The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Wednesday, 27 April 2016
Qatar National Bank: Database Leak Gives Data on Al Jazeera Journalists and British ‘Spies’
From The Media
Internal files and sensitive data purporting to be from the Qatar National Bank (QNB) were leaked online. The 1.4 GB of data allegedly contains hundreds of thousands of customer transaction logs, credit card data and folders containing information on Al Jazeera journalists and potentially the Al-Thani Qatari royal family. Furthermore, a file titled “SPY, Intelligence” was included, which allegedly contained information on an MI6 agent and files on Qatar’s State Security Bureau.
Read the Story: International Business Times
iSIGHT Partners Analyst Comment
The data dump appears to correspond with open-source information about real individuals residing in Qatar and therefore likely contains authentic information. The veracity of the alleged personal information on individuals accused of working for the intelligence organizations of various nations is unconfirmed. Although the method of intrusion into QNB is unclear at this time, we believe that the actors responsible used the sqlmap tool to extract and exfiltrate the data.
Related iSIGHT Partners Reports
16-00005280 (AntiQNB Leaked Data from Qatar National Bank), 23 April 2016
Intel-459855 (Saudi, Qatari and Emirati Financial Institutions Targeted by Possibly Politically Motivated DDoS Attacks), 20 Sept. 2011
16-00005512 (Middle East: Regional Profile), 26 April 2016
Empty DDoS Threats: Cybercriminal Group is All Bark and No Bite
From The Media
A new group calling itself the Armada Collective is extorting organizations by claiming it will target them with DDoS attacks if ransom demands are not paid. The group has so far extorted more than $100,000 but has never carried out an attack. This group does not follow the same modus operandi as the longer-known Armada Collective, which launched DDoS attacks before presenting victims with a ransom notice.
Read the Story: Security Week
iSIGHT Partners Analyst Comment
iSIGHT Partners has previously assessed that the individuals recently claiming to be the Armada Collective are different from those who operated under the same name in late 2015. Because this type of operation costs almost nothing to run, copycat actors who mimic the extortion demands of DD4BC and other better-established DDoS extortion groups, but lack their DDoS capability, will likely continue to appear.
Related iSIGHT Partners Reports
16-00003354 (Ongoing Extortion Attempts Attributed to ‘Armada Collective’ Unlikely to Be Linked to 2015 Attacks), 14 March 2016
15-00014556 (Group Profile: Armada Collective), 6 Jan. 2016
16-00003744 (Distributed Denial-of-Service Threats: An Area of Persistent Growth), 26 April 2016
Pro-ISIS Hackers Post ‘Kill’ List of State Department Employees
From The Media
About a dozen U.S. personnel were recently mentioned in an alleged “kill” list distributed on the messaging app Telegram by the pro-ISIS group United Cyber Caliphate. The list contains 43 names of individuals linked to the U.S. State Department. Much of the information, such as the phone numbers, appears to be general, publicly available information.
Read the Story: Vocativ
iSIGHT Partners Analyst Comment
This incident appears to be the Islamic Cyber Army (ICA, also known as the Caliphate Cyber Army and the United Cyber Caliphate) following through on its March 2013 threat to target the U.S. Department of State. We observed no evidence in the purportedly leaked data to support the attackers’ claim that they compromised state.gov. Instead, we surmise that the ICA compiled the information from open-source searches. In some cases, we found that the ICA had listed incomplete or incorrect information, indicating that the group may have compiled the data by hand.
Related iSIGHT Partners Reports
16-00004524 (Islamic Cyber Army (ICA) Announces New Name, United Cyber Caliphate), 7 April 2016
16-00003384 (Group Profile: Islamic Cyber Army), 18 March 2016
16-00004130 (Caliphate Cyber Army Falsely Claims Compromise, Shutdown of Denmark Airport Surveillance Systems), 31 March 2016
Hackers Expose a Million People Belonging to a Website Only for the ‘Beautiful’
From The Media
Personal information of 1.1 million users of the online dating website BeautifulPeople.com has been leaked. Among other information, the breach included members’ encrypted passwords, e-mail addresses, and about 15 million private messages.
Read the Story: Washington Post
iSIGHT Partners Analyst Comment
While BeautifulPeople.com acknowledges that a breach occurred, the company maintains that the affected resource was a test server. If the affected server contained real user data—as is purportedly on sale in an underground forum—including messages, income levels, phone numbers, e-mail addresses and passwords, then the information could be used for a variety of malicious activities, including phishing, identity fraud and blackmail.
Related iSIGHT Partners Reports
15-00006858 (Cyber Criminal Theft and Exploitation of Databases: Targeted Data, Targeted Industries and Malicious Uses), 11 Aug. 2015
15-00007120 (‘Impact Team’ Leaks Sample Data from Cheating Website Ashley Madison; Future Releases of Sensitive Data Highly Likely), 20 July 2015
93% of Compromises Take Less Than an Hour
From The Media
Verizon recently detailed in its Data Breach Investigations Report (DBIR) that attackers took less than one hour to compromise systems in 93 percent of cases. The report examined 2,260 confirmed breaches and over 100,000 security incidents. Verizon further reported that in 83 percent of cases it took organizations at least several weeks to identify the breach.
Read the Story: Info Security Magazine
iSIGHT Partners Analyst Comment
For opportunistic and financially motivated adversaries, the time and labor required to compromise a target is an investment that must be justified by the value of the information stolen after the compromise. As a result, actors are rewarded for using techniques that minimize time to compromise, such as spear phishing and malware infection via malicious links. It is also worth noting that the measured time to compromise does not include any preliminary reconnaissance or tool development the adversary may have performed beforehand.
Related iSIGHT Partners Reports
16-00005254 (Operational Net Assessment of Cyber Crime Threats – January to April 2016), 22 April 2016
16-00004530 (Operational Net Assessment of Threats to Enterprises – January to March 2016), 20 April 2016