
In the near future, the level of cybercrime will not decrease. In Q3, cybercriminals became even more inventive, using innovative technologies and new tools to spread their “creations”.
The PandaLabs anti-virus laboratory of Panda Security intercepted more than 18 million new malware samples in the past quarter (an average of over 200,000 per day): the alarming problem of cyber-threats has remained just as relevant in recent months.
This quarter, Trojans again lead among malicious programs and, together with ransomware, make up the overwhelming majority.
In Q3, the number of ransomware attacks increased, bringing criminals millions of dollars. PoS terminals in hotels, restaurants and other public places are becoming an increasingly attractive target for hackers.
The information we have collected over the past three months, tracking the behavior of malicious programs and the emergence of new threats, showed a series of massive DDoS attacks (Distributed Denial of Service), many of which were associated with botnets built not from PCs but from smart devices such as IP cameras.
We will look at recent attacks related to the Internet of Things (IoT), for example the hacking of Internet-connected cars from reputable brands like Jeep and Tesla. Recently, one Tesla model was the subject of an investigation that showed how it can be remotely controlled without physical access.
As for mobile phones, we will analyze the various situations associated with attacks on Android devices, and see how waves of ransomware attacks target iOS devices.

Ransomware
Ransomware is a business that promises high profits for cybercriminals. As this line of business develops and becomes more sophisticated, incomes grow as well. In July, the creators of the Petya and Mischa ransomware families began to concentrate on developing the malware and its payment platforms, leaving distribution to other people. This new model is known as Ransomware as a Service (RaaS).
With RaaS, developers create the ransomware, and distributors are responsible for infecting victims. As with distribution in a legitimate business, they can earn more by increasing their activity: the more victims are infected and the more money those victims pay, the higher the distributors' income. Their share usually starts at 25%, but a distributor can raise it to 85% if they can extract more than 125 bitcoins (approximately $75,000) per week from victims.
At PandaLabs we closely follow the evolution of ransomware and report on the latest developments in this area. We analyzed how hackers use and abuse PowerShell, a program that ships with Windows 10 by default, to deliver ransomware without needing to download files from the Internet or from a Word document with macros sent by e-mail. These attacks are a nightmare for vendors of security solutions that focus primarily on protecting the device perimeter, because in this case the ransomware file never appears on the computer.
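The fileless PowerShell technique described above leaves no file to scan, so defenders fall back on the one artifact it cannot hide: the powershell.exe command line (and, where script block logging is enabled, the decoded script). The following triage script is an added example written for this summary; it is not PandaLabs code, and the command lines it inspects are constructed samples, with a harmless Write-Output statement standing in for the encoded payload. It decodes an -EncodedCommand argument (base64 of UTF-16LE text, which is what powershell.exe expects), matches the abbreviated parameter forms PowerShell accepts, and scores each line against indicators that are individually weak but suspicious in combination.

```python
import base64
import binascii
import re

# Indicators commonly used to triage powershell.exe command lines. PowerShell
# accepts any unambiguous prefix of a parameter name, so the patterns also match
# abbreviated forms such as -e, -enc, -w, -nop, -ep and -exec.
INDICATORS = {
    "encoded_command": re.compile(r"-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{8,}", re.I),
    "hidden_window": re.compile(r"-w[a-z]*\s+hidden\b", re.I),
    "no_profile": re.compile(r"-nop[a-z]*\b", re.I),
    "execution_policy_bypass": re.compile(r"-e(?:x[a-z]*|p)\s+bypass\b", re.I),
    "noninteractive": re.compile(r"-noni[a-z]*\b", re.I),
}

# Tokens worth flagging in the (decoded) script text: in-memory execution and
# download primitives that a file-free loader has to rely on.
SCRIPT_TOKENS = ("invoke-expression", "iex", "downloadstring", "net.webclient",
                 "frombase64string")

ENCODED_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)
SUSPICIOUS_THRESHOLD = 3  # number of combined indicators that warrants an alert


def decode_encoded_command(cmdline):
    """Return the plaintext behind an -EncodedCommand argument, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16le", errors="replace")


def triage_powershell(cmdline):
    """Score one command line; returns (score, sorted list of reasons)."""
    reasons = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        text = cmdline + " " + decoded  # scan the decoded script as well
    lowered = text.lower()
    for token in SCRIPT_TOKENS:
        if re.search(r"\b" + re.escape(token) + r"\b", lowered):
            reasons.append("token:" + token)
    return len(reasons), sorted(reasons)


def is_suspicious(cmdline):
    """Alert only when several indicators coincide; -NoProfile alone is normal."""
    return triage_powershell(cmdline)[0] >= SUSPICIOUS_THRESHOLD


# Constructed samples (not real telemetry). The encoded payload is harmless.
PLAINTEXT = "Write-Output 'constructed sample'"
ENCODED_ARG = base64.b64encode(PLAINTEXT.encode("utf-16le")).decode("ascii")
SAMPLE_CMDLINES = {
    "scheduled_backup": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    "plain_iex": r'powershell.exe -Command "Invoke-Expression (Get-Content .\constructed.ps1)"',
    "encoded_hidden": "powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand " + ENCODED_ARG,
}

if __name__ == "__main__":
    for name, line in SAMPLE_CMDLINES.items():
        score, why = triage_powershell(line)
        print(name, score, why, "ALERT" if is_suspicious(line) else "ok")
```

The scheduled backup scores 1 (only -NoProfile) and stays below the alert threshold, while the hidden, policy-bypassing, encoded invocation scores 4. In production the same logic would run over Sysmon process-creation events or Windows PowerShell script block logs rather than a hand-built dictionary.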
We have seen very vivid examples of the Locky family being deployed in an “offline” mode, which allows the malware to encrypt files even when security solutions prevent it from contacting the server that supplies the encryption key.
In addition to the traditional infection techniques of exploits and spam, there are other very effective techniques aimed specifically at enterprises. We saw one of them in September, when a group of hackers successfully installed the Crysis ransomware on a server of a French company.

Investigation of the incident established that the server's Remote Desktop Protocol service was exposed to the Internet. The hackers spent four months trying to get into the server by brute-forcing possible passwords. After more than 100,000 attempts, they managed to guess valid credentials.
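An intrusion like the one above is visible for months before it succeeds, provided someone is counting failed RDP logons per source address. The detector below is an added example for this summary, not code from PandaLabs or from the incident; it runs over constructed records loosely modelled on Windows Security events 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP). It raises two signals: a per-IP failure count crossing a threshold inside a sliding window, and a success from an address that had recently been failing, which is the moment a guessing campaign pays off.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real log lines). 203.0.113.7 guesses five
# times and then succeeds; 198.51.100.20 is a user who mistyped once.
SAMPLE_LOG = """\
2016-09-01T02:00:01Z EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.7
2016-09-01T02:00:03Z EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7
2016-09-01T02:00:05Z EventID=4625 LogonType=10 User=Administrator SrcIP=203.0.113.7
2016-09-01T02:00:06Z EventID=4625 LogonType=3 User=backup SrcIP=192.0.2.44
2016-09-01T02:00:07Z EventID=4625 LogonType=10 User=root SrcIP=203.0.113.7
2016-09-01T02:00:09Z EventID=4625 LogonType=10 User=administrateur SrcIP=203.0.113.7
2016-09-01T02:00:11Z EventID=4624 LogonType=10 User=administrateur SrcIP=203.0.113.7
2016-09-01T02:30:00Z EventID=4625 LogonType=10 User=jdupont SrcIP=198.51.100.20
2016-09-01T02:31:00Z EventID=4624 LogonType=10 User=jdupont SrcIP=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one constructed record into a dict, or return None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_rdp_bruteforce(log_text, threshold=5, min_failures_before_success=3,
                          window=timedelta(hours=1)):
    """Return findings for RDP (LogonType 10) activity.

    'brute_force' fires once per IP when `threshold` failures fall inside
    `window`; 'success_after_failures' fires when a successful logon follows
    at least `min_failures_before_success` recent failures from the same IP.
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps of recent 4625s
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["lt"] != "10":
            continue  # skip unparsable lines and non-RDP logons
        ip, ts = rec["ip"], rec["ts"]
        q = recent_failures[ip]
        while q and ts - q[0] > window:
            q.popleft()  # slide the window forward
        if rec["eid"] == "4625":
            q.append(ts)
            if len(q) == threshold:
                findings.append({"signal": "brute_force", "ip": ip, "at": ts,
                                 "failures": len(q)})
        elif rec["eid"] == "4624":
            if len(q) >= min_failures_before_success:
                findings.append({"signal": "success_after_failures", "ip": ip,
                                 "at": ts, "user": rec["user"], "failures": len(q)})
            q.clear()  # a successful logon ends the guessing sequence
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(SAMPLE_LOG):
        print(finding)
```

The window matters more than the threshold. Around 100,000 attempts spread over four months, as in the incident above, averages only a few dozen per hour, so a burst rule with a one-minute window would never fire; a one-hour window with a threshold of five would. The success-after-failures signal is the one worth paging on, and the real fix is not exposing RDP to the Internet at all.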
Cybercrime
It is very difficult to assess the level of cybercrime. Information security specialists, who struggle with these threats daily, understand its scale and know that this sphere continues to grow and develop.
But is it really that dangerous? Some might think that big security companies like Panda have an interest in showing growth in cybercrime, because these problems bring us additional profit. However, the data speak for themselves: more and more independent organizations are providing statistics that help us assess the current situation.
The UK National Crime Agency has published a report showing that cybercrime currently accounts for over 50% of all crimes in the country.
One of the largest Bitcoin robberies in history happened on August 2. Bitcoins worth 60 million dollars were stolen from Bitfinex, a company that sells and exchanges cryptocurrency. The money belonged to customers who kept it on deposit in this “bank”. There is still no evidence of who committed the attack, and Bitfinex has not explained how it could have happened. Law enforcement agencies are currently investigating.
In September, the well-known information security journalist Brian Krebs exposed vDOS, a “business” offering DDoS attack services. Shortly afterwards the people behind vDOS were arrested (they had managed to launch 150,000 attacks and earn $618,000 in two years). Immediately after their arrest, Krebs's website was hit by a massive DDoS attack that knocked it offline for a week. In the end, Google stepped in and protected the site through Project Shield, after which it came back online. Krebs discussed the possible consequences of such attacks in his article “The Democratization of Censorship”.

Blizzard's Battle.net servers were attacked by a group called PoodleCorp, which hacked three games (World of Warcraft, Overwatch, Diablo 3). There were many similar attacks throughout the quarter. We will say more about them in the “Internet of Things” section, since most of them were launched using botnets built from smart devices such as IP cameras, routers, etc.
Over the past three months there have been many cases of data theft affecting millions of people around the world. In July, the Ubuntu forums, where users discuss all aspects of this open-source GNU/Linux-based operating system, were hacked, and e-mail addresses, logins and IP addresses belonging to 2 million people were stolen. Black hats also turned to the forums of the popular mobile game Clash of Kings, having noticed that they could be hacked the same way. In this case, hackers stole the personal data of 1.6 million users.
Valve's Dota 2 users also fell victim this quarter: their forum was hacked and the personal information of 1.9 million users (credentials, e-mail addresses, etc.) was stolen. The same hackers stole 9 million game codes after hacking the DLH.net website.
Hackers “got rich” once they started going after gaming sites. To the list add: data theft from 200,000 GTAGaming.com users, and an attack on www.minecraftworldmap.com, after which hackers published information on 71,000 users.
Another notorious attack hit the pornography site Brazzers and resulted in the theft of the data of 800,000 users. Yet another major attack hit the instant messaging service QIP.ru, where the data of 33 million users were stolen.
Even Dropbox could not avoid problems. The well-known file-sharing service recently discovered that it had been attacked back in 2012. The result: the loss of data belonging to 68 million users. But there is one theft that is impossible to forget: the Yahoo case. Although it happened in 2014, it only became known now. A total of 500 million accounts were compromised, making it the biggest theft in history.
POS terminals are another area of interest for cybercriminals these days. PandaLabs discovered an attack that affected 200 US establishments, most of them restaurants, in which bank card data was stolen using the PunkeyPOS malware.
Wendy's, a popular fast-food chain, fell victim to a similar attack: with another version of PunkeyPOS, payment terminals were infected in more than 1,000 of its outlets.
Our laboratory discovered another similar attack, again with US restaurants as the victims, but in this case 3,00 POS terminals were infected with the PosCardStealer malware.
Another critical area is hotels. A number of HEI Hotels properties were attacked this quarter; the fraudsters used malware to steal bank card data from their PoS terminals. The affected hotels included Sheraton, Westin, Hyatt and Marriott properties.
But cybercriminals have their eye on something more ambitious than payment terminals. In July, ATMs of First Bank (Taiwan) were robbed in a well-organized operation. Hackers stood next to each ATM and withdrew a total of over $2 million. We know that they installed malware on the ATMs (after breaking into the bank's internal network, of course) and then dispensed cash by remote command without physical contact with the machines, as confirmed by surveillance camera recordings.
A successful attack on a financial institution can generate millions of dollars. In August, SWIFT issued a statement about a series of attacks similar to the Bangladesh bank case. They did not disclose the number of banks attacked or the amounts stolen, but they did note that these banks had not taken sufficient security measures.
Reward programs for those who find vulnerabilities. Technology giant Apple is one of the largest companies in the world to offer a rewards program: it offers up to $200,000 to those who find vulnerabilities in Apple products. Surprisingly, Apple went a long time without such a program, while other technology giants had already been paying rewards for finding vulnerabilities.
Interestingly, different types of organizations run such reward programs. As a rule they pay in money, but some pay in kind, for example United Airlines. In August, the company awarded one million miles to a security specialist who found 20 security holes in its software. “White hat” hackers at Offensi.com were also awarded 1,000,000 miles, which they generously donated to three charitable foundations.
In July, five members of a money-laundering gang were arrested in London. All of them were Russian, and the leaders of the gang were 30-year-old Aslan Abazov (sentenced to 7.5 years in prison) and 29-year-old Aslan Gergov (7 years and 3 months).
Edward Majerczyk pleaded guilty to stealing celebrity photos and ultimately received 9 months in prison (the prosecution had initially asked for 5 years). Majerczyk admitted that he gained access to his victims' iCloud accounts through a phishing attack that allowed him to obtain their credentials.
For some people, hacking such famous individuals counts as a high achievement. For example, 44-year-old Romanian Marcel Lehel Lazar was sentenced to 52 months in prison for hacking a number of influential people. Among his roughly 100 victims were Hillary Clinton, George Bush (father and son), Colin Powell, Nicole Kidman and Robert Redford.
Mobile threats
Devices running Android are still “in the firing line”. People continue to buy smartphones, and cybercriminals continue to attack them. Because Android has the largest market share and allows users to install software from outside the official store, it is an easy target for attackers, although, fortunately, Google keeps improving its security. Various security measures (inherited from the latest version of the Linux kernel) will be enabled in Nougat (Android version 7).
However, in most cases these protective measures are not enough. Security vendor Check Point found four security issues that could potentially compromise 900 Android models equipped with Qualcomm Snapdragon processors.
Gugi, a Trojan for Android, is able to bypass the security barriers of Android 6: it can steal banking data and information from other applications installed on the device. How does it do this? When the user opens a legitimate application, Gugi overlays its own screen on top of it and asks for information, which is then sent straight to the hackers without the victim's knowledge.
Recently there has been a growing number of ransomware attacks on iPhones and iPads. But unlike the attacks on Windows, cybercriminals do not use malicious programs to attack these devices. Instead, they rely on trickery. To carry out the attack, they use the victim's Apple ID and password (obtained through phishing, or because the user reuses the same credentials on other online services), then activate Lost Mode from the “Find my iPhone” application and add a message telling the victim to pay a ransom in bitcoins instead of providing a passcode to unlock the device.
In August, Apple urgently released version iOS 9.3.5 of its mobile operating system. This version fixes three zero-day vulnerabilities that were exploited by the Pegasus spyware. Pegasus was developed by the Israeli company NSO Group, which offers hacking products similar to those offered by Hacking Team.
Internet of Things
During the DefCon conference held in August in Las Vegas (USA), researcher Andrew Tierney showed how to hack a thermostat, which he himself had modified. After he took control of it (by inserting an SD card), the temperature rose to 99 degrees Fahrenheit (about 37 degrees Celsius), and this could only be undone with a PIN code. The thermostat, connected to an IRC channel, demanded bitcoin in exchange for the PIN code. Although this was just a proof of concept, and the device still required physical access, it makes clear that the attacks we will face in the near future will target the huge number of home appliances connected to the Network.
There is no need to wait, because millions of Internet of Things devices have already been compromised. The LizardStresser botnet, created by the Lizard Squad group, launched a destructive DDoS attack against both PlayStation and Xbox at the same time, and it consisted mostly of such devices.
According to Arbor Networks, most of these devices are IP cameras, and they can be hacked simply by trying username/password combinations. Since many users do not change the credentials set by the manufacturer by default, getting into them is quite easy. Attacks of up to 400 Gbit/s have already been launched. Another favorite device for such attacks is the router, and routers have been used this way for quite a long time.
In late September, the French hosting company OVH faced a massive DDoS attack reaching 799 Gbit/s, and by the end of the attack traffic exceeded 1 Tbit/s. According to the data provided by OVH, the attack was launched from 152,000 devices, most of them in the Internet of Things category (IP cameras, DVRs, etc.).
As for the automotive industry, researchers from the University of Birmingham demonstrated how they were able to break the door-locking systems on any car sold by the Volkswagen Group over the past 20 years. Through reverse engineering, they recovered a cryptographic key shared by all VW vehicles. Oddly enough, after obtaining that key they still had to stand within 300 meters of the target car, waiting for a certain radio command, in order to intercept a second key unique to each car. With this information, they could easily clone a remote control that opens and closes the car's doors.
Researchers Charlie Miller and Chris Valasek, who last year showed how to remotely hack a Jeep Cherokee, went even further this year, showing how to intercept signals and disable the parking brake, disable the steering, or turn the steering wheel at any speed on command. Unlike the previous situation, to gain control of the vehicle they had to connect a computer to it directly. It is important that we pay special attention to these life-threatening hacks: your life may be in danger if hackers can manipulate the vehicle you are driving.
In September, Chinese researchers from Keen Security Lab showed how to remotely hack a Tesla, whether parked or in motion. Their video shows how the car can be controlled remotely without physical contact: doors can be opened and closed, the trunk can be opened while the car is moving, and they even managed to control the brakes remotely. The researchers sent their findings to the manufacturer in advance so that the problems could be fixed in the latest firmware version.

Cyber war
In the middle of the election campaign in the United States, an attack took place against the Democratic National Committee (DNC). All kinds of sensitive data were stolen during the attack and published. It is very difficult, and sometimes impossible, to determine who is behind an attack, but in this case Russian hackers, backed by the Russian government and seeking to harm the Democratic Party's chances in the US presidential election, were immediately blamed. Apparently two different hacker groups (both from Russia) were behind the attack, and one of them published 20,000 e-mails on WikiLeaks.

Continuing the election theme, the FBI warned that two election campaign sites had been hacked, and at least one foreign hacker was able to obtain voter registration information.
Governments understand the importance of cybersecurity. US President Barack Obama acknowledged that a lot of work still lies ahead, especially recalling that the White House network has already been hacked in the past. In September, he appointed the first Chief Information Security Officer in US history.
In August, a group called The Shadow Brokers announced that they had hacked the National Security Agency (NSA). They described some of the stolen cyber-weapons and promised to sell them at a high price. It is still unknown who was behind this attack, but the assumption was that, as usual, Russia was most likely to blame. In any case, it seems the attackers used the same tools to launch their attack on the NSA.

In many cases we discuss attacks that may be sponsored by the governments of various countries, but as with cybercriminals, it is almost impossible to identify the perpetrators. We were surprised to learn that Google notifies its users when it detects this type of attack, as Diane Greene stated; at the moment they send about 4,000 such notifications every month.
South Korean prosecutors believe that North Koreans were responsible for breaking into dozens of e-mail accounts belonging to government officials.
Critical infrastructure again made headlines after it became known that Iran had removed malware from two petrochemical plants. It is well known that there had been fires at these two plants earlier, so an investigation is now under way to establish whether the malware found had anything to do with them.

Conclusion
The end of 2016 is just around the corner, and we must keep watching the evolution of DDoS attacks. The combination of millions of hacked IoT devices and ever-faster home Internet connections can turn one of these attacks into one of the biggest nightmares of the Internet, harming every Internet user and especially the companies targeted by these professional extortionists.
The number of data theft cases is growing and has exceeded the previous quarter's level. In Q3, the data of 500 million Yahoo users were stolen. So nowadays it is very important to take appropriate protective measures: never forget about two-step verification when you register with online services, because it will prevent your account from being hijacked even if your credentials have been stolen.