Holiday Shopping Increases Threat Actor Activity in 2018 – Be Vigilant and Jolly

<h2>Overview</h2><p>As the weather grows colder and holiday shopping seasons encroaches, so too, increases the opportunities for data and monetary theft for a threat actor. Every year it seems as if companies are moving their “deals” earlier and earlier than the well-known Black Friday and Cyber Monday shopping days, as well as post-Christmas sales. These types of sales expectedly continue after these “shopping holidays,” leading up to gift-giving holidays such as Christmas, Hanukkah, and Kwanzaa. Threat actors enjoy the holiday season as much as anyone, however, their preferred gifts are the financial data, funds, and Personally Identifiable Information (PII) stolen from unsuspecting shoppers and companies that store such valuable information. The holiday season presents multiple attack vectors that threat actors can target to conduct malicious activity. Some of the various risks and threats present during the holidays include the following:</p><ul><li>Shoppers<ul><li>Data theft</li><li>Holiday-themed scams</li><li>Phishing</li><li>Malvertising</li><li>Malicious/fake applications</li><li>Malicious websites</li><li>Vulnerabilities</li></ul></li><li>Companies<ul><li>Bring Your Own Device (BYOD)</li><li>Distributed Denial-of-Service (DDoS)</li><li>Router vulnerabilities</li><li>Machine/OS vulnerabilities</li><li>Website defacement/infection</li></ul></li></ul><h2>Operating Systems</h2><p>The use of a variety of Internet-of-Things (IoT) devices and machines with different operating systems gives threat actors different avenues to target with various malwares. One target that threat actors can attempt to exploit is a vulnerable Operating System (OS). Primarily the Android and Windows operating systems because of their wide global-usage presents seemingly limitless targets. In addition, any of the vulnerabilities that have associated proof-of-concept code increases the probability that they will be exploited by threat actors on all levels of sophistication.</p><h3>Android</h3><p>In the first week of December 2018, Android released its monthly security bulletin to address 53 vulnerabilities. These vulnerabilities affect multiple Android operating systems including “Nougat” version 7.0 to “Pie” version 9.0.[<a href="https://nakedsecurity.sophos.com/2018/12/06/patch-now-if-you-can-latest-android-update-fixes-clutch-of-rce-flaws/" target="_blank">1</a>] 21 of the vulnerabilities had registered CVE’s associated to them, and 11 out of the 53 were rated as “critical” because could allow for Remote Code Execution (REC), and one was marked as “high.”[<a href="https://source.android.com/security/bulletin/2018-12-01" target="_blank">2</a>] Four of the vulnerabilities were identified to reside in Android’s “Media Framework” and two more in the “core system” that could be exploited to “[e]nable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.”[<a href="https://source.android.com/security/bulletin/2018-12-01" target="_blank">3</a>] While Google has stated that, as of December 5, 2018, it had not observed these vulnerabilities being exploited in the wild, the RCE aspect of 11 vulnerabilities requires immediate mitigation to avoid potential malicious activity. Some of these patches will not be available for some Android OS versions until January 2019 which shows the importance of properly maintaining software integrity as soon as security patches become available.</p><h3>Malware</h3><p>One of the most notorious malware in the past couple years that targets financial, and other forms of data, is the Trickbot trojan which was first discovered in October 2016. During the month of its discovery, researchers found that the malware was being distributed via malvertising campaigns that would drop the Rig Exploit Kit (EK).[<a href="https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/" target="_blank">4</a>] The malicious power of Trickbot resides within its modules that were observed to be dynamically fetched from a Command and Control (C2) system.[<a href="https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/" target="_blank">5</a>] Trickbot was also found to be capable of conducting web-injection attacks at this time up until October 2018, depending on the module used which demonstrates the flexibility and tenacious nature of the malware. Modules that were observed to be associated with Trickbot as of October 2018 consist of the following:</p><ul><li>Data-theft</li><li>Evasion techniques</li><li>Lateral movement</li><li>System reconnaissance[<a href="https://blog.barkly.com/trickbot-trojan-2018-campaigns" target="_blank">6</a>]</li></ul><p>In addition, Trickbot was also found to be primarily distributed via malspam campaigns, and this trend continued into November 2018.[<a href="https://blog.malwarebytes.com/101/2018/11/trickbot-takes-top-business-threat/" target="_blank">7</a>] To note, Trickbot was being distributed via malspam emails prior to October 2018, but as of that time it was observed to be the primary distribution method instead of malvertising as previously observed. The prolific nature of Trickbot and is wide usage amongst threat actors prompted the UK National Cyber Security Centre (NCSC) to issue an advisory report in September 2018 warning individuals, and small and medium businesses in the UK and around the world about the dangers of Trickbot as well as mitigations to assist in defending against it.[<a href="https://www.ncsc.gov.uk/alerts/trickbot-banking-trojan" target="_blank">8</a>] While Trickbot is one of the larger threats posed to individuals and companies during the holiday, and post-holiday shopping bonanza, there are other malware families that people should be aware of going forward with their holiday plans.