CyberWire Daily - The unique culture of the Middle Eastern and North African underground. [Research Saturday]
Episode Date: December 16, 2017
Online underground markets thrive across the globe, with the Middle East and North Africa being no exception. Researchers at Trend Micro recently took a look inside these digital souks, and while much of what they discovered matches similar online marketplaces, there are unique cultural elements that set these regional trading posts apart. Jon Clay is a cyber security expert from Trend Micro, and he takes us through their research paper, "Digital Souks: A Glimpse into the Middle East and North African Underground." Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management
with AI-powered automation,
and detecting threats using AI
to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Trend Micro has been researching and investigating a number of criminal undergrounds over the past several years.
That's John Clay. He's one of the cybersecurity experts from Trend Micro.
The research paper we're discussing today is called Digital Souks, a glimpse into the Middle Eastern and North African underground. So we've done China, we've done Russia, we've done Brazil, North America, French, Japan, Japanese. And so it made sense for us to
move into the Middle East and look at the Middle East area and North Africa.
We had recently done some reporting with Interpol around the West Africa actors. So Middle East and North Africa
was just a natural progression of the different underground communities that we see out there.
So why don't you set the stage for us here when we're talking about a culture in relation to
cybersecurity, what are we dealing with in the Middle East and North Africa?
Yeah, and it's very interesting because as we've done a lot of these different regions,
the undergrounds tend to follow very similar traits of the people who are from those regions.
So in the case of the Middle East and North Africa, some of the interesting things we found,
one of the real interesting points was that the actors inside of here are very willing to share for free a lot of the tools and tactics that they use to perpetrate cybercrime.
And so that's a little different from what you see in the other markets where it's more free market type driven, where you have a service and you offer it for a price.
Now, these are in the Middle East.
The prices are definitely there. But if somebody is willing to ask for, say, a new piece of malware
that's for sale and they don't have the ability to pay for it, in a lot of cases, you'll see that
the criminals will just give away their tools or their malware pieces to the other people within the
underground. Yeah, and there seems to be a sort of, I guess, maybe a way to describe it as sort of a
gentlemanly interaction between folks on these forums. Yeah, for sure. I mean, you have to have
a presence there. You have to have a reputation inside a lot of these undergrounds, otherwise you don't get access. So as you build your reputation,
as you build your online personality, so to speak, within these criminal
undergrounds, you are then welcomed into them. And in the Middle East, a lot of it
is driven around by religion, which is not really surprising, based on being in
the Middle East. Their religion drives
a lot of their interactions and how they do things. So, for example, right, the religion of
peace, they want to be peaceful to their fellow members. So which means I'll trade you for free
my tools, if you, you know, give me information back, you know, can end up being kind of a barter system in some cases. But certainly,
there is an element of free market where they will sell the services, they will sell the tools
to other members. The other area that we see in this region, which has some cases in certain
other regions, but not in all of them, where the actors inside the Middle East and North Africa region will not target people inside their region.
So they won't perpetrate crimes against fellow Middle Easterners or fellow North Africans.
Most of their attacks, they will target Western victims in this case.
Now, I've heard of that when it comes to the Russians,
that that's something that they also will not do.
And I've heard that that may be because they don't want to draw the attention of local law enforcement.
Do you think that's at play here as well?
I think it does play into it.
The Middle Eastern law enforcement areas and North Africa law enforcement may not be as sophisticated
as others, but I think more it goes back to they don't want to target their own people,
so to speak, right? They just want to target people that they may not agree with,
whether it's religiously, whether it's monetarily, whether it's economically.
They just don't want to target, either it's a,
you know, people inside their region or even organizations inside the region.
In fact, what we saw when Aramco got targeted recently, a couple of years ago,
there was a kind of a backlash inside the community because supposedly it came from that people inside that region targeting that regional business.
And the actors inside the underground really took to task some of the people associated with that.
So they really criticized when any actors went after either a business or a person inside the same region.
So that seems to be the norm in this underground community, not to attack your own people, your own businesses.
Focus your attacks on outside the region.
Can you give us a rundown of who generally is represented here and the types of businesses that they're up to?
Our focus when we looked at the underground community here was really on cyber criminals.
So those actors who were looking to profit from their
attacks. And certainly then if you look at the victims that they were targeting, it's usually
businesses and people to extort them for money or steal their data that then they could sell in
their underground community to others for profit. So it was really more profit-oriented actors that we looked at.
There's certainly other types of actors, whether it's hacktivists, nation states.
We didn't really get into those types of actors in this particular research.
They certainly are there, but we didn't focus that in that area.
It was mainly on the cyber criminals.
