Every week, numerous media outlets report that another company has been breached. We tend to accept it, shrug our shoulders and continue on. As long as it isn’t our company, we’re good.
That thought might put you at ease for a while, but it’s far from reality. Everyone holds information that is useful to someone, and it takes only one criminal mind to figure that out and start planning an attack.
Understanding the attacker’s motivation and the tools used is key to determining the threats we face today. Traditionally, adversaries would use their tools to test your defenses, finding out which activities trigger an alarm and which stay under the radar. The time of noisy port scans is over; more precise fingerprinting and preparation are used in the reconnaissance phase of an attack. Noise is still made, but nowadays for different reasons: to distract or disguise.
Let me give you a few examples.
In the first quarter of 2016, many hospitals around the world were attacked by a specific family of ransomware. The ransomware paralyzed several departments and, in some cases, hospitals had to transfer patients and postpone surgeries. You would say this is a classic case of ransomware, right? The ransomware demanded a certain sum of money to get the encrypted files back and, in return for payment, the criminals handed the decryption key to the victims.
In some of these cases, however, the ransomware was used as a distraction. The few thousand dollars in ransom were an extra bonus. While the whole incident response team was busy with and focused on the ransomware outbreak, the criminals gained access to the network and silently copied the patient database and other information that could be sold in underground markets. We have seen similar cases where the victim was hit with a major Denial-of-Service attack on the front-end systems and was breached at the same time.
Too often, the appetite for answers following a major campaign leads to rapid conclusions. A great example was the recent WannaCry attack. Within a short time, multiple organizations in more than 90 countries were hit. From a technical analysis perspective, this was a classic ransomware attack, but spread using a new vector. Was it really that successful? No: the revenue raised was not significant compared to campaigns where millions were made in a short time. So what drove the adversaries behind this campaign?
If the motive was to cause widespread disruption, well, that succeeded. At the same time, victims who decided to pay needed Bitcoin. Was the attack meant to increase the value of BTC by driving up demand? An owner of a large stash of BTC would benefit and see their profit increase.
Is the motivation behind a Denial of Service attack or ransomware attack always extortion?
Not necessarily. Disrupting the continuity of a business can serve competitive (economic, financial) purposes. In an always-online society, with people in a hurry, we want to be served fast. If your competitor is down, customers will go to the next supplier that is available and whose back end is up and running.
Attackers nowadays have an arsenal of tools at their disposal. They don’t have to be very skilled; they just need to bring a few hundred dollars to the table to buy Ransomware-as-a-Service or a Denial-of-Service attack. After transferring the bitcoins, the attackers get access, fill out a few options and launch the attack.
Still too complex? No worries, plenty of hackers-for-hire will do the job for you: custom, uniquely written ransomware for only $700. The ransomware sample is the tool, distraction and obfuscation are the tactics, and fraud and extortion are the techniques.
In the current wave of attacks, where technology is used as a distraction, it’s not about understanding what tools are used, but why they are used and who benefits from it.
When a system is infected with malware, the normal procedure is to clean it and move on. In certain cases, the detection name might indicate the type of malware and, if you are lucky enough to have seasoned security analysts on your team, they might even know a little about the characteristics of the malware.
What if the malware has screen-capture capabilities and a criminal on the other side of the world is virtually watching over the shoulder of your capital desk employee? By watching the trading, the criminal could anticipate moves and shape his own stock trading strategy to get the most profit out of it. Instead of building a botnet, the criminal bought access to an exclusive botnet where he could pick the targets he wanted to virtually shoulder surf.
Between 2010 and 2014, a Ukrainian hacker ring collected more than $100 million in illegal profits by trading in Contracts for Difference (CFDs). The leaders of this ring were able to gain access to key organizations and obtain corporate earnings information, often days or hours before its official publication. This data was then funneled to their network of traders, who traded on it. With a nice profit model, everyone in the ring received their share.
Every company has useful and valuable information. It is key to understand who would benefit from gaining access to your information and what their objectives would be. The attackers’ strategies and techniques have changed. Do not assume that all of your organizational departments are in the same attackers’ scope. Understand when technology is used as a distraction, which departments are responding, and which departments could be vulnerable while monitoring is limited.
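As an added illustration of the hospital scenario above (ransomware as a distraction while data is copied elsewhere) and of this closing advice, the following Python script correlates a loud endpoint alert with outbound traffic from hosts in departments that are not handling the outbreak. It is not code from the original article; the log lines, host names, internal address ranges, two-hour window and 50 MB threshold are all constructed assumptions, and the documentation addresses 203.0.113.x and 198.51.100.x stand in for external destinations.

```python
"""Correlate a noisy ransomware alert with quiet outbound transfers elsewhere.

Added example: the log lines, host names and thresholds below are constructed
for illustration and do not come from the original article or any product.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: one endpoint alert and outbound flow records in a
# key=value form such as a SIEM export might produce.
ALERTS = [
    "ts=2016-02-05T09:12:00 alert=ransomware host=WS-RADIOLOGY-07 dept=radiology",
]

FLOWS = [
    "ts=2016-02-05T08:40:00 src=DB-PATIENTS-01 dst=10.0.5.20 bytes=180000",
    "ts=2016-02-05T09:15:00 src=DB-PATIENTS-01 dst=203.0.113.44 bytes=95000000",
    "ts=2016-02-05T09:20:00 src=WS-RADIOLOGY-07 dst=10.0.5.20 bytes=40000",
    "ts=2016-02-05T09:25:00 src=DB-PATIENTS-01 dst=203.0.113.44 bytes=120000000",
    "ts=2016-02-05T10:05:00 src=FILE-HR-02 dst=198.51.100.9 bytes=6500000",
    "ts=2016-02-05T14:30:00 src=DB-PATIENTS-01 dst=203.0.113.44 bytes=150000",
]

# Hosts outside the department handling the outbreak that hold data worth selling
# (assumed inventory of "crown jewel" systems).
CROWN_JEWELS = {"DB-PATIENTS-01", "FILE-HR-02"}

# Assumed internal ranges; anything else is treated as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_kv(line):
    """Turn 'k=v k=v ...' into a dict; ts becomes a datetime, bytes an int."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    if "bytes" in rec:
        rec["bytes"] = int(rec["bytes"])
    return rec


def is_external(ip):
    """True if the destination lies outside the organization's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_bytes_by_host(flows, start, end, hosts):
    """Sum bytes sent to external addresses per watched host within [start, end]."""
    totals = defaultdict(int)
    for rec in map(parse_kv, flows):
        if rec["src"] in hosts and start <= rec["ts"] <= end and is_external(rec["dst"]):
            totals[rec["src"]] += rec["bytes"]
    return dict(totals)


def find_quiet_exfil(alerts, flows, hosts=CROWN_JEWELS,
                     window=timedelta(hours=2), threshold=50_000_000):
    """For each noisy alert, report watched hosts that pushed more than
    `threshold` bytes to external addresses within `window` after the alert.
    Returns a sorted list of (alert_host, suspicious_host, bytes) tuples."""
    findings = []
    for alert in map(parse_kv, alerts):
        start, end = alert["ts"], alert["ts"] + window
        for host, total in external_bytes_by_host(flows, start, end, hosts).items():
            if total > threshold:
                findings.append((alert["host"], host, total))
    return sorted(findings)


if __name__ == "__main__":
    for alert_host, host, total in find_quiet_exfil(ALERTS, FLOWS):
        print(f"while responding to {alert_host}: {host} sent {total:,} bytes externally")
```

On the constructed data the radiology workstation is the only system raising alarms, yet the patient database pushes 215 MB to an external address inside the two-hour window after the alert, which is exactly the traffic an incident response team focused on the outbreak would miss. The HR file server stays under the threshold, and the database's transfers outside the window are ignored, so the rule only fires on volume that coincides with the distraction.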