So, how do attackers collect information about their targets? Cybercriminals can employ five types of intelligence to obtain and analyze information about their targets. They are:
OSINT is a hacking technique used to gather and evaluate publicly available information about organizations and their employees.
OSINT technologies can help threat actors learn about their target's IT and security infrastructure, exploitable assets including open ports and email addresses, IP addresses, vulnerabilities in websites, servers, and IoT (Internet of Things) devices, leaked or stolen passwords, and more. Attackers use this information to conduct social engineering assaults.
Although SOCMINT is a subset of OSINT, it is worth mentioning. Most people freely provide personal and professional information about themselves on major social networking sites, including their headshot, interests and hobbies, family, friends, and connections, where they live and work, current job positions, and a variety of other characteristics.
Attackers can use SOCINT software like Social Analyzer, Whatsmyname, and NameCheckup.com to filter social media activity and information about individuals to create tailored social engineering frauds.
Assume you download a free chess app for your phone. A tiny section of the app displays location-based adverts from sponsors and event organizers, informing users about local players, events, and chess meetups.
When this ad is displayed, the app sends certain information about the user to the advertising exchange service, such as IP addresses, the operating system in use (iOS or Android), the name of the mobile phone carrier, the user's screen resolution, GPS coordinates, etc.
Ad exchanges typically keep and process this information to serve appropriate adverts depending on user interests, behavior, and geography. Ad exchanges also sell this vital information.
The Dark Web is a billion-dollar illegal marketplace that trades corporate espionage services, DIY ransomware kits, drugs and weapons, human trafficking, and so on. The Dark Web sells billions of stolen records, including personally identifiable information, healthcare records, financial and transaction data, corporate data, and compromised credentials.
Threat actors can buy off-the-shelf data and use it for social engineering campaigns. They can even hire professionals to socially engineer people on their behalf or identify hidden vulnerabilities in target businesses. In addition, there are hidden internet forums and instant messaging services (such as Telegram) where people can learn more about possible targets.
In addition to the five basic disciplines, some analysts refer to AI as the sixth intelligence discipline. With recent breakthroughs in generative AI technologies, such as Google Gemini and ChatGPT, it's easy to envisage fraudsters using AI tools to collect, ingest, process, and filter information about their targets.
Threat researchers have already reported the appearance of dangerous AI-based tools on Dark Web forums such as FraudGPT and WormGPT. Such technologies can greatly reduce social engineers' research time while also providing actionable information to help them carry out social engineering projects.
All social engineering assaults are rooted in information and its negligent treatment. Businesses and employees who can limit their information exposure will significantly lessen their vulnerability to social engineering attacks. Here's how.
Monthly training: Use phishing simulators and classroom training to teach employees not to disclose sensitive or personal information about themselves, their families, coworkers, or the organization.
Draft AI-use policies: Make it plain to employees what constitutes acceptable and unacceptable online activity. For example, it is unacceptable to prompt ChatGPT with a line of code or private data, as well as to respond to strange or questionable queries without sufficient verification.
Utilize the same tools that hackers use: Use the same intelligence sources mentioned above to proactively determine how much information about your firm, its people, and its infrastructure is available online. Create a continuous procedure to decrease this exposure.
Good cybersecurity hygiene begins with addressing the fundamental issues. Social engineering and poor decision-making are to blame for 80% to 90% of all cyberattacks. Organizations must prioritize two objectives: limiting information exposure and managing human behavior through training exercises and education. Organizations can dramatically lower their threat exposure and its possible downstream impact by focusing on these two areas.
In a recent cyber attack, the Cactus ransomware group claims to have infiltrated Schneider Electric's Sustainability Business division, stealing a substantial 1.5 terabytes of data. The breach, which occurred on January 17th, has raised concerns as the gang now threatens to expose the stolen information if a ransom is not paid.
The ransomware group has already leaked 25MB of allegedly pilfered data on its dark web leak site, showcasing American citizens' passports and scans of non-disclosure agreement documents. Schneider Electric, a French multinational specialising in energy management and automation, is being coerced by the hackers to meet their ransom demand to prevent further leaks.
While the specific nature of the stolen data remains unknown, Schneider Electric's Sustainability Business division provides services related to renewable energy and regulatory compliance for major global companies such as Allegiant Travel Company, Clorox, DHL, DuPont, Hilton, Lexmark, PepsiCo, and Walmart. This implies that the compromised data might include sensitive information about customers' industrial control and automation systems and details regarding environmental and energy regulations compliance.
Cactus ransomware, a relatively new player in the cybercrime landscape, emerged in March 2023, employing double-extortion attacks. The group gains access to corporate networks through various means, including purchased credentials, partnerships with malware distributors, phishing attacks, or exploiting security vulnerabilities.
Once inside a target's network, the hackers navigate through the compromised system, stealing sensitive data to use as leverage in ransom negotiations. Since its inception, Cactus ransomware has targeted over 100 companies, leaking data online or threatening to do so while still engaging in ransom negotiations.
