ISACA Refreshes COBIT Framework to Address the Latest Business Technology Trends and Standards

ISACA has released the first update in over five years to the COBIT framework. COBIT 2019 offers guidance to organizations that will help with information technology management and governance. The guidance is being released in four phases that focus on technological trends and priorities, updates aligned with current industry standards, and a guide that will help organizations build a governance system that meets their specific needs.

Relevant URL(s): https://www.helpnetsecurity.com/2018/11/14/isaca-cobit-2019-framework/

Lazarus 'FASTCash' Bank Hackers Wield AIX Trojan

Lazarus, a North Korean hacking group, has been tied to an attack known as 'FASTCash', which they carry out by breaching a bank's network and planting a Trojan. The Trojan intercepts the cash withdrawal requests initiated by Lazarus and returns fake approvals, allowing the attackers to withdraw the cash. The attack is known to have been behind fraudulent withdrawals in excess of $10 million. FASTCash has been in use since 2016 and has targeted institutions in Asia and Africa. The attackers were exploiting outdated versions of AIX, IBM's Unix operating system. Banks are advised to ensure all systems are appropriately updated to minimize the risk of an attack.

Relevant URL(s): https://www.bankinfosecurity.com/lazarus-fastcash-bank-hackers-wield-aix-trojan-a-11694

New Bluetooth Vulnerabilities Exposed in Aruba, Cisco, Meraki Access Points

A vulnerability has been uncovered in Aruba, Cisco, and Meraki access points. The flaw lies in the Bluetooth Low Energy (BLE) chips. An attacker can load data packets containing malicious code onto the chip and then send an execution packet that makes the system run the previously loaded packets. The executed code gives the attacker full access to the device. The Aruba device's over-the-air update capability allows the attacker to drop a larger payload. Cisco has already published an update for its devices, and Meraki has released guidance to help users disable this functionality.

Relevant URL(s):

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap
https://documentation.meraki.com/MR/Bluetooth/Bluetooth_Low_Energy_(BLE)#Enable_Bluetooth_Scanning

Companies Implementing DevSecOps Address Vulnerabilities Faster Than Others

A recent study reports that DevSecOps is providing better security with higher efficiency. It also introduces flaw persistence analysis, which "measures the longevity of flaws after first discovery." The State of Software Security (SOSS) report has been documenting DevSecOps practices for three years, and the data shows a direct correlation between "security scanning and lower long-term application risk." Active DevSecOps programs fix flaws faster than traditional organizations; the data indicates they respond "more than 11.5 times faster."

Relevant URL(s): https://www.helpnetsecurity.com/2018/11/05/implementing-devsecops/

SMS Phishing + Cardless ATM = Profit

Cardless ATMs are a new feature offered by banks that allows customers to withdraw cash from an ATM using their phone. Attackers are pairing that functionality with SMS phishing attacks that falsely notify users that their accounts have been locked. The provided link takes the user to a look-alike website that prompts for their login credentials. Once the attacker has the user's credentials, they can initiate a withdrawal at an ATM and scan the QR code to collect the funds. Banks are advised to remind customers never to respond to text messages or emails about their personal finances.

Relevant URL(s): https://krebsonsecurity.com/2018/11/sms-phishing-cardless-atm-profit/

Patch Now! Multiple Serious Flaws Found in Drupal

Drupal maintainers have distributed patches for five security vulnerabilities, two of them rated 'critical'. The two critical flaws allow remote code execution in Drupal versions 7.x and 8.x. The three moderate flaws also affect Drupal 7 and 8 and can be used for cache poisoning, open redirects to malicious URLs, and a content moderation access bypass. The recommendation is to upgrade 7.x to 7.60, 8.6.x to 8.6.2, and 8.5.x or earlier to 8.5.8.

Relevant URL(s): https://nakedsecurity.sophos.com/2018/10/23/patch-now-multiple-serious-flaws-found-in-drupal/

HIDDEN COBRA - FASTCash Campaign

The DHS, FBI, and Treasury have identified malware and other indicators of compromise (IOCs) that the North Korean government used for an ATM cash-out scheme. They track the activity under the name HIDDEN COBRA and refer to the attack as 'FASTCash'. The attackers remain in the victim's network to carry out the exploitation. If users or administrators detect malware activity tied to FASTCash, they should report it immediately to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch).

Relevant URL(s): https://www.us-cert.gov/ncas/alerts/TA18-275A

Windows PCs Vulnerable To RID Hijacking; Grants Full System Access To Attackers

Sebastian Castro, a security researcher, discovered a technique for obtaining admin rights and persistence across reboots. The technique works on Windows PCs, is easy to execute, and is difficult to stop. Account security identifiers (SIDs) end in a Relative Identifier (RID); the RID defines the access level of the account and is easily manipulated. The manipulation works on Windows XP through 10 and on Server 2003 through 2016. Microsoft has yet to release a statement or patch for this vulnerability. Luckily, it is not a widely known exploit yet, but users of Windows systems are advised to monitor their accounts closely and investigate any that appear suspicious.

Relevant URL(s): https://fossbytes.com/windows-pcs-vulnerable-to-rid-hijacking-grants-full-system-access-to-attackers/

FFIEC Launches New BSA/AML InfoBase on its Website

The Federal Financial Institutions Examination Council (FFIEC) has released a redesigned Bank Secrecy Act/Anti-Money Laundering (BSA/AML) InfoBase website. It shares 'bank examination procedure information with examiners, financial institutions, the public, and other stakeholders.' It was redesigned to improve the user experience with better site navigation, search capabilities, and downloadable manuals, and it is now mobile-friendly.

Relevant URL(s):

https://www.ffiec.gov/whatsnew.htm
https://bsaaml.ffiec.gov/

Who Is Responsible For Cybersecurity? NBT Bank Has Some Ideas

In honor of National Cybersecurity Awareness Month, NBT's VP and Director of Information Security and Fraud Risk wrote an article about the responsibility for cybersecurity. She highlights that cyber threats are abundant and growing within the financial sector, that cybersecurity is everyone's responsibility, and that it 'takes a village.' She later defines that village as 'a mix of professionals and everyday citizens'. Cybersecurity matters at work and at home, and safeguarding sensitive information should be practiced at all times. Using secure passwords and learning how to recognize and report suspicious emails are paramount in defending both your work and home life. This helps build a safer environment and instills cybersecurity best practices in those around you.

Relevant URL(s): https://www.nbtbank.com/Personal/About-Us/News/NBT-Celebrates-Cybersecurity-Awareness-Month

'Torii' Breaks New Ground For IoT Malware

Avast recently analyzed a malware strain they named 'Torii'. Torii runs on a wide range of devices and has a modular design that makes data exfiltration and command execution straightforward. Telnet is the only infection vector observed so far, but researchers worry that the malware's authors have other vectors as well. Torii is an example of how IoT malware is evolving and becoming more sophisticated. The Avast write-up below has more information about Torii and also lists domains and IPs to monitor for a Torii infection.

Relevant URL(s):

https://blog.avast.com/new-torii-botnet-threat-research
https://www.darkreading.com/attacks-breaches/-torii-breaks-new-ground-for-iot-malware/d/d-id/1332930

Secret Service Warns of Surge in ATM 'Wiretapping' Attacks

The Secret Service recently published a non-public report about a new type of card and credential theft at ATMs. The thieves drill into the ATM and attach a skimmer internally to the card reader. They then cover the hole with a sign or metal plate, return later, and install a camera or a false PIN pad to capture the victim's credentials. It is advised that ATMs be placed in public, well-lit areas to deter thieves and that users be encouraged to take precautions to protect their personal information.

Relevant URL(s): https://krebsonsecurity.com/2018/09/secret-service-warns-of-surge-in-atm-wiretapping-attacks/

The Cyber Kill Chain Gets a Makeover

The cyber kill chain, since 2011, has consisted of seven steps an attacker moves through to complete a mission: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Under this model each step has its own interruption tactic, and the earlier an attack is interrupted, the less damage it does. The first five steps of the traditional kill chain have now been collapsed into a single step, an approach reportedly seen in 88% of attacks. This makeover allows attacks to be automated and executed more easily at large scale in a "spray and pray" fashion. Researchers advise going "back to basics": run vulnerability scans that focus on low-level vulnerabilities to find the easiest point of entry for an attacker, and continuously monitor and assess security posture.

Relevant URL(s): https://www.darkreading.com/threat-intelligence/the-cyber-kill-chain-gets-a-makeover/

GovPayNow.com Leaks 14M+ Records

A company used by many state and local governments for online payments leaked over fourteen million records, including names, phone numbers, addresses, and the last four digits of payment cards, dating back at least six years. The company claimed to have addressed "a potential issue" but did not actually fix the leak by restricting access to authorized recipients only. GovPayNet was acquired by Securus Technologies in January of 2018, a company with a poor track record of securing data and ensuring that only authorized individuals have access. Consumers are urged to keep monitoring their transactions and credit to make sure their data is not being compromised and used against them.

Relevant URL(s): https://krebsonsecurity.com/2018/09/govpaynow-com-leaks-14m-records/

New Cold Boot Attack Unlocks Disk Encryption On Nearly All Modern PCs

Cold boot attacks have been around since 2008, and a security firm recently disclosed a new variant. An attacker with physical access to a machine can disable the current protection that overwrites RAM on a cold boot and steal any sensitive data still held in memory. There is currently no patch that prevents attackers from doing this. It is recommended that physical access to machines be kept to a minimum and that computers be configured to shut down and to require a BitLocker credential on reboot.

Relevant URL(s): https://thehackernews.com/2018/09/cold-boot-attack-encryption.html

Fiserv Flaw Exposed Customer Data at Hundreds of Banks

Fiserv is a large financial processor for many financial institutions and holds a thirty-seven percent share of the bank core processing market. They recently suffered from a flaw that allowed a user to edit a single number within the website code and see other bank users' personal details and account numbers and adjust their notification settings. The flaw has been patched and the fix distributed to Fiserv's clients; it is critical that Fiserv customers update immediately to ensure the patch is applied.
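The "edit one number, see another customer's record" flaw described above is the pattern commonly called an insecure direct object reference. The following is an added illustration, not Fiserv's code: a lookup that trusts the client-supplied account number beside one that enforces a server-side ownership check, run against constructed sample records.

```python
# Added example (not Fiserv's code). The account records and user names below
# are constructed sample data; the web framework is left out so the check runs alone.

ACCOUNTS = {  # constructed sample records keyed by account number
    1001: {"owner": "alice", "name": "Alice A.", "balance": 250.00, "alerts": True},
    1002: {"owner": "bob",   "name": "Bob B.",   "balance": 90.00,  "alerts": False},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to touch the requested account."""


def get_account_vulnerable(session_user, account_id):
    # Trusts the account number supplied by the client: any authenticated user
    # who edits that number in the request sees someone else's record.
    return ACCOUNTS[account_id]


def get_account_hardened(session_user, account_id):
    # Server-side ownership check: the record is returned only when it belongs
    # to the authenticated session user. Unknown and foreign accounts raise the
    # same Forbidden so the response does not reveal which numbers exist.
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"{session_user} may not access account {account_id}")
    return record


def set_alerts_hardened(session_user, account_id, enabled):
    # The same check must guard writes (the article notes notification
    # settings could be changed), not only reads.
    record = get_account_hardened(session_user, account_id)
    record["alerts"] = bool(enabled)
    return record["alerts"]


def demo():
    # bob changes the number 1002 -> 1001 in his own request.
    leaked = get_account_vulnerable("bob", 1001)["name"]
    try:
        get_account_hardened("bob", 1001)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())  # ('Alice A.', True)
```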

Relevant URL(s): https://krebsonsecurity.com/2018/08/fiserv-flaw-exposed-customer-data-at-hundreds-of-banks/

Hackers Use Public Cloud Features to Breach, Persist in Business Networks

Amazon Web Services (AWS) is becoming a target of sophisticated cyber attacks. Recent trend analysis shows that attackers are using AWS accounts to exfiltrate data, primarily in the manufacturing, financial, and tech industries. Attackers use a simple phishing attack to gain access and then keep the permission level they obtained, rather than trying to escalate, to avoid detection while they copy and paste or screenshot data. Amazon offers a multitude of services to help its customers stay protected, and it is recommended to monitor all aspects of your environment, not just the underlying servers.

Relevant URL(s): https://www.darkreading.com/cloud/hackers-leverage-aws-to-breach-persist-in-corporate-networks/d/d-id/1332618

Exploring, Exploiting Active Directory Admin Flaws

Active Directory (AD) administrators have adopted new methods to thwart attackers and maintain positive control of their systems. Alongside these new tactics, new exploits and attack styles have surfaced. Multi-factor authentication (MFA) and password vaults are both commonly used by AD admins. There are still ways to bypass MFA that let attackers gain access to an admin account, and once an admin account has been compromised, MFA is easily bypassed for all other user levels. Password vaults, used to store and secure passwords, can likewise be bypassed by attackers, exposing admin account data. It is recommended that AD admins not rely on a single security control such as MFA or a password vault, but instead use layered security with as many controls in place as feasible to protect admin accounts.

Relevant URL(s): https://www.darkreading.com/vulnerabilities---threats/exploring-exploiting-active-directory-admin-flaws/d/d-id/1332593

New Office 365 Phishing Attack Uses Malicious Links in SharePoint Documents

A new phishing attack has surfaced in the form of an imitation SharePoint document. Attackers distribute an email that looks exactly like a SharePoint document and contains a link to a look-alike website. The website is configured to steal credentials as they are entered, giving the attacker access to the victim's SharePoint. Damage can still be done even if the user does not log in, if the link they clicked delivers malware. SharePoint users are urged to follow security awareness practices and scrutinize the emails they receive. MFA adds another layer of security that helps reduce the chance of a breach. Well-informed employees who know to watch out for things like emails marked "URGENT" or links in the message body are key to a better security posture.

Relevant URL(s): https://www.helpnetsecurity.com/2018/08/15/office-365-phishing-sharepoint/

Microsoft ADFS Flaw Allows Attackers to Bypass MFA Safeguards

Vulnerability CVE-2018-8340 has exposed a major issue within Microsoft Active Directory Federation Services (ADFS). The most common exploit path is for an attacker to gain access to a lower-privileged account and then work to increase their permissions. This type of attack is most easily executed from within an organization using an already established account, obtained via simple attacks such as phishing or by social engineering the help desk into resetting passwords. Once the attacker has sufficient permissions, they are able to bypass MFA for lower-privileged accounts within the organization. Microsoft has released a patch for this, and ADFS users are advised to apply it immediately.

Relevant URL(s): https://www.helpnetsecurity.com/2018/08/14/cve-2018-8340/