Home / Robin's Newsletter

Robins Newsletter #102

 Vol. 3  Iss. 22  31/05/2020, last updated 07/06/2020   Robin Oldham  ~7 Minutes

This week

Cybercrime is (often) boring

New research from the University of Cambridge’s Cybercrime Centre this week that takes a look at the workings behind the cybercrime economy. Far from the ‘romanticised’ notions of rockstar hackers and zero-day exploits, they argue that with the rise of cybercrime-as-a-service business models, cybercrime is a volume business “with boring, tedious maintenance and infrastructure jobs outsourced to lowly paid contractors.”

That would fit with some of the statical evidence, for example, last week’s DBIR report (vol. 3, iss. 21) showing the not only are 86% of cybersecurity breaches financially motivated but that 4/5 are simply trying to replay common or stolen credentials.

And the prices for stolen data continue to drop: Trend Micro reporting being picked up by The Register showing botnets dropping in price from $200 to $5 per day, credit cards from $20 a pop to $1 each over the last five years.

As opposed to understandings of crime as being born of boredom, (which put a focus on individual, low-level crime), we find that as cybercrime has developed into industrialised illicit economies, so too have a range of tedious supportive forms of labour proliferated, much as in mainstream industrialised economies.

The Cambridge University authors propose policy changes that promote interventions resulting in the transfer of low-level cyber-criminals into legitimate employment, “you could be paid really good money for doing the same things in a proper job.”

Early interventions have been successful before and, coincidentally, the UK’s National Crime Agency started a campaign aimed at those seeking ‘stresser’ DDOS tools to boot players from online gaming competitions.

The NCA has taken out adverts on search engines highlighting the criminal nature and linking to articles that promote alternative career pathways, for example participating in the UK’s Cybersecurity Challenge. A previous campaign in 2017 and 2018 cost the NCA less than £10,000 and demonstrably flattened demand for DDOS services for six months.

The trial of Fedir Hladyr of FIN7 brought to light that the group uses and has administrators running standard software engineering tools like HipChat and JIRA (vol. 2, iss. 37). The Marcus Hutchins cover story in WIRED (vol. 3, iss. 20) shows the ‘escalation’ that may occur when faced with boredom. It also highlighted how he felt disconnected from the consequences of his actions: he wasn’t stealing login details, just building the tools that other’s used.

Revealing the realities of cybercrime and showing the connection between action and consequence may be an effective way to promote these early interventions. For others, as the paper notes, “finding all these bored people appropriate jobs in the legitimate economy may be as much about providing basic training as about parachuting superstars into key positions.

cam.ac.uk (PDF), theregister.co.uk, krebsonsecurity.com

Interesting stats

52% of employees believe they can get away with ‘riskier behaviour’ when working from home, according to Tessian zdnet.com

630% increase in remote attacks against cloud services between January and April this year, according to McAfee zdnet.com

Other newsy bits

Ruling rejects notion that Capital One’s incident response report is legally privileged

A significant ruling from a federal judge in the class-action suit being brought against Capital One, where personal information of 100 million U.S. and 6 million Canadian citizens was allegedly stolen by Paige Thompson (vol. 2, iss. 31).

”Capital One has not presented sufficient evidence to show that the incident response service performed by Mandiant would not have been done in substantially similar form even if there was no prospect of litigation” — Judge John F. Anderson, U.S. District Court for the Eastern District of Virginia.

Incident response firms, like Mandient, often conduct work in partnership with law firms and establish three-way contracts so that their work product is considered legally privileged documents. The reports often contain information on what exactly happened and where the company may have failed to adequately secure personal information. The legal privilege cover (see Fireeye link) is intended to make them exempt from legal discovery or having to hand them over in the event of a lawsuit, such as that being faced by Capital One.

