NetSpectre - New Spectre Remote Attack

A new Spectre variant known as NetSpectre, which can be exploited remotely, was recently disclosed. Intel, AMD and ARM processors are all believed to be vulnerable. NetSpectre can leak sensitive data from the affected chips, and it has been shown to work across local area networks and between virtual machines on Google Cloud. Intel has been notified, and the researchers report that the issue is addressed by the updates the chip maker has already made available.

Relevant URL(s): https://gbhackers.com/netspectre/

Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M

A bank in the Western District of Virginia fell victim to two separate phishing attacks over the course of eight months that allowed hackers to steal in excess of $2.4M. The bank's insurance company refused to cover anything beyond its debit card policy because of the way the funds were stolen. When writing a cybersecurity insurance policy, it is recommended that the customer engage a policy expert to review and help write the policy.

Relevant URL(s): https://krebsonsecurity.com/2018/07/hackers-breached-virginia-bank-twice-in-eight-months-stole-2-4m/

Emotet Malware

Emotet is an advanced modular banking trojan that continues to be of major concern to the banking sector. It is distributed primarily through malspam and is very difficult to combat because of its ability to spread quickly through a network. It is one of the most destructive and costly malware families affecting state, local, tribal and territorial (SLTT) governments and can cost upwards of $1 million per incident. If a system becomes infected, it must be removed from the network immediately, a privileged account must not be used to access it, and the incident should be reported to MS-ISAC (Multi-State Information Sharing and Analysis Center).

Relevant URL(s): https://www.us-cert.gov/ncas/alerts/TA18-201A

$1 Million Heist on Russian Bank Started with Hack of Branch Router

A hacking group known as MoneyTaker recently hacked a bank in Russia, taking almost $1 million after infiltrating a router on the bank's network. The group gained access and remained in the system while working its permissions up to domain admin before executing the attack. MoneyTaker has conducted 20 successful hacks, netting almost $14 million in total. Groups such as MoneyTaker are skilled at concealing their attacks and can be very difficult to detect. Having strong security protocols and ensuring employees know what they can and cannot do on company networks and equipment is vitally important.

Relevant URL(s): https://arstechnica.com/information-technology/2018/07/prolific-hacking-group-steals-almost-1-million-from-russian-bank/

iOS 12 2FA Feature May Carry Bank Fraud Risk

Apple will be releasing a feature in iOS 12 that automates 2FA: when a code is sent through a text message, iOS intercepts it and automatically fills the verification field to complete the 2FA step. This removes a vital component of 2FA and increases the chance of a successful infiltration. Users of devices with this feature enabled are advised to turn it off.

Relevant URL(s): https://www.darkreading.com/endpoint/ios-12-2fa-feature-may-carry-bank-fraud-risk/d/d-id/1332196

'Hidden Tunnels' Help Hackers Launch Financial Services Attacks

Because of the multi-layered security controls many financial institutions have in place, "hidden tunnels" are used to move data and keep it safe. Cyber criminals acquire tools from the dark web that allow them to circumvent the access controls of these tunnels and exfiltrate data through them. Examples include SaaS services for moving data securely, such as Dropbox for Business or similar services. Something as simple as a phishing attack can grant an attacker access into the organization and behind its security. Banks using this layered security should ensure their security awareness training always includes best practices for identifying phishing attacks.

Relevant URL(s): https://www.darkreading.com/hidden-tunnels-help-hackers-launch-financial-services-attacks/d/d-id/1332109


New MysteryBot Android Malware Packs a Banking Trojan, Keylogger, and Ransomware

MysteryBot is a recently discovered banking trojan with features very similar to LokiBot's. It is believed that MysteryBot is being created by the same criminal group, so users should expect to see some of the same attack tactics. Smishing and phishing were the previous methods of distribution. The latest MysteryBot contains ransomware and keylogger modules. Application downloads on Android devices, especially those from untrusted sources, should be restricted by proper controls. In addition, since Android devices do not officially support Flash Player, a prompt to install it is a good indicator to train users on to help reduce the risk of a malicious application being installed.

Relevant URL(s): https://www.bleepingcomputer.com/news/security/new-mysterybot-android-malware-packs-a-banking-trojan-keylogger-and-ransomware

VMware Plugs RCE Hole in Remote Management Agent

VMware recently identified and fixed a vulnerability in the AirWatch Agent that allowed cyber criminals with knowledge of enrolled devices to add or remove files and install malicious software on Android and Windows Mobile devices. Users of AirWatch are urged to update to the latest software versions, 8.2 (Android) and 6.5.2 (Windows), immediately.

Relevant URL(s): https://www.helpnetsecurity.com/2018/06/12/cve-2018-6968/


Windows Settings Shortcuts can be Abused for Code Execution

Microsoft Office has made strides in blocking common techniques used by cybercriminals to execute malicious code via email attachments and various file types, such as modified Word, Excel, and PowerPoint documents. An addition to Windows 10 has once again introduced another file type that attackers can abuse to gain unauthorized access to systems. This "SettingContent-ms" file format allows arbitrary shell commands to run without displaying a warning or message box to the user, and it is being actively exploited in the wild. To help protect systems, enable the Attack Surface Reduction (ASR) rules and monitor processes on endpoints. Process data should then be correlated and analyzed to identify any anomalous behavior.

Relevant URL(s): https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39

Sophisticated Keyloggers Target the Finance Industry

A recent analysis of popular malware samples targeting the finance sector found an unusually high number of keyloggers, some with enhanced data exfiltration features. Lastline's analysis shows malicious keylogger usage is 47% higher than the national average. As financial institutions increase their security capabilities, cyber criminals are also having to increase their abilities. It is recommended that companies ensure their systems are running with the latest security patches installed, as well as updated endpoint security software, such as anti-virus and application whitelisting.

Relevant URL(s): https://www.helpnetsecurity.com/2018/06/06/keyloggers-finance-industry/


FBI Takes Control of APT28's VPNFilter Botnet

The FBI obtained a court order and now has full control over a command and control server of a botnet known as VPNFilter, made up of over 500,000 routers and NAS devices. The FBI attributed ownership and control of the botnet to a Russian cyber-espionage unit widely known as APT28. VPNFilter has been deemed extremely dangerous because of its nation-state origin as well as its ability to brick devices by wiping firmware, intercept network traffic and search for SCADA equipment. The FBI has recommended that owners reboot their network devices so that infected devices reconnect to the now FBI-controlled command and control server, allowing the FBI to gauge the botnet's real size and notify ISPs.

Relevant URL(s): https://www.bleepingcomputer.com/news/security/fbi-takes-control-of-apt28s-vpnfilter-botnet/

Detecting Cloned Cards at the ATM, Register

Recent research conducted at the University of Florida has found that many cloned bank and gift cards have a greater variance in the placement of the digital bits on the card's magnetic stripe. This is likely because cloned cards are created by hand with inexpensive encoding machines, whereas legitimate cards are created in automated, machine-driven processes. The University of Florida tested a new technology that can be incorporated into point-of-sale systems and can distinguish legitimate from cloned gift cards with 99.3 percent accuracy. This still leaves the possibility of the system flagging a "false positive" result. However, with further testing the technology was able to detect a cloned bank card with "virtually zero false positives" thanks to the variation in the magnetic stripe on counterfeit cards. Until chip readers are 100 percent adopted across all platforms, this type of fraud will be an issue for businesses. To mitigate this sort of fraud, businesses and consumers are urged by the FBI to use and look for sealed cards in stores and to store cards behind counters with limited access. Banks are encouraged to make the transition to chip-embedded cards because of their improved security. Educate customers and ensure employees are also trained on loss prevention.

Relevant URL(s): https://krebsonsecurity.com/2018/05/detecting-cloned-cards-at-the-atm-register/

Phishing Attack Bypasses Two-Factor Authentication

Two-factor authentication (2FA) adoption has been pushed and encouraged around the world to help strengthen login security measures and protect customers' data. 2FA has helped businesses and consumers improve security, but attackers have found ways to circumvent this best practice by way of social engineering. The tool demonstrated essentially creates an email with a fake but similarly spelled URL (linkedin to linked). Once the link in the email is clicked, it takes the user to a page that resembles the actual web page, where they are prompted for their username and password. The hacker is able to see this and obtain the password and username, but also the session cookie. With the session cookie, the attacker does not need the username, password or 2FA code: they open the site in their browser, paste the session cookie into their developer tools and hit refresh, which puts them in the same session as the user. Businesses are urged to ensure their users have access to education and training; conduct simulated phishing attacks; and put employees through updated security awareness training.

Relevant URL(s): https://www.darkreading.com/endpoint/phishing-attack-bypasses-two-factor-authentication/d/d-id/1331776

Office 365 Defenses Vulnerable to baseStriker Malware

Avanan, a cloud-security firm, tested a flaw called baseStriker against Office 365, Office 365 with ATP and Safelinks, Office 365 with Proofpoint MTA, Office 365 with Mimecast MTA and Gmail. They discovered that only Office 365 with Mimecast and Gmail are protected and that all other configurations are vulnerable. BaseStriker is being used in phishing attacks and is able to get past Office 365 by splitting and hiding a malicious link using an HTML <base> tag: the host goes in the <base href> and only a relative path appears in the link itself, so a scanner that inspects each link's raw href never sees the full URL. There is currently no fix for this exploit. Users are encouraged to ensure 2FA is implemented and to practice safe computing habits by not opening links from senders they do not recognize.

Relevant URL(s): https://www.scmagazine.com/office-365-defenses-vulnerable-to-basestriker-malware/article/764475/
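The defensive counterpart to the base-splitting trick above, as an added example that is not from the article or from Avanan: a link extractor that resolves every href against the message's <base href>, the way a browser does, so that a scanner sees the effective URL rather than a bare relative path. The sample message body and its domains are constructed placeholders.

```python
"""Resolve <base>-split links in an HTML email body (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample message body; the domains are placeholders, not real IoCs.
SAMPLE_HTML = """
<html><head><base href="http://phish.example.invalid/"></head>
<body>
<p>Your mailbox is almost full. <a href="account/verify.php">Review storage</a></p>
<p>Questions? Visit <a href="https://support.example.com/help">support</a>.</p>
</body></html>
"""


class BaseAwareLinkParser(HTMLParser):
    """Collect (raw_href, effective_url) pairs, honouring <base href>."""

    def __init__(self):
        super().__init__()
        self.base = None   # the first <base href> wins, as in browsers
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]
        elif tag == "a" and attrs.get("href"):
            raw = attrs["href"]
            # urljoin resolves a relative path against the base and leaves
            # an already-absolute URL untouched.
            self.links.append((raw, urljoin(self.base or "", raw)))


def resolve_links(html):
    """Return [(raw_href, effective_url), ...] for every anchor in html."""
    parser = BaseAwareLinkParser()
    parser.feed(html)
    return parser.links


def split_links(html):
    """Effective URLs whose host comes only from <base>: the links a scanner
    that inspects raw hrefs alone would never see as full URLs."""
    return [eff for raw, eff in resolve_links(html)
            if not urlparse(raw).netloc and urlparse(eff).netloc]


if __name__ == "__main__":
    for raw, eff in resolve_links(SAMPLE_HTML):
        print(f"{raw!r:40} -> {eff}")
    print("base-split links:", split_links(SAMPLE_HTML))
```

Feeding the resolved URLs, rather than the raw hrefs, into reputation or Safelinks-style checks is what closes the gap the article describes.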

Public Breaches Drive Increase in Account Takeover Attempts

Recently, Distil Networks published their 2018 Anatomy of Account Takeover Attacks Report, which highlighted that unethical hackers employ automated programs to launch account takeover attacks. The report is compiled from data drawn from 600 domains that all include a login page. These account takeover attacks are able to validate credentials, gain access to proprietary financial data and sell personally identifiable information on the dark web. 39 percent of account takeover attacks take place between Friday and Saturday, which shows that most bot operators schedule their attacks for when fewer cyber security personnel will be working. Because the attacks are carried out by bots, the data collected about them makes the attacks more predictable. It is recommended that organizations educate themselves to identify the warning signs and be prepared for the times when most of these attacks occur.

Relevant URL(s): https://www.helpnetsecurity.com/2018/05/02/account-takeover-attempts/

SunTrust Says Ex-Worker May Have Stolen Data on 1.5M Clients

A former employee of SunTrust Bank may have stolen the data of 1.5 million clients.  Compromised information may include names, addresses, account balances, and phone numbers.  Banks can mitigate these types of breaches by implementing an effective data loss prevention solution and prohibiting employees from storing sensitive information on USB drives and personal devices.

Relevant URL(s): https://abcnews.go.com/Business/wireStory/suntrust-warns-15-million-clients-potential-data-breach-54607794

Banks Need to be Worried About Facebook's Data-Sharing Debacle

Banks are increasingly becoming digital businesses, which puts them at high risk to errors such as those faced by Facebook recently.  The need for financial organizations to understand and fulfill customer needs to offer differentiated and more compelling products is leading to more data sharing with partners through application programming interfaces and other tools.  Institutions will need to ensure that information shared with third parties does not violate an individual’s privacy, is kept secure at all times, and customers are aware when their data is shared and how it benefits them.

Relevant URL(s): https://www.americanbanker.com/opinion/banks-need-to-be-worried-about-facebooks-data-sharing-debacle

Large U.S. Banks Scramble to Meet EU Data Privacy Rules

Many large, internationally active U.S. banks are struggling with the General Data Protection Regulation (GDPR), which takes effect May 25. The regulations do not make it clear which U.S. banks must comply, but those with European offices and those that market or sell products or services to European citizens do. For smaller regional and community banks, it depends on their analysis of their exposure to European data subjects and what their customer base looks like. The starting point for GDPR compliance is to conduct a privacy risk impact analysis.

Relevant URL(s): https://www.americanbanker.com/news/large-us-banks-scramble-to-meet-eu-data-privacy-rules

Cybercriminals Hijack Router DNS to Distribute Android Banking Trojan

Security researchers have identified a malware campaign designed to hijack DNS settings on poorly secured and vulnerable routers in order to inject rogue ads on web pages, redirect users to phishing pages, and distribute the Android banking malware Roaming Mantis. The malware steals users' sensitive information, login credentials, bank account details, and two-factor authentication codes. To protect against attacks such as this, routers should have trusted DNS servers hard coded, run the latest firmware, be protected with strong passwords, and have remote administration disabled.

Relevant URL(s): https://thehackernews.com/2018/04/android-dns-hijack-malware.html

Mirai Variant Botnet Takes Aim at Financials

The Mirai botnet was recently used to target at least three European institutions in the financial sector. These institutions were hit by distributed denial-of-service (DDoS) attacks, one of which reached 30 Gbps. Researchers determined that the botnet in one attack was comprised of 80% MikroTik routers and 20% various IoT devices. A layered security strategy focusing on DDoS mitigation services and policy adherence can help limit the success of these types of attacks and limit downtime.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/mirai-variant-botnet-takes-aim-at-financials/d/d-id/1331472