STE WILLIAMS

Linksys routers vulnerable through CGI scripts

Linksys’ EA6100-6300 wireless routers need a patch: KoreLogic has published an advisory saying that rubbish CGI scripts in the admin interface open the device up to remote attackers.

Since it’s a consumer product, it’s a fair bet that most of the devices out there won’t get patched, but here’s the detail.

Many of the CGI scripts included in the admin interface provide an attacker with unauthenticated access. The attacker can then get the router’s admin password and p0wn the device, the advisory says.

The bad scripts include the bootloader, sysinfo.cgi, ezwifi_cfg.cgi, qos_info.cgi and others.

The disclosure is attributed to Matt Bergin of KoreLogic. His proof-of-concept code provided with the advisory includes testing the target device to see if its admin password remains set to default.

At the time of writing, Linksys had not published a fix, so it’s at least prudent to shut down remote admin access to any devices you’re in contact with. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/08/linksys_routers_vulnerable_through_cgi_scripts/

Brazen North American Cyber Underground Offers DIY Criminal Wares For Cheap

Inexpensive and easily accessible cybercrime products and services as well as drugs, counterfeit documents, weapons, cater to would-be and existing criminals, new report says.

You don’t have to be a stealthy hacker or member of organized crime to buy and sell goods in the North American cyber underground: it’s a wide open, easily accessible cyber marketplace that makes it easy for anyone to illegally buy weapons, crimeware, and botnets.

What sets the North American underground economy apart from that of Russia and other more stealthy cyber-based crime conduits is that it’s easy for novices to access — there’s no limited access like in the Russian underground. And that means it makes it easy for anyone to conduct cybercrime or access the tools for physical crime, a new report from Trend Micro has found.

“It’s more of an Amazon [type] shopping mall for goods and services, a one-stop shop for anything nefarious,” says Tom Kellermann, chief cybersecurity officer at Trend Micro.

Many of the underground sites studied by Trend Micro are searchable via the Web. All it takes is the right search query, and a novice can access what he or she needs to perform criminal acts, such as guides for how to use VPNs or TOR for nefarious purposes, and goods and services for cybercrime (stolen payment card information), physical fraud (fake passports), drugs, and even murder. “You can get ransomware in the US for $10,” Kellermann notes.

But the brazen openness of the North American cyber underground also means it’s in the sights of law enforcement, a tradeoff the peddlers and buyers seem willing to risk. They get around getting busted by constantly changing up their sites: “Although several criminal transactions are done out in the open, they are very fickle. The life span of most underground sites is short. They could be up one day and gone the next. Investigations will have to keep up with this fast pace,” Trend Micro’s report says.

There’s also rampant competition among the vendors, which has made the purchase of these wares relatively inexpensive.


One of the trademark offerings in the North American underground is crypting services, which offer bad guys a way to camouflage their malware from anti-malware systems. They submit their malware, and the providers check it against security tools and then encrypt it such that it’s no longer detectable. That service is available from $20 for a one-shot deal to $1,000 for a monthly offering.

The Xena RAT Builder crimeware kit is priced anywhere from $1 to $50, and offers two levels of customer service: silver ($15) and gold ($20). Gold encrypts the payload so it’s undetectable. Would-be cybercriminals can buy a worm for between $7 and $10; botnet or botnet-builder tools for between $5 and $200; ransomware for $10; and the Betabot DDoS tool for $74.

There also are DDoS-as-a-service options, which start as low as $5 for 300 seconds of a 40 gigabits-per-second DDoS attack, to $60 for a 2,000-second 125Gbps DDoS. Bulletproof hosting services are also available for $75 per month.

A phony US passport costs $30, and a phony US driver’s license, $145, Trend Micro’s researchers found.

“They’re [the sellers] trying to enable anyone with criminal intentions. That’s problematic,” Trend Micro’s Kellermann says. “It speaks to more crime having a duality to it, and with cyber-components.”

Unlike the Russian underground, North America’s has no organizational structure, he says. “Germany’s is the most sophisticated in operational security … Russia is selling the most zero-days and advanced attack platforms.”

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/endpoint/brazen-north-american-cyber-underground-offers-diy-criminal-wares-for-cheap/d/d-id/1323449?_mc=RSS_DR_EDT

Perimeter Inversion: Turning Digital Security Inside Out


We need security solutions that are designed from the ground up to operate in today’s dynamic environment.

The idea of a network perimeter is quickly morphing into something more complicated. We work outside of the corporate network on our own devices, storing and moving things through clouds of applications, storage, and service providers. How will security change in the next few years to adapt to this new reality?

Almost since its inception, digital security has followed a perimeter model, which may seem like the Maginot Line of cybersecurity. We are spending more and more time outside the firewall, so we need to think beyond it. At the same time, attackers are finding new vulnerabilities to get under the walls, developing new techniques to get around them, and finding softer targets with valuable assets to compromise. With the wide scale adoption of server virtualization and cloud computing, the concept of an enterprise data center has evolved into private and hybrid clouds that span on-premises and cloud-hosted servers in a seamless fashion.

The new security model needs to follow the data and users, as well as their devices and services. This does not mean that security will be completely cloud-based, with no on-premises component. Cloud computing and storage will still incorporate a perimeter and access approach, as will the data center. The data center needs to shift focus from servers to applications and data, which move in a dynamic manner with decreasing emphasis on location or ownership of hardware. But it will have to augment this with multiple vantage points of traffic flows, analytics, and collaborative intelligence. Encrypted communications make it difficult for firewalls to inspect individual traffic flows, increasing the importance of multiple perspectives.

This is strikingly similar to the physical security world we find around us. Attackers are not defined by physical borders, so defenses need a much higher level of collaboration, large volumes of intelligence, and powerful analytics to pull insight out of the noise and chatter.

Real-Time Security

The key to successful security operations in the new data center is real-time dynamic provisioning and orchestration. Security must follow the data, follow the application, and follow the user. One approach is a dynamic perimeter that forms around every flow. The network is no longer static or deterministic; it has become fluid, and security needs to be agile. This means implementing cloud security solutions that can redirect flows between endpoint devices and applications for inspection, analysis, and prediction. These solutions need to ask, “Is this normal activity between this device/location/user/application?”

With mobile users and IoT devices connecting directly to the cloud, the new model means securing the channel between endpoints and applications, not just with encryption but by watching out for attacker redirection and man-in-the-middle attacks that could disrupt devices or data enough to affect your operations. Encryption and tokenization become critical when corporate data is stored on shared resources in hybrid or public clouds. Data must be secured both at rest and at all points of the flow to protect it from hardware or virtualization exploits. Identity and policy management will become extremely important in such a dynamic environment, defining and enforcing policies that prevent sensitive information such as personally identifiable data or health details from straying outside of secure locations and devices.

Another approach of real-time dynamic provisioning and orchestration is shrinking the perimeter around each individual device, forcing the devices to protect themselves. Many devices will not have the compute power necessary to do this, requiring a mix of hardware-enabled trust and cloud-based processing.

Perhaps the most important part of this new security model is the analytics necessary to put together multiple observations from different agents at varying points in the cloud into a cohesive picture that can differentiate signal from noise, without an overwhelming number of false positives.

An interesting analogy to this method is how airplane flight control systems were developed. Different developers in different locations using different languages and algorithms running on different hardware developed systems for the same set of controls. In operation, only when multiple systems were within tolerance would the airplane actually take action. In security, this approach not only reduces false positives, it makes it far more difficult for attackers to develop threats that can evade the detection algorithms because multiple are in use at any time.

We need to build security solutions that are designed from the ground up to operate in this new dynamic environment: Multiple perimeters, hardware-based trust, and cloud-scale analytics fuelled by large volumes of shared threat intelligence must enable local and cloud-based agents to detect and disrupt attacks at machine speeds. 

Michael Sentonas is the Chief Technology and Strategy Officer, APAC for Intel Security. Michael has been with the company for fifteen years, previously holding leadership roles such as VP and Chief Technology Officer of Security Connected, VP and CTO for Asia Pacific and, …

Article source: http://www.darkreading.com/partner-perspectives/intel/perimeter-inversion-turning-digital-security-inside-out/a/d-id/1323451?_mc=RSS_DR_EDT

BackStab Attack Takes Indirect Route To Mobile Data

Attack technique takes advantage of weak protections around mobile user’s backup files.

While there are plenty of mobile device vulnerabilities just waiting for bad guys to pick up on, some of the lowest hanging fruit for mobile-oriented attackers isn’t on the device itself. Instead, the softest target comes in the form of insecure back-ups stored on a traditional desktop or laptop.

Palo Alto Networks’ Unit 42 research team calls the technique “BackStab.” In a report out today by researchers with the team, they explain that this indirect route can nab attackers text messages, photos, geo-location data and just about anything else that’s been stored on a mobile device.

“While the technique is well-known, few are aware of the fact that malicious attackers and data collectors have been using malware to execute BackStab in attacks around the world for years,” writes report author Claud Xiao. “iOS devices have been the primary target, as default backup settings in iTunes® have left many user backups unencrypted and easily identified, but other mobile platforms are also at risk.”

According to the report, Unit 42 has found over 700 recent flavors of Trojans, adware and other hacking tools designed to target Windows and Mac systems containing user data from backup files from iOS and BlackBerry devices. Several of the malware families discovered by the researchers have been around for at least five years. They explain that there are tons of public articles and video tutorials detailing how to carry out a BackStab attack. And unlike a lot of mobile device attacks, the attack doesn’t require a targeted user to have a jailbroken device.

In the case of iOS attacks, often BackStab is made possible due to default settings on iTunes that don’t encrypt backed up data.

The report today detailed some of the most common tools that employ BackStab, including a dropped portable executable file called USBStler, often used in concert with the DarkComet remote access Trojan. Interestingly, they also showed how RelevantKnowledge, a tool developed by Internet research firm comScore, leans on BackStab techniques to spy on consumers.

“We found that many RelevantKnowledge samples contain code to collect users’ iPhone and BlackBerry data through these mobile devices’ backup archives,” Xiao wrote. “During their execution, these samples will search for files under the Windows iTunes backup directory, collect information, compress it into a file and upload it to (comScore’s) web server.” 
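The defensive counterpart to what the report describes: since BackStab depends on iTunes backups that were left unencrypted, a desktop audit can enumerate the MobileSync backup folders and flag the ones whose manifest records no encryption. This is an added example, not code from Unit 42 or Apple; it assumes (the page does not say) that each backup sits in its own folder under the MobileSync `Backup` directory and carries a `Manifest.plist` whose boolean `IsEncrypted` key reflects the "Encrypt iPhone backup" setting. The sample backup tree the demo builds is constructed inline.

```python
"""Audit iTunes/iOS backup folders for the unencrypted-backup condition
that BackStab-style collectors look for.

Assumptions (not stated in the article): backups live one-per-folder under
the MobileSync "Backup" directory, and each folder's Manifest.plist has a
boolean IsEncrypted key recording whether backup encryption was enabled."""
import os
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError


def default_backup_dirs():
    """Candidate MobileSync backup roots on Windows and macOS (assumed paths)."""
    candidates = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        # Classic iTunes install and the Microsoft Store build use different parents.
        candidates.append(Path(appdata) / "Apple Computer" / "MobileSync" / "Backup")
        candidates.append(Path(appdata) / "Apple" / "MobileSync" / "Backup")
    candidates.append(Path.home() / "Library" / "Application Support" / "MobileSync" / "Backup")
    return candidates


def backup_is_encrypted(manifest_path):
    """Return True/False from Manifest.plist, or None if it is missing or unreadable."""
    try:
        with open(manifest_path, "rb") as fh:
            manifest = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException, ExpatError):
        return None
    value = manifest.get("IsEncrypted")
    return None if value is None else bool(value)


def audit_backup_root(root):
    """Map every backup folder directly under root to its encryption state."""
    results = {}
    root = Path(root)
    if not root.is_dir():
        return results
    for child in sorted(root.iterdir()):
        if child.is_dir():
            results[child.name] = backup_is_encrypted(child / "Manifest.plist")
    return results


def unencrypted_backups(results):
    """Names of backups whose manifest explicitly says IsEncrypted is false."""
    return sorted(name for name, encrypted in results.items() if encrypted is False)


def build_sample_root(tmpdir):
    """Constructed sample tree: one encrypted, one plaintext, one damaged backup."""
    root = Path(tmpdir) / "Backup"
    for name, encrypted in (("device-a-encrypted", True), ("device-b-plain", False)):
        folder = root / name
        folder.mkdir(parents=True)
        with open(folder / "Manifest.plist", "wb") as fh:
            plistlib.dump({"IsEncrypted": encrypted, "Version": "10.0"}, fh)
    (root / "device-c-broken").mkdir()
    (root / "device-c-broken" / "Manifest.plist").write_bytes(b"not a plist")
    return root


def run_demo():
    """Audit the constructed sample and return (per-backup states, flagged names)."""
    with tempfile.TemporaryDirectory() as tmp:
        results = audit_backup_root(build_sample_root(tmp))
    return results, unencrypted_backups(results)


if __name__ == "__main__":
    states, flagged = run_demo()
    print("sample audit:", states)
    print("sample backups exposed to BackStab-style collection:", flagged)
    # Real run: check whichever default roots exist on this machine.
    for root in default_backup_dirs():
        live = audit_backup_root(root)
        if live:
            print(root, "->", unencrypted_backups(live) or "all encrypted or unreadable")
```

A `None` state means the manifest could not be parsed and the folder should be inspected by hand rather than assumed safe.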

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/vulnerabilities---threats/backstab-attack-takes-indirect-route-to-mobile-data/d/d-id/1323455?_mc=RSS_DR_EDT

Cyber Extortion, DDoS-For-Bitcoin Campaigns Rise

Now that the model is proven, more cyber-extortionists are entering the scene, stealing their predecessors’ ideas and even their names.

Whether it be via DDoS, doxing threats, or ransomware, attackers extorting victims for cash via electronic means is growing, and Bitcoin may be partly to blame for the increase, according to researchers at Recorded Future.

“Bitcoin attracted more miscreants to the space,” says Tyler Bradshaw, solutions engineer for Recorded Future. Because it is relatively new and unregulated, the currency allows extortionists to accept payments anonymously.

While ransomware operators are generally indiscriminate about targets, go after individuals, and request small ransoms of 1 to 2 BTC (currently approximately $349 to $698), DDoS extortionists take the opposite approach.

Last year, the threat group DD4BC (short for “DDoS for Bitcoin”) first emerged. DD4BC’s modus operandi was to threaten a company with a major distributed denial of service — on the magnitude of 400-500 Gbps — prove it could compromise the network by carrying out a low-level warning attack of roughly 10-20 Gbps, and demand a payment to prevent a large-scale DDoS. According to Recorded Future, DD4BC has attacked over 140 companies in this way.

According to a report by researchers at Akamai’s Prolexic Security Engineering and Research Team (PLXsert) released in September, the group first targeted online gaming and online currency exchanges — which would be reluctant to request help from law enforcement. They then shifted attention to financial services companies, tweaking the attack to include a threat of publicly embarrassing the company by revealing, via social media, that the company had been DDoSed.

DD4BC’s ransom demands ranged from 10 BTC to as much as 200 BTC (currently $3,940 to $78,788), often starting low and increasing the price the longer the victim failed to pay up.

DD4BC did not actually seem to be capable of carrying out the 400-500 Gbps-scale attack they threatened. The worst Akamai detected was 56 Gbps. Yet, the threats and warning attacks were enough to convince targets to pay the ransom.

As Akamai PLXsert wrote in its September report:

PLXsert believes copycats will enter the game, increasing these types of attacks. In fact, copycats may already be sending their own ransom letters, piggybacking on the reputation of dd4bc.

That’s precisely what has happened, according to Recorded Future.

In the wake of Akamai’s report, DD4BC’s own activity sharply decreased, but a new group called Armada Collective showed up on the scene, using the same model DD4BC had used.

One of Armada Collective’s victims was ProtonMail, an encrypted email service provider. Yet even after ProtonMail paid the extortion fee, the attacks increased and became more sophisticated. According to the Recorded Future report:

ProtonMail claimed this second attack was a “coordinated assault on our ISP exceeded 100Gbps and attacked not only the datacenter, but also routers in Zurich, Frankfurt, and other locations where our ISP has nodes.” In fact, ProtonMail has stated that the second attack appears to be nation-state sponsored.

The Armada Collective vehemently denied involvement in this second attack, despite their own warnings of a larger attack. They even refunded bitcoins to ProtonMail in order to send messages such as:

“Somebody with great power, who wants ProtonMail dead, jumped in after our initial attack!” and “WE DO NOT HAVE THAT POWER! NOT EVEN CLOSE.”

Then last week, news broke that three Greek banks were hit with DDoS attacks claimed by the Armada Collective. However, the extortion amount requested was a whopping 20,000 BTC, or $7.85 million at current value, from each bank.

“That’s why it was a red flag for me,” says Bradshaw, “that this might not be the Armada Collective,” either. The size of the ransom was too high for the original Armada Collective, which also tended to go for targets that were unlikely to involve law enforcement.

A bank official told the Financial Times last month, “No bank responded to this extortion, so the same hackers tried again at the weekend and today. But we had strengthened our defence in the meantime, so no disruptions took place.”

Why would an attack group hijack another’s handle? “They may be using the name because it’s easier to ride those coattails without doing any work first,” says Bradshaw, explaining that threats from an established threat actor may be taken more seriously by targets. Plus, it gives law enforcement a false trail to follow. “If something goes down, the eyes are not pointed at them,” he says.

Although cyber-extortion is increasing, the success of each attack campaign depends upon combining the right technological capabilities with the right price point. Last week, not only did the Greek banks not pay Armada Collective the $7.85 million request, but three banks in the United Arab Emirates refused to pay an attacker called Hacker Buba a $3 million payout. In response, Hacker Buba publicly dumped personal information, full credit card data, and transaction histories on tens of thousands of the banks’ customers.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/attacks-breaches/cyber-extortion-ddos-for-bitcoin-campaigns-rise--/d/d-id/1323448?_mc=RSS_DR_EDT

Advent tip #7: Do I really still need Flash? No. No you don’t.

Want to do one single, simple thing to drastically improve your security during advent?

Just turn off Flash.

Turning off Flash deprives malware writers of one of their favourite toys and stops con artists preying on your hair trigger for Flash security updates by using them as camouflage for malware.

By happy coincidence it also deprives marketeers and advertisers of one of their most annoying toys (anyone remember splash screens?), stops them from tracking you across multiple browsers with Flash cookies and makes you far harder to fingerprint online too.

And as if those weren’t reasons enough, your battery will probably send you a Christmas card too because, as one wag put it, Flash is just the internet’s way of reminding you that your laptop has a fan.

It might seem difficult at first but remember that iPhone and iPad users have been Flash-free from the get-go and they seem more than a little smug about their lot.

If you still can’t see the writing on the wall consider that Adobe, the maker of Flash, is airbrushing the name out of existence and that even its newly monikered Adobe Animate software thinks you should seriously consider HTML5 as an alternative.

So go on, annoy some hackers and give your laptop fan the day off.

Images of Christmas tree and Advent calendar courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Aggt-td9Wuc/

George Zimmerman’s Twitter account suspended after he posts ‘semi-nude’ photos of woman

George Zimmerman, the acquitted killer of unarmed black teenager Trayvon Martin, took to Twitter on Thursday to publicly shame his apparent girlfriend, dox her personal details, post semi-nude photos of her, accuse her of stealing from him, and claim that she sleeps with “a dirty Muslim.”

Twitter suspended his account, @TherealGeorgeZ, almost immediately.

The tweets are now inaccessible, as is Zimmerman’s entire Twitter account.

The tweets included two photographs of a semi-nude woman, her first name, email address, phone number, and face.

A Twitter spokesperson told the Washington Post’s The Intersect that the company doesn’t comment on individual Twitter accounts, citing privacy and security reasons.

But the spokesperson also pointed to the company’s policy banning the posting of confidential information, including revenge porn.

In March, Twitter updated its rules to specifically ban nonconsensual porn (NCP).

At the time, Twitter said that it intends to lock NCP posters’ accounts until the offending material’s deleted and will even suspend accounts if the intent behind such content is harassment.

Its policy says that users “may not post intimate photos or videos that were taken or distributed without the subject’s consent.”

Twitter also moved to put revenge porn in the same category as threats of violence against others on the basis of race, ethnicity, national origin, religion, sexual orientation, gender, gender identity, age, or disability.

Its updated abuse policy uses the same language as the new revenge porn rules, outlawing the posting of intimate images without the subject’s consent.

Content deemed to be in violation of that policy will be hidden from public view. The users who post it will have their accounts locked until they delete the objectionable content.

If Twitter finds that the content was posted with the intent of harassment, perpetrators will be subject to suspension.

This isn’t the first time that Zimmerman’s tweets have outraged and offended.

In September, he retweeted a picture of Trayvon Martin’s corpse to his followers, of which there were 11,000 at the time.

He followed up with a self-pitying, self-aggrandizing, racist Twitter rant. Earlier in the year, he had also changed his profile photo to an image of a Confederate flag.

Last week’s NCP posts may have been the straw that broke the camel’s back when it comes to finally getting Zimmerman’s account knocked offline, but they won’t necessarily get him into trouble with Florida’s revenge porn law.

According to the Cyber Civil Rights Initiative, 26 states now have revenge porn laws.

Florida’s Sexual Cyberharassment act made first offenses a misdemeanor and any subsequent violations a felony. It went into effect on 1 October this year.

The Intersect spoke with Mary Anne Franks, a law professor at the University of Miami and legislative and tech policy director of the Cyber Civil Rights Initiative.

Franks is an expert on Florida’s law and has given advice about legislation on protecting sexual privacy to just about every state that’s passed such laws.

Franks told the newspaper that the tweets probably don’t violate Florida’s law against revenge porn, given that the photos didn’t depict their subject either as nude or engaged in sexual conduct.

In fact, it appears that Zimmerman may have researched the law to ensure he didn’t violate it, Franks said, pointing to a snapshot of a now inaccessible tweet, apparently from Zimmerman’s account, saying that “there were never any nude pictures posted. Thanks for the advice though.”

Still, Zimmerman might yet be subject to civil action, or he might be found to have violated other cyberharassment or stalking laws at the state and federal level, Franks said:

Federal law prohibits an individual from using “the mail, any interactive computer service or electronic communication service or electronic communication system of interstate commerce, or any other facility of interstate or foreign commerce” to engage in a course of conduct that causes, attempts to cause, or would be reasonably expected to cause substantial emotional distress with the intent to, among other things, harass or intimidate another person.

The woman would also potentially have grounds for civil action, including intentional infliction of emotional distress, publication of private facts, and/or, if the allegations aren’t true, defamation.

Media outlets haven’t been able to confirm the identity of the woman pictured or to whom the number and email address belongs.

But The Intersect found that a call to the phone number went directly to a voicemail for a woman with the same name Zimmerman used in his tweet.

The Intersect also received a text message from that number on Thursday indicating that the person would make a statement to the media on the matter “once the dust clears.”

Image of George Zimmerman courtesy of DonkeyHotey/Flickr.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/e4L3UA6465U/

Yahoo Messenger joins the “unsend” bandwagon

Yahoo has just given Messenger users the sacred “unsend” button.

You know that button: it used to be the joke you played on the technically clueless when they flew out of their offices, bug-eyed, asking everybody to delete the email they mistakenly, inadvisedly sent to the whole company.

Google made it real, more or less, with the undo send option it first offered in 2009, buried as it was under an “experimental” warning, and then pulled into the daylight to promote with a bit more gusto in June.

Google’s approach to unsending is really only for the nimble, given that the maximum grace period you have to delete a message is 30 seconds.

In contrast, the new unsend option in Yahoo Messenger, which it introduced on Thursday, lets you reach deep into your outbox and the muck of years’ worth of messages to delete any message sent to a user at any time from that user’s inbox.

The idea of disappearing messages is far from new, of course. Snapchat comes to mind.

The notion that messages and images on Snapchat are ephemeral and would disappear forever was flawed from the start – recipients could always grab copies with screenshots or by taking photos of them, and even if they didn’t, the supposedly disappearing images stayed right on senders’ phones, often hung around on Snapchat’s servers, and likewise lingered (albeit marked “not for display”) on recipients’ phones.

To make messages “disappear,” Yahoo will reportedly wipe a given message from its servers and delete it from the recipient’s phone.

Yahoo joins Viber on this kill-the-message bandwagon: Viber began to offer unsend last month, in the form of the ability to erase messages that the user sent – including photos or GIFs – from the devices of the people who received them.

Oh, boy, you well may be thinking, any message, from any device, as Viber enthused?

Um, no, it said a few days later: Windows phones not included.

The moral of the story: unsend features are promising, but it’s safest to assume that messages aren’t necessarily going to blink out of existence.

Messages have a way of lingering, be they in image form from screenshots, printed out or copied before a sender deletes them from a recipient’s inbox.

Be careful with Gmail unsend, too.

I found out, when setting up Gmail’s unsend option and having it utterly fail, that you need good connectivity for the unsend option to work, as Gmail Help informs me.

Image of Yahoo HQ courtesy of Ken Wolter / Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/E49pKm1uuyw/

Windows’ Nemesis: Pre-boot malware pwns payment processors

Cybercrooks targeting payment card data have developed a sophisticated malware that executes before the operating system boots.

Security researchers at FireEye / Mandiant came across the rarely seen so-called bootkit technique during a recent investigation at an organisation in the financial transaction processing industry.

FireEye reckons a group of for-profit hackers, likely based in Russia, is responsible for slinging the Windows-bothering Nemesis bootkit malware.

“We identified the presence of a financially motivated threat group that we track as FIN1, whose activity at the organisation dated back several years,” FireEye reports. “The threat group deployed numerous malicious files and utilities, all of which were part of a malware ecosystem referred to as ‘Nemesis’ by the malware developer(s).”

“FIN1 used this malware to access the victim environment and steal cardholder data. The group, which may be located in Russia, is known for stealing data that is easily monetised from financial services organisations such as banks, credit unions, ATM operations, and financial transaction processing and financial business services companies.”

Bootkits infect lower-level system components, making the malware difficult to identify and detect. The malware’s installation location also means it will persist even after re-installing the operating system, widely considered the most effective way to eradicate malware, FireEye adds.

The Nemesis malware platform features backdoors that support a variety of network protocols and communication channels for command and control. The cybercrime tools support file transfer, screen capture, keystroke logging, process injection, process manipulation, and task scheduling.

Once they successfully compromise a targeted network the crooks update their Nemesis malware, deploying additional hacking tools and adding extra functionality as they proceed. For example, earlier this year the FIN1 hackers updated their toolset to include a utility that modifies the legitimate system Volume Boot Record (VBR) and hijacks the system boot process to begin loading Nemesis components before the Windows operating system code. FireEye has nicknamed this utility BOOTRASH.

The use of bootkits in cybercrime is rare but not unprecedented. Two years ago, for example, RSA warned that a banking Trojan called KINS touted VBR (Volume Boot Record) bootkit functionality. The malware was being hawked through a Russian language cybercrime forum at the time.

Source code for another banking Trojan, known as ‘Carberp,’ was publicly leaked two years ago. Reports at the time warned the Trojan had been sold for $40,000 due to the addition of bootkit functionality. Subsequent analysis suggested the bootkit functionality was incomplete.

Three years ago Mandiant saw a suspected China-based hacking crew using a MBR (Master Boot Record) bootkit. This Rockboot bootkit was used to plant backdoors onto the networks of gaming industry targets. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/07/bootkit_malware_targets_payment_processing_firms/

UK research network Janet under ongoing and persistent DDoS attack

Publicly-funded academic computer network Janet has come under a persistent DDoS attack today, which hobbled multiple internet connections, including the Manchester to Manchester Core Router.

Janet, effectively the UK’s computer network for educational and research institutions, first experienced connectivity problems shortly after 9am this morning.

Its engineers and security teams identified the cause as a DDoS attack and worked to identify the source of the assault and implement blocks.

After some suggestions of network stabilisation however, further problems were seen.

The network is funded by Jisc, formerly the Joint Information Systems Committee, a non-departmental public body in the UK, whose Major Incidents Twitter account provided the most recent updates:

At the time of writing the blocks are yet to have any great effect, with 35 connections down, according to Netsight. While mostly facility specific, the Manchester to Manchester Core Router backbone connection is also down.

Following our publication, Jisc sent The Register a statement confirming that:

“On Monday 7 December at 9.24 a distributed denial-of-service (DDoS) attack caused unplanned disruption on the Janet network. This has resulted in a potentially intermittent service for all customers.

Our network and computer security incident response teams are currently working to resolve the problem.

Customers affected have been contacted and are being provided with up to date information.”

So there we have it. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/07/janet_under_persistent_ddos_attack/