From Bozkurt to Buhtrap

Cyber threats affecting financial institutions in 1H 2016

1 Table of Contents

Executive Summary ...... 3 Hacktivism...... 4 OpIcarus...... 4 OpAfrica...... 5 Phineas Fisher...... 5 Cybercrime ...... 6 DDoS-based extortion activity...... 6 Data breaches...... 8 Business email compromise ...... 9 Malware campaigns...... 10 Targeted attacks...... 12 Mossack Fonseca...... 12 Attacks on the SWIFT network in 2016...... 12 Buhtrap / Ratopak...... 14 Forecasting the threat in Q3 2016...... 16 End notes...... 19

2 Executive summary

Despite recent activity surrounding the healthcare industry, organizations in the financial services industry continue to be faced with a wide variety of cyber threats. In order to stay ahead of these threats, organizations can develop situational awareness of them.

The first half of 2016 (1H) saw plenty of cyber threats targeted at, and relevant to, the financial services industry. This paper will look at activity we have detected across hacktivism, cybercrime and targeted attacks, between January and the end of June 2016. Looking back at what we observed during the first half of 2016 (1H), allows us to better understand the motivations and tactics, techniques and procedures (TTPs) of the threat actors targeting the financial services sector.

Armed with this intelligence of current trends, we are able to provide projections for activity we might see against the financial service industry in Q3 2016.

3 Hacktivism

The majority of hacktivism against financial institutions we have detected in 1H 2016 has occurred as part of the hacktivist operation known as OpIcarus. This has had a demonstrably low impact, despite the three claims of data leakage outlined in the following section. Additionally, we have detected further attacks conducted by the threat actor Phineas Fisher, who we assessed to be a hacktivist threat actor whose previous attacks have had a high impact to targeted organizations. Given this threat actor claimed to have stolen funds from an unnamed bank, their activity was included in this report. The most prominent hacktivist activity detected has been outlined in this section.

OpIcarus OpIcarus was launched by affiliates of the Anonymous collective on February 8, 2016, and initially started as a planned protest outside of the New York Stock Exchange in the United States and the Bank of England in the United Kingdom. At the time of writing, OpIcarus activity had continued and was in the so-called “third phase” for which the stated objective was the targeting of stock exchanges around the world. However, we have detected at least one instance where an insurance company was targeted.

Although we have detected some claims of data leakage as part of the hacktivist operation OpIcarus, none of them were confirmed and should they have been genuine the number of impacted individuals was assessed to be low. We had not detected any acknowledgement of the claimed data leakages by the implicated companies at the time of writing, therefore have not assessed the impact of the claims made in relation to their data.

Overall, hacktivist activity as part of OpIcarus was largely in relation to denial of service attacks at the time of writing and the threat level posed by the operation was assessed as low.

Graph showing number of claimed OpIcarus attacks by continent

Africa Asia Europe North America South America Oceania

4 Figure 1: Number of claimed OpIcarus attacks by continent OpAfrica On February 24, 2016 a Twitter user claiming affiliation to the Anonymous hacktivist collective claimed that threat actors had compromised the website of the Central Bank of Nigeria (cbn[.] gov[.]ng) and that they had leaked the data online both freely and publicly as part of the hacktivist operation OpAfrica.

The compromise was claimed to have been conducted as part of the hacktivist operation OpAfrica and motivated by anti-corruption and anti-human rights abuses. This operation was focused on the targeting of African government domains as well as companies and organizations which were perceived as perpetuating corruption within Africa, as well as organizations that were perceived as supporting or facilitating the use of child labor within Africa. The operation was initially established in early 2011 and its focus has shifted several times since then. A resurgence in OpAfrica activity was detected in late January and early February 2016, prior to the targeting of the Central Bank of Nigeria domain. It was assessed that the targeting of the Central Bank of Nigeria was consistent with the geographical focus of the operation, but the exact motives for it’s targeting were not known.

Included in the data were over 100 email addresses. The addresses were randomly sampled by Digital Shadows and those sampled were found to be genuine and publicly available. Within the data, there was reference to the target domain being vulnerable to a “Blind SQL injection”. Additionally, there was some indication that the threat actors had used the “DNSRecon” tool available for Kali Linux. The tool can allow users to enumerate general domain name system (DNS) Records for a given domain as well as other information. This evidence was through the statement “Performing General Enumeration of Domain: cbn[.]gov[.]ng” – consistent with a statement made by DNSRecon when one of its enumeration functions is executed.

