese as 棋牌室, literally meaning “chess and card rooms”) sprang up in every street corner and card games and private betting among groups of friends thrived. Despite this, gambling remained illegal outside the two national lotteries (the China Sports Lottery and the China Welfare Lottery) and these establishments were far from satisfying the crave.

What do you do when your Favorite Pastime is Forbidden by Law?

Travel to Casino Hubs Abroad

A partial solution was found overseas. Chinese gamblers have flocked to casinos around the globe and went to neighboring Hong Kong to participate in horse race betting. And then there was Macau – with the help of the Chinese government, the former Portuguese colony just across the border from Guangdong Province has become the world’s largest casino center, surpassing Las Vegas since 2006.

Another casino hub attracting hordes of Chinese gamblers in recent years is the Philippines, where the hosting and entertainment industry, catering to the needs of the Chinese, was booming until the outburst of Covid-19 pandemic. This is manifested in job openings in the Philippines for Chinese nationals, many of which re published in dubious online platforms, such as QQ and Telegram groups dedicated to gambling and fraud as well as in Chinese-language underground forums. Another negative side to this craze is gambling-related crime, which has escalated in the Philippines over the past years.

However, traveling abroad is not accessible to everyone in China with a crave for gambling and even those who do travel, cannot always travel as often as they’d want to. There was a market rip for solutions, and with travel restrictions following the outburst of Covid-19 pandemic, this market’s potential grew even larger.

From Casino Hubs to Online Gambling Arenas

they satisfied the Chinese gambling community for about a decade. Since then, China has outlawed online gambling as well and the active websites are also situated offshore, on servers located outside the country.

These online casinos, gaming websites and gambling arenas cause a big headache to the Chinese Communist Party. If a decade ago the authorities have largely turned a blind eye to this phenomenon, nowadays, with the clear aim to promote a “civilized, harmonious society”, China sees it as a challenge and tries to fight these online platforms. Of course, these moral considerations, important as they may be, are dwarfed by the financial problem, as online gambling is draining hundreds of millions of yuan out of the country. Yet China is finding it hard to stop websites that are registered and operated abroad, especially when the hosting counties, such as the Philippines, are not so keen on cooperating.

Enter Cybercrime

The size of the market is a huge business incentive, creating more and more actors and fierce competition. These online casinos use various methods in order to lure more gamblers onto their websites. One of these methods, is fraud. For example, one of the common frauds that takes place is when fake gambling websites pretend to be official sites of famous casinos in Macau.

But competition does not stop there. In order to gain bigger chunks of online traffic, gambling websites fight and attack one another, and their weapon is – ironically – online traffic.

chinese-gambling-website-1024x519

Chinese Gambling Website Posing as Macao’s Venetian Official Online Casino

The DDoS Fighting Ring

Chinese hackers are more than eager to lend a helping hand. As most state-sponsored cyber activities handled by patriotic hacking groups from the early 1990’s until about a decade ago, are now under the wings of the Chinese intelligence apparatus, many idle hackers have turned into cybercrime, looking for easy profit. This type of cybercrime is mostly directed inbounds.

One of the ways in which Chinese hackers are involved in the online gambling industry is by breaching online casinos and gaming websites, stealing their user data and selling it on Darknet marketplaces or offering it on designated QQ and Telegram groups.

gambling-site-database-leak

Sample from a Gambling Site Database Leak,
Offered for Sale on a Chinese Darknet Marketplace

Another way, which drives a whole underground sector of cybercrime in China, is by conducting DDoS attacks against competitors. These attacks take the gambling websites down and thus, hopefully, drive their customers to the gambling site that ordered the attack.

