Weekly Briefing 29 July 2016.ppt Briefing... · 2017-08-04 · use cloud based DDoS protection...


July 29th 2016

Weekly Briefing

NOT PROTECTIVELY MARKED


Investigation Update
• Operation CYTON

Current Threats
• Dridex Update
• Delilah

Incident Reports - South West
• DDoS – Taunton

Miscellaneous
• Nomoreransom.org
• CiSP – Cyber Crime Threats Shared


OPERATION CYTON

• The South West Regional Cyber Crime Unit has completed an investigation into a series of Distributed Denial of Service (DDoS) attacks against organisations in the South West.
• A DDoS attack is an attempt to make a website or internet connection unavailable, usually by flooding it with data from a range of sources.
• As part of this investigation, police recovered a database which provided details of ‘users’ who had paid to use a stresser service called netspoof; this is a criminal tool used to commit DDoS attacks. The database recorded details of users between November 2013 and June 2014, totalling 603,499 DDoS attacks on approximately 225,000 individual IP addresses.
• Within the South West, six individuals were identified from the database as having committed attacks. All were interviewed under caution and admitted the offences, with appropriate action being taken depending on the individual circumstances.


OPERATION CYTON

Advice

To reduce the chances of becoming a victim of this type of offence, please consider the following:

• Keep a record of all web/server logs before, during and after the attack.
• Prevention measures, such as a DDoS mitigation plan, will increase protection – many companies use cloud based DDoS protection services to limit the chance of becoming the next victim.
• Be aware that an incident such as a DDoS attack could be a smokescreen for a secondary attack. Because of this, ensure that Intrusion Detection Systems (IDS) are actively monitored.
• If contact is made by the attacker, keep a record of any communication. This is generally via email.
• Should a demand for payment be made, it is not recommended that any payment is sent, because it is not guaranteed that further attacks will not be committed. You would be contributing towards further attacks against either you or other victims.
• If you suspect that you have been a victim of similar offences, then please report to Action Fraud.


Dridex Update

• It has been a while since the SWRCCU has seen any reports relating to the known malware Dridex. However, according to threat intelligence, it is back.
• Reports of the malware, which is known to exploit macros in Microsoft Office programs to infect computer systems and capture financial payment data, decreased significantly earlier this year. However, recent Dridex campaigns would suggest a resurgence.
• Instead of the previous fake invoice or notification spam, Dridex has now been seen embedded within attachments in “account compromised” emails.
• This type of attack vector plays on individuals' fears that their account has been compromised and advises recipients to click on an attachment for more details (this will then download the malware).
• Researchers at Trend Micro have also noted that the malware can now use the command line program Certutil, which allows Dridex to pass itself off as a legitimate certificate. This enables the email to look legitimate, enticing more victims.
• It is not clear whether this malware has been passed on to a new threat actor group to control, or whether a code leak has enabled other threat actor groups to distribute it, but expect to see a rise in spam emails containing this malware.


Dridex Update

In order to reduce the chances of becoming a victim of the Dridex banking malware, please consider:

• Have anti-virus installed and up-to-date.
• Keep operating systems up-to-date and patched.
• Ensure software is up-to-date, for example internet browsers, Java and Adobe.
• Restrict the type of websites staff/you can access.
• Prevent employees from using their own devices at work, e.g. USB devices.
• Remove any banking smartcard from the reader when you are not conducting a transaction, logging on or making amendments as a system administrator.
• Log out from online banking when finished with banking tasks.
• Look out for unusual prompts at login.
• Change passwords often.
• Think about not storing payment card details within online accounts.
• Ideally, organisations should use a stand-alone machine for all online banking, kept separate from their email platform.
• If macros are not commonly used on the computer, then disabling them will greatly reduce the chance of infection; otherwise choose “enable with notifications”. This should prompt you before macros are run.
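The last point above (disable macros, or at least require a prompt) is a per-application Office setting that can be audited and set from the registry. The PowerShell below is an added example, not part of the briefing and not a tool of the SWRCCU; it assumes the Office 2010/2013/2016 registry layout, where each application keeps a VBAWarnings DWORD under HKCU:\Software\Microsoft\Office\<version>\<app>\Security (1 = enable all, 2 = disable with notification, 3 = disable all except digitally signed, 4 = disable without notification). A Group Policy value under the parallel HKCU:\Software\Policies\... path takes precedence over the user value and is what an organisation would use to enforce the setting centrally.

```powershell
# Added example (not from the briefing): audit and harden the Office macro policy
# for the current user. Assumes the Office 2010/2013/2016 registry layout.
# VBAWarnings meanings (Office Trust Center):
#   1 = enable all macros (unsafe)
#   2 = disable all macros with notification   (the briefing's "enable with notifications")
#   3 = disable all except digitally signed macros
#   4 = disable all macros without notification (the briefing's "disable them")
$VbaWarningNames = @{
    1 = 'Enable all macros (unsafe)'
    2 = 'Disable all macros with notification'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}
$OfficeVersions = @('16.0', '15.0', '14.0')        # 2016/365, 2013, 2010
$OfficeApps     = @('Word', 'Excel', 'PowerPoint')

function Get-OfficeMacroPolicy {
    # Report the effective setting per app: a policy value (GPO) overrides the user value.
    foreach ($v in $OfficeVersions) {
        foreach ($app in $OfficeApps) {
            $userKey   = "HKCU:\Software\Microsoft\Office\$v\$app\Security"
            $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            if (-not (Test-Path $userKey)) { continue }   # app/version not installed
            $userVal   = (Get-ItemProperty -Path $userKey   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
            $policyVal = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
            $effective = if ($null -ne $policyVal) { $policyVal } else { $userVal }
            [pscustomobject]@{
                Version   = $v
                App       = $app
                Effective = $effective
                Source    = if ($null -ne $policyVal) { 'Policy' } elseif ($null -ne $userVal) { 'User' } else { 'Default' }
                Meaning   = if ($null -eq $effective) { 'Not set (Office default: disable with notification)' } else { $VbaWarningNames[[int]$effective] }
                Risky     = ($effective -eq 1)        # "enable all" is the setting Dridex-style lures rely on
            }
        }
    }
}

function Set-OfficeMacroPolicy {
    # Write the user-level setting (what the Trust Center UI changes). Level 4 disables
    # macros outright; level 2 keeps the prompt for staff who legitimately need them.
    param([ValidateSet(2, 3, 4)] [int]$Level = 4)
    foreach ($v in $OfficeVersions) {
        foreach ($app in $OfficeApps) {
            $userKey = "HKCU:\Software\Microsoft\Office\$v\$app\Security"
            if (-not (Test-Path $userKey)) { continue }
            Set-ItemProperty -Path $userKey -Name VBAWarnings -Value $Level -Type DWord
        }
    }
}

# Usage: review first, then harden. Re-run the audit afterwards to confirm.
Get-OfficeMacroPolicy | Format-Table -AutoSize
# Set-OfficeMacroPolicy -Level 4     # or -Level 2 where macros are genuinely needed
```

Any row showing Risky = True (VBAWarnings = 1) is a machine on which a macro-laden attachment runs with no prompt at all; those are the hosts to fix first. Where the Source column reads Policy, the value is being pushed by Group Policy and should be changed there rather than on the endpoint.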


New Extortion Ransomware “Delilah”

• A newly-detected piece of ransomware nicknamed “Delilah” has been detected in the wild by Israeli intelligence outfit Diskin Advanced Technologies. The malware’s goal is to extort victims into stealing insider information. The tool was found on underground crime forums and relies on a combination of social engineering, extortion and ransomware. Delilah is exclusive and cannot be found on crimeware forums, thus prolonging its lifetime by avoiding analysis and the creation of detection methods.
• Once installed, the hidden bot gathers large amounts of personal information from the victim so that the individual can be manipulated or extorted. This data is not limited to family and current employment. In addition, a plug-in is also available which enables the hacker to remotely switch on the victim’s webcam and record them.
• This malware will add to the volume of insider threats, as corporate secrets may be sold as a result of blackmail. Delilah is being loaded onto victim machines from a number of gaming and adult sites. It is reportedly difficult to use, consuming noticeable quantities of resources and creating message boxes asking for permission prior to webcam activation.


New Extortion Ransomware “Delilah” (continued)

• Research from Kaspersky Lab in November 2015 claimed that nearly three in four firms have suffered an insider threat incident, with employees (42%) the largest single cause of data loss.

The Babcock MSS ASOC recommends:

• Ensure employees are familiar with your acceptable usage policies, to avoid users browsing inappropriate websites.
• Consider blacklisting social media websites so that personal information cannot be gathered in the event of an infection.
• Perform regular anti-virus scans on all systems to ensure no malicious software is present.
• Keep up to date with vendor patches, which fix the latest vulnerabilities that malware attempts to exploit.

For more information please see:

http://www.theregister.co.uk/2016/07/18/first_insider_theft_extortion_trojan_found/


DDoS Attack – Taunton

• Report received of a DDoS attack targeting a company based in Taunton over a 6 day period. Minimal disruption caused.

Advice

To reduce the chances of becoming a victim of this type of offence, please consider the following:

• Keep a record of all web/server logs before, during and after the attack.
• Prevention measures, such as a DDoS mitigation plan, will increase protection – many companies use cloud based DDoS protection services to limit the chance of becoming the next victim.
• Be aware that an incident such as a DDoS attack could be a smokescreen for a secondary attack. Because of this, ensure that Intrusion Detection Systems (IDS) are actively monitored.
• If contact is made by the attacker, keep a record of any communication. This is generally via email.
• Should a demand for payment be made, it is not recommended that payment be made, because recovery of all files is not guaranteed. This could result in a financial loss as well as repeat attacks from other groups.
• If you suspect that you have been a victim of similar offences, then please report to Action Fraud.


nomoreransom.org

• A new tool containing 160,000+ keys has launched which will help victims to retrieve their data.
• Set up by the Dutch National Police, Europol, Intel Security and Kaspersky Lab, a website has been launched called www.nomoreransom.org. This website acts as an online portal aimed at informing the public about the dangers of ransomware and helping victims to recover their data without having to pay the ransom to the cybercriminals.
• The project provides users with tools that may help them recover their data once it has been locked by criminals.
• In its initial stage, the portal contains four decryption tools for different types of malware, the latest developed in June 2016 for the “Shade” variant.
• This website is a good resource in relation to ransomware and may hold the key to your data should you become a victim.

www.nomoreransom.org


CiSP - Cyber Crime Threats Shared

The Cyber Security Information Sharing Partnership (CiSP), which is run by CERT-UK, is an information sharing platform used to share and publish cyber crime threat information.

The aim of the platform is to allow members to take remedial action and modify their organisations to prevent cyber attacks.

If you would like to join the CiSP then please sign up at www.cert.gov.uk/cisp and contact us, as we can sponsor you.

Our South West Regional node has now been launched and we welcome you to join our group. This is a place for all businesses and individuals based in the South West to share threat intelligence and updates surrounding cyber security.


This document has been given the protective marking of NOT PROTECTIVELY MARKED and may be disseminated outside law enforcement with no restriction.

If you know anyone else who would like to receive this, please send us their e-mail address and we will add them to the distribution list.

If you would like to be removed from the list, please send an email to the address below to let us know.

Any comments or queries, please email the South West Regional Cyber Crime Unit at:

[email protected]

www.swCyberCrimeUnit.co.uk