Phineas Fisher Phineas Fisher is a threat actor who claimed responsibility for widely reported intrusions and subsequent data leaks affecting both the Italian technical surveillance company Hacking Team in July 2015, and Anglo-German spyware company Gamma International UK Ltd in August 2014. The actor is assessed to be ideologically motivated, largely by anti-surveillance sentiment and has conducted at least one attack in response to perceived human rights abuses. However, it was considered possible the actor would target any company, including in the financial sector, perceived as acting unethically. The actor has demonstrated a medium level of capability and their narrow targeting has led us to assess they present a medium threat level. Although the actor is considered a hacktivist, the use of more sophisticated TTPs and the significant impacts they have had against their targets leads us to assess they are a higher threat than most known hacktivist threat actors.

Phineas Fisher claimed to have conducted network intrusions against both Hacking Team in July 2015 and Gamma Group UK Ltd. in August 2014. In addition to this, the threat actor leaked data relating to police officers at the Catalan Police Union in response to alleged human rights abuses. In this instance, the threat actor uploaded a video demonstrating the use of an SQL Injection in

5 order to acquire the data. Furthermore, the threat actor claimed to have donated funds allegedly stolen from an unnamed financial institution to Kurdish anticapitalists in Rojava, Northern Syria. Phineas Fisher’s activity has suggested that the threat actor will target companies perceived as acting unethically, as well as on the basis of perceived human rights abuses and for pro-privacy reasons.

The actor has provided significant details regarding tools used, tactics, techniques and procedures.1 Phineas Fisher has claimed some high profile victims since August 2014 and continues to be active into 2016. The impact of these incidents has been high for the affected organizations. The capability associated with this actor is assessed as medium, as the tools and techniques used are often freely available tools. Despite a claim to have used a zero-day exploit, this was not confirmed. The actor has also claimed to have written some of their own scripts. The intent of the actor, however, is assessed as high, given the prolonged activity and the targeting of specific entities rather than opportunistic attacks. Overall, however, given the very narrow targeting of the actor, the assessed threat level has been assessed as medium. Cybercrime Cybercriminal activity affecting financial institutions in 2016 has included distributed denial of service extortion, data breaches, business email compromise (also known as CEO or whaling fraud) and targeted malware campaigns, including the delivery of the CryptoWall ransomware variant via highly targeted spear phishing emails. Cybercriminal activity in 1H has had a varying level of impact and has demonstrably resulted in financial losses for the companies and individuals affected.

DDoS-based extortion activity Armada Collective Armada Collective is a threat actor associated with distributed denial of service (DDoS) based extortion attacks that have affected financial institutions and hosting companies, amongst others. Typical attacks included the threat of a DDoS attack if a ransom was not paid in Bitcoin before a specified deadline. Since March 2016, we have detected a number of reports of threat actors using the Armada Collective moniker in attempts to extort financial services companies – as evidenced by a report published by the Swiss Governmental Computer Emergency Response Team.2 The activity since March 2016 was assessed as likely to have been conducted by copycat threat actors given that we detected no public reporting of threats being followed up by DDoS attacks. This was corroborated by reporting from the DDoS protection company CloudFlare on April 25, 2016, who reported that no DDoS attacks had been associated with Armada Collective activity since March 2016.3

This activity followed a lapse of known Armada Collective activity between December 2015 and

6 March 2016. Prior to December 2015, at least one known successful extortion had been carried out by Armada Collective against the email service provider ProtonMail, who were subjected to a denial of service attack and paid a ransom of 15 Bitcoin. Given the absence of known DDoS attacks associated with Armada Collective since March 2016, we have assessed Armada Collective to represent a low threat level. Despite this, some companies have demonstrably paid the ransom since March 2016 – given that $100,000 USD was present in a Bitcoin address associated with the copycat Armada Collective activity.

