Cryptocurrency, Cybercrime & the Darkweb · 10/30/2018


Cryptocurrency, Cybercrime & the Darkweb
SBS CyberSecurity

CHAD KNUTSON

©2018 SBS CyberSecurity, LLC www.sbscyber.com 1

Contact Information

• Chad Knutson◦ President SBS Institute◦ CISSP, CISA, CRISC◦ [email protected]

• Robb Nielsen◦ Senior Account Executive◦ 712‐369‐0139◦ [email protected]

• SBS Institute◦ 605‐269‐0909◦ [email protected]


Agenda

• Cryptocurrency and its impacts

• Cybercrime fraud trends in community banking

• Different dark parts of the internet

• Buying and selling cybercrime

• Education and Awareness

Cybercrime: Shift from Traditional Crime to Technology


Technology & Cybercrime

• New Products/Services
◦ Mobile Solutions: Mobile Cash Management, Mobile Payments, Mobile Capture
◦ Virtualization
◦ Electronic Payments
◦ Cloud
◦ Online Account Opening
◦ Interactive Teller Machines

Diagram: Technology and Cybercrime, linking the Financial Institution, the Customer and Third Parties.

Technology Bank Robbery

• ROI Analysis
◦ Average cash in an ATM?
◦ Average jail time?

U.S. Secret Service GIOC alert on Ploutus D ATM jackpotting (quoted):

The GIOC received credible information that bad actors are activating cash out crews to attack Diebold front loading ATMs, specifically 500 and 700 series, using Ploutus D malware around the United States in the next 10 days. ATMs running Windows XP are particularly vulnerable. It is recommended that ATMs operate an up to date version of Windows 7 to defeat this specific type of attack. At least one attempted attack, as outlined below, occurred in Louisiana in the last 24 hours.

The targeted stand‐alone ATMs are routinely located in pharmacies, big box retailers, and drive thru ATMs. During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATM’s operating system along with a mobile device to the targeted ATM. The attackers use an endoscope to obtain access to the ATM’s toggle to sync their laptop computer with the security features of the ATM. Once this is complete, the ATM is controlled by the fraudsters. The ATM will appear to be Out of Service to potential customers. At this point, cash out crews communicate with co‐conspirators remotely controlling the ATMs to initiate the ATM cash withdrawals. In previous Ploutus D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad or the cassette runs out of cash. The cash out crew/money mule takes the dispensed cash and places it in a large bag. After the cash is taken from the ATM and the mule leaves, the technicians return to the site and remove their equipment. The last thing the fraudsters do before leaving the site is to plug the Ethernet cable back in. 

The following pages, obtained from a private partner with knowledge of this style of attack, contain a detailed description of the steps taken by the fraudsters to perpetrate this attack. 

Please reach out to the GIOC at [email protected] if your office receives credible information relating to this attack. 

Any questions relating to this alert can be directed to ATSAIC Matt O’Neill, 202‐406‐6242, [email protected].

Link


FBI Unlimited Operations

• Global Automated Teller Machine (ATM) cash-out scheme.

• An "unlimited operation" compromises a financial institution or payment card processor with malware to access bank customer card information, then exploits that network access (typically by raising account balances and withdrawal limits) to enable large-scale theft of funds from ATMs.

• Unlimited operations have resulted in the theft of at least $2.5 million since 2016 in the United States alone.

• Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities.

• The FBI expects this activity to continue or possibly increase in the near future.

Alert TA18-275A

https://www.us-cert.gov/ncas/alerts/TA18-275A

• Joint alert from the Department of Homeland Security (DHS), the Department of the Treasury (Treasury) and the Federal Bureau of Investigation (FBI)

• Identified malware and other indicators of compromise (IOCs)

• Attributed to the North Korean government

• Activity related to an Automated Teller Machine (ATM) cash-out scheme
◦ The U.S. Government calls this campaign "FASTCash."

FBI: Bank Controls

• Implement separation of duties or dual authorization procedures for account balance or withdrawal increases above a specified threshold.

• Implement application whitelisting to block the execution of malware.

• Block execution of files from TEMP directories, from which most phishing malware attempts to execute.

• Monitor, audit, and limit administrator and business-critical accounts with the required access and authority to modify the account attributes mentioned above.

• Implement an update and patch management cycle.

• Install and regularly update anti-virus or anti-malware software on hosts.

• Implement an incident management system, and prepare an incident response plan for rapid deployment in case of a cyber intrusion.

• Implement strong password requirements and two-factor authentication using a physical or digital token when possible for local administrators and business-critical roles to inhibit lateral movement.

More controls in the FBI and US-CERT guidance.
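The first and fourth controls above (dual authorization for limit increases, and auditing the accounts able to change them) are the ones that directly blunt an unlimited operation, where the attacker's goal is to raise withdrawal limits before the cash-out crews start. The following Python model is an added example, not code from this deck or from the FBI guidance it summarises; the $5,000 threshold, account numbers and operator names are assumed values for illustration.

```python
"""Dual-authorization ("four-eyes") control for card withdrawal limits.

Added example, not code from the SBS deck or the FBI guidance it quotes.
It models one control: a limit increase above THRESHOLD is held until a
second, different operator approves it, and every decision is logged.
Threshold, account numbers and operator names are assumed values.
"""
from dataclasses import dataclass, field
from typing import Dict, List

THRESHOLD = 5_000  # USD; larger increases need a second approver (assumed)


@dataclass
class PendingChange:
    account: str
    old_limit: int
    new_limit: int
    requested_by: str


@dataclass
class LimitService:
    limits: Dict[str, int]                                    # approved limits
    pending: Dict[str, PendingChange] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)            # append-only trail

    def request_increase(self, account: str, new_limit: int, operator: str) -> str:
        """Return "applied" if the change took effect, "pending" if it awaits
        a second approver. The delta is measured against the last *approved*
        limit, so an attacker cannot reach a huge limit by stacking several
        sub-threshold requests."""
        old_limit = self.limits[account]
        delta = new_limit - old_limit
        if delta <= 0:  # decreases lower risk and never need approval
            self.limits[account] = new_limit
            self.audit.append(f"DECREASE {account} {old_limit}->{new_limit} by {operator}")
            return "applied"
        if account in self.pending:  # one open change per account at a time
            raise PermissionError(f"{account} already has a pending change")
        if delta > THRESHOLD:
            self.pending[account] = PendingChange(account, old_limit, new_limit, operator)
            self.audit.append(f"PENDING  {account} {old_limit}->{new_limit} by {operator}")
            return "pending"
        self.limits[account] = new_limit
        self.audit.append(f"APPLIED  {account} {old_limit}->{new_limit} by {operator}")
        return "applied"

    def approve(self, account: str, approver: str) -> int:
        """Second operator signs off. Separation of duties: the approver must
        not be the requester. Returns the newly effective limit."""
        change = self.pending.get(account)
        if change is None:
            raise LookupError(f"no pending change for {account}")
        if approver == change.requested_by:
            self.audit.append(f"REJECTED {account} self-approval attempt by {approver}")
            raise PermissionError("requester may not approve their own change")
        self.limits[account] = change.new_limit
        del self.pending[account]
        self.audit.append(f"APPROVED {account} {change.old_limit}->{change.new_limit} "
                          f"requested by {change.requested_by}, approved by {approver}")
        return change.new_limit


def demo() -> Dict[str, int]:
    """Unlimited-operation scenario: a compromised operator login tries to
    push one card's limit to an effectively unlimited value."""
    svc = LimitService(limits={"4111-0001": 500, "4111-0002": 500})
    svc.request_increase("4111-0001", 2_000, operator="alice")         # routine, applied
    status = svc.request_increase("4111-0002", 1_000_000, operator="alice")
    assert status == "pending"
    try:
        svc.approve("4111-0002", approver="alice")                     # self-approval
    except PermissionError:
        pass                                                           # refused and logged
    return dict(svc.limits)                                            # 0002 still 500


if __name__ == "__main__":
    print(demo())
```

A request made with a stolen operator login stalls in `pending`: the attacker needs a second set of credentials, and the `audit` list records the self-approval attempt, which is exactly the event the monitoring control should page on.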

ATM Fraud

1) Traditional Magstripe Skimmer

2) Magstripe Shimmer

3) Drill to insert USB w/ Malware or Mobile Device

4) Hacker in the network

5) EMV Shimmer

Criminal Types


Advanced Persistent Threat


Equifax Issues


Equifax Lessons Learned

• Asset-Based Risk Assessment

• Web Application Firewall?

• Separate Database/Webserver

• Patch Management

• Change Control and Vulnerability Exception Process

• Incident Response Program

• Internal Vulnerability Assessment

• External Web Application Testing

NotPetya Ransomware


Maersk

• World's largest container shipping business, carrying about 15% of global shipping

• The NotPetya infection spread across their global network and forced operations to halt at 76 ports worldwide

• Business volumes were affected for a couple of weeks

• Email system was down; staff resorted to personal cellphones and WhatsApp

• $200-300 million financial impact

• 4,000 servers and 45,000 workstations rebuilt

Source

Cryptojacking

• Cryptojacking is the covert use of someone else's computing device to mine cryptocurrency.

• Malware installed on a system can use its CPU or GPU for mining.

• Some browser-based instances do not require malware to be installed: a script on a web page mines for as long as the page stays open.

Source

Ransomware Toolkit

https://sbscyber.com/products/toolkits/

• Ransomware Training - Employee (Slides and Video)

• Ransomware Training - Executive (Slides and Video)

• Ransomware Incident Response Plan

• Ransomware Policy

• Ransomware Procedures

• Ransomware Awareness Poster

Data Breaches

Source

Have I Been Pwned

Finding Exploits


Darkweb


Types of Internet

Less than 4%: the share of the internet that is indexed (the surface web), per the slide's graphic

Tor Network


Tor Browser


Tails Virtual Machine


Takedown

• Undercover

• Hacking

• Tor Nodes

• Information Breadcrumbs

• Follow the Money

• Postal System

• Source

Silk Road

• Sale of Illegal Drugs & Services

• 1.2B USD worth of Bitcoin in sales (80M in commissions)

• 6 drug overdose deaths linked

• Life sentence for the "Dread Pirate Roberts" (Ross Ulbricht)

• 1.5m buyers, 3,800 vendors

• Operated 1/2011 - 9/2013

• Source

AlphaBay

• Launched December 2014

• Taken down July 5, 2017

• Over 40,000 vendors

• 10x the size of Silk Road

• Source

Hansa Market

• Two administrators arrested in June 2017

• 1,800 vendors selling drugs

• Netherlands Police (took covert control of the market and ran it before the takedown)

• 1,000 bitcoins confiscated (about 2M dollars)

• 10,000 foreign addresses of buyers were passed on to Europol

• Source

• Dream Market grew (oldest and now biggest)

Darkweb Protections

• Block the Tor protocol (and known Tor relay/exit IP lists)

• Block VPN

• SSL/TLS Decryption (inspection)

• Application Control

• Local Software Restrictions
◦ Tor Browser
◦ Virtualization Software

• Network Segmentation

• Geo IP Filtering

• Monitoring/Alerting (IOC)
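The last item, monitoring and alerting on indicators, is how a bank finds out whether the blocks above are actually working. The script below is an added example, not code from this deck or from any SBS product: it scans constructed firewall and DNS log lines for three Tor indicators and counts hits per source host. The log format, host addresses and the relay IP list are made up for the example; a real deployment refreshes the relay list from the Tor Project's published relay data and feeds the alerts to the SIEM.

```python
"""Tor-usage indicators from firewall and DNS logs.

Added example, not code from the SBS deck or any SBS product. It covers
the "Monitoring/Alerting (IOC)" item for the Tor case with three rules:
  1. outbound connection to an IP on a Tor relay list (strong signal);
  2. outbound connection on a default Tor port (weak: 9001/9030 are the
     default ORPort/DirPort, 9050/9150 the default SOCKS ports);
  3. a DNS query for a .onion name, which Tor resolves internally, so one
     hitting the corporate resolver means a client is misconfigured or a
     non-Tor program was handed an onion address.
Log format, addresses (RFC 1918 and RFC 5737 ranges) and the relay list
are constructed; production code refreshes the list from the Tor Project.
"""
import ipaddress
import re
from typing import Dict, List, Set

TOR_RELAY_IPS: Set[str] = {"203.0.113.10", "198.51.100.77", "192.0.2.200"}  # placeholder list
TOR_PORTS = {9001, 9030, 9050, 9150}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FW_RE = re.compile(r"^(?P<ts>\S+) fw allow (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) dns query (?P<src>[\d.]+) (?P<qname>\S+)$")

# Constructed sample log lines.
SAMPLE_LOGS = """\
2018-10-30T09:00:01Z fw allow 10.1.1.5:51234 -> 192.0.2.50:443
2018-10-30T09:00:02Z fw allow 10.1.1.7:51235 -> 203.0.113.10:443
2018-10-30T09:00:03Z fw allow 10.1.1.7:51236 -> 198.51.100.9:9001
2018-10-30T09:00:04Z dns query 10.1.1.9 example.com
2018-10-30T09:00:05Z dns query 10.1.1.9 abcdefghijklmnop.onion
2018-10-30T09:00:06Z fw allow 10.1.1.5:51237 -> 10.1.1.200:9050
"""


def is_rfc1918(ip: str) -> bool:
    """True for internal (RFC 1918) addresses. Written out instead of using
    ipaddress.is_private, which also treats the documentation ranges used
    in the sample as private."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def scan(log_text: str) -> List[Dict[str, str]]:
    """One alert per matching line; `type` tells the analyst how strong the
    indicator is. A Tor port on an internal destination is reported
    separately: it points at a Tor client running inside the network."""
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m:
            dst, dport = m["dst"], int(m["dport"])
            if dst in TOR_RELAY_IPS:
                kind = "tor-relay-ip"
            elif dport in TOR_PORTS:
                kind = "tor-port-internal" if is_rfc1918(dst) else "tor-port"
            else:
                continue
            alerts.append({"ts": m["ts"], "src": m["src"], "type": kind, "detail": f"{dst}:{dport}"})
            continue
        m = DNS_RE.match(line)
        if m and m["qname"].lower().rstrip(".").endswith(".onion"):
            alerts.append({"ts": m["ts"], "src": m["src"], "type": "onion-dns", "detail": m["qname"]})
    return alerts


def summarize(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Alerts per source host: the pivot an analyst starts triage from."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["src"]] = counts.get(a["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for alert in hits:
        print(alert)
    print(summarize(hits))
```

On the sample, host 10.1.1.7 trips both the relay-list and the port rule and is the first machine to pull for investigation; the .onion query from 10.1.1.9 is worth a conversation with the user even though nothing was blocked, and the internal 9050 hit says someone has a Tor client running on the LAN, which the software-restriction control above should have prevented.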

Darkweb Funds


Cryptocurrencies

• Prices rose sharply through 2017, then fell back steeply in 2018

• Over 1,300 cryptocurrencies worldwide

• Attraction: uncontrolled and booming

• Survey projection: 1 in 3 millennials will own cryptocurrency by the end of 2018 (5% now)

Bitcoin

• Value grew every year from its 2009 launch through 2017, except for 2014

• First real-world purchase: 10,000 bitcoin for two pizzas (May 2010)

• Bitcoin is untraceable... sort of: addresses are pseudonymous, but every transaction is recorded on the public blockchain

• There will only ever be 21 million bitcoins

• Lose your Bitcoin private key and you lose your bitcoins; there is no reset

• Can't be banned outright: no central party can shut the network down, though governments can regulate exchanges and use

• https://coinsutra.com/bitcoin-facts/

Tracking Bitcoin

• https://blockchain.info/
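What an explorer like blockchain.info exposes is the whole transaction graph, and that graph is what investigators walk when they "follow the money" in a takedown: every output is spent by a later transaction that names it. The Python below is an added example, not code from this deck or from blockchain.info. It walks forward from a seed address through a constructed set of transactions and applies the common-input-ownership heuristic (inputs spent together in one transaction normally belong to one wallet) to cluster addresses. The transactions, addresses and amounts are constructed; a real tool would read them from a block explorer API or a full node.

```python
"""Following funds across a bitcoin-style transaction graph.

Added example, not code from the SBS deck or from blockchain.info. It
shows why bitcoin is "untraceable... sort of": the ledger is public, so an
analyst can (1) walk forward from a known address, such as a seized market
wallet, to see where the coins went and whether they landed on an
exchange, and (2) cluster addresses with the common-input-ownership
heuristic. Transactions, addresses and amounts below are constructed.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

OutPoint = Tuple[str, int]  # (txid, output index)


@dataclass
class Tx:
    txid: str
    inputs: List[OutPoint]          # previous outputs being spent
    outputs: List[Tuple[str, int]]  # (address, satoshis)


# Constructed chain: market wallet M pays a vendor (V1), who consolidates
# with another of his addresses (V9) and cashes out to an exchange (EXCH).
TXS: Dict[str, Tx] = {t.txid: t for t in [
    Tx("tx1", [],                        [("M", 500_000)]),                    # seed funds
    Tx("tx2", [("tx1", 0)],              [("V1", 300_000), ("M2", 199_000)]),  # payout + change
    Tx("tx3", [("tx2", 0), ("tx0", 0)],  [("V2", 349_000)]),                   # V1 and V9 co-spend
    Tx("tx0", [],                        [("V9", 50_000)]),
    Tx("tx4", [("tx3", 0)],              [("EXCH", 340_000), ("V3", 8_000)]),  # exchange deposit
]}


def owner(op: OutPoint) -> str:
    """Address that received the referenced output."""
    txid, idx = op
    return TXS[txid].outputs[idx][0]


def spenders() -> Dict[OutPoint, str]:
    """Index: which transaction spends each output."""
    return {op: tx.txid for tx in TXS.values() for op in tx.inputs}


def trace_forward(seed: str, max_hops: int = 10) -> List[Tuple[int, str, str, int]]:
    """Breadth-first walk from `seed`. Returns (hop, txid, address, amount)
    for every output reached, so the analyst sees where the coins went and
    at which hop they hit an address a subpoena can attach a name to."""
    spent_by = spenders()
    seen: Set[OutPoint] = set()
    frontier = deque(
        (0, (tx.txid, i)) for tx in TXS.values()
        for i, (addr, _) in enumerate(tx.outputs) if addr == seed
    )
    trail: List[Tuple[int, str, str, int]] = []
    while frontier:
        hop, op = frontier.popleft()
        if op in seen or hop > max_hops:
            continue
        seen.add(op)
        nxt = spent_by.get(op)
        if nxt is None:
            continue  # unspent: the funds still sit at this address
        for i, (addr, amt) in enumerate(TXS[nxt].outputs):
            trail.append((hop + 1, nxt, addr, amt))
            frontier.append((hop + 1, (nxt, i)))
    return trail


def cluster(address: str) -> Set[str]:
    """Common-input-ownership heuristic: addresses whose outputs are spent
    together in one transaction are treated as one wallet. Iterates to a
    fixed point so clusters chain through several transactions."""
    members = {address}
    changed = True
    while changed:
        changed = False
        for tx in TXS.values():
            owners = {owner(op) for op in tx.inputs}
            if owners & members and not owners <= members:
                members |= owners
                changed = True
    return members


if __name__ == "__main__":
    for hop, txid, addr, amt in trace_forward("M"):
        print(f"hop {hop}: {txid} -> {addr} {amt} sat")
    print("wallet cluster of V1:", cluster("V1"))
```

The walk from M reaches EXCH three hops out, which is the point where a records request to the exchange turns a pseudonymous address into a customer identity; the cluster step ties V9 to the vendor even though V9 never received market funds directly. Mixers and coin-join services exist precisely to break these two techniques, which is the "sort of" in the slide above.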

Retailers accepting Bitcoin

• Overstock

• Microsoft

• Virgin Galactic

• eGifter (gift cards)

• Tesla

• Expedia

• Newegg

• CheapAir

https://99bitcoins.com/who-accepts-bitcoins-payment-companies-stores-take-bitcoins/

Flight to Austin


Education


Ongoing Training (role-specific)

• Conference Events
◦ Hot topics and ideas to pursue further (www.iowabankers.com)
◦ Interact with vendors and peers

• Webinars
◦ Select topics needed to fill knowledge gaps
◦ Online offers a flexible schedule and many options (www.iowabankers.com)

• Seminars
◦ Select topics needed to fill knowledge gaps
◦ Onsite event with peers of similar knowledge interest

• Certification Programs
◦ ISC2: CISSP https://www.isc2.org/
◦ ISACA: CISM, CISA https://www.isaca.org
◦ SBS: https://www.sbscyber.com/sbsinstitute/certifications/

• In-house Training Options
◦ Specific training for employees and customers

• College/University Options
◦ Cybersecurity, Information Assurance

Role based: ISO, Network Admin, Internal Audit, Compliance

Ongoing Training

• Board/Senior Management

• Employees

• Customers

Annual Training?

Education and Awareness

• Annual Cybersecurity Training
◦ Board / Executive Team Training
◦ Employee Training
◦ Customer Training

• Acceptable Use Training

• Policy & Procedure Training

• Social Engineering Testing/Training

• Regular/Monthly Email Updates

• Threat Alerts

securingthehuman.org

Employee & Customer: Continual Education

• Share articles and example threats

• Posters

• Computer desktop images or screensavers

• Online Learning Management System with quarterly or monthly training

• Phish Tank

• Continual employee contact

• October: Security Awareness Month

• Social engineering tests

• Weekly or monthly phishing tests/training

• Involvement in education for high school students and the community

https://sbscyber.com/education/free-downloads

Metrics

Verizon DBIR: on average, about 4% of targets click in any given phishing campaign, and the people who have clicked before are the most likely to click again

Social Engineering

• Internal and External Auditing

• Test your people

• Check the effectiveness of the training program

• Types include:
◦ Phishing Emails
◦ Phone Impersonation
◦ Physical Impersonation
◦ Dumpster Diving