5 recent cybersecurity investigations you may have missed
Welcome to Threat Intel’s #WednesdayWisdom column, a weekly read to help improve your cybersecurity knowledge and keep you informed on important developments.
Symantec Security Response researchers always aim to bring the wider public the latest intelligence from the world of IT security.
Our research can be used to assist with takedowns of criminal gangs by law enforcement, as well as to reveal the trends coming down the track for cybersecurity.
We carried out a broad range of investigations in the course of 2016. Below is a round-up of some of the major work we covered in the last quarter of 2016.
1. Bayrob: Symantec assists in long-running FBI investigation
Symantec’s assistance paved the way for a long-running FBI investigation into a gang that may have stolen as much as US$35 million from victims. Three Romanian men were arrested in relation to it and extradited to the US, where they now face multiple charges relating to fraud, identity theft, money laundering, and trafficking in counterfeit goods or services.
The arrests were the culmination of an eight-year law enforcement investigation that was assisted by Symantec. Bayrob first came to Symantec’s attention in 2007, and in the intervening years Symantec succeeded in exposing the gang’s operations, gaining insight into its key players, tactics, malware, and the potential impact and criminal activity undertaken.
2. Avalanche: Symantec plays part in takedown of malware-hosting network
The Avalanche takedown was a combined effort by multiple international law enforcement agencies, public prosecutors, and security and IT organizations, including Symantec. It resulted in the seizure of 39 servers and several hundred thousand domains that were being used by the criminal organization behind the Avalanche network.
Symantec had been involved in the investigation since 2012. It culminated in November this year and resulted in the takedown of infrastructure providing support for at least 17 different malware families, as well as the arrests of multiple individuals.
3. Odinaff: Trojan used in high-level financial attacks
A Symantec investigation into a Trojan called Odinaff found it had been targeting a number of financial organizations worldwide since January of this year. It was a sophisticated campaign that required a lot of hands-on involvement, with methodical deployment of a range of lightweight back doors and purpose-built tools onto computers of specific interest. Odinaff was used to perform the initial compromise, while other tools were used to complete the attack.
Some of the tools and infrastructure used in this attack displayed similarities with methods used by Carbanak, a group that has plagued the financial industry for some years.
Odinaff also underlined that banks are an increasing target for sophisticated hacking groups seeking big rewards.
4. Gatak: Mysterious threat group takes aim at healthcare organizations
Victims of the Gatak Trojan were infected through websites offering product key generators or “keygens” for pirated software. The malware was bundled with the product key and, if the victim was tricked into downloading and opening one of these files, the malware was surreptitiously installed on their computer.
Symantec’s investigation found that healthcare was the sector most affected by this malware, but we could not definitively say whether this was the result of deliberate targeting or because healthcare is more susceptible to attacks of this kind.
Gatak has been around since 2011; however, little is known about those who are behind it, other than that their motives would appear to be cybercriminal in nature.
5. Shamoon: Malware makes a dramatic return
In November, the aggressive disk-wiping malware Shamoon was observed being used to hit targets in Saudi Arabia.
Shamoon was first observed targeting the energy sector in Saudi Arabia in 2012, and the version of it that was used in November appeared to be largely similar to the version used four years previously.
We do not know why Shamoon returned, but we do know this attack was highly planned. Those involved used stolen credentials and attacked at the end of Saudi Arabia’s working week, probably with the aim of inflicting as much damage as possible before the attack was discovered.
What 2017 will bring, only time will tell, but we are sure there will be plenty happening to keep the infosecurity community busy! Happy New Year!
Check out the Security Response blog and follow Threat Intel on Twitter to keep up to date with the latest happenings in the world of threat intelligence and cybersecurity.