Figure 2: Three typical stages of DDoS extortion

Kadyrovtsy “Kadyrovtsy” is a DDoS-based extortion threat actor who was known to have been active from at least April 22, 2016 to June 2016. The threat actor has reportedly targeted UK, Polish and Dutch financial services institutions, a German online marketing company and multiple German companies operating in unknown sectors. The actor used the threat of denial of service (DoS) attack to extort Bitcoins from a targeted company or organization. The actor has reportedly sent emails demanding a payment be made in Bitcoins to a specified address and threatened that a DoS attack would be launched if payment was not made within 24 hours. These emails were reportedly accompanied by DoS attacks to demonstrate capability. The last known activity from this threat actor was reported on June 2, 2016.4

Reporting on extortion activity associated with Kadyrovtsy indicated that this actor has demonstrated the capability to consistently launch DoS attacks ranging between 50Gbps and 90Gbps at peak volume. According to Akamai’s Q1 2016 state of the Internet report, the median peak volume of recorded attacks was 1.3Gbps and 80% of attacks peaked at between three and 10Gbps. Only 19 attacks exceeding 100Gbps were recorded by Akamai in 2016.5 Furthermore, the highest volume DoS attack ever linked with DD4BC, a formerly prominent DDoS extortionist who became inactive in late 2015, was 60Gbps. It was therefore assessed that Kadyrovtsy possesses a relatively high degree of capability in launching DoS attacks, although the means by which this capability was obtained was unknown at the time of writing. Given the number of reported attacks conducted by the actor, this has led us to assess that this actor posed a high threat level at the time of writing.

7 Data breaches Bozkurt Hackers

Although not a typical cybercrime group, an actor calling themselves Bozkurt Hackers released numerous data breaches in 1H. This began with the claim of hack against Qatar National Bank on April 25, 2016. On May 6, 2015 a Twitter account associated with this group threat actor posted a URL to approximately 10GB data alleged to have been compromised from Invest Bank in Sharjah, United Arab Emirates. The data included in the 10GB file featured some overlap with the data that had been released previously by a threat actor who had called themselves “Hacker Buba” in December 2015. Over the next few weeks, Bozkurt Hackers leaked data claiming to pertain to six more banks, including five banks in Nepal and Bangladesh and the Commercial Bank of Ceylon. Despite claims of further leaks imminent, no activity has been detected since May 2016.

The motivations of the Bozkurt Hackers remain unclear. A Twitter account affiliated with Bozkurt Hackers (@bozkurthackers) provided a screenshot of a private conversation on Twitter with a user called “Maz”. In this conversation, the Twitter account @bozkurthackers claimed they had targeted the QNB as “Al Thani do everything to harm our economy” - possibly referring to the Al Thani royal family in Qatar. The imagery used by the threat actor on their Twitter accounts shows some affiliation with the ideology of the Turkish Nationalist group called Ülkü Ocakları (Grey Wolves). Ülkü Ocakları seek to promote Turkish nationalism over Arab nationalism, and although the attribution of the “Bozkurt Hackers” to the compromise of the Qatar National Bank is highly questionable, this ideology does provide some possible explanation for their claims regarding that data leakage.

Figure 3: Post made by user affiliated with Bozkurt Hackers on a carding forum

Of course, the links between Bozkurt Hackers and the user that posted some Invest Bank data to the carding forum in March 2016 suggest it to be possible that the threat actor motivations include financial gain. Although their method of releasing data freely and publicly may appear contrary

8 to these aims, older data that has already been used may be of limited value for fraud; therefore it is possible that this has been used to gain notoriety and kudos. Given that the threat actor has demonstrably contacted media outlets and journalists, it is likely that a significant facet of their motivation is also to gain publicity for their activity in this instance.

Business email compromise Business Email Compromise (BEC) (AKA Whaling Fraud / CEO Fraud) is a type of scam in which attackers spoof company executives’ email addresses or compromise legitimate business email accounts (via social engineering or computer intrusion) with the ultimate goal of conducting an unauthorized transfer of funds. Most frequently, businesses working with foreign suppliers or those that regularly perform wire transfer payments are targeted.6

Within 1H 2016, we detected reporting that a United States-based investment company, Pomeroy

Investment Corp., had been subjected to a business email compromise attack that had resulted in the loss of $495,000 USD.7 On April 18, 2016, the company reportedly informed local law enforcement that an employee had received an email from another employee requesting that they transfer $495,000 to a bank account registered with an unspecified Hong Kong bank. It reportedly took eight days after the email was sent and the transaction completed for the company to realize that the email requesting the transfer had not been legitimate. Local law enforcement reported that it was later established that the email account that sent the transfer request had been compromised by an unknown threat actor, who used the account to request the transfer.