</p><p>One such malware to be aware of is the “Emotet” banking trojan that was first discovered in 2014.[<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/" target="_blank">9</a>] By 2017 and leading up to November 2018, the actors behind Emotet began reviving the old malware by creating new modules, particularly a spam module for large-scale distribution.[<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/." target="_blank">10</a>] Trend Micro researchers discovered that, based off the data they analyzed from June to September 2018, 45% of Emotet’s infrastructure was hosted in the US.[<a href="https://www.bleepingcomputer.com/news/security/emotet-banking-trojan-loves-usa-internet-providers/" target="_blank">11</a>] Emotet attacks targets all over the world, but the US and Europe were the most targeted during this timeframe, which somewhat aligns with where the majority of the trojan’s infrastructure is located, that is, the US, Mexico, and Canada.[<a href="https://www.bleepingcomputer.com/news/security/emotet-banking-trojan-loves-usa-internet-providers/" target="_blank">12</a>] Emotet is primarily distributed via malspam emails that contain attachments with malicious macros, and malicious links. The malspam uses typical themes such as invoices, purchase receipts, or shipping details. Emotet can pose a significant risk because of its worm functionality for propagation and its polymorphic nature that makes it difficult to prevent with a signature-based detection in combination with its ability to download other trojans. Furthermore, the United States Computer Emergency Readiness Team (US-CERT) published an alert in July 2018, discussing the functionalities of the malware in which they stated that Emotet costs State, Local, Tribal, and Territorial (SLTT) “up to $1 million per incident to remediate.”[<a href="https://www.us-cert.gov/ncas/alerts/TA18-201A" target="_blank">13</a>]</p><h2>Threat actors:</h2><p>A variety of threat groups are financially-motivated and will likely be, or currently are, active during this year’s holiday season. Financially-motivated threat groups present a substantial risk to organizations and individuals alike because unlike other groups motivated by data theft, financial groups may not care about hiding their malicious actions. Instead, they are solely motivated by illicit profit and perhaps may not care about causing any damage or being noticed. In contrast, a sophisticated financially-motivated may desire to remain undetected on a network or system to steal as much financial data as possible. Some of the more well-known and active financially-motivated threat groups are “Carbanak,” “Cobalt Group,” “FIN6,” and “FIN7.” Some researchers suggest that Carbanak, Cobalt Group, and FIN7 are all the same group, however, it is more likely that Carbanak and FIN7 are separate groups that both utilize the “Carbanak” malware and namesake of the group. Aliases are often disputed amongst security researchers, as is also sometimes case with Carbanak and the Cobalt Group, but again this is likely due to the groups using the same malware families in Carbanak and “Cobalt.”</p><h3>Carbanak</h3><p>Carbanak is a sophisticated threat group that is often referred to as an Advanced Persistent Threat (APT) because of the significant amount of money the group has stolen from financial institutions around the world. Carbanak was first discovered in 2013, is primarily focused on attacking banks and companies in, and related to, the retail industry. Initially, the group focused only on attacking Russian banks, but later in August 2015, expanded their target scope to banks, hospitality, manufacturers of Point-of-Sale (PoS) systems, retailers, and restaurant industries worldwide. They are a sophisticated group that will compromise vendors employed by the primary target to use the vendor’s legitimate emails in spear phishing campaigns.</p><p>The Carbanak group typically attempts to obtain a foothold in an organization via spear phishing emails that are distributed using stolen email credentials. The credentials used to make the phishing emails appear authentic, usually belonging to coworkers or third parties trusted by the targeted organizations. The observed infection vectors in emails have been Microsoft Word documents with known vulnerabilities, RTF documents with embedded OLE objects containing VBScript, and Control Panel items (CPL files). To increase the chances of success, they will even register similar looking domains, known as typosquatting, and clone the legitimate websites of the spoofed vendor to serve the malware. In some cases, the initial infection has been from Null, RedKit, or Neutrino Exploit Kits via a drive-by-download attack. It has also been reported that the Carbanak group has hired other botnet owners to deliver the malware onto already infected machines. Furthermore, the group uses legitimate Remote Administration Tools (RATs) to maintain persistence in addition to making the traffic appear more authentic. It has also been discovered that Carbanak uses Google Apps Script, Google Sheets, and Google Forms service for Command and Control (C2) for communication. The group’s primary targets include:</p><ul><li>Banks</li><li>Hospitality industry</li><li>Oracle (Oracle MICROS)</li><li>POS manufacturers</li><li>Restaurant industry</li><li>Retail industry</li><li>Verifone</li></ul><h3>Cobalt Group</h3><p>The Cobalt Group, similar to Carbanak, also targets financial institutions in a variety of countries, however, the group primarily focuses on banks in Central and Southeast Asia and Eastern Europe.