Russian cyber security vendor Group-IB has reported a rise in cyber crime activity focused on Asia, and in particular Singapore.
In 2018, around 20,000 bank cards belonging to Singaporeans appeared for sale on the dark web, in addition to hundreds of compromised government portals’ credentials stolen by hackers throughout the past two years.
In fact, the number of leaked cards increased by 56 per cent in 2018, while the total value of Singaporean banks’ cards compromised in 2018 is estimated at nearly $640,000.
Southeast Asia, and Singapore in particular, has surpassed other regions, including the US and Europe, in the number of state-sponsored groups detected.
Within the space of a year, 21 state-sponsored groups, more than in the US and Europe combined, were detected in Southeast Asia, including Lazarus, a notorious North Korean state-sponsored threat actor, according to Group-IB’s Hi-Tech Crime Trends 2018 report.
Groups like Lazarus are also using new tools to target the region, including new malware that Group-IB detected in January 2019. It infects a host computer using what the firm describes as a ‘watering hole attack’, a technique the firm believes the group has used since 2016.
It is believed this new malware has been used in a series of recent attacks across the region, with at least one legitimate Vietnamese resource found to be infected.
“The newly discovered Lazarus’ malware is multifunctional: it is capable of data exfiltration from the victim’s computer, downloading and executing programs and commands via shell, acting as a key-logger to retrieve the victim's passwords, moving, creating and deleting files, injecting code into other processes and screen-casting,” said Dmitry Volkov, CTO and head of Threat Intelligence, Group-IB.
“Given the group’s increased activity in the region in 2018, we believe that Lazarus will continue to carry out attacks against banks, which will result in illicit SWIFT payments, and will likely experiment with, primarily focusing on Asia and the Pacific.”
Furthermore, groups such as Lazarus do not shy away from attacking crypto hubs, one of which Singapore has become in recent years.
“We expect that other APTs like Silence, MoneyTaker, and Cobalt will stage multiple attacks on cryptocurrency exchanges in the near future,” said Volkov.
Worrying for Singapore, users’ logins and passwords for government agencies such as the Government Technology Agency, the Ministry of Education, the Ministry of Health, the Singapore Police Force website, the National University of Singapore learning management system and many other resources were stolen by cyber criminals.
“Users’ accounts from government resources are either sold on underground forums or used in targeted attacks on government agencies for the purpose of espionage or sabotage,” said Volkov. “Even one compromised account, unless detected at the right time, can lead to the disruption of internal operations or leak of government secrets.
“Cyber criminals steal user accounts’ data using special spyware aimed at obtaining users’ authentication data.
“According to Group-IB data, Pony Formgrabber, QBot and AZORult became the top 3 most popular Trojan-stealers among cybercriminals.”
Pony Formgrabber retrieves login credentials from the configuration files, databases and secret stores of more than 70 programs on the victim’s computer and then sends the stolen information to the cyber criminals’ C&C server.
Another Trojan-stealer, AZORult, steals passwords from popular browsers and can also steal cryptocurrency wallet data.
The QBot worm gathers login credentials using a key-logger, steals cookie files, certificates and active internet sessions, and redirects users to fake websites.
All these Trojans are capable of compromising the credentials of crypto wallet and crypto exchange users.
Public data leaks are another huge source of compromised user credentials for government websites. The Group-IB team analysed recent massive public data breaches and discovered 3,689 unique records (email addresses and passwords) linked to Singaporean government website accounts.