  • Avantia Threat Update

"CRIMEWARE" NOW SOLD ON THE DARK WEB....


You don't have to be an expert to become a cyber criminal.

This week: ‘Crimeware as a Service’ is available for purchase on the Dark Web; a Canadian government employee is robbed of patient data; a UK adoption service accidentally leaks sensitive information; and records in New Zealand are “blown away.”


This Week’s Top Dark Web Compromise Trends:

Top Source Hits: ID Theft Forums (99%)

Top Compromise Type: Domains (99%)

Top Industry: Medical and Healthcare

Top Employee Count: 11 - 50 Employees


This Week’s Top Targeted Industries:

Information Technology Hits: 365 | Targets: Citrix Systems, Apple, Google, Microsoft, Sony Corp

Software Hits: 361 | Targets: Citrix Systems, Google, Kaspersky Lab, Microsoft, Cambridge Analytica

Software Hits: 239 | Targets: Citrix Systems, eBay Inc, Triton Corp., Imperva Inc, Rockstar Games

Finance Hits: 75 | Targets: Equifax Inc, PayPal, Banamex, Financial Institutions, JPMorgan Chase & Co.

Computer Hardware Hits: 67 | Targets: Apple, Microsoft


This Week’s Top Threat Actors:

Inj3ct0r Team Hits: 10 | Targets: WordPress, Joomla, Twitter, Apache HTTP Server, SCADA and ICS Products and Technologies

Lazarus Group Hits: 8 | Targets: Sony Corp, South Korea, Cryptocurrency, United States, Poland

Hezbollah Hits: 8 | Targets: Israel, Syria, Lebanon, Iran, United States

Holmium Hits: 7 | Targets: Saudi Arabia

Whitefly Hits: 4 | Targets: Singapore, Singapore Health Services, United Kingdom, Russia


This Week’s Top Malware Exploits:

SLUB Hits: 84

AZORult 3.2 Hits: 36

Stuxnet Hits: 34 | Targets: Iran, North Korea, Industrial Control Systems, SCADA and ICS Products and Technologies, United States

PirateMatryoshka Hits: 27 | Targets: The Pirate Bay, #PirateBay

UPATRE Hits: 20 | Targets: University of Florida, Personal Computers, Microsoft Windows, Microsoft Windows XP, Application Compatibility Database Installers.



In Other News:


“CRIMEWARE” NOW AVAILABLE TO A HACKER NEAR YOU.

It’s called Crimeware as a Service, or CaaS, and it’s available for criminals to purchase on the Dark Web right now. Many hackers are using it in place of the more traditional hacking methods of the past: the old ‘direct attack’ method was no longer deemed good enough, so many now leverage crimeware, paid malware and the like, to lure users who are less tech-savvy and can’t tell the difference. Even though crimeware might look like legitimate software, with competitive pricing models and monthly subscriptions, it couldn’t be further from legitimate. Many CaaS models prioritise quantity over quality, allowing broader exploitation of companies with fewer of the pitfalls that usually come with deploying malware. Hackers who use CaaS rely on ready-made exploit kits to do their dirty work. They don’t have to write the malware, they don’t need to exploit insecure websites themselves, and they don’t have to go through the work of selling stolen user data. They can simply use a kit that sells crimeware as a service on their behalf.

Cybercrime is now a multi-billion-dollar business. It’s expected to cause almost $2 trillion in company damages by 2019. Now that hackers have the advantage of specialising in CaaS, the threat is even greater, meaning that tight cybersecurity and threat intelligence have never been more important for businesses, small, medium and large alike. Threat intelligence is critical for discovering which cracks and vulnerabilities hackers are targeting, or could target. Adding another layer to the threat, brokers who buy exploits from the hackers who find them have been identified and are aptly called exploit brokers; those who buy the exploits use them to propel CaaS. Other recent techniques cybercriminals have been using include hiring multiple people to perform breaches on their behalf and using botnets, networks of infected devices such as PCs and servers, to carry out attacks. These techniques and more have caused a great increase in businesses being targeted by CaaS attacks. Also commonly used by CaaS criminals are ‘weaponised documents’: files that look just like everyday email attachments, such as Microsoft Word or PowerPoint files, and may even be sent from an email address that looks similar to a co-worker’s. Opening them, or following their link to a compromised website, will inevitably lead to a successful CaaS attack afterwards. Education and training of staff and users is essential to prevent these types of attacks. It’s been estimated that more than 400,000 pieces of malware are created every single day, and thousands of vulnerabilities are found every year. These seemingly insurmountable numbers are intimidating and require a smart and innovative approach to overcome CaaS and other cybersecurity threats. Thankfully, there are only about two dozen ways for hackers to exploit software; the trick is finding an approach or a tool that can counteract the techniques hackers use.


GOOGLE CHROME: NOW IS THE TIME TO UPDATE YOUR BROWSER.

It’s not often that we hear about a critical vulnerability in Google Chrome, and it’s rarer still for Google’s own engineers to urge users to patch. There are several good reasons to take this new Chrome zero-day exploit seriously. For starters, we are talking about a full exploitation that escapes the sandbox and leads to remote code execution. This in itself is not an easy feat and is usually observed only sporadically. This time, though, Google says the vulnerability is actively being used in the wild. According to Clément Lecigne, the member of Google’s Threat Analysis Group who discovered the attack, another zero-day exploit exists in Microsoft Windows (yet to be patched), suggesting the two could be chained for even greater damage. If you are running Google Chrome at a version below 72.0.3626.121, your computer could be exploited without your knowledge. While it’s true that Chrome features an automatic update component, the patch is only installed once you restart your browser.

This may not seem like a big deal, but it is. Another Google engineer explains why this matters more than past exploits: this newest exploit is different in that the initial chain targeted Chrome code directly, and thus required the user to have restarted the browser after the update was downloaded. For most users the update download is automatic, but a restart is usually a manual action. Considering how many users keep Chrome and all their tabs open for days or even weeks without ever restarting the browser, the security impact is real. Some might see a bit of irony in this latest zero-day considering Google’s move to ban third-party software injections. Many security programs, including Malwarebytes, need to hook into processes such as the browser and common Office applications in order to detect and block exploits. However, we cannot say for sure whether that could prevent this vulnerability from being exploited, since few details have been shared yet. In the meantime, if you haven’t done so yet, update and relaunch Chrome; don’t worry about your tabs, they will come right back. (A zero-day vulnerability is a software, hardware or firmware flaw unknown to the manufacturer. When hackers leverage that flaw to conduct a cyberattack, it's called a zero-day exploit. The term “zero day” comes from the fact that the vulnerability has yet to be fixed by security professionals.)
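As an added illustration, not code from the Avantia newsletter: a small Python check that flags endpoints whose running Chrome build is older than the 72.0.3626.121 release named above. Versions are compared numerically, since a plain string comparison would rank 72.0.3626.99 above 72.0.3626.121; the hostnames and versions in the sample inventory are constructed, and the inventory is assumed to report the build actually running (not merely downloaded), because the article's point is that the fix only applies after a restart.

```python
"""Flag Chrome installs older than the patched build named in the article.

Added example, not part of the newsletter. Dotted versions are compared as
integer tuples because "72.0.3626.99" < "72.0.3626.121" as text is False.
"""
from typing import List, Tuple

# First build carrying the fix, as stated in the article.
PATCHED_CHROME = "72.0.3626.121"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '72.0.3626.121' into (72, 0, 3626, 121) for numeric comparison."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, patched: str = PATCHED_CHROME) -> bool:
    """True when the installed build is strictly older than the patched one.

    Shorter tuples are zero-padded so '72.0' compares like '72.0.0.0'.
    """
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose reported Chrome build still needs the update.

    `inventory` is a list of (hostname, running_chrome_version) pairs, as an
    endpoint agent might export. Unparseable versions are reported as well,
    since "unknown" should never be treated as "safe".
    """
    flagged = []
    for host, version in inventory:
        try:
            if is_vulnerable(version):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return flagged


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "72.0.3626.121"),  # exactly the patched build
    ("ws-002", "72.0.3626.99"),   # older, although "99" > "121" as text
    ("ws-003", "73.0.3683.75"),   # newer major release
    ("ws-004", "71.0.3578.98"),   # older major release
    ("ws-005", "n/a"),            # agent could not read the version
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: update and restart Chrome")
```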


HUNDREDS OF POPULAR CARS WITH KEYLESS ENTRY AT RISK:

Consumer group Which?, based in the UK, found the Ford Fiesta, Volkswagen Golf, Nissan Qashqai and Ford Focus were all at risk. Thieves are increasingly thought to be using technology to bypass entry systems on keyless cars. Which? analysed data on keyless, or "relay", attacks from the General German Automobile Club (ADAC), a roadside recovery organisation. ADAC tested 237 keyless cars and found that all but three were susceptible. The latest models of the Discovery and Range Rover, and the 2018 Jaguar i-Pace, all made by Jaguar Land Rover, were found to be secure. Of the top-selling cars in the UK, only the Vauxhall Corsa was deemed safe, because it is not available with keyless entry and ignition. "Thieves have been using keyless theft for several years, but manufacturers continue to make new models that can be stolen in this way, meaning there is an ever-larger pool of vehicles for thieves to target," Which? said in a statement. Harry Rose, editor of Which? Magazine, said manufacturers needed "to up their game". A growing number of new cars are made with keyless entry systems, allowing owners to open them with the brush of a hand, as long as their actual key is nearby, for instance in their pocket. Thieves can fool these systems with special devices, allowing them to enter the vehicle and drive away. In the year to March 2018, more than 106,000 offences of theft of or unauthorised taking of a motor vehicle were reported to police in England and Wales, the highest annual total since 2009. Mike Hawes, head of the SMMT, said: "Industry takes vehicle crime extremely seriously and any claims otherwise are categorically untrue. New cars are more secure than ever, and the latest technology has helped bring down theft dramatically with, on average, less than 0.3% of the cars on our roads stolen. Criminals will always look for new ways to steal cars; it's an ongoing battle and why manufacturers continue to invest billions in ever more sophisticated security features - ahead of any regulation. However, technology can only do so much and we continue to call for action to stop the open sale of equipment with no legal purpose that helps criminals steal cars."


FOUR STEPS TO TAKE TO MANAGE DIGITAL RISK:

Step 1: Identify Key Assets to Protect: This first step is taking stock of the critical assets you wish to protect and how this data could appeal to adversaries. Start with people (e.g. customers, employees, partners, service providers); organizations (e.g. service departments, common infrastructure), and the systems and critical applications that support them (e.g. websites, portals, databases, payment processing systems, Enterprise Resource Planning (ERP) applications). Consider how these assets relate to the organization’s vital business and economic functions, those that may generate profit, provide competitive advantage, or on which intangible properties such as trust, reputation and goodwill rely. The exposure of intellectual property - product designs, proprietary code, and patent information – often impacts competitive advantage. Exposed customer data may result in violations of compliance and privacy regulations. Employee credentials, private keys, or exposed security assessments could fall into threat actors’ hands, enabling reconnaissance efforts. Once these most important pieces are identified, organizations can begin to understand which actors are most likely to target this data.

Step 2: Understand the Threat: Understanding the threat is a key part of calculating risk. A recent shift towards a strategic focus on attacker behaviour provides a common language for how defences can be aligned to real-world vulnerabilities. However, behaviours are just one part of understanding threats. Organizations must also understand the circumstances cyber criminals most often exploit and reduce their opportunities. For mid-sized businesses, frameworks provide a way to describe attacker behaviour through observed tactics, techniques, and procedures. By combining this behavioural information with threat modelling, organizations can then consider why a particular type of cyber-criminal would target the organization, what they would hope to gain, and what their goals would be. By understanding the range of cyber-criminal activities and protecting against the exposure of data that could enable them, organizations can decisively reduce their risk profile.

Step 3: Monitor for Exposure: Detecting exposed assets across the open, deep, and dark web can be a daunting task. The typical exposure of a mid-sized organization includes 290 spoofed domains or social media accounts, 180 certificate issues, 84 exploitable vulnerabilities, 360 open ports and 100 exposed business documents. There are plenty of tools to help. Consider making use of services used by marketing and brand management teams to monitor social media. This can provide a useful insight into what is being discussed about an organization online.

Step 4: Mitigation Strategies: Detecting exposure and understanding threats is important, but taking action to resolve and mitigate risks is critical. Mitigation strategies include immediate, tactical responses; operational responses that can be done on an ongoing basis; and strategic responses that may involve investment or directional influence. For example, an organization that has identified large numbers of exposed credentials may look at password monitoring services and/or implementing Multi Factor Authentication (MFA). Similarly, providing more effective storage solutions may be advised if employees are backing up work on home computers.


While no single solution or approach can reduce digital risk, by understanding where assets are exposed, their value to attackers, and how attackers target this data, organizations can make better decisions about their defences and improve them over time.


THREAT FOCUS: St Francis Physician Services – USA

Exploit: Unauthorized access of electronic health record system

SFPS: Health system based in South Carolina

Customers Impacted: To be disclosed

Risk to Small Business: 1.888 = Severe: On January 4th, it was discovered that an unauthorized individual gained access to systems of Milestone Family Medicine, a medical practice in Greenville. The SFPS health system previously employed the physicians that worked at Milestone Family Medicine, leading the larger organization to launch an investigation. While there is currently no indication of information misuse, letters have been sent to patients alerting them of the breach.

Individual Risk: 2.142 = Severe: Patient health information including names, dates of birth, social security numbers, addresses, health insurance company details, and more were exposed. The company is offering credit monitoring and identity protection services to those whose social security numbers were included in the breach.

Effect On Customers: In this scenario, SFPS was obligated to disclose the data breach even though Milestone Family Medicine was no longer a part of its network. Small businesses should be educated on data breach notification requirements that are becoming increasingly stringent. To avoid similar situations from arising, companies must shield themselves from third party or employee-related breaches.

Risk Levels: 1 - 1.5 = Extreme Risk; 1.51 - 2.49 = Severe Risk; 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: Samsung - CANADA

Exploit: Third-party employee breach

Samsung Canada: Canadian arm of the Samsung Electronics company

Customers Impacted: To be determined

Risk to Small Business: 1.777 = Severe: On November 29th, 2018, an intruder gained account credentials for a Glentel employee and was able to view personal details of shoppers on the Samsung Canada online store. Glentel is the independent wireless retailer that operates the Samsung website, and was able to address the vulnerability within the same day. The company was forced to disclose the breach to its customers but has offered assurances that no financial information was exposed.

Individual Risk: 2.428 = Severe: Names, addresses, emails, phone numbers, and product purchase details were compromised. However, only customers that were making purchases during the time of exposure would have been affected.

Effect On Customers: Disguising or diminishing the consequences of a data breach can be detrimental for any organization. A customer openly spoke out against the data breach notification on Twitter, sarcastically noting that “only my address, phone number, email was accessed... Thanks Samsung Canada”. In the event of a breach, it is important to communicate effectively with customers in order to restore trust and get back to business.

Risk Levels: 1 - 1.5 = Extreme Risk; 1.51 - 2.49 = Severe Risk; 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: NWT Department Of Health & Social Services – CANADA

Exploit: Theft of government employee laptop

NWT Department of Health & Social Services: Health department for the Northwest Territories of Canada

Customers Impacted: 40,000 Canadian residents

Risk to Small Business: 1.666 = Severe: On May 9th, 2018, an intruder broke into a car and stole a government employee’s laptop, resulting in a severe privacy breach. It is estimated that the device contained information on up to 40,000 Canadian citizens, and included sensitive health information. Officials are citing inadequate privacy training as the core issue, since managers are instructed to delete sensitive data immediately after using them. The department will now be required to conduct a list of privacy initiatives by 2020, resulting in expensive investments measured in time and money.

Individual Risk: 2.428 = Severe: Although less than half of those affected were only identified by health card numbers, the remaining 53% could be at risk since their names, dates of birth, health card numbers, and diagnoses were stored on the exposed laptop. Such sensitive data can be sold on the Dark Web to the highest bidder or leveraged for harmful identity theft.

Effect On Customers: Employees are identified as agents, or extensions, of the company they work for. When news breaks that an employee is responsible for a data compromise, the entire organization is put under a microscope. Businesses must ensure that their workforce acts as custodians of customer data, and this can be accomplished through privacy training and proper vetting.

Risk Levels: 1 - 1.5 = Extreme Risk; 1.51 - 2.49 = Severe Risk; 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: Kent County Council – UNITED KINGDOM

Exploit: Human error

Kent County Council: Adoption service for the British county of Kent

Customers Impacted: Approximately 300

Risk to Small Business: 1.888 = Severe: Contact details for hundreds of adoptive parents were disclosed in an accidental council email. A member of staff pasted a mailing list into the carbon copy (CC) field instead of the blind carbon copy (BCC) field, exposing the addresses to every recipient. The council is currently investigating whether the breach needs to be reported to the ICO, and whether any fines will follow.

Individual Risk: 2.714 = Moderate: The exposure of personal information for adoptive parents and support workers has serious implications, with the potential to affect birth families and vulnerable children.

Effect On Customers: Even innocent breaches come with significant repercussions. An honest mistake can spawn expensive fines and customer churn, and businesses should pay attention. By installing thresholds that protect employees from compromising sensitive data, security teams can save a company’s reputation and customer base.

Risk Levels: 1 - 1.5 = Extreme Risk; 1.51 - 2.49 = Severe Risk; 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
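One technical "threshold" of the kind the Kent entry calls for, added here as an example and not code from the newsletter or the council's systems: an outbound-mail guard that refuses a message exposing more than a handful of external addresses in To/Cc and can rewrite them into Bcc. The sending domain, the threshold and the sample mailing list are assumptions.

```python
"""Outbound mail guard against the CC-instead-of-BCC disclosure pattern.

Added example; not code from the newsletter or the council. The policy
values below are hypothetical placeholders.
"""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import List, Tuple

INTERNAL_DOMAIN = "council.example"   # assumed sending organisation
MAX_VISIBLE_EXTERNAL = 5              # more than this in To/Cc = a mailing list


def _addresses(msg: EmailMessage, *headers: str) -> List[str]:
    """Extract bare addresses from the named headers (any number of each)."""
    raw = []
    for name in headers:
        raw.extend(str(h) for h in msg.get_all(name, []))
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Addresses every recipient will see: To and Cc, never Bcc."""
    return _addresses(msg, "To", "Cc")


def hidden_recipients(msg: EmailMessage) -> List[str]:
    """Addresses carried in Bcc, which the mail server strips before delivery."""
    return _addresses(msg, "Bcc")


def external(addresses: List[str]) -> List[str]:
    """Keep only addresses outside the sending organisation."""
    return [a for a in addresses if not a.endswith("@" + INTERNAL_DOMAIN)]


def check_outbound(msg: EmailMessage) -> Tuple[bool, str]:
    """Return (allowed, reason). Blocks mass exposure of external addresses."""
    ext = external(visible_recipients(msg))
    if len(ext) > MAX_VISIBLE_EXTERNAL:
        return False, (f"{len(ext)} external addresses visible in To/Cc; "
                       "move them to Bcc before sending")
    return True, "ok"


def rewrite_to_bcc(msg: EmailMessage) -> EmailMessage:
    """Copy of msg with every To/Cc recipient moved to Bcc.

    The sender's own address is placed in To so the header is not empty;
    each recipient then sees only the sender, not the rest of the list.
    """
    fixed = EmailMessage()
    fixed["From"] = str(msg["From"])
    fixed["Subject"] = str(msg["Subject"])
    fixed["To"] = str(msg["From"])
    fixed["Bcc"] = ", ".join(visible_recipients(msg))
    fixed.set_content(msg.get_content())
    return fixed


def build_sample(n_parents: int) -> EmailMessage:
    """Constructed mailing that repeats the mistake: the list pasted into Cc."""
    msg = EmailMessage()
    msg["From"] = f"adoption-team@{INTERNAL_DOMAIN}"
    msg["To"] = f"adoption-team@{INTERNAL_DOMAIN}"
    msg["Cc"] = ", ".join(f"parent{i}@mail.example" for i in range(n_parents))
    msg["Subject"] = "Support group dates"
    msg.set_content("Dear all, please find the dates below.\n")
    return msg


if __name__ == "__main__":
    draft = build_sample(300)
    allowed, reason = check_outbound(draft)
    print("sent:" if allowed else "blocked:", reason)
    if not allowed:
        print("after rewrite:", check_outbound(rewrite_to_bcc(draft)))
```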


THREAT FOCUS: University Of Madras - INDIA

Exploit: Ransomware attack

University of Madras: Public university in Chennai

Customers Impacted: None

Risk to Small Business: 1.777 = Severe: Last week, the university database faced a ransomware attack in which a hacker encrypted all information and demanded a ransom of 1.8M Rupees (~25K USD). However, the university was able to sidestep the attack entirely by having back-up data stored on a system that was outside of its network. Nevertheless, the institution will do a security audit and augment their existing measures.

Individual Risk: 2.522 = Moderate: Since the server was not hacked directly and only compromised by malware, none of the data was copied and is still completely secure.

Effect On Customers: Such an incident is a perfect example of best practice in the event of a ransomware attack. When an organization is able to store backup data on a server that is outside of its network’s scope, it can quickly avert a hacker’s malware attack. Along with leaving a hacker powerless and less likely to attack again, such an event engenders trust between a business and its customers.

Risk Levels: 1 - 1.5 = Extreme Risk; 1.51 - 2.49 = Severe Risk; 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: West Coast District Health Board – NEW ZEALAND

Exploit: Exposure of printed records

West Coast District Health Board: Health board based in New Zealand

Customers Impacted: Up to 300

Risk to Small Business: 2.111 = Severe: An employee is under investigation after misplacing hundreds of printed patient records, which were reportedly “blown away in a gust of wind”. Only 40 pages were lost, but up to 300 individuals may have been affected. Although the situation has been mostly contained, journalists from around the world are citing the incident as an example of the need to safeguard offline data.

Individual Risk: 2.428 = Severe: Of the 40 pages that were lost, 6 have been recovered. However, the remaining records, which could amount to as many as 300, contained both names and health card numbers. Overall risk for patients is relatively low, but such data could become harmful if placed in the wrong hands.

Effect On Customers: Once offline data is compromised, it can be difficult to understand how or when it is being used. Without a digital trace, internal security teams are left wondering whether or not a breach will occur. However, employing a detection tool that constantly monitors leaked customer data can give peace of mind to employees and customers.

Risk Levels: 1 - 1.5 = Extreme Risk; 1.51 - 2.49 = Severe Risk; 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


POSTSCRIPT:


UK consumers most likely to jump ship on breached businesses

According to a recent study from PCI Pal, 41% of British consumers said that they would stop spending with a business or brand forever in the event of a breach. This compares to just 21% in the US.

The divergence in attitudes continues in their views of small businesses vs national companies. Over half of UK respondents felt that they could trust a local store with their data more than a national chain. On the other hand, only 47% in the US felt that they could trust a local business more than a national company, citing adherence to security protocols (28%) and cybersecurity investments (25%) as main reasons.

Public perceptions carry significant influence on the business landscape, and companies must build a reputation for security in order to win their customers’ hearts. As the world becomes increasingly cyber vigilant, consumers will start to think twice before placing their data in the wrong hands.




* Disclaimer: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provides the content in this publication to the reader for general information purposes only and has compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide Cyber Breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the contents accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.




© 2020 Avantia Corporate Services Pty Ltd. All Rights Reserved.