SecureWorks - On the Radar Newsletter - August 2008
Cybercrime Entrepreneurs
The Next Generation of Hackers
Security professionals worldwide agree: today's hackers are more sophisticated, specialized and lethal than ever before. With billions of dollars being pulled in by cybercrime every year, some of the most skilled and proficient technical minds – especially those living in poorer economic conditions – are turning to hacking instead of legitimate trades. In regions of the world where the risk of punishment is negligible, cybercrime operations are run like a business with a focus on profitability and staying ahead of competitors.
A few years ago, hackers were after notoriety and bragging rights. For example, whoever could commandeer the website of the "villain du jour" (typically a company or organization whose actions or methods were a subject of scorn in the hacking community) would gain instant "street cred" and respect. Not anymore. Today's hackers aren't concerned with showing off their skills. In fact, they want the opposite – to compromise machines and steal data without detection.
Fueled by funds gained through identity theft, extortion and spam schemes, today's hackers approach cybercrime as a business. Take the hackers behind 76Service.com, a website that allowed its members to rent and manage a "virtual portfolio" of compromised machines. 76Service.com users treated their rented bots as investments, keeping those that yielded valuable credentials and trading out the ones that didn't.
Consider A-Z, a Russian hacker profiled by Don Jackson with our Counter Threat Unit (CTU). Creator of a popular hacking tool used by cybercriminals to hijack and control victims' computers, A-Z was selling his tool in early 2007 for $3,000 per customer -- enough money for him to live comfortably without even having to get involved in the actual theft of data (although he was deeply involved in the theft of $6 million later that year). And to prevent competitors from ripping off his professional-level code, he threatened to release snippets of code to anti-virus vendors that would result in violators' copies of ZeuS being rendered useless.
Another example is the hackers responsible for the Coreflood botnet. According to research by Joe Stewart (another member of our CTU), Coreflood has become one of the oldest botnets in existence by being discreet while other more noticeable botnets took center stage. Since Coreflood first emerged more than 6 years ago, its purpose has shifted from executing Distributed Denial of Service (DDoS) attacks against IRC (Internet Relay Chat) users to selling anonymous proxy services to harvesting credentials for online banking – mirroring its owners' motivations as they shifted toward monetary gain. And as its purpose evolved, Coreflood's methods also became more sophisticated and lethal.
The latest iteration of Coreflood uses an advanced method not seen before. After infecting a host, it watches for Windows domain administrator credentials in addition to the other information it captures. When it finds domain administrator credentials, it uses them to propagate itself across thousands of computers within a single corporate network. All told, Coreflood has stolen more than 450,000 usernames and passwords for bank and credit union accounts, credit card accounts, email accounts, social networking accounts, online payment processor accounts, and others.
As the business of cybercrime continues to evolve and hackers become even more sophisticated in their attacks, it is clear that a single layer of defense is not sufficient protection. Organizations must employ defense-in-depth, using multiple layers of security controls as part of an integrated security program to prevent, detect and respond to attacks that would evade common standalone security technologies. Best practices for defense-in-depth include:
- Using Network Intrusion Prevention Systems (NIPS) at all network perimeters and between key network segments to block known exploit attempts and some forms of anomalous activity.
- Monitoring and analysis of ingress (inbound) and egress (outbound) firewall traffic logs in real-time to detect abnormal activity that could signify a compromised host.
- Monitoring and analysis of host and application logs in real-time on critical systems and network devices to detect exploit attempts, password grinding and anomalous behavior by users and applications.
- Using host-based security software including Host IPS (HIPS), anti-virus and anti-spyware to provide added protection beyond native host capabilities.
- Using Security Information Management (SIM) to correlate numerous security events from across your network and detect more sophisticated attacks.
- Conducting regular vulnerability scans, assessments and remediation (such as patching, removing unnecessary services, etc.) to minimize exposure to exploits.
- Performing penetration tests to validate how well you defend against the latest hacking methods.
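The firewall-log monitoring practice above is easy to state and harder to operationalize. The script below is an added example (it is not SecureWorks code and is not drawn from the Coreflood report) showing one way to review egress logs for the two signs of a compromised host that the bullets describe: a machine calling a single external address on a fixed schedule, and a machine repeatedly trying to reach blocked destinations. The log format, the threshold values, and the sample log lines are all constructed for illustration; real deployments would feed syslog from the perimeter firewall and tune the thresholds to the network's normal traffic.

```python
"""Egress firewall log review: flag internal hosts whose outbound traffic
looks like a compromised machine calling home.

Added example, not SecureWorks code. The log format, thresholds and sample
lines are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed iptables-style egress log lines (not real traffic).
# 10.1.1.5 browses normally; 10.1.1.9 beacons to one address every minute;
# 10.1.1.12 keeps trying to reach blocked IRC servers.
SAMPLE_LOG = """\
Aug 12 10:00:03 fw ACCEPT SRC=10.1.1.5 DST=203.0.113.7 DPT=443
Aug 12 10:00:41 fw ACCEPT SRC=10.1.1.5 DST=203.0.113.9 DPT=80
Aug 12 10:03:17 fw ACCEPT SRC=10.1.1.5 DST=203.0.113.21 DPT=443
Aug 12 10:09:58 fw ACCEPT SRC=10.1.1.5 DST=203.0.113.7 DPT=443
Aug 12 10:00:00 fw ACCEPT SRC=10.1.1.9 DST=198.51.100.23 DPT=8080
Aug 12 10:01:00 fw ACCEPT SRC=10.1.1.9 DST=198.51.100.23 DPT=8080
Aug 12 10:02:01 fw ACCEPT SRC=10.1.1.9 DST=198.51.100.23 DPT=8080
Aug 12 10:03:00 fw ACCEPT SRC=10.1.1.9 DST=198.51.100.23 DPT=8080
Aug 12 10:04:00 fw ACCEPT SRC=10.1.1.9 DST=198.51.100.23 DPT=8080
Aug 12 10:05:01 fw ACCEPT SRC=10.1.1.9 DST=198.51.100.23 DPT=8080
Aug 12 10:02:10 fw DROP SRC=10.1.1.12 DST=192.0.2.44 DPT=6667
Aug 12 10:02:12 fw DROP SRC=10.1.1.12 DST=192.0.2.44 DPT=6667
Aug 12 10:02:15 fw DROP SRC=10.1.1.12 DST=192.0.2.45 DPT=6667
Aug 12 10:02:19 fw DROP SRC=10.1.1.12 DST=192.0.2.46 DPT=6667
Aug 12 10:02:25 fw DROP SRC=10.1.1.12 DST=192.0.2.47 DPT=6667
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<action>ACCEPT|DROP) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)$"
)

# Heuristic thresholds (assumed values; tune to the network's baseline).
MIN_BEACONS = 5    # accepted connections to one destination before checking timing
MAX_JITTER = 0.10  # stdev/mean of inter-connection gaps still considered periodic
MAX_DENIED = 3     # denied outbound attempts before a host is flagged


def parse_line(line):
    """Return a dict for one matching log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Syslog timestamps carry no year; that is fine for gaps within one day.
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    rec["dpt"] = int(rec["dpt"])
    return rec


def find_suspicious_hosts(log_text):
    """Map internal source IP -> list of findings for hosts that look compromised."""
    per_pair = defaultdict(list)  # (src, dst) -> timestamps of accepted connections
    denied = defaultdict(int)     # src -> count of dropped outbound attempts
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not ipaddress.ip_address(rec["src"]).is_private:
            continue  # only judge egress from our own address space
        if rec["action"] == "DROP":
            denied[rec["src"]] += 1
        else:
            per_pair[(rec["src"], rec["dst"])].append(rec["ts"])

    findings = defaultdict(list)
    for (src, dst), stamps in per_pair.items():
        if len(stamps) < MIN_BEACONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Near-constant spacing between connections is the beaconing signature.
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER:
            findings[src].append(
                f"beaconing to {dst} every ~{avg:.0f}s ({len(stamps)} connections)")
    for src, n in denied.items():
        if n >= MAX_DENIED:
            findings[src].append(f"{n} denied outbound connections")
    return dict(findings)


if __name__ == "__main__":
    for host, notes in sorted(find_suspicious_hosts(SAMPLE_LOG).items()):
        print(host, "->", "; ".join(notes))
```

Run against the constructed sample, the script reports 10.1.1.9 for beaconing and 10.1.1.12 for repeated denied connections, while the ordinary browsing host 10.1.1.5 is left alone. The denied-connection count is the cheaper signal and is worth watching on its own, since a bot whose command channel is blocked at the perimeter will typically keep retrying; the timing check is what separates a scheduled call-home from a user who simply visits the same site often.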
Security 101: Cyber-Warfare
The Internet has grown to become a significant component of national infrastructures, supporting government, commerce and the daily activities of billions of people worldwide. Unfortunately, the threat of one nation launching cyber attacks against another has also grown. Whether or not such attacks are officially sanctioned or conducted by a nation’s government, cyber-warfare is playing an increasingly prominent role in global conflicts – and the recent conflict in Georgia has thrown it into the spotlight.
Cyber-warfare is focused on compromising systems (cyber espionage) or disrupting the flow of information. The objective can be political, military or both. Most (if not all) industrialized nations have developed cyber warfare capabilities, but the approaches vary greatly from nation to nation. Some are focused on defending their own networks, while others take a more offensive stance, targeting other countries' networks and assets.
Cyber espionage leverages discreet malware, such as Trojans, to infiltrate the networks of military, government and corporate/industrial organizations. After a system is compromised, sensitive intelligence is collected and transmitted back to the attackers. Depending on the objectives, systems can also be sabotaged or information can be destroyed; however, these activities are more difficult to successfully accomplish. Examples of cyber espionage include several reports of Chinese efforts to spy on Western nations by compromising government and military IT systems. China also claims to have been hacked by other nations.
Attacks that disrupt the flow of information – thus disrupting operations that rely on that information – are also used in cyber warfare. Distributed Denial of Service (DDoS) is a common method used for this because of its relative simplicity, but any other attack method that disables communications or systems is effective as well. In the recent Georgia-Russia conflict over South Ossetia, Russian military activities commenced in tandem with cyber attacks that limited Georgia’s ability to quickly disseminate information through government websites.
Subsequent investigation into the attacks has implicated the Russian Business Network (RBN), a cybercrime organization notorious for operating botnets and hosting illegal businesses. The RBN is officially unaffiliated with the Russian government, but the coordination of the attacks on Georgia, other nationalistic attacks carried out by the RBN, and the fact that the RBN is allowed to continue operating in Russia despite its clearly illegal activities have led to speculation of a coordinated relationship between the RBN and the Russian government.
Whether state-sponsored or not, a well-executed cyber attack can have devastating effects on the IT systems and critical infrastructure supporting a nation’s government and industry. For this reason, most industrialized nations are developing their own capabilities and defenses. If recent events are any indication, cyber warfare will play an important role in both major and minor conflicts of the future.
Featured Threat Analysis: The Coreflood Report
This Threat Analysis by Joe Stewart, Director of Malware Research with our Counter Threat Unit (CTU), details Coreflood and its activities. Used by cybercriminals to collect login information for financial accounts, email, online retailers and social networking, the Coreflood Trojan has infected thousands of computers worldwide, most of which reside in the U.S.
Read the entire Coreflood Report
SecureFacts
463,582
The number of usernames and passwords stolen by the Coreflood Trojan.
Source: The Coreflood Report