This ruling shows that isn’t sufficient by itself if the response work would have been carried out in substantially the same form anyway, regardless of litigation, and also notes that the retainer with Mandient was considered a business, not a legal, expense. bankinfosecurity.com, fireeye.com (typical legal arrangement)

Octopus Scanner targets software developers to slip itself alongside legitimate code

This is a new type of vector for malware to spread through long and complex software supply chains. Twenty-six projects on GitHub were found to have been infected with a new malware dubbed Octopus Scanner. When run, the malware installed a remote access trojan used to control victims computers, so-far-so-normal, the novel bit is how the malware spreads. It spreads by looking for Netbeans development environment, if it finds one then it copies itself into the code and build files of those other projects. That means every time that these legitimate software projects are compiled, the malware is slipped in alongside for users of that project to get infected too. The developer likely won’t realise that the new code now also contains malware. And so the process repeats. Developers may contribute to many different projects, especially within the open-source community. github.com, darkreading.com

EasyJet subject of £18Bn GLO ‘class action’ over data breach

A ‘group litigation order’ (akin to a U.S. class-action lawsuit) has been filed by law firm PGMBM against EasyJet in an attempt to claim £2,000 compensation for each of the 9 million customers affected by its data breach earlier this year (vol. 3, iss. 21). Part of the claim stems from the four-month delay between notifying the Information Commissioner’s Office and their customers. The no-win-no-fee outfit will claim up to 30% as their fee, or £5.4 billion, should they succeed in getting the full amount per customer. PGMBM is also behind a similar case aimed at British Airways. zdnet.com, theregister.co.uk

In brief

Attacks, incidents & breaches

  • 621 customers of NTT Communications cloud services may have had data compromised after the outsourcer revealed an ‘insecure migration’ hallowed attackers to compromise an Active Directory server theregister.co.uk
  • Minted disclose data breach after database of 5 million users goes up for sale for $2,500 bleepingcomputer.com
  • Kentucky the ‘sixth state’ to disclose leak of Coronavirus unemployment claims scmagazine.com
  • Undisclosed number of Amtrak Guest Rewards accounts compromised bleepingcomputer.com

Threat intel

  • Russian Sandworm group exploiting bug in Exim mail servers, says NSA theregister.co.uk, wired.com
  • Sticking with Russia, Turla group has updated ComRAT malware to steal AV logs to look for detection and run C2 via Gmail zdnet.com
  • FedEx, UPS and DHL emails spoofed to distribute Dried malware cyberscoop.com
  • New ‘nworm’ TrickBot module encrypts downloads, runs in memory bleepingcomputer.com
  • Microsoft IIS servers being attacked by ‘Blue Mockingbird’ group to mine Monero cryptocurrency bleepingcomputer.com

Security engineering

  • OpenSSH to retire SHA-1 as chosen-prefix collisions now cost less than USD$50K theregister.co.uk

Internet of Things

  • “Synchronized and organised attack” on Israeli water facilities ‘thwarted’ last month cyberscoop.com
  • ‘Unconventional’ attack using steganography targeting industrial companies arstechnica.com

Privacy

  • @EinsteinsAttic tweets on UK Test and Trace personal data being kept for 20 years twitter.com
  • eBay is port scanning users to identify those with remote access services running (that may be an indication the computer being used for fraudulent purposes) theregister.co.uk, but they are far from the only ones using services like Threat Metrix to risk profile customers bleepingcomputer.com

Law enforcement

  • Denys Iarmak arrested in connection to FIN7 cybercrime group vice.com

Mergers, acquisitions and investments

  • Funding of cyber companies surged to USD $1.5 billion in Q1 2020, 80% being seed or early stage raises scmagazine.com

And finally

Security training provider SANS deleted their tweet that claimed cybercrime cost $2.9Bn per minute, or more than ten-times the entire world’s GDP, so instead…

Some interesting password research against FTSE100 companies

Passlo has done some research into the passwords available for email addresses matching the domains of the UK’S FTSE100 companies. It’s some interesting reading and sleuthing. I’ll leave you to work out the employer for the 19th most popular password Unilever123, and instead jump to 3sYqo15hiL. Apparently a commonly used password for a spam network being run from @sc.com addresses. Turns out before banking giant Standard Chartered owned the domain, it was owned by a company that did allow email signups. Lastly, there are some interesting examples of couples that share passwords, including the cute HubbyWifey4ever!. passlo.com