By Fadli Sidek and Jamie Rubbi-Clarke
Cybercriminals will continue to innovate through ransomware
The malware business is a business like any other: cyber threat groups compete and innovate, with the most successful growing and spreading rapidly. Given the success of ransomware in 2016, we will see a continuation of ransomware attacks – with new innovations emerging and propagating, according to whichever attracts most payment.
2016 saw real innovation in the ransomware market, with a particularly interesting recent variant called ‘Popcorn Time’ that allows the victim’s files to be decrypted for free if they can infect two other people.
Commoditized versions of ransomware will, however, be a less pervasive threat for large corporations, as they gradually improve the management of this threat and their ability to mitigate it. Rather, criminals will target high-value assets using more sophisticated and innovative ransomware variants, and will develop additional functionality to seek out more lucrative individual targets within organisations, to enhance the chance of victims paying ransoms. Criminals will extort victims not only by threatening to deny access to data, but also by threatening to publish sensitive data.
Website defacements will be old school – website ransoms will be the new tactic
One specific kind of attack we expect to grow is website ransomware, where the contents of websites are targeted. This trend started emerging in Asia last year:
- In November, several websites were found to be compromised and their web contents encrypted by a ransomware variant called JapanLocker. Control Risks’ research into this variant reveals that it was developed by a hacker known as Shor7cut, a member of the Indonesian Defacer Tersakiti group. This group is well known in the Indonesian hacking community and has more than 22,000 members.
- In October, several Pakistani government websites were compromised and their contents encrypted by the CTB-Locker ransomware. The hackers, believed to be from the Indian group known as Hell Shield Hackers, used this method to retaliate after Pakistani hackers breached nearly 7,000 Indian websites.
- In March, a ransomware variant known as KimcilWare was spotted targeting websites running the Magento eCommerce platform. This variant is thought to have been developed in Indonesia.
- Also in March, Kaspersky Lab detected more than 70 servers, located in ten countries, compromised by the CTB-Locker ransomware. Most of the victims were from the US; this shows how threat actors in Asia Pacific are taking successful tools from other regions, adapting them, and applying them in their own region.
Such attack techniques will continue to emerge and evolve in 2017. We foresee further ransomware variants of this kind being developed by threat actors in Asia Pacific, and used for cyber activist and cybercriminal activities in the region.
DDoS attacks will present a threat to Singapore’s Smart Nation
In October, StarHub, a Singapore telecoms company and internet service provider, was hit by a distributed denial of service (DDoS) attack. According to StarHub, the cause of the attack was a botnet of vulnerable internet-connected devices. These devices came with default credentials that were not changed upon installation on the customers’ premises, allowing remote attackers to gain access to and control of the devices.
Two months after the StarHub incident, thousands of customers of Singtel’s internet broadband services were unable to access the internet for 24 hours. While Singtel ruled out a DDoS attack, the incident raised questions among the security community about the length of the outage, and about the potential impact on such services as Singapore develops its ‘Smart Nation’ initiative. A key challenge in 2017 will be to ensure that internet of things (IoT) devices can operate in the event of further such incidents, and are not themselves hijacked to form further botnets.
Closed groups on social media will be the main platform for organizing cyber campaigns
Control Risks monitors cyber activists and criminals from the US, Europe and Russia who use forums on the deep web and dark web, as well as internet relay chat (IRC) channels, to organize cyber campaigns. In Asia Pacific, things are different: threat actors increasingly favor social media platforms – particularly Facebook – rather than the dark web to organize, recruit and gain members to participate in their campaigns.
During Operation Myanmar (#OpMyanmar) in November, Indonesian hackers distributed a poster on Facebook encouraging other hacker groups to participate in attacks against Myanmar-based websites. Bangladeshi hackers meanwhile created a Facebook group that attracted more than 12,000 members to participate in DDoS attacks against selected Myanmar-based websites. The campaign was organised in protest against the alleged mistreatment of the Rohingyas, a Muslim minority in Myanmar’s Rakhine state.
In December, after Thailand’s National Legislative Assembly approved an amendment to the country’s Computer Crime Act that will allow the government to read private messages and block websites without the need for a court order, several Facebook pages were created and the Operation Single Gateway (#OpSingleGateway) campaign was organised. The campaign has seen multiple Thai government websites come under DDoS attack, and the databases of several Thai government agencies leaked to the public and posted in these pages.
Besides organizing cyber campaigns, hacker groups are increasingly using Facebook to recruit members. Groups from Malaysia, the Philippines and Bangladesh post requirements on their pages for sympathizers who wish to demonstrate their hacking abilities and take part in such groups. 2017 will see many cyber campaigns organised through this platform, as well as new hacker groups created using social media tools.
Start-ups and e-commerce sites involving financial transactions will be highly targeted
Our research in the cybercriminal underground reveals that actors from Asia Pacific are highly active in carding activities (the trafficking of credit card and bank account details). The tactics, techniques and procedures (TTPs) involved in carding are being shared both in closed groups on Facebook and in deep web forums. Hackers from Bangladesh, Pakistan, India, the Philippines and Indonesia are observed to be the most active in this regard.
Typically with carding, attackers find sites that are vulnerable to Structured Query Language injection (SQLi). These websites are collected using ‘Google dorking’ (using advanced search techniques to uncover information that website administrators do not necessarily want to share) and are then compromised using the resulting vulnerabilities. This then allows the attackers to gain access to databases of customers, and to extract credit card information. These details can then be used to open Amazon or PayPal accounts, and to make purchases or transfer funds accordingly. Details of purchases made through carding are then posted in these closed Facebook groups, attracting members interested in purchasing the carded items.
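The SQLi weakness described above is, in the great majority of carding cases, nothing more exotic than user input concatenated into a query string. The following is an added example, not code from the article or from Control Risks, showing the vulnerable lookup beside its parameterised replacement against a constructed in-memory SQLite table (the schema, the sample rows and the `customers` table name are assumptions). It also illustrates the one data-handling choice that limits the damage when a query is abused: the table stores only the last four card digits, never the full card number.

```python
import sqlite3

# Constructed sample data (not from the article). Only the last four card
# digits are stored; an attacker who dumps this table still gets no usable PAN.
SAMPLE_ROWS = [
    (1, "alice@example.com", "4242"),
    (2, "bob@example.com", "1881"),
    (3, "carol@example.com", "0005"),
]


def make_db():
    """Build an in-memory customer table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable form: the caller's string is spliced into the SQL text, so
    quote characters in the input change the query's meaning."""
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    """Hardened form: the value is bound as a parameter. The driver passes it
    to the engine as data, so it can never be interpreted as SQL."""
    return conn.execute(
        "SELECT id, email FROM customers WHERE email = ?", (email,)
    ).fetchall()


def compare(probe="x' OR '1'='1"):
    """Run the same inputs through both forms and report row counts.

    The tautology probe is the textbook regression check a reviewer runs to
    confirm a query is parameterised: the vulnerable form returns every row,
    the hardened form returns none because no customer has that literal email.
    """
    conn = make_db()
    return {
        "probe_vulnerable": len(lookup_vulnerable(conn, probe)),
        "probe_hardened": len(lookup_hardened(conn, probe)),
        "normal_vulnerable": len(lookup_vulnerable(conn, "bob@example.com")),
        "normal_hardened": len(lookup_hardened(conn, "bob@example.com")),
    }


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name}: {count} row(s)")
```

For a legitimate email both forms return one row; the difference only appears on malformed input, which is why this check belongs in a code-review or CI test rather than being left to production traffic to reveal. The same bind-parameter pattern applies to every mainstream driver (`?`, `%s` or `:name` placeholders depending on the database), and it is the control that stops the database dump at the heart of the carding chain above.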
Given the success that has resulted from carding activities so far, we see no reason for such attacks to slow down in 2017.
Organizations will seek a strategic focus on threat actors and their capabilities
The definition of cyber threat intelligence in Asia Pacific has tended to be tactical and technical, focusing on hashes, signatures and indicators of compromise (IoCs). However, consumer demand is now leading a shift towards threat intelligence that will increasingly focus on better understanding threat actors and their TTPs, and on providing a more comprehensive and strategic perspective on cyber threats.
A number of organizations in the critical infrastructure industries now have in-house threat intelligence teams focusing on the technical, operational and strategic aspects of threat intelligence, and working together with threat intelligence providers. At the national level, the Cyber Security Agency of Singapore (CSA), set up in April 2015, also analyses threat intelligence at the strategic level as part of its efforts to oversee cyber security across the country.
2017 will see many critical organisations working more closely with providers of strategic-level intelligence, in addition to technical intelligence.
Advanced persistent threats will become advanced phishing threats
2016 saw a long list of major data breaches; most of this data was either leaked or sold in underground forums. Credentials of various well-known companies with many Asia Pacific users – such as Yahoo, LinkedIn, Dropbox, DailyMotion and AdultFriendFinder – will be used by cybercriminals to conduct phishing attacks. Scam emails from a Nigerian prince wanting to send money are old-fashioned; instead, these leaked credentials will be used to understand the potential victim in detail and to make subsequent phishing emails more realistic.
By visiting these compromised accounts, such as LinkedIn profile pages, and cross-referencing them to other social media profiles, cybercriminals will have the ability to choose their targets and craft emails that could entice potential victims into clicking. These well-crafted emails will then be loaded with malicious attachments to gain access to the target’s systems – either by installing a Trojan to monitor and steal information such as banking details and personal information, or by using ransomware to force victims to pay.
Companies will continue to seek clarity on the implications of China’s new cyber security laws
The Chinese Cyber Security Law (CSL) was approved in September 2016, and will come into effect in June 2017. Although the majority of the legislation is targeted at ‘Critical Information Infrastructure Operators’ and providers of ‘Critical Network Equipment Products’, it will also apply to ‘Network Operators’. This is a broad term, but it is likely that most, if not all, foreign companies operating in China will fall into this ambit.
The cyber security law will increase Beijing’s control over information flows and complement existing efforts to build a ‘secure and controllable’ domestic infrastructure. The law follows the introduction of the national security law in July 2015 and the anti-terrorism law in January. As with those laws, it remains to be seen whether the cybersecurity law is written clearly enough for companies to comply with and for regulators to enforce, allowing it to be evenly applied across the country.
Foreign firms in China are likely to face increased operational challenges with regard to sharing information with their counterparts overseas. The new law is set to implement stricter controls over cross-border data flows in an effort to minimize leaks of sensitive information involving mainland Chinese citizens. This means that foreign companies will have to keep China-generated data locally, and any information transfers will have to undergo a local security audit to gain government approval.
Foreign technology companies will likely face more rigorous government inspections before their products can be used or sold in China. Beijing will likely encourage foreign technology providers to manufacture, conduct research and partner with local companies as part of broader efforts to improve China’s technological capabilities. While the localisation of activities can likely help foreign firms avoid intrusive security reviews, product infringements remain rampant and foreign companies face significant intellectual property threats.
Fadli Sidek is an Analyst on the Cyber Threat Intelligence team and Jamie Rubbi-Clarke is an Associate Director for Cyber Consulting at Control Risks, the world’s leading international risk consultancy.