In the instance affecting Pomeroy Investment Corp, it was assessed as possible the threat actors who compromised the email account had possessed a greater degree of technical capability as those who have used social engineering in order to conduct similar attacks. Although the compromise of legitimate business accounts is a known tactic for conducting business email compromise attacks, threat actors can also use typo-squatted domains (domains registered to appear as if they are genuine company domains) in order to conduct similar attacks. Overall, BEC has been used to steal information, effect wire transfers and deliver malware. Reporting from the Federal Bureau of Investigation’s Internet Crime Center (IC3) suggested that total losses resulting from BEC exceed $740 million USD, not including companies outside of the United States. We assess that business email compromise represents a high threat level, given its demonstrable success and its widespread use.

9 Malware campaigns Retefe banking trojan

On June 22, 2016 it was reported that a Retefe banking trojan campaign was targeting UK customers. The report claimed that this most recent Retefe campaign utilized spam emails containing a malicious JavaScript file that installed a malicious root certificate and changed the operating system’s proxy auto-configuration settings to link to a website on Tor. Although users were asked to approve the installation of a root certificate, the trojan dropped a PowerShell script, which simulated a user clicking “Yes” to the certification warning message that was displayed. The root certificate and the proxy settings allowed threat actors to hijack the traffic through their own server and detect when a user attempted to access a banking portal. When infected users visited an online banking site, they were sent directly to a fake HTTPS login site that required login credentials and/or additional personal data. When users entered their credentials on the fake site, a time counter appeared asking users to wait on the page. Nine financial services organizations in the UK were listed in the reports.

CryptoWall

On April 5, 2016 a new report that stated that a financially motivated threat actor dubbed “TA530” had targeted executives and other management employees via spear-phishing emails in order to infect their machines with malware. The campaign by TA530 was reported to have been observed since the start of January 2016. Emails distributed by TA530 reportedly included reference to the recipient’s name, job title, phone number and their employee company name in the email body, subject line and attachments. The emails included Microsoft Office attachments that had embedded malicious macros. If the macros were enabled, malware would be delivered to the recipient machine. Some of the payloads detected by included the ransomware variant CryptoWall, and the company reported that financial services had been the mostly prominently targeted, including those operating in the United States, United Kingdom and Australia.

Although the delivery of malware via spear-phishing is often reported as a tactic used by threat actors, the delivery of ransomware via this vector had not previously been detected by us. Ransomware, such as CryptoWall, was commonly distributed via spam phishing emails or through the use of exploit kits, and the reporting was assessed as confirmation of the use of targeted attacks in the delivery of ransomware, affecting multiple sectors. Due to the number of affected sectors and the unprecedented reporting on CryptoWall we had assessed the severity of this incident to be high.

10 Trojans targeting banking customers

In early 2016, we observed a trend in reporting of malware targeting banking customers. Four trojans were reported on during this period:

1. Rovnix. Having recently been identified targeting European bank customers, the Rovnix banking trojan is now reported to be targeting customers of unspecified Japanese banks. The malware was propagated via spam emails containing a malicious attachment and encompasses web injections that harvest customer credentials. In some cases, users are tricked into downloading an Android application that hijacks SMS messages to listen for transaction authorization codes. The targeting of Japanese banking customers is likely to continue in the foreseeable future due to a specific configuration file and emails sent in Japanese.8 2. BlackMoon. The BlackMoon banking trojan was initially analyzed in Q1 2014 and has since had developments to its delivery infrastructure and obfuscation, yet it remains targeting banking

customers located in South Korea. BlackMoon differs from other prominent banking trojans in that it uses a technique known as ‘pharming’ in order to get victims to visit an IP address controlled by the attacker and for the subsequent entry of banking credentials onto a fake banking website.9 3. URLZone. After a period of low levels of activity, the banking trojan known as URLZone (AKA Shiotob, Bebloh) has reportedly started targeting the customers of 14 unspecified Japanese banks. Previously, URLZone had targeted customers in Europe. URLZone is the third banking Trojan to have recently been detected targeting Japanese customers, after Shifu and Rovnix.10 4. Tinba. A new variant of the Tinba banking trojan was discovered targeting customers of financial institutions in the Asia-Pacific region - this is reportedly a new target geography for the malware. The changes in the reported variant and the newly added target geography demonstrate Tinba’s continued development. We assess it as likely that the use of this trojan will continue in the foreseeable future and that the targeting is likely to encompass financial institution customers in the Americas, Europe and Asia-Pacific regions.11

