Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/28/2018
03:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Middle East, North Africa Cybercrime Ups Its Game

Ransomware, DDoS extortion, and encrypted communications abound as cybercriminals in the region refine their tradecraft.

Ransomware infections increased by 233% this past year in the Middle East and North Africa as part of a shift toward more savvy and aggressive cybercrime operations in a region where criminals just last year mostly were sharing malware tools, phony documents, and services for free or on the cheap.

Researchers at Trend Micro found that cybercrime in the region has matured rapidly in the past year, with hackers employing the Telegram messaging app for encrypted communications and money-laundering services to replace rudimentary cash-out transaction methods that in many cases converted stolen physical items into cash. "The increase in money-laundering services also shows the demand for monetizing ill-gotten gains has increased over time," says Jon Clay, global threat communications director at Trend Micro. "This all shows an increase in money-motivated cybercrimes within this region."

The shift from email, Skype, and Facebook Messenger to Telegram as well as WhatsApp for encrypted communications and money-laundering schemes is about flying under the radar as the cybercrime gangs in the region have evolved into more experienced and lucrative operations. They now offer so-called broker services or "contracts" for moving money, using European banks, PayPal, Western Union, and banks in the region. They offer commissions between 10% to upward of 50% to convert stolen funds into a different currency, preferring to cash out in stronger currencies, such as the US dollar via US banks.

SQL injection tools, keyloggers, port numbers for Internet-connected SCADA equipment, and hacking instruction manuals all had been offered for free in the region's underground in 2017, according to previous Trend Micro research. The WannaCry ransomware sample was sold for $50. Freely shared tools still exist there today, according to Clay, but the criminals are moving to more stealthy and secure infrastructures to hide their activities.

One of the biggest changes Trend Micro saw was the move from a tool that was "open source (and likely insecure) to a private communications tool," he says. "This tool encrypts all communications between the members and can ensure law enforcement cannot access. This has provided the underground community with a much more secure and private means of communications."

Aside from ransomware, distributed denial-of-service (DDoS) attacks and website defacements remain a popular attack by hackers in the region. What was once the domain of hacktivists has become yet another money-making opportunity for cybercriminals to extort their victims with destructive attacks on their websites, for example.

The oil and gas industry remains one of the biggest targets in the region – half of all cyberattacks  hit that sector – due to its pervasiveness and financially lucrative status. These organizations can't afford a ransomware or DDoS attack to disrupt sensitive operations. "These factors make it more likely that a compromised victim may pay an extortion or ransom fee," Clay says.

Law enforcement, too, has matured in its fight against cybercrime, which, in turn, has forced attackers to better hide their tracks. So far, Trend Micro hasn't detected any links between the cybercrime world there and nation-state operations. "In our analysis of the actors themselves, we're seeing predominately young males with either a high school or college education. As such, they are likely very good with technology, aggressive in their work, but still need more time to build their skillsets," Clay says.

Going Global
All of this means yet another international cybercrime region is emerging as a threat to nations such as the US. "This is a region that is increasing in their cybercriminal operations and will likely target organizations within the US," Clay says. "With an increase in the US oil and gas industry, these actors are learning what works within their own region and can take that knowledge and apply it into attacks within the US region."  

They already are selling tools in both Arabic and English-speaking underground forums, notes Mayra Rosario Fuentes, senior threat researcher at Trend Micro. "They are no longer just targeting their own region."

The Middle East and North Africa will become a bigger player in global cybercrime. "This should be a call for the regional law enforcement and government to improve their laws and ability to arrest and convict these criminals," Clay says. "It is also a call for organizations to recognize this region as a threat to their operations and improve their security capabilities to thwart attacks from this region."

Related Content: 

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Ritu_G
50%
50%
Ritu_G,
User Rank: Moderator
12/14/2018 | 1:23:22 AM
The same faces
Why are these areas always the focus when the topic of cybercrime is being discussed? The same culprits are just there improving their techniques whilst we are out here falling victims to their clever scamming. More users need to be educated about what to expect and to prevent themselves from being new or repeated victims. This is the only way for us to reduce the number of victims if we are not yet able to eradicate the problem fully.
ChristopherJames
50%
50%
ChristopherJames,
User Rank: Strategist
12/18/2018 | 4:57:04 AM
Surely there'll be exploitation
As technology evolves, so does crime. If there's money to be made and people to be exploited, are you truly surprised that someone there is some criminal trying to get his fingers into all the pies so that he doesn't have to work hard for it on his own? It's no surprise to me at all!
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...