Those are the actors that tend to target our customers the
most. So one of the benefits of this research is really to understand the tools, the tactics,
and the procedures that are used by these cyber criminals targeting victims out there,
which tend to be our customers. And so that gives us a benefit to be able to build or develop technologies to combat them.
And so what kinds of offerings did you see available from these groups?
Yeah, by far the most is malware for sale.
So a lot of malware development is done by the actors inside the community.
But that's not to say we also saw denial of service services,
denial of service attack services there.
We saw infrastructure for hire. So if you wanted to build a command and control infrastructure,
you could find that there. Encryption technologies, encryption capabilities.
So it's all, it kind of all runs into the same area with cybercrime. So whether it's
from the malware all the way to the infrastructure,
even to lists of organizations or lists of victims that you would want to target,
you could buy in the underground as well.
I saw one of the things you listed in the report were cash-out services.
Can you describe that for us?
Cash-out services is a service where if you perpetrate a crime
and you kind of need to money launder your profits,
you have the capability to utilize these services where they can take that money,
cash it out to you, and so you get returned in some form of monetary payment. It could be cash
itself. It could be gift cards. It could be merchandise that then you could sell and get
your returns that way. So these services tend to be found in all the different underground
communities because one of the number one concerns that these actors have is how can I actually
monetarily get access to the money after I perpetrate the crime that law enforcement can't
find, right? They can't track. So these cash out
services show up and allow these criminals a way to launder their money and obtain the profits of
their money without law enforcement getting access. Yeah, I thought it was interesting too,
for example, you noted that in Saudi Arabia that they require biometric fingerprinting for
buying things like SIM cards. And there were
some other things that required registration. So these markets were a way around those
requirements as well. Yeah, exactly. So, you know, again, the criminals are going to look
for ways to get around any kind of legitimate technologies that can identify them. So you see
popping up in all of these underground services, including the Middle East
and North Africa community, ways that I can, as a criminal, I can get around identification, right?
So if there's a biometric requirement, they'll figure out a way to get around that biometric
requirement. So that's typical, you see, and it's no different in this underground.
You also noted how hacking as a service really follows the ideology of the region as well.
Yeah, hacking as a service is well represented in the Middle East.
Again, a lot of it comes back to they want to hack other Western businesses,
Western consumers out there to perpetrate their cybercrime against.
And the hacking as a service option gives a newbie person the ability to just go hire somebody to perpetrate that crime for them.
So I don't need to have malware development skills.
I don't need to have the ability to create the infrastructure.
These hacking as a service provide a full spectrum of tools and services available to anybody who is
within the underground community. Also, you know, certainly there's, there is that hacktivism we
talked about earlier. Those hacking services there, you know, for denial of service attacks,
if I want to denial of service an organization that I don't like or doesn't support my views, I could hire a hacking as a service denial of service group to go out there and perform that against that organization's website or their servers.
You also noted that because of some of the geopolitical realities of the region, that things like passport scans and identity documents are a popular item for sale.
Yeah, we certainly see unrest in that region of the world.
And so there are a lot of people who are trying to get out of those countries to other countries.
So you definitely see passports.
You see visas for sale on these underground forums and underground places so that they can sell them to these people who want to get out and move away and get into other countries.
So that's free market working, right?
You have a need.
You have a lot of people who have a need for something, and it'll show up in the underground, whether that's visas, whether it's passports, whether it's, you know, weapons, whether it's drugs,
whether it's a cyber crime or cyber tools that are available. So all of those tend to show up
in these underground forums. And, you know, again, it's not just about cyber we're talking here.
You know, when we investigate these undergrounds, we find all sorts of different services and
offerings that are outside of just
the cyber area as well. And that's no different here. When you compare the pricing of some of the
items that were available, some of the services that were available in these markets,
how do they compare to some of the markets in other parts of the world?
Some stuff is less expensive, but some is very much higher expense than others. So, for example, worms
are maybe a dollar to twelve dollars per worm if I were creating a cyber worm. Key loggers tend to
be anywhere from free to nineteen dollars. These are U.S. dollars I'm quoting here; we did the
conversion. Ransomware, for example, is very expensive. It's $30 to $50 for a ransomware. Think about that. If I'm a ransomware actor and I go and put ransomware on a system, right now they're charging anywhere from $50 to $100 for malware, I've got to recoup those costs.
And so it is a bit expensive there.
So obviously the ransom that these people would perpetrate is probably much higher than you would see in other regions of the world just because the cost of building the threat is a lot higher.
You also see, like, RATs, for example, are around $100.
Certainly malware builders can be anywhere from up to $500 from free.
But again, all of these things are negotiable inside the underground.
And again, as I mentioned at the beginning, in a lot of cases, if I ask for it for free, it will be provided to me for free by the person who is providing that service because of that sharing nature that they have within this community.
