Some of the most profitable movies ever made include sequels, for example two Twilight movies, two from the Pirates of the Caribbean series, both Avengers movies and four Harry Potter films. Why? The base of fans is established, the formula works and typically there are efficiencies in replication rather than starting from scratch. In other words, the risk/reward ratio is attractive.
Threat actors think much the same way. Why not bring back a “good” idea that was previously profitable?
The re-opening of the xDedic marketplace is the most recent example of a malicious “sequel.” xDedic closed down on June 16, 2016 following the release of a report on its activity by Kaspersky Lab. The marketplace reportedly offered compromised servers for sale and when it closed down had more than 70,000 available for purchase. References to the new domain are emerging in threads on criminal forums, although it is still too early to assess the site’s current traffic volume. Given, however, that the previous site was attracting 30,000 users a month at the time it closed down, it is likely that awareness and use of the new site will increase in the coming weeks and months.
Another example is the Armada Collective, a bad actor that used the threat of DDoS attacks in an attempt to extort Bitcoin (BTC) payments from targeted companies, individuals and organizations. Armada Collective was first reported in September 2015 and continued until December 2015, targeting financial services firms, hosting providers, email providers and casinos with ransom demands of between 10 and 200 BTC (at the time, approximately $4,500 to $90,000). In March 2016, reporting of Armada Collective activity re-emerged with campaigns launched against a number of financial institutions in Switzerland. Slight differences in the emails sent in this new round of attacks indicate that this is likely a copycat actor seeking to capitalize on the previous successes of Armada Collective. The absence of an actual attack or any proof of capability reinforces this theory.
And finally, the dark web criminal forum Hell, where hackers and criminals share stolen data and hacking tips, came back online in January 2016 after a six-month hiatus. The site was discovered to be unavailable in July 2015, coinciding with the arrest of PING, a prominent forum member and administrator. Hell achieved notoriety when it was revealed that the personal information and sexual preferences of approximately four million users of Adult Friend Finder had been posted on the site. The new version of the site uses the same logo and tagline, but it has been redesigned and incorporates tighter security measures, likely in an attempt to thwart law enforcement operations targeting such forums. Analysis reveals that Hell seems to have lost a portion of its user base, probably because some users suspect the site is being operated by law enforcement as a honeypot.
In each of these instances, news of a shutdown typically causes security professionals and organizations to breathe a collective sigh of relief: another cybercriminal has been defeated. But as history has shown, when a criminal operation has been profitable, defenders need to remain alert.
Cybercrime is by nature highly volatile, so maintaining a keen awareness of this constantly changing landscape is key for organizations. This is where cyber situational awareness can help. When done right, it can provide the understanding required to stay ahead of emerging threats by monitoring millions of unique sources in multiple languages across the visible, deep and dark web using advanced natural language processing and machine learning technologies. This volume of information can be overwhelming, however, so it must be tailored to your organization so that you only see the intelligence that is relevant to you. Understanding the most active actors and campaigns you should concern yourself with, the level of threat they pose, a timeline of their activity and their links to other actors and campaigns will allow you to connect the dots and discover threats that have re-emerged: those you thought you no longer had to worry about.
As recent events have shown, you shouldn’t let your guard down just because a threat actor or operation appears to have been shut down. When there is money involved, the same or other criminals will find a way to bring back a sequel. With cyber situational awareness you can remain vigilant, always on the lookout for the next iteration of a threat or campaign.