Group-IB presented latest cybercrime and nation-state hacking trends in Asia
17.11.2018 securityaffairs CyberCrime
According to Group-IB’s report findings, Asia is one of the most actively attacked regions in the world, the company presented latest cybercrime trends.
Hong Kong, 16.11.2018 – Group-IB, an international company that specializes in preventing cyber attacks, presented the findings of its latest Hi-Tech Crime Trends 2018 report at the FinTech Security Conference in Hong Kong organized by Binary Solutions Limited in partnership with Group-IB.
According to Group-IB’s report findings, Asia is one of the most actively attacked regions in the world. Over the past year, 21 state-sponsored groups were detected in the area, which is more than in Europe and the US combined. Hong Kong, Singapore, Seoul, and Shanghai, and many other financial powerhouses in Asia are likely to become primary targets of financially motivated hacker groups in the near future.
“Cyber trends and threats that we identified in the world are likely to occur in Asia. Asia’s rapid economic growth has ramped up the interest of financially motivated hackers and state-sponsored hacker groups. Local banks have already been attacked by advanced hacker groups several times; we expect this trend to increase,” – comments Dmitry Volkov, Group-IB CTO.
The threats that are notable for the Asian region are represented by a significant number of attacks aimed at manufacturing of chips, microprocessors and system control boards of different IT vendors, whose principal manufacturing operations are located in Asia. The attackers’ research vector is now shifting from software vulnerabilities to those located at the hardware and firmware level. To exploit certain hardware vulnerabilities, hackers can simply run a JavaScript code, as in the case of Glitch vulnerability. It is very difficult, if not impossible to eliminate these vulnerabilities with software updates and as such they create new opportunities for cybercriminals. It is likely that in the space of a few years they will seriously affect the cyber security market.”
Since the beginning of 2018, Group-IB experts detected that cybercriminals were seeking to get access to the user databases of Hong Kong state Internet portals responsible for taxes, trade, procurement, logistics, innovations and hi-tech infrastructure.
Espionage as one of the main APT groups’ goals
The threat landscape for critical infrastructures is growing more complex, provoked by the activity of state-sponsored threat actors, who are seeking to establish a sustained presence within critical infrastructure networks for long-term espionage or sabotage. These groups target companies in energy, financial, aviation, water sectors etc. Banks are considered to be an integral part of critical infrastructure. Which is why the availability of tools and experience in disrupting bank systems are now priorities for attackers. Such tools are actively used by two groups in particular: BlackEnergy and Lazarus.
To infiltrate critical infrastructure networks hackers will continue to use phishing as one of their main tools, but the focus of attacks might shift to vulnerable network equipment connecting the network to the Internet. APT groups will keep investing heavily in the development and acquisition of zero-day exploits, according to Group-IB’s forecasts. Another trend Group-IB experts identified is networks compromise through key personnel’s home networks and personal devices. Increasingly often, state-sponsored hackers are focusing on vulnerabilities in home routers. This allows them to not only spy on users without infecting their devices, but also maintain a more extensive and dynamic infrastructure and remain unnoticed.
Group-IB’s new report features the activity of roughly 40 state-sponsored groups around the world, 21 one of which were most active in Asia-Pacific, including the Infamous North-Korean Lazarus group. For some of the hacker groups detected, the country of origin is yet to be established. The attribution is sometimes complicated by the fact that some groups may imitate other groups’ unique features to throw researchers off track.
Attacks on Crypto
In 2017-2018 hackers’ interest in cryptocurrency exchanges ramped up. Thirteen exchanges were hacked in 2017 and in the first three quarters of 2018, amounting to a total loss of $877 million. Thus, 60% of the total amount was stolen from Coincheck, a Japanese cryptocurrency exchange. Silence, MoneyTaker and Cobalt are likely to conduct new attacks on crypto exchanges.
A relatively new method of fraud on the ICO market was stealing a White Paper of ICO project and presenting an identical idea under a new brand name. Spear phishing remains the major vector of attack: approximately 56% of all money siphoned off from ICO were stolen using phishing.
In 2018 Group-IB detected five successful “51% attacks”, when attackers take control over at least 51% of mining power. Having 51% of computing power, the attackers create a stealthy alternative blockchain to confirm their own transactions. In 2018 the direct financial losses from these attacks amounted to almost $20 million.
Attacks on banks and their clients
Advanced hacker groups that Group-IB identifies as most dangerous to banking sector all over the world are Lazarus, MoneyTaker, Cobalt and Silence. The three latter are led by Russian-speaking hackers. All these groups are able to not only penetrate a bank’s network and access isolated financial systems, but also withdraw money via SWIFT, card processing systems, and ATMs. The Lazarus group will continue to attack banks and steal funds via SWIFT. They will likely experiment with attacks on card processing, primarily focusing on Asia and the Pacific. New cybercrime groups are also expected to start operations in Asia and Latin America.
The number of attacks via SWIFT increased dramatically over the reviewed period. In the previous period, three such attacks were tracked – in Hong Kong, Ukraine, and Turkey. In this period, however, 9 successful attacks have already taken place in Nepal, Taiwan, Russia, Mexico, India, Bulgaria, and Chile. Only two hacker groups target the SWIFT interbank transfer system: Lazarus and Cobalt. The average volume of theft attempt via SWIFT is estimated at $26 million.
Group-IB marked six new PC Trojans that appeared internationally: IcedID, BackSwap, DanaBot, MnuBot, Osiris и Xbot. Web phishing, which is another popular attack vector, has grown globally. The financial phishing is, predictably, mainly targeting US-based companies. The corresponding share of financial phishing webpages is 26%. France and Germany are second and third, respectively, in this ranking. Among all phishing resources, 73% can be divided into the following categories: cloud storages (28%), financial platforms (26%), and online services (19%).
During the last year, Group-IB Threat Intelligence detected 27 million cards uploaded to card shops. The company’s records indicate that dumps account for 62% of data sold, which means that POS Trojans are the main method of compromising plastic cards. Unlike dumps, text data is sold much cheaper in card shops: its total value amounted to $95.6 million, accounting for only 17% of the overall market value, compared to 19.9 million dumps, which cost as much as $567.8 million.
Group-IB in Asia
Group-IB is not a stranger to the region. It has recently announced the opening of the Global HQ in Singapore by the end of 2018, where Group-IB will manage and keep developing its global threat-hunting infrastructure aimed at adversary-centric detection and proactive threat hunting. Group-IB’s portfolio of clients in Asia includes banks, financial and government organizations in Singapore, Thailand and other countries. Southeast Asia accounts for more than 30% of the company’s international revenue.