Financial Sector Under Siege

Cybersecurity crime in the financial sector is as prominent as it has ever been and continues to grow.  Financial institutions are up against cyber-criminals that vary in size and complexity from individuals to nation-states.  The methods that these attackers use are increasingly damaging to organizations and are being executed against targets with impeccable timing.  Attackers will wait for an organization to launch a new program or service that has not been thoroughly vetted for security and leverage that to gain a position within the victim's environment.  As new technologies emerge and banking continues to move into the digital era, it is recommended that institutions always include security at the forefront of initiatives to ensure that all assets under their control are secure.

Relevant URL(s): https://www.darkreading.com/cloud/financial-sector-under-siege/a/d-id/1334725

'GozNym' Banking Malware Gang Dismantled by International Law Enforcement

Law enforcement agencies across six countries have successfully arrested a group of individuals that were responsible for the GozNym Banking malware.  The six countries that worked together to bring the group down were Bulgaria, Germany, Georgia, Moldova, Ukraine, and the United States.  The GozNym malware, a combination of Gozi ISFB and Nymaim, was used to steal over $100 Million from more than 41,000 victims, predominately in the United States and Europe.  Earlier this month, the U.S. Court released that the defendants are being charged with conspiracy to commit computer fraud, conspiracy to commit wire fraud and bank fraud, and conspiracy to commit money laundering.

Relevant