This incident is not the first time Schneider Electric has fallen victim to cyber threats. In the past, the company experienced data theft attacks orchestrated by the Clop ransomware, impacting over 2,700 other organisations. Schneider Electric, with a workforce exceeding 150,000 people globally, reported a substantial $28.5 billion in revenue in 2023.
Both companies and individuals need to stay alert to potential threats. Cybersecurity experts stress the significance of adopting strong security practices, regularly updating computer programs, and ensuring employees are well informed about potential risks. These measures are crucial for minimising the potential fallout from ransomware attacks, underlining the need for a proactive approach to safeguarding digital assets.
The Cactus ransomware attack on Schneider Electric is a stark reminder of the increasing sophistication and frequency of cyber threats in today's digital age. Businesses and individuals must prioritise cybersecurity to safeguard sensitive information and prevent financial and reputational damage.
The attack is being targeted to macOS Ventura and later, depending on the vulnerable applications repackaged as PKG files that include a trojan.
The attack was discovered by researchers at Kaspersky, following which they analyzed the stages of the infection chain.
While downloading an Application/folder, victims tend to follow installation instructions, unaware that they are actually executing the malware. Following this, they open the bogus Activator window that asks for the administrator password.
The malware uses the 'AuthorizationExecuteWithPrivileges' method to execute a 'tool' executable (Mach-O) after acquiring permission. If Python 3 is not already installed on the system, it installs it and appears to be "app patching."
The malware then contacts its C2 server, at a site named ‘apple-health[.]org,’ in order to obtain a base64- encoded Python script that is designed to run arbitrary commands on the targeted device.
Researchers discovered that the attacker employed a clever technique to reach the C2 server at the right URL: a third-level domain name consisting of a random string of five letters and words from two hardcoded lists.
This way, the hacker was able to conceal its activity in traffic and download the Python script payload disguised as TXT records from the DNS server, which seem like common requests.
Three TXT entries, each a base64-encoded portion of an AES-encrypted message containing the Python script, were included in the DNS server's response.
This first Python script served as a downloader for a second Python script that captures and sends information about the compromised system, including the CPU type, installed apps, directory listings, operating system version, and external IP address.
Kaspersky notes that during their analysis, the C2 provided upgraded copies of the backdoor script, indicating continuing development, but didn't see command execution, thus this might not have been deployed yet.
Additionally, two functions in the downloaded script search the compromised system for Bitcoin Core and Exodus wallets; if they are detected, they replace the original wallets with backdoored versions obtained from 'apple-analyzer[.]com.'
The code in the compromised wallets transmits to the attacker's C2 server the seed phrase, password, name, and balance.
Users usually do not get suspicious when their wallet app suddenly asks them to re-enter their wallet details, making them vulnerable to getting their wallets emptied.
As indicators of compromise, the cracked software used in this campaign is made public in the Kaspersky study. According to the researchers, these applications "are one of the easiest ways for malicious actors to get to users’ computers."
While using cracked programs to trick users into downloading malware is a popular attack vector, the campaign that Kaspersky examined demonstrates that threat actors are sufficiently crafty to devise novel ways of delivering the payload, such as concealing it in a DNS server's domain TXT record.
Based on dozens of cyberattacks and thefts this year, hackers stole over $2 billion in cryptocurrency, according to De.FI, the web3 security company that manages the REKT database.
The site ranks the worst-ever crypto hacks, ranging from the Ronin network breach in 2022—the largest event in history—where hackers took over $600 million in cryptocurrency—to this year's hack against Mixin Network, which brought in almost $200 million for the criminals.
DeFi, in its report, wrote, “This amount, though dispersed across various incidents, underscores the persistent vulnerabilities and challenges within the DeFi ecosystem[…]2023 stood as a testament to both the ongoing vulnerabilities and the strides made in addressing them, even as interest in the space was relatively muted by the ongoing bear market in the first half of the year.”
In an estimate, published by blockchain intelligence firm TRM, the total amount of cryptocurrency that hackers have stolen this year was also made public earlier in December. As of mid-December, the business reported that the total amounted to around $1.7 billion.
Among the other crypto thefts conducted this year, one of the worst ones was a hack against Euler Fianance, where threat actors stole $200 million. Other notable hacks include those against Multichain ($126 million), BonqDAO ($120 million), Poloniex ($114 million), and Atomic Wallet ($100 million), among hundreds of other targets.
Last year, blockchain monitoring firm Chainalysis reported that cybercriminals purloined a record-breaking $3.8 billion in cryptocurrency. Of those, the Lazarus Group, a group of North Korean government hackers who are among the most active in the cryptocurrency space, took $1.7 billion in an attempt to finance the regime's authorized nuclear weapons program.
In 2021, Chainalysis reported hacks that compromised crypto worth $3.3 billion.
It is rather not possible to predict what the figures will be in 2024, but given the failures witnessed in cyber security by several crypto and web3 initiatives, as well as the significant financial potential of both sectors—discussed at TechCrunch Disrupt earlier this year—we should anticipate that hackers will continue to target this expanding market.