DDoS has also become a popular weapon for pornography websites and Darknet marketplaces, who launch DDoS attacks against each other. For example, China’s largest online marketplace on the Darknet, has experienced a large-scale DDoS attack during the summer, disrupting its activity for several weeks.

flashing-ads

Flashing Ads on a Chinese Hacking Forum, Offering Tailor-made DDoS Attacks,
among other Hacking Services

The DDoS Chain

The first step in a DDoS attack is to gain control of a large number of computers and other online devices and to turn them into bots, in order to divert huge traffic to the attacked website and thus shut it down. In Chinese hacking slang, these computers are named “broilers” or “meat chickens” (肉鸡). Members of Chinese underground hacking forums constantly offer tools for detecting these “broilers”, namely scanners that trace vulnerabilities in computers and servers. These tools allow the attacker to penetrate these vulnerable devices, implant trojans in them and hence control them remotely. The tools are referred to in Chinese as “Chicken Catchers” (抓鸡) and hackers who operate on those forums trade them between themselves.

broiler-detection

‘Broiler’ Detection Tool Offered on a Chinese Hacking Forum

In addition to buying tools to detect “broilers”, DDoS attackers can also buy these “broilers” directly, as these are sold in bulks on forums and designated QQ/Telegram groups. Based on the number of messages in forums and chat groups, of people requesting to buy “broilers”, it is quite clear they are in high demand.

The customers of the “broiler” market are in turn becoming the suppliers of DDoS attacks and offer their tailor-made services online. Whoever orders the attack can contact the attacker via private messaging, define the target and agree on a price according to the length of the attack and the nature of the attacked website. According to a report published by the Chinese tech firm Tencent, this is what the chain of custom-made DDoS attacks looks like:

DDOS-diagram-1024x595

The Offer: DDoS as-a-Service

The screenshot below, showing an offer posted on a prominent Chinese Darknet marketplace, can shed light on the how these DDoS as-a-service transactions are conducted. It also demonstrates what kind of websites are legitimate targets and which websites are off-limits, for fear of being prosecuted by the authorities. The post reads:

ddos-as-a-service

DDoS as-a-service Offer Posted on Chinese Darknet

Translation:

ddos-as-a-service-translation

Hunting Down Cybercriminals

Chinese law enforcement authorities are well aware of this problem and are relentlessly trying to crack down these cybercriminals and their activities. In late 2018, a man in his twenties from Suining County, Jiangsu Province, was arrested by local authorities, after discovering he had implanted a malicious code, which allowed him to remotely control a local server. During his investigation, he admitted to being part of a team of at least 20 hackers from all over the country that had used “broilers” in order to conduct DDoS attacks by demand.

The team had been involved in more than a hundred DDoS attacks, harming or controlling more than 200,000 websites and earning more than 10 million yuan along the way. Members of the team were arrested across China, yet this only emphasized the magnitude and popularity of the DDoS and DDoS as-a-Service markets, and the success of taking down this cybercriminal operation was merely a drop in the ocean.

Changes in the Threat Landscape under the Global Influence of COVID-19

April 30, 2020

In this report, Verint’s Cyber Threat Intelligence Group (powered by SenseCy) presents an analysis of how the COVID-19 global outbreak changed the threat landscape and how in the case of cyber threats too, the curve has flattened and the number of COVID-19 related cyber incidents, is in decline.

Key Findings

The peak of the curve was in the second half of March 2020, after which we see a decline in the number of COVID-19 related malicious activities.
Malspam and phishing/spear-phishing have been the most popular attack vectors between the 1^st of March and 18^th of April – used in 66.6% of the campaigns analyzed.
The healthcare industry is the most targeted industry when it comes to COVID-19 related attacks, with over 20% of campaigns targeting healthcare organizations.
Out of the four most popular vulnerabilities exploited, one dates back to 2012 (CVE-2012-0158).

To read the full report, click here.

The New SMBGhost Wormable Vulnerability is Gaining Popularity in The Dark Web

March 24, 2020

smbg_cover_1920x960-1024x512

On March 10, 2020, details about a zero-day vulnerability (CVE-2020-0796) affecting the Microsoft Server Message Block (SMB) protocol, were accidentally exposed by security companies. SMB is a network communication protocol responsible for granting shared access to files, printers and serial ports between the different devices on the network.

In this blog post we reveal some of the activities we identified in the dark web and explain why this specific vulnerability has the potential to become a “wormable” attack that can spread fast.

The CVE-2020-0796 vulnerability, which received the moniker SMBGhost, is a buffer overflow vulnerability that exists due to an error in the way the vulnerable protocol handles a maliciously crafted compressed data packet. It could be exploited by a remote, unauthenticated attacker to execute arbitrary code and gain control over vulnerable systems.