11 Targeted attacks 1H 2016 has seen a considerable amount of reporting in relation to targeted attacks that have directly impacted financial institutions globally. Targeted attacks known to us include the Mossack Fonesca breach, the bank heists facilitated by the use of the SWIFT network, as well as attacks from threat groups such as Buhtrap (AKA Ratopak). These attacks were likely to have had a high impact on the affected financial institutions, given the financial loss associated with them.

Mossack Fonseca The Panama-based law firm called Mossack Fonseca was reported to have suffered a data breach on April 3, 2016. The breach resulted in the reported theft of 11.5 million files amounting to 2.6TB information dating from the 1970s to early 2016. The files were reportedly disclosed by an anonymous source to the German newspaper Süddeutsche Zeitung, who shared them with the International Consortium of Investigative Journalists (ICIJ). It was reported that some of the files were leaked to the media “over a year ago” as of April 2016, which suggested the files had started to be leaked in early 2015. Exactly when the data was exfiltrated from the Mossack Fonseca network was not known at the time of writing.

Regardless of the threat actor responsible, whether they were an external actor or an insider, their motives for conducting the compromise and how they did it, the breach of Mossack Fonseca was assessed as a potential example of how companies perceived as doing unethical business can become target for threat actors with high intent. A similar example was the compromise of Hacking Team in July 2015, after which a threat actor claiming responsibility claimed they did it due to the unethical business practice of Hacking Team.12

Attacks on the SWIFT network in 2016 Reporting emerged in 2016 of a series of frauds being perpetuated via the use of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system, which allows financial institutions to send and receive information about financial transactions. In March 2016 it was reported that $81 million had been stolen from the Bangladesh Bank, however further revelations emerged of other banks being affected. On May 13, 2016, SWIFT released some insight into the attacks,13 claiming that malicious insiders or external attackers had submitted SWIFT messages from financial institutions’ back-offices, PCs or workstations connected to their local interface to the SWIFT network. In two of the cases, SWIFT claimed that the attackers’ procedures were as follows:

12 Attackers hide evidence by removing some of the traces of the fraudulent messages.

Figure 4: Procedures of attacks using SWIFT system

The following timeline demonstrates the reported date on which a theft was identified at banks affected by attacks using the SWIFT network. All of these attacks had reportedly occurred using similar tactics, techniques and procedures. Where the theft date was not known, the reporting date was used and has been highlighted in the timeline. At the time of writing, it had not been confirmed that the heist from the Ukrainian bank was related to previous attacks.

Symantec has reported that the tools used for targeting the bank in the Philippines had shared “code similarities” with malware used in historic attacks linked to a threat group dubbed “Lazarus Group”, who were reported to have been linked to the attack on Sony Pictures Entertainment in November 2014 and were linked to North Korea. Symantec reported that this threat group had also targeted Bangladesh Bank and Tien Phong Bank. At the time of writing, we did not have enough evidence to conduct an assessment on the attribution to Lazarus Group.14

The available reporting for the attacks on banks using the SWIFT network to conduct fraudulent transactions suggested it to be likely that it was a global series of attacks with an impact across multiple geographies and sectors. The reporting represented highly targeted attacks and impacts that have been experienced globally with very high losses attributed to the activity. The threat actor(s) responsible Figure 5: Timeline of attacks have demonstrated a very high capability and very high intent. using SWIFT network 13 Buhtrap / Ratopak Buhtrap is the name for a threat group (dubbed Buhtrap group) that have targeted both Russian and Ukrainian businesses and financial institutions, and had reportedly planned to target financial institutions in Europe and the United States. The name Buhtrap originally derived from “Operation Buhtrap” used to describe a campaign that used custom malware and the targeting of accounting departments. The name Buhtrap is now used to describe the malware and the group, as well as the previously mentioned operation. “Ratopak” is used as an alternative naming convention for the malware used by Buhtrap group.