Do you have any sense for how they choose their targets?
Are there regional areas that they like to focus on?
Basically, western region.
Any organization or consumers in the west are a prime target for this region of the world.
And it just seems to follow some of the economic and socioeconomic things that go on in this region.
So that tends to be the biggest cover.
So you're talking the United States, North America, South America, Europe.
Those are going to be the primary target of these criminals.
And do you have any sense for how many of the people participating are individuals versus, you know, gangs of organized crime versus state-sponsored groups?
Yeah, we didn't really get into that piece.
We were looking at more at the tools and the tactics that they utilized.
So we didn't get really into the individual identification of the actors inside.
Certainly all of those are represented in the underground and are going to be conversing and communing within those undergrounds. It ranged from an individual into a loosely group of individuals to the syndicates, right?
The syndicates who perpetrated and have the resources to buy a lot of this.
They may even be providing a lot of these services within the underground as well.
And is your sense that these markets are growing quickly or have they reached sort of an equilibrium?
What's your sense there?
Yeah, that's a good question. I think in the case of the Middle East and North Africa, we're seeing
definitely an increase. I'm not sure it's a significant increase, but it's definitely an
increase. You're seeing new members joining all the time, especially in North Africa, because,
again, if you think about the actors here in the regions of the world that
they live in, to live a decent life doesn't take a lot of money. And if I can perpetrate a cyber
crime where maybe I do a ransomware attack and I get, you know, over the course of a year, I could
generate $25,000, $100,000 US dollars in profit. That's a lot of money in a lot of those regions of the world,
especially in North Africa.
So you think about the ability and why you see cybercrime picking up
in a lot of the third world and emerging areas of the regions of the world.
It's because there's a lot of money to be made, unfortunately, in cybercrime.
Was there anything in particular in your research
that you found surprising or unexpected? I think going back to the ability to sell stuff for free,
just to give it away, the community sharing kind of program that they have, you know, even to the
point where they're offering educational tools to newbie cyber criminals to give them tutorials on how to become a cyber criminal or how to launch an attack.
Those types of information is available for free to within this underground.
So they are definitely looking to recruit new people on a regular basis.
And they do that through the offering free offerings out there.
The other thing that was interesting is, like, on the weapons side, you don't see a lot of weapons being sold in this region,
not a lot of drugs sold in this region. Again, I think it goes back to, especially on the drug side,
maybe because of the regional influences there, not a lot of drugs in that area. Whereas
in North America, for example, drugs are pretty predominantly sold in the criminal underground, cyber underground, because there's such a prolific area of use of drugs in the United States.
Those were probably the main things that we saw. information or malware or service or tools and tactics to some of the interesting, some of the
things that you would see sold more often in some of the other regions, you don't see them as much
as you see here. So in terms of awareness and people dialing in their defense posture against
different organizations in different parts of the world, are there any specific advice when it comes
to what you've learned from the Middle Eastern and North African threat actors?
Yeah, I think, you know, when you think about cybercrime, the process to target an organization
is going to be very similar from this region as you see from other regions of the world. So
the actors there, they will investigate and do their reconnaissance on an
organization or a person to understand who they are, what they do, what kind of information,
what they want to do in terms of get monetary value out of this victim. So they'll do their
research. They'll look at social media to find the victims inside the organization who they want to
target to get inside their network. And then they use the malware that is available to them and that they can purchase,
right? And the malware tends to be the same. There's nothing unique about this region versus
others, so you're going to see ransomware, you're going to see key loggers, you're going to see
RATs and remote access tools, and so forth. So to combat this, they just need to take a posture
that they are going to build a layered security strategy against these threats. So from outside
in, I'm going to look at email and web as a primary defense because that's where the attack's
going to start from. It's going to come in either as an email message to an employee, or it's going to be a
web download from somebody browsing the web or doing something on the web. And so if I can tighten
up my security in that area, I can block that threat at the source instead of waiting till,
say, a piece of malware gets down to the endpoint. So you want to cover all your bases in between.
So you want that gateway or cloud security.
You want your network security.
You want email messaging security.
You want your endpoint security.
And that includes mobile.
We see malicious mobile apps being sold in the underground as well.
So mobile is definitely an attack surface that they are targeting as well. So organizations would be recommended to be building that layered approach
so that they have visibility
across the entire network stack
that they have from the gateway
or the cloud all the way down
to their mobile devices
and everywhere in between
because these threats will go
across their entire network.
Our thanks to John Clay
from Trend Micro for joining us.
The research paper is called Digital Souks,
a glimpse into the Middle Eastern and North African underground.
You can find it on the Trend Micro website.
Cyber threats are evolving every second. Thank you.
suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
The Cyber Wire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.