In addition, researchers noted the vulnerability could be exploited in a “wormable” attack, in which an attacker could easily and quickly move from one victim on the network to another. In this aspect, this vulnerability resembles the “wormable” CVE-2017-0144 vulnerability, which also affected an earlier version of the SMB protocol (SMBv1) and was exploited during the massive WannaCry and NotPetya ransomware outbreaks in 2017, using the EternalBlue exploit allegedly developed by the NSA and leaked by the Shadow Brokers hacking group in April 2017.

Will the SMBGhost vulnerability lead to cyber-attacks in the magnitude of WannaCry and NotPetya? We don’t know yet. What we do know is that the world is currently in a very different and much more vulnerable place, with the Coronavirus outbreak sending millions of employees to work remotely, in a much less secure environment. The balance between risk and security has shifted.

Time To Patch SMBGhost

As the vulnerability only affects SMBv3, which is the latest version of the SMB protocol that exists only in recent versions of the Windows operation system, only Windows 10 and Windows Server 2019 versions of the OS are vulnerable, and specifically the following builds of both OS versions: 1903 and 1909.

The vulnerability was patched by Microsoft shortly after its publication, with the release of a security update on March 12, 2020.

Users are urged to install the relevant security update issued by Microsoft. However, if installing the patch is currently not possible, the company advises to disable SMBv3 compression using the following PowerShell command:

powershell-command

PowerShell Command

Unfortunately, prioritizing patching is always a challenge. Considering the fact that most IT departments in any organization nowadays, are currently occupied by ensuring employees are able to work remotely, in order to maintain business continuity, it is possible that patching will not be a first priority.

Discovered PoC Exploits

Since the vulnerability was made public, various repositories connected to the vulnerability have been created on GitHub. Many of these contain scanner scripts for detecting vulnerable systems.

In addition, several repositories containing PoC exploits for the vulnerability were also identified. One such repository contains a PoC written in Python that supports SMBv3.1.1. This PoC targets Windows 10 systems running the 1903/1909 build.

According to our analysis, this PoC triggers a buffer overflow and crashes the kernel, but could be modified into a remote code execution exploit. We identified additional similar PoC exploits on GitHub, all of which would eventually cause the targeted system to crash. However, none of the exploits we observed allow remote code execution.

poc-description-1024x424

Description of the PoC

Dark Web Discussions

Right after details of the SMBGhost vulnerability were published, discussions about the vulnerability emerged on different Dark Web platforms, where the vulnerability is also dubbed CoronaBlue (possibly a paraphrase on the EternalBlue exploit and the current Coronavirus pandemic outbreak). At first, we mainly observed the sharing of publicly available reports about the vulnerability.

news-reports

News Reports about the SMBGhost Vulnerability Shared on a Russian Dark Web Forum (Source: Verint LUMINAR)

However, threat actors soon started expressing their interest in a working PoC. For instance, on March 11, 2020, a member of a hacking-related Discord channel asked how many GitHub repositories containing fake exploit codes for CVE-2020-0796 exist (since it is not uncommon to find fake repositories allegedly containing exploit codes circulating on the Web after a new zero-day vulnerability is revealed). One of the replies he got was that it “would be good” to have a working PoC, and another member shared a link to a scanning tool for tracking vulnerable systems, which is publicly available on GitHub. That same scanner was also shared on a Russian forum, and an additional scanner on GitHub was shared in a Persian Telegram channel. Furthermore, our researchers have found multiple discussions in different underground forums, where users are trying to find exploit kits for the CVE-2020-0796 SMBv3 vulnerability.

Our research team will continue to monitor the new SMBGhost vulnerability and the threat actors that express interest in the vulnerability and in obtaining a working PoC exploit for it. As several PoC exploit codes have been made available on GitHub, it is possible we will soon witness exploitation attempts. Although none of the currently available PoC codes could allow the attacker to remotely execute arbitrary code on targeted systems, these exploits could be modified to enable remote code execution, and potentially constitute a more serious threat. Furthermore, the fact this vulnerability could be leveraged in a “wormable” attack, stresses the importance and the urgency of applying the relevant patch.