Avast recently analyzed a piece of malware they named 'Torii'. Torii runs on a wide range of devices and has a modular design that makes data fetching and command execution easy to add. Telnet is the only infection vector observed so far, but researchers worry that the malware's authors have other vectors as well. Torii is an example of how IoT malware is evolving and becoming more sophisticated. Avast's write-up has more information about Torii and also lists domains and IPs to monitor for signs of a Torii infection.
The Secret Service recently published a non-public report about a new type of card and credential theft carried out through ATMs. The thieves drill into the ATM and attach a skimmer internally to the card reader. They then cover the hole with a sign or metal plate, return at a later time, and install a camera or false PIN pad to capture the victim's credentials. It is advised that ATMs be placed in public, well-lit areas to deter thieves, and that users be encouraged to take precautions to protect their personal information.
The cyber kill chain, since 2011, has been made up of seven steps that attackers move through to complete their mission: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Under this model, each step has its own interruption tactic, and the earlier the interruption can be achieved, the less damage an attack does. The first five steps of the traditional kill chain have now been collapsed into a single step, and this compressed chain has reportedly been used in 88% of attacks. The makeover allows attacks to be automated and executed more easily at large scale in a "spray and pray" fashion. Researchers advise going "back to basics" with vulnerability scans that focus on low-level vulnerabilities to determine the easiest point of entry for an attacker, and constantly monitoring and assessing security posture.
A company used by many state and local governments for online payments leaked over fourteen million records, including names, phone numbers, addresses and the last four digits of payment card numbers, dating back at least six years. The company claimed to have addressed "a potential issue" but did not actually close the leak by restricting access to authorized recipients only. GovPayNet was acquired in January 2018 by Securus Technologies, which has a poor history of securing data and ensuring only authorized individuals have access. Consumers are urged to continue monitoring their transactions and credit to ensure their data is not being compromised and used against their will.
Relevant URL(s): https://krebsonsecurity.com/2018/09/govpaynow-com-leaks-14m-records/
Cold boot attacks have been known since 2008, and a security firm recently exposed a new cold boot vulnerability. If attackers can gain physical access to a machine, they are able to disable the current protection that overwrites RAM on a cold boot and steal any sensitive data held in memory. There is currently no patch available that stops attackers from doing this. It is recommended that physical access to machines be kept to a minimum and that computers be configured to shut down and to require a BitLocker credential on reboot.
Relevant URL(s): https://thehackernews.com/2018/09/cold-boot-attack-encryption.html
Fiserv is a large financial processor serving many financial institutions and holds a thirty-seven percent share of the bank core processing market. It recently suffered from a flaw that allowed users to edit a single number within the website code and view the personal details and account numbers, and adjust the notification settings, of other bank users. The flaw has been patched and the patch has been distributed to Fiserv's clients; it is critical that Fiserv customers update immediately to ensure the patch is applied.
Amazon Web Services (AWS) is becoming a target of sophisticated cyber attacks. Recently analyzed trends show that attackers are using compromised AWS accounts to exfiltrate data, primarily in the manufacturing, financial and tech industries. Attackers use a simple phishing attack to gain access and then keep their existing permission level, rather than trying to escalate, to avoid detection while they copy and paste or screenshot data. Amazon offers a multitude of services to help its customers stay protected, and it is recommended to monitor all aspects of your environment, not just the underlying servers.
Active Directory (AD) administrators have adopted new methods to thwart attackers and maintain positive control of their systems. As AD admins adopt new tactics, new exploits and attack styles surface as well. Multi-factor authentication (MFA) and password vaults are methods commonly used by AD admins. There are still ways to bypass MFA, allowing attackers to gain access to an admin account, and once an admin account has been compromised, MFA is easily bypassed for all other user levels. Likewise, password vaults are used to store and secure passwords, but these can also be bypassed by attackers, which could expose admin account data. It is recommended that AD admins not rely on a single security control such as MFA or password vaults, but rather use multi-layered security with as many controls in place as feasible to protect admin accounts.
A new phishing attack has surfaced in the form of an imitation SharePoint document. Attackers distribute an email that looks exactly like a SharePoint document and contains a malicious link to a look-alike website. The website is configured to steal credentials as they are entered, giving the attacker access to the victim's SharePoint. Damage could still be done even if a user does not log in, if the clicked link delivers malware. SharePoint users are urged to follow security awareness guidance and scrutinize the emails they receive. Using MFA adds another layer of security that helps reduce the chances of a breach. Having well-informed employees who know to watch out for things like emails marked "URGENT" or containing links in the body is key to a better security posture.
Vulnerability CVE-2018-8340 has exposed a major issue within Microsoft Active Directory Federation Services (ADFS). The most common exploit is for an attacker to gain access to lower-privileged accounts and then work to increase their permissions. This type of attack is most easily executed from within an organization using an already established account. Attackers gain initial access via simple attacks such as phishing, or by social engineering the help desk into resetting passwords. Once the attacker has sufficient permissions, they are able to bypass MFA for other lower-privileged accounts within the organization. Microsoft has released a patch for this, and it is recommended that users of ADFS apply the patch immediately.
Relevant URL(s): https://www.helpnetsecurity.com/2018/08/14/cve-2018-8340/
A new Spectre variant known as NetSpectre, which can be exploited remotely, was recently demonstrated. It is believed that Intel, AMD and ARM processors are all vulnerable. NetSpectre is able to leak sensitive data from the processor and also works across local area networks and against virtual machines on Google Cloud. Intel has been notified by the researchers and asserts that the issue has already been alleviated by the chip refreshes the company has made available.
Relevant URL(s): https://gbhackers.com/netspectre/
A bank in the Western District of Virginia fell victim to two separate phishing attacks over the course of eight months that allowed hackers to steal in excess of $2.4M. The bank's insurance company refused to cover anything beyond the debit card policy because of the way the funds were stolen. When writing a cybersecurity insurance policy, it is recommended that the customer engage a policy expert to review and help write the policy.
Emotet is an advanced modular banking trojan that continues to be of major concern to the banking sector. It is distributed primarily through malspam and is very difficult to combat because of how quickly it spreads through a network. It is one of the most destructive and costly malware families affecting state, local, tribal and territorial (SLTT) governments, and can cost upwards of $1 million per incident. If a system is infected, it must be immediately removed from the network, privileged accounts must not be used to access it, and the incident should be reported to MS-ISAC (Multi-State Information Sharing and Analysis Center).
Relevant URL(s): https://www.us-cert.gov/ncas/alerts/TA18-201A
A hacking group known as MoneyTaker recently hacked a bank in Russia, taking almost $1 million after infiltrating a router on the bank's network. They gained access and remained in the system while working their permissions up to domain admin before executing the theft. The group has conducted 20 successful hacks netting almost $14 million in total. Groups such as MoneyTaker are skilled at concealing their attacks and can be very difficult to detect. Having strong security protocols and ensuring employees know what they can and cannot do on company networks and equipment is vitally important.
Apple will be releasing a feature in iOS 12 that automates part of 2FA: when a code is sent through a text message, iOS will intercept it and automatically fill the verification field to complete the 2FA. This takes away a vital component of 2FA and increases the chance of a successful infiltration. It is recommended that users turn off the feature if using a device with it enabled.
Because many financial institutions have multi-layered security controls in place, "hidden tunnels" are used to move data and keep it safe. Cyber criminals acquire tools from the dark web that allow them to circumvent the access controls of these tunnels and exfiltrate data. Examples of such tunnels include SaaS services for moving data securely, such as Dropbox for Business or similar services. Something as simple as a phishing attack can grant an attacker access to the organization and a foothold behind its security. Banks using this layered security should ensure their security awareness training always includes best practices for identifying phishing attacks.
MysteryBot is a recently discovered banking trojan with features very similar to LokiBot's. It is believed that MysteryBot is being created by the same criminal group, so users should expect to see some of the same attack tactics. Smishing and phishing were the previous methods of distribution. The latest MysteryBot contains ransomware and keylogger modules. Application downloads on Android devices, especially from untrusted sources, should be restricted with proper controls. In addition, since Android devices do not officially support Flash Player, a prompt to install it is a useful indicator to train users on, helping reduce the risk of a malicious application being installed.
VMware recently identified and fixed a vulnerability in the AirWatch Agent that allowed cyber criminals with knowledge of enrolled devices to add or remove files and install malicious software on Android and Windows Mobile devices. Users of AirWatch are urged to update immediately to the latest software versions, 8.2 (Android) and 6.5.2 (Windows).
Relevant URL(s): https://www.helpnetsecurity.com/2018/06/12/cve-2018-6968/
Microsoft Office has made strides in blocking common techniques used by cybercriminals to execute malicious code via email attachments and various file types, such as modified Word, Excel, and PowerPoint documents. A file type introduced in Windows 10 has once again given attackers a way to gain unauthorized access to systems. This "SettingContent-ms" file format allows arbitrary shell commands to run, without displaying a warning or message box to the user, and is being actively exploited in the wild. To help protect systems, enable the Attack Surface Reduction (ASR) rules and monitor processes on endpoints. Process data should then be correlated and analyzed to identify anomalous behavior.
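One way to act on the monitoring advice above, as an added example that is not from the page or from Microsoft: a small Python scanner that pulls the DeepLink command out of a SettingContent-ms file and flags shortcuts whose target is a command interpreter rather than a Settings host. The allow-list, the interpreter list and the two sample files are constructed assumptions.

```python
"""Flag .SettingContent-ms files whose DeepLink launches a shell (added example)."""
import ntpath
import re
import xml.etree.ElementTree as ET

# Schema namespace used by the SearchableContent element of these files.
NS = "{http://schemas.microsoft.com/Search/2013/SettingContent}"
# Assumption: a legitimate Settings shortcut launches one of these hosts.
ALLOWED = {"control.exe", "systemsettings.exe"}
# Interpreters that should never be the target of a Settings shortcut.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def deeplink_target(deeplink: str) -> str:
    """Return the lower-cased executable name from a DeepLink command line."""
    m = re.match(r'"([^"]+)"|(\S+)', deeplink.strip())
    exe = (m.group(1) or m.group(2)) if m else deeplink
    return ntpath.basename(exe).lower()


def classify(deeplink: str) -> str:
    """'ok' for an allowed host, 'shell' for an interpreter, else 'unknown'."""
    target = deeplink_target(deeplink)
    if target in ALLOWED:
        return "ok"
    if target in SHELLS:
        return "shell"
    return "unknown"


def scan(xml_text: str) -> list:
    """Return (deeplink, verdict) for every DeepLink element in the file."""
    root = ET.fromstring(xml_text)
    return [(el.text or "", classify(el.text or "")) for el in root.iter(NS + "DeepLink")]


# Constructed samples: a genuine-looking Control Panel shortcut, and the same
# file with its DeepLink swapped for a harmless shell command.
TEMPLATE = """<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>{deeplink}</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""
BENIGN = TEMPLATE.format(deeplink=r"%windir%\system32\control.exe")
SUSPICIOUS = TEMPLATE.format(deeplink=r"%windir%\system32\cmd.exe /c echo constructed")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        for link, verdict in scan(sample):
            print(f"{name}: {verdict:8} {link}")
```

Running the block prints `ok` for the benign sample and `shell` for the suspicious one; anything classed `unknown` is worth a manual look before the host allow-list is widened.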
A recent analysis of popular malware samples targeting the finance sector found an unusually high proportion of keyloggers, some with enhanced data exfiltration features. Lastline's analysis shows malicious keylogger usage 47% higher than the national average. As financial institutions increase their security capabilities, cyber criminals are having to increase their abilities as well. It is recommended that companies ensure their systems are running with the latest security patches installed, along with updated endpoint security software such as anti-virus and application whitelisting.