[<a href="https://attack.mitre.org/groups/G0080/" target="_blank">14</a>] One of the group’s alleged leaders was arrested in Spain in early 2018, and even with that arrest the group is still active.[<a href="https://attack.mitre.org/groups/G0080" target="_blank">15</a>] In late September 2018, Cobalt was found to be targeting financial institutions with the “SpicyOmelette” remote access tool via phishing emails.[<a href="https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish" target="_blank">16</a>] In mid-December 2018, Cobalt group was reported to have made updates to the “ThreadKit” exploit kit.[<a href="https://www.fidelissecurity.com/sites/default/files/CobaltGroup_nov2018.pdf" target="_blank">17</a>] ThreadKit is a document exploit-builder that can be purchased on various underground forums. Cobalt was observed using ThreadKit to deliver Microsoft documents that contain exploits with the objective of delivering “CobInt” downloader on to the recipient’s machine. Cobalt is a significant threat to financial institutions around the world having stolen approximately $1.2 billion USD through their malicious activities. The group primary uses emails as its initial infection vector with the objective, typically, of delivering a “Cobalt Strike” beacon or a JavaScript-based backdoor.[<a href="https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html" target="_blank">18</a>] Cobalt Group targets consist of the following:</p><ul><li>ATM systems</li><li>Card processing</li><li>Payment systems</li><li>Society for Worldwide Interbank Financial Telecommunication (SWIFT) systems[<a href="https://attack.mitre.org/groups/G0080/" target="_blank">19</a>]</li><li>Supply chain companies</li></ul><h3>Magecart</h3><p>The non-collective threat group name, “MageCart,” first emerged in 2015, according to RiskIQ and Flashpoint researchers. The umbrella term, MageCart, refers to groups that target online commercial websites and injects payment skimming scripts to illicitly obtain credit card credentials.[<a href="https://cdn.riskiq.com/wp-content/uploads/2018/11/RiskIQ-Flashpoint-Inside-MageCart-Report.pdf?_ga=2.97588895.1871284311.1542273938-1172729395.1542273938" target="_blank">20</a>] The group is suspected to be several groups under the umbrella of MageCart, the name given to keep track of these financially-motivated groups and their malicious activity. RiskIQ and Flashpoint suggest that there are approximately six to seven groups with each group acting slightly different in their targeting, skimmer functionality, and infrastructure.[<a href="https://cdn.riskiq.com/wp-content/uploads/2018/11/RiskIQ-Flashpoint-Inside-MageCart-Report.pdf?_ga=2.97588895.1871284311.1542273938-1172729395.1542273938" target="_blank">21</a>]</p><p>The believed subgroups are as follows:</p><ul><li>Group 1 and 2 - Indiscriminate targeting and utilizes reshipping scam to get bystanders to deliver goods purchased with stolen card credentials</li><li>Group 3 - Targets as many people and sites as possible, injected skimmer unique</li><li>Group 4 - Highly sophisticated compared to the other groups and employs several anti-detection tactics.</li><li>Group 5 - Partakes in supply-chain compromises to target third-party service providers and expand potential target pool</li><li>Group 6 - Targets well-known and large traffic-receiving sites to get the highest payout with minimal effort.</li><li>Group 7 - Targets mid-tier sites and utilizes the compromised sites as proxies for the stolen information</li></ul><p>Magcart represents the most significant threat to online shoppers this holiday season and have already been attributed to multiple high-profile incidents in 2018 including: British Airways, Kitronik, Newegg, and Sotheby’s, among others. The groups objective in these attacks, as well as a campaign discovered by Anomali researchers target multiple websites in November 2018, is to steal debit and credit card information. In addition, researchers found that the reinfection rate for websites compromised by Magecart is approximately 20% with the average amount of time a website is compromised and data being skimmed at approximately 13 days.[<a href="https://gwillem.gitlab.io/2018/11/12/merchants-struggle-with-magecart-reinfections/" target="_blank">22</a>]</p><h2>Conclusion</h2><p>The final few months of every year consists of threat actors attempting to capitalize on the online shopping that seems to break the previous year’s record every year. Website administrators need to be vigilant at all times to prevent groups like Magecart from compromising their website and stealing their customers’ financial and Personally Identifiable Information (PII). The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. Patch application protocols are paramount, and complex passwords for administrators, and all business and personal accounts, are needed to prevent groups like Magecart from stealing sensitive information. Shoppers should be aware of threat groups mentioned above, among others, to recognize potential malicious activity such as phishing emails, malvertising, and typosquatted domains. Furthermore, individuals could use identity theft services to assist in preventing fraudulent activity from taking place since so many large breach’s, such as Equifax in 2017, exposed millions of US citizen’s PII, and <a href="https://www.anomali.com/blog/is-magecart-checking-out-your-secure-online-transactions" target="_blank">Magecart</a> activity stealing thousands of individuals’ credit card information.</p>