The Buhtrap group was reported to have been active since late 2014, using both legitimate software and custom malware. The group was reported to have targeted individuals in accounting departments of Russian businesses as part of their attacks. As of 2015 the Buhtrap group reportedly shifted their scope to focus on the direct targeting of financial institutions as opposed to bank clients. The first attacks against financial institutions were detected in August 2015. Between August 2015 and February 2016, Buhtrap group has been attributed to 13 successful attacks resulting in a total loss of $25.7 million. The largest loss resulting from a successful attack by the Buhtrap group resulted in $8.8 million.

The group behind Buhtrap has reportedly consistently used spear-phishing as their main infection vector. Emails that purport to be invoices are distributed containing malicious Microsoft Office (specifically Microsoft Word) documents that exploit a number of vulnerabilities, these have included: _ CVE-2012-0158 15 _ CVE-2013-3906 16 _ CVE-2014-1761 17

On April 11, 2016, SC Magazine reported that unnamed Russian authorities had told them the threat actor Buhtrap group was planning new attacks, which “may affect some well-known EU and US banks”.18 The banks were not specified in the reporting. SC Magazine spoke to the Deputy Chairman of the Russian central bank, Xenia Yudaeva, who said that the group had most recently stolen around 600 million Rubles ($9 million) from Metallinvestbank, a bank in Russia. Yudaeva also said the group had carried out 13 successful cyberattacks in the last six months. Most of the attacks were stated to have taken place using phishing emails purportedly sent from the Russian central bank. The delivered malware allowed the Buhtrap group to find computers on the corporate network of targeted banks to which they would upload a remote access trojan. This would be used to create fraudulent money transfers.

14 The tactics, techniques and procedures reportedly used by Buhtrap group were assessed to be indicative of both a high capability and high intent. Furthermore, the losses attributed to the group were demonstrative of successful attacks against financial institutions with a high impact to those affected.

15 Forecasting the threat in Q3 Gaining an awareness of the threats that have faced the financial services industry in 1H is useful; of course, understanding threat actors motivations and TTPs allows organizations to make better security decisions. But what do these attacks mean going forward? Using our statistics for the number of incidents in each quarter, coupled with qualitative analysis based on our observations, we have attempted to forecast the threat posed by hacktivism and cybercrime in Q3 2016.

Hacktivism Since February 8, 2016, a majority of hacktivist activity in relation to the financial sector has derived from the operation called OpIcarus. This is demonstrated by the significant spike in hacktivist related incidents in Q2 2016 (Figure 4) a majority of which were claims of denial of service attacks as part of OpIcarus. Although this activity has continued into Q3 2016, we have observed relatively less frequent levels of activity as part of this operation in Q3 2016 and so assess it to be likely that fewer claims will be made in Q3 2016 overall. As such, we anticipate the threat from OpIcarus will remain Low, with the most likely scenario being a small number of threat actors conducting low impact denial of service attacks against financial institution websites. This is assuming that major revelations in relation to the financial sector do not encourage hacktivist activity based on perceptions of corruption or other factors that may encourage ideologically motivated attacks. While it is possible that hacktivist attacks will take place against financial institutions as part of other established operations, we have not detected any indication of any other established operations specifically targeting the financial sector.

Graph showing number of financial services hacktivist incidents per quarter

Figure 6: Graph showing number of hacktivist incidents against financial sector in 2016

16 Cybercrime Financially motivated cybercriminal activity affecting the financial sector in 2016 has largely encompassed the use of ransomware, exploit kits, banking trojans, DDoS based extortion and business email compromise. In addition to this, we have detected reporting on targeted attacks conducted by organized criminal groups that focused on the conduct of fraudulent transactions from targeted financial institutions (see Buhtrap / Ratopak). We have outlined a number of plausible scenarios in relation to this activity for Q3 2016.

For business email compromise specifically, it has been reported that financially motivated threat actors have used changes in company management in order to increase the likelihood of a successful business email compromise attempt. This was reported for Samson Resource Corporation, who had undergone a leadership change shortly prior to a successful business email compromise attempt. Considering the reporting that some financial services planned to move operations outside of the UK following the vote to leave the European Union,19 possibly resulting in a management change, it would be plausible that threat actors may seek to capitalize on such organizational shifts.

