Written by James Orme Thu 21 Mar 2019

Russian cybersecurity specialists have discovered that cybercriminals have escalated their attacks in Asia, with Singapore increasingly their victim of choice.

Speaking at Money20/20 Asia yesterday, experts from Russian cybersecurity firm Group-IB revealed that over the course of 2017 and 2018 it discovered hundreds of government ID credentials from Singaporean government agencies and educational institutions for sale on the dark web.

The credentials included usernames and passwords from the Singapore Government Technology Agency, Ministry of Education, Ministry of Health, Singapore Police Force website, and the National University of Singapore learning management system.

Group-IB informed authorities as soon as the information was discovered.

“Cybercriminals steal user accounts’ data using special spyware aimed at obtaining users’ authentication data,” said Group-IB’s CTO and head of threat intelligence Dmitry Volkov.

“Even one compromised account, unless detected at the right time, can lead to the disruption of internal operations or leak of government secrets,” he added.

Group-IB data shows that Pony Formgrabber, QBot and AZORult have become the three most popular Trojan-stealers among cybercriminals.

Pony Formgrabber plunders login credentials from config files, databases and program storage locations belonging to more than 70 programs on a victim’s computer and sends the information straight to an attacker’s C&C server. The QBot worm grabs credentials through a keylogger and by collecting cookie files, certificates and active internet sessions, while AZORult steals passwords saved in common browsers.

Data leaks were also responsible for a large amount of the government credentials discovered. Group-IB analyzed several high-profile public data breaches and discovered 3689 unique government credentials belonging to the Singaporean state.

You can bank on Lazarus

Alongside these credentials, Group-IB found that 19,928 Singaporean bank cards have shown up for sale on dark web card shops, a 56 percent increase compared to 2018.

According to the group, cybercriminals could have purchased the entirety of the compromised data for $640,000.

“Singapore, as one of the major financial hubs in Southeast Asia, is drawing more and more attention of financially motivated hackers every year,” Group-IB said.

North Korean state hacking group Lazarus is responsible for a number of targeted attacks on financial organisations in Asia and Singapore, it added.

In the group’s most recent attack, Group-IB specialists discovered new malware deployed by Lazarus that it has dubbed “RATv3.ps”. The remote administration tool is ‘capable of data exfiltration from the victim’s computer, downloading and executing programs and commands via shell, acting as a keylogger to retrieve victim’s passwords, moving, creating and deleting files, injecting code into other processes and screencasting’.

“Given the group’s increased activity in the region in 2018, we believe that Lazarus will continue to carry out attacks against banks, which will result in illicit SWIFT payments, and will likely experiment with, primarily focusing on Asia and the Pacific,” said Volkov.

Group-IB detects and analyses data uploaded to global online card shops all over the world.

According to its yearly Hi-Tech Crime Trends 2018 report, 1.8 million card details were uploaded to these shops per month from June 2017 to August 2018.