Cybercrime Evolution - HGK
Yves Le Roux, Co-Chair, (ISC)² EMEA Advisory Council (EAC)
[email protected]

Who am I?
» Graduated from Paris University in 1970
» Worked in the Rothschild Group where, among other tasks, I was in charge of network security and other security-related issues.
» In 1981, joined the French Ministry of Industry, where I was in charge of the Open Systems Standardization programs.
» In 1986, European Information Security Manager at Digital Equipment. Then I joined the security research and development team.
» In 1999, I went to Entrust Technologies, a PKI software editor.
» In 2003, I joined Computer Associates Int. as a Technology Strategist.
» In 2017, I retired from CA Technologies.

Agenda
» IT Evolution in organisations
  • Big Data
  • Internet of Things
  • SaaS
  • Containers
  • Blockchain
  • AI/Machine learning
» Cybercrime Tactics & Attacks
» Malware
  • Banking Trojans
  • Cryptojacking
  • Ransomware
  • RAT
  • Sextortion
  • IoT
» Threat Horizon 2019 by Information Security Forum

IT Evolution in organisation 1/3

» Big Data

• Continue to flood

» Internet of Things (IoT)

• Data from 451 Research found that nearly three quarters (71%) of enterprises are already gathering data for IoT initiatives

Internet of Things (IoT)


IT Evolution in organisation 2/3
» SaaS
  • continues to spawn concerns over sensitive data stored outside
» Containers
  • nearly one-quarter (24%) are using containers in production environments
  • 451 Research predicts that containers will have a compounded annual growth rate of 40%, reaching $2.7 billion by 2020.

IT Evolution in organisation 3/3
» Blockchain
  • becoming more widely used for commercial transactions outside the highly established payment settlement systems
» AI/Machine learning

Blockchain

Regardless of their specific design, all blockchains represent a cryptographic triple play:

1. Each transaction in the blockchain is digitally signed by the originator.
2. Each transaction—singly or in blocks—is chained to the prior via a digital hash.
3. Validated transactions are replicated across all machines using a consensus algorithm.

The result is a cryptographic ledger of immutable records that makes it very difficult, if not almost impossible, to change past transactions or maliciously control future ones.

Blockchain risks and challenges


Blockchain Applications
» Supply Chain
Transactional data throughout the supply chain can be recorded through the blockchain and an immutable record of provenance (i.e. origin) can be created, offering the potential for full traceability of products from source to store. A key challenge with blockchain is ensuring that industrialized systems based on the technology are robust and secure enough to handle the volume of transactions that occur in large supply chains.

Blockchain Applications
» Financial Products and Services

Blockchain technology may be best known as the underpinning of virtual currencies such as Bitcoin. But blockchains can help to efficiently address the need for multiple, cost-effective financial products and services that can comply with relatively exacting financial regulation.

More broadly, blockchain can be viewed as moving the financial services industry away from process-oriented approaches, and towards data-based workstreams.

Blockchain Applications
» Financial Products and Services

In March 2018, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) tested the use of blockchain technology to reconcile payments among accounts spread across 34 banks; the test showed that the technology has made significant progress in terms of security and governance, though it was not yet ready to support large-scale, mission-critical global infrastructures, according to SWIFT.

Cybercrime tactics and techniques


Email Attacks
» Email remains the top vector for malware distribution and phishing.
» Banking Trojans, downloaders and credential stealers made up 94% of malicious payloads.
» Ransomware dropped to less than 1% of all email-borne payloads, while remote access Trojans (RATs) doubled their presence from Q2, making up 4% of all malicious payloads in email.
» The pendulum of malware delivery mechanisms in email continued to swing towards URLs; malicious URLs outnumbered attachments like macro-laden documents by over 370%.
» However, many of these malicious URLs led to macro documents themselves.

Web-based Attacks
» Web-based threats have shifted almost entirely away from exploit kits to social engineering schemes, with fake antivirus and bogus plugins appearing more than twice as often as in Q2 and over 20 times as often as in Q1.
» The total incidence of Coinhive-based cryptojacking held steady between Q2 and Q3, with the number of detected events in both quarters roughly six times that of Q1.

Banking Trojans

A Banking Trojan is a type of Trojan specifically created to harvest credentials and other sensitive financial and personal information stored and processed through online banking systems.

Banking Trojans made up 46% of all malicious payloads; of those, 90% were Emotet and Panda Banker.

Emotet a banking Trojan


Cryptomining

Cryptocurrency owners keep their money in virtual “wallets,” which are securely encrypted with private keys. In a transaction, the transfer of funds between the owners of two digital wallets requires that a record of this exchange be entered into the decentralized public digital ledger. Special computers collect data from the latest Bitcoin or other cryptocurrency transactions about every 10 minutes and turn them into a mathematical puzzle. There, the transaction-within-a-puzzle awaits confirmation.

Confirmation only happens when members of another category of participants, called miners, independently solve the complex mathematical puzzles that prove the transaction’s legitimacy, thereby completing the transaction from the owner of one wallet to another.

Cryptomining

Typically, an army of miners toils away on the puzzle simultaneously in a race to be the first with the puzzle proof that authenticates the transaction. The miner who first solves the encrypted problem receives a reward, usually some amount of new cryptocoins.

Because the complexity of the puzzle calculations has steadily increased over time (and particularly for Bitcoin), miners found that even high-end PCs with a powerful processor could not mine profitably enough to cover the costs involved.

Serious cryptocurrency players invest big money into a high-stakes battle against other miners in order to solve the puzzle first and claim their reward.

Before China shut down cryptocurrency farms in that country, monthly electrical bills reportedly reached $80,000.

Cryptojacking

Cryptojacking (also called malicious cryptomining) is an emerging online threat that hides on a computer or mobile device and uses the machine’s resources to “mine” forms of online money known as cryptocurrencies. Like most other malicious attacks on the computing public, the motive is profit, but unlike many threats, it’s designed to stay completely hidden from the user. Cryptojacking is relatively new, but it’s already one of the most common online threats.

Cryptojacking Incidents

The cryptojackers continue to up their game, invading increasingly powerful hardware.

One example is an incident where criminals cryptojacked the operational technology network of a European water utility’s control system, degrading the operators’ ability to manage the utility plant.

In another instance from the same report, a group of Russian scientists allegedly used the supercomputer at their research and nuclear warhead facility to mine Bitcoin.

Ransomware
» A category of malware that holds files or systems hostage for ransom

» Typically, users will receive a notification (ransom note) that a threat actor has taken control of the system or the files. The note usually explains how to pay the ransom, how much it’s for, and how long users have to pay before their files are deleted.

Q3 2018: 39 Ransomware families

Ransomware
» The major trend is the rise of the targeted ransomware cyberattack – malware designed for a specific victim that steals data and asks the victim to pay a price to get the data back.
» Human attackers aiming to get money out of specific entities can stake out their victims, think laterally, troubleshoot and get past hindrances or other roadblocks to delivering the ransomware, and then wipe out the backups to force victims to pay the ransom for a lucrative windfall for the attackers.

Remote Access Trojans (RATs)

RATs are often called the Swiss Army knife of malware, as they can carry out a variety of attacks with relative ease.

RATs have been around since the dawn of the Internet, and they aren’t going away any time soon. Old RATs will continue to be repurposed for many years, alongside the continual development of new RATs and tools to fit the ever-changing needs of malicious attackers.

Sextortion

In early July, an extortion scam campaign attracted attention due to its large scale and unique twist.

Unlike traditional sex-based extortion scams, this email campaign came with a user’s password as a sign that the sender had “hacked” the victim. These credentials came from a variety of past high-profile breaches, most likely drawn from one of several omnibus collections of leaks over the past four years.

Internet of Things (IoT)

Manufacturers still don’t prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage Internet traffic, others shoot video footage, still others control domestic devices (for example, air conditioning).

Internet of Things (IoT)

In March 2017, several major vulnerabilities were detected in the software of GoAhead devices, and a month after information about it was published, there appeared new versions of the Gafgyt and Persirai Trojans exploiting these vulnerabilities. Just one week after these malicious programs were actively distributed, the number of infected devices climbed to 57,000.


Internet of Things (IoT)

The primary purpose of IoT malware deployment is to perpetrate DDoS attacks. Infected smart devices become part of a botnet that attacks a specific address on command, depriving the host of the ability to correctly handle requests from real users. Such attacks are still deployed by Trojans from the Mirai family and its clones, in particular, Hajime.

Internet of Things (IoT)

The VPNFilter Trojan, detected in May 2018, pursues other goals, above all intercepting infected device traffic, extracting important data from it (user names, passwords, etc.), and sending it to the cybercriminals’ server. The very first VPNFilter report spoke of around 500,000 infected devices. Since then, even more have appeared, and the list of manufacturers of vulnerable gadgets has expanded considerably.

Threat horizon 2019 from ISF 1/3

1 – DISRUPTION: from an over reliance on fragile connectivity

1.1 Premeditated internet outages bring trade to its knees

1.2 Ransomware hijacks the Internet of Things

1.3 Privileged insiders coerced into giving up their crown jewels


1.1 Premeditated internet outages bring trade to its knees

» Engage with internal and external stakeholders to agree to alternative methods of communication

» Develop relationships with regional bodies (e.g., governments, competitors, industry forums) to create new, standardized contingency plans for when internet communications fail

» Assess communications providers' contingency plans; insist that they align with standardized or organizational plans, while partnering to ensure gaps are addressed

» Plan for alternative supply chain models for critical systems and services


1.2 Ransomware hijacks the Internet of Things

» Apply pressure on manufacturers (e.g., via industry bodies) to build comprehensive security features into devices.

» Engage with industry bodies to lobby for (and influence) regulation ensuring minimum security standards for IoT devices.

» Raise the profile of the ransomware threat across your organization and mandate minimum security requirements for procurement of IoT devices.

» Incorporate IoT-related ransomware scenarios into your business continuity planning and run regular simulations.

» Collaborate with manufacturers and customers to gather threat intelligence about the IoT devices you use.


1.3 Privileged insiders coerced into giving up their crown jewels

» Identify your mission-critical information assets and the individuals who own and access them.

» Invest in special measures to protect individuals with privileged access (e.g., instruction in physical security precautions; exposure to social engineering methods).

» Implement mechanisms to protect your organization against the insider threat (e.g., screen prospective employees; embedding appropriate clauses in employment contracts).

» Adopt a trust-but-verify approach to privileged insiders (e.g., foster a culture of trust, while verifying and monitoring appropriate system access).

Threat horizon 2019 from ISF 2/3

2 – DISTORTION: as trust in the integrity of information is lost

2.1 Automated misinformation gains instant credibility

2.2 Falsified information compromises performance

2.3 Subverted blockchains shatter trust

2.1 Automated misinformation gains instant credibility
» Build scenarios covering the spread of misinformation into your overall incident management process.
» Extend monitoring of social media before and after big organizational announcements or events.
» Combine forces with industry bodies to lobby governments and regulators to investigate ways of identifying and prosecuting those spreading fake news and misinformation.
» Consider increasing existing social media output to proactively counter the spread of misinformation (e.g., encourage employees to spread legitimate news and report suspicious posts).

2.2 Falsified information compromises performance
» Take steps to validate and maintain the integrity of key databases.
» Incorporate scenarios of compromised information integrity into business risk assessments; involve appropriate stakeholders across the organization to gauge business impact.

» Collaborate with peers to share intelligence about attacks on information integrity.

» Consult with legal professionals before making public any information that provides factual evidence to counter false claims.

» Monitor access and changes made to sensitive information using tools like Federated Identity and Access Management (FIAM) systems and Content Management Systems (CMS).

2.3 Subverted blockchains shatter trust
» Appoint a sponsor or steering committee to consult widely and take decisions concerning the adoption and use of blockchains throughout your organization.
» Train employees on how to use blockchains securely, and to detect suspicious activity.
» Assess the security controls of external parties using blockchains (e.g., audit the strength of their security controls, such as cryptographic key management and access control measures).
» Engage with industry forums and experts to contribute to the development of good practice guidelines and standards for secure implementation.
» Consult legal to understand the contractual implications of using a blockchain.
» Demand that information security requirements are incorporated during the design, implementation and operation of a blockchain-based application.
» Consider the implications of decentralized blockchain systems on existing governance and change management processes.

Threat horizon 2019 from ISF 3/3

3 – DETERIORATION: when controls are eroded by regulations and technology

3.1 Surveillance laws expose corporate secrets

3.2 Privacy regulations impede the monitoring of insider threats

3.3 A headlong rush to deploy AI leads to unexpected outcomes.

3.1 Surveillance laws expose corporate secrets

» Obtain advice on the metadata that communications providers must legally store, in every jurisdiction in which you operate.

» Collaborate across your organization and conduct a risk assessment to understand the impact of metadata lost by a communications provider.

» Engage with communications providers to agree to responsibilities and set minimum requirements for the secure storage of metadata.

» Establish if, how and when communications providers will notify you of a breach and work together to minimize impact.

3.2 Privacy regulations impede the monitoring of insider threats
» Take legal advice on restrictions regarding user profiling in every jurisdiction in which your organization operates.
» Establish a rigorous program (tied to the disciplinary process) that is transparent about any employee monitoring activity.

» Make employees aware of insider risk and train them to identify suspicious behavior.

» Undertake more regular and stringent audits of access privileges for insiders, assuring appropriate role-based access.

3.3 A headlong rush to deploy AI leads to unexpected outcomes.
» Collaborate across the organization to establish which areas will benefit from deployment of AI, and when
» Recruit, develop and retain talent with the skills to understand and manage AI systems
» Collaborate with industry peers and academic bodies to develop best practice for deploying AI systems
» Update governance structures to manage AI effectively (e.g., incorporate security in design, provide oversight of decisions taken by the AI system, ensure the system can be manually shut down if a serious incident occurs)

Threat horizon 2020 from ISF 1/3

THEME 1: CONFLICT LOOMS

1.1 Cyber and physical attacks combine to shatter business resilience

1.2 Satellites cause chaos on the ground

1.3 Weaponised appliances leave organisations powerless

Recommendations

» Update crisis management plans to cater for a wider range of extreme eventualities.

» Conduct scenario planning and training exercises.

» Conduct a full risk assessment to profile how satellite communications are used in the organization

» Ensure that Internet of Things (IoT) appliances within the organisation’s control cannot be used as part of an attack.

Threat horizon 2020 from ISF 2/3

THEME 2: TECHNOLOGY OUTPACES CONTROLS

2.1 Quantum arms race undermines the digital economy

2.2 Artificially intelligent malware amplifies attackers’ capabilities

2.3 Attacks on connected vehicles put the brakes on operations

Recommendations
» Invest in, and be prepared to move quickly to, encryption methods that cannot be broken by quantum computing.

» Invest in people with technical expertise in AI, particularly machine learning, malware analysis and reverse engineering.

» Undertake a thorough risk assessment of supply chains to understand whether vehicles are safe and secure.

Threat horizon 2020 from ISF 3/3

THEME 3: PRESSURE SKEWS JUDGEMENT

3.1 Biometrics offer a false sense of security

3.2 New regulations increase the risk and compliance burden

3.3 Trusted professionals divulge organisational weak points

Recommendations
» Conduct risk assessments to evaluate which combinations of roles and levels of data criticality can be used with which authentication methods.

» Communicate the intricacies of balancing compliance needs with business risk to board members and other senior stakeholders.

» Identify every individual and external party with access to critical or sensitive information and verify – and then regularly reassess – whether that access is necessary.


Backup slides blockchain

Data Breaches


Verification of a blockchain transaction

» Proof of work (PoW)
Each block is verified through a process called “mining” before information is stored. The data contained in each block is verified using algorithms that attach a unique hash to each block based on the information stored in it. Users continuously verify the hashes of transactions through the mining process in order to update the current status of the blockchain assets.
Pros: It has been proven to work.
Cons: Criticisms have been raised repeatedly about its high energy consumption and poor scalability, with serious issues in transaction confirmation.
Coins: Ethereum Classic (ETC), ZCash (ZEC), Monero Original (XMO)
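The hash-chaining described on the “cryptographic triple play” slide and the mining loop described here, as an added Python example that is not part of the presentation. It builds a toy ledger, mines each block against a constructed, deliberately tiny difficulty, then shows why editing a past transaction is detectable by anyone re-validating the chain and why a successful rewrite forces the attacker to re-mine every later block; per-transaction digital signatures (point 1 of the triple play) are left out, and all transaction values are constructed.

```python
"""Toy hash-chained ledger with proof of work (added example, not from the slides)."""
import copy
import hashlib
import json
from dataclasses import dataclass

# Constructed difficulty: hashes must start with this many hex zeros. Kept tiny so
# the demo mines in milliseconds; real networks retune it to hit ~10 min per block.
DIFFICULTY = 3
GENESIS_PREV = "0" * 64  # the first block links to an all-zero predecessor

# Constructed sample transactions; names and amounts are made up for this example.
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}, {"from": "alice", "to": "dave", "amount": 1}],
    [{"from": "carol", "to": "alice", "amount": 1}],
]


@dataclass
class Block:
    index: int
    prev_hash: str       # hash of the previous block's header: this is the "chain"
    transactions: list
    nonce: int = 0       # the field miners vary to satisfy the proof of work

    def header_hash(self) -> str:
        # Canonical JSON so the hash depends only on content, not dict ordering
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash,
             "transactions": self.transactions, "nonce": self.nonce},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


def meets_difficulty(block_hash: str, difficulty: int = DIFFICULTY) -> bool:
    return block_hash.startswith("0" * difficulty)


def mine(block: Block, difficulty: int = DIFFICULTY) -> str:
    """Proof of work: bump the nonce until the header hash has enough leading zeros."""
    while not meets_difficulty(block.header_hash(), difficulty):
        block.nonce += 1
    return block.header_hash()


def build_chain(batches, difficulty: int = DIFFICULTY) -> list:
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = Block(i, prev, list(txs))
        prev = mine(block, difficulty)       # each block commits to its predecessor
        chain.append(block)
    return chain


def validate_chain(chain, difficulty: int = DIFFICULTY):
    """(True, None) if every block links to its predecessor and carries a valid
    proof of work; otherwise (False, index) of the first block that fails."""
    prev = GENESIS_PREV
    for block in chain:
        h = block.header_hash()
        if block.prev_hash != prev or not meets_difficulty(h, difficulty):
            return False, block.index
        prev = h
    return True, None


def tampered_copy(chain, index: int, new_transactions: list) -> list:
    """Simulate an attacker editing a past block without re-mining anything."""
    forged = copy.deepcopy(chain)
    forged[index].transactions = new_transactions
    return forged


def remine_from(chain, index: int, difficulty: int = DIFFICULTY) -> int:
    """Cost of a rewrite that passes validation: re-mine the edited block and every
    later one, in place. Returns the number of hashes the attacker had to compute."""
    hashes = 0
    prev = chain[index - 1].header_hash() if index > 0 else GENESIS_PREV
    for block in chain[index:]:
        block.prev_hash, block.nonce = prev, 0
        prev = mine(block, difficulty)
        hashes += block.nonce + 1
    return hashes


if __name__ == "__main__":
    ledger = build_chain(SAMPLE_BATCHES)
    print("honest chain valid:", validate_chain(ledger))
    forged = tampered_copy(ledger, 1, [{"from": "bob", "to": "mallory", "amount": 2}])
    print("after editing block 1:", validate_chain(forged))
    print("hashes needed to re-mine blocks 1..end:", remine_from(forged, 1))
```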

Verification of a blockchain transaction

» Proof of stake (PoS)
PoS simplifies the mining process. Instead of mining, users can validate and make changes to the blockchain on the basis of their existing share (“stake”) in the currency.

Pros: Energy efficient, more decentralized.

Cons: The nothing-at-stake problem.

Coins: Dash (DASH), Neo (NEO), PivX (PIVX)

Verification of a blockchain transaction

» Delegated Proof of Stake (DPoS)
Token holders don’t vote to validate blocks but instead vote to elect delegates who in turn validate on their behalf. The way DPoS differs from PoW and PoS is that here miners work collaboratively instead of competing with each other to make blocks. It leads to quicker block times at the expense of partial centralization.
Pros: Highly scalable, cheaper transactions.
Cons: Partial centralization could lead to problems.
Coins: Lisk (LSK), Ark (ARK), Rise (RISE)

Verification of a blockchain transaction

» Proof of Stake Time (PoST)
It introduces a nonlinear proof function that defines a fraction of time active and idle, at a given block. Idle-time is defined as the fraction of age that no longer supports the distribution of consensus and instead begins to degrade it.
Pros: Addresses the nothing-at-stake problem of PoS. Distributed threats are discouraged and heavily penalized.

Cons: None at the time of writing.

Coins: VeriCoin (VRC)

Verification of a blockchain transaction

» Proof of Capacity
This algorithm introduced the concept of ‘plots’ which you store on your hard drive prior to the start of a mining session. These are nothing but data sets in the form of, for example, hard-to-pebble graphs, which are used in a variation known as Proof-of-Space. The mining algorithm is quite complicated and the block times so short that the solutions must be saved on the hard drive ahead of time.
Pros: environment-friendly to a high extent
Cons: prone to nothing-at-stake attacks
Popular Coins: Burstcoin (BURST), Chia, SpaceMi

Verification of a blockchain transaction

» Proof of Activity
Proof of Activity is a mix of two of the most popular consensus mechanisms – Proof of Work and Proof of Stake.

Pros: more secure than both the algorithms that make up the mechanism

Cons: inherits the downside for both Proof of work and Proof of Stake in terms of high resources used and malicious validators

Popular Coins: Decred (DCR), Espers (ESP).

Emotet a banking Trojan

Emotet is a banking Trojan family notorious for its modular architecture, persistence techniques, and worm-like self-propagation. It is distributed through spam campaigns employing a variety of seemingly legitimate guises for their malicious attachments. The Trojan is often used as a downloader or dropper for potentially more-damaging secondary payloads. Due to its high destructive potential, Emotet was the subject of a US-CERT security notice (https://www.us-cert.gov/ncas/alerts/TA18-201A) in July 2018.

Emotet a banking Trojan

The compromise scenario in this November 2018 campaign starts with the victim opening a malicious Word or PDF file attached to a spam email seemingly coming from a legitimate and familiar organization. Following the instructions in the document, the victim enables macros in Word or clicks on the link in the PDF. The Emotet payload is subsequently installed and launched, establishes persistence on the computer and reports the successful compromise to its C&C server. In turn, it receives instructions on which attack modules and secondary payloads to download. The modules extend the initial payload’s functionality with one or more of credential-stealing, network propagation, sensitive information harvesting, port forwarding, and other capabilities. As for the secondary payloads, this campaign has seen Emotet dropping TrickBot and IcedId on compromised machines. The email subjects used in the campaign suggest a targeting of English and German-speaking users.

Osiris Banking Trojan New Face of Kronos

» is written in the C++ programming language

» is a banking Trojan horse

» uses the TOR anonymizing network

» has keylogger functionality

» has form grabbing functionality

» uses Zeus-formatted webinjects


Banking Trojan Looking Ahead

The addition of new banking Trojan families to the scene also demonstrates the continued success of this type of malware and the attackers’ desire to design more efficient systems.

This is why we expect to see more banking Trojans and with more robust functionality in quarters to come.


Cryptojacking

Cryptojackers have more than one way to enslave your computer. One method works like classic malware.

You click on a malicious link in an email and it loads cryptomining code directly onto your computer. Once your computer is infected, the cryptojacker starts working around the clock to mine cryptocurrency while staying hidden in the background. Because it resides on your PC, it’s local—a persistent threat that has infected the computer itself.

Cryptojacking

An alternative cryptojacking approach is sometimes called drive-by cryptomining. Similar to malicious advertising exploits, the scheme involves embedding a piece of JavaScript code into a Web page. After that, it performs cryptocurrency mining on user machines that visit the page.

Drive-by cryptomining can even infect your Android mobile device. It works with the same methods that target desktops. Some attacks occur through a Trojan hidden in a downloaded app. Or users’ phones can be redirected to an infected site that leaves a persistent pop-under. There’s even a Trojan out there that invades Android phones with an installer so nefarious, that it can tax the processor to the point that the phone overheats, makes the battery bulge, and essentially leaves your Android for dead.


Gandcrab Ransomware

GandCrab was first discovered on January 26, 2018, and has been an ongoing threat ever since. GandCrab v4 was first seen in the beginning of July, and there have been multiple updates to the malware since then, including the release of GandCrab v5.

Gandcrab Ransomware

GandCrab originally set itself apart from other popular ransomware families by accepting the cryptocurrency DASH instead of Bitcoin. Since then, the ransomware creators have opened the door to Bitcoin as well. The ransom requested by attackers ranges from $800 to over $1,000, and the ransom doubles after a set number of days have passed without payment.

Gandcrab Ransomware

Version 4 of GandCrab switched from using the RSA-2048 encryption algorithm for encrypting files to Salsa20, the same encryption algorithm used by the Petya ransomware. This encryption method is more efficient than RSA-2048, meaning files can be encrypted faster. Another new feature of GandCrab is the ability to encrypt network shares if they are remembered by the victim system. GandCrab can now encrypt files without an Internet connection.

Magniber Ransomware