In relation to ransomware, since January 1, 2016 we have detected a relatively large amount of reporting on the development of new variants and developments to existing variants. Ransomware will likely remain a threat to individuals and organizations in Q3 2016, and it is likely that new variants and new developments will continue to emerge. As part of this, we have detected a trend of ransomware including credential harvesting functionality, likely to create two possible revenue streams from the harvesting of data and extortion attempts. Example of these variants include CryptXXX, Crysis and RAA. It is possible that this trend of multi-functional ransomware will continue.

With the sudden drop in activity associated with the Angler exploit kit, there have been a number of other exploit kits that have seen rapid development and have become more prominent – including the Neutrino exploit kit and Sundown exploit kit, both of which had previously been less prominent than Angler. It is possible that cybercriminal threat actors will use this market volatility as an opportunity to fill the void and launch new products or update existing products to take the market share left behind by Angler.

This year has seen a number of reports pertaining to the sale and trading of historic data breaches, such as that of MySpace and LinkedIn. These had not affected the financial sector specifically, however it was assessed that the number of databases exposed to the public would likely increase

17 the intensity of threat actors using exposed credentials in the targeting of individuals in Q3 2016.

On July 22, 2016 it was reported that in 2015 the value of transactions made by UK citizens using mobile banking applications had increased by 54% in comparison to the previous year, making the total value of £347 million in 2015. We have detected a number of malware variants affecting Android devices such as “Godless” and “SpyLocker”, and assess it as likely cybercriminals will continue to develop new mobile banking trojan variants and target financial institution customers.

Graph showing number of financial services cybercrime incidents per quarter

Figure 7: Graph showing number of cybercrime incidents against financial sector in 2016

Author: Simon Tame

18 End Notes 1. http://pastebin.com/raw/0SNSvyjJ 2. http://twitter.com/1/statuses/708250912217829376 3. https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/ 4. http://www.btc-echo.de/bitcoin-ddos-kadyrovsky-deutsche-ziele/ 5. http://www.akamai.com/uk/en/multimedia/documents/state-of-the-internet/akamai-q1-2016- state-of-the-internet-security-report.pdf 6. htps://www.ic3.gov/media/2015/150827-1.aspx 7. http://detroitnews.com/story/news/local/oakland-county/2016/05/03/troy-investment-company- hacked/83879240 8. https://securityintelligence.com/konnichiwa-rovnix-aggressive-malware-hits-japanese-banks/ 9. http://blog.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan 10. https://securityintelligence.com/organized-cybercrime-big-in-japan-urlzone-now-on-the- scene/ 11. http://www.theregister.co.uk/2016/01/19/bite_size_thief_now_raiding_asia_pac_banks/?utm_ source=dlvr.it&utm_medium=linkedincompanies 12. http://motherboard.vice.com/read/the-vigilante-who-hacked-hacking-team-explains-how-he- did-it 13. https://www.swift.com/insights/press-releases/swift-customer-communication_customer- security-issues 14. http://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial- attacks 15. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-0158 16. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3906 17. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1761 18. http://www.scmagazineuk[.]com/russian-hacker-group-targetting-largest-eu-banks/ article/488781 19. http://www.independent.co.uk/news/uk/home-news/brexit-hsbc-economy-banks-eu- referendum-latest-jobs-single-market-effects-a7104351.html

19 About Digital Shadows

Digital Shadows provides cyber situational awareness that helps organizations protect against cyber attacks, loss of intellectual property, and loss of brand and reputational integrity.

Its flagship solution, Digital Shadows SearchLight™, is a scalable and easy-to-use data analysis platform that provides a view of an organization’s digital footprint and the profile of its attackers. It is complemented with intelligence operations analyst expertise to ensure extensive coverage, tailored intelligence and frictionless deployment. It continually monitors more than 100 million data sources in 27 languages across the visible, deep and dark web and other online sources to create an up-to-the minute view of an organization and the risks requiring mitigation. The company is jointly headquartered in London and San Francisco. digitalshadows.com

London San Francisco

Level 39, One Canada Square, London, E14 5AB 332 Pine Street, Suite 600 San Francisco, CA 94104

+44 (0) 203 393 7001 [email protected] +1 (888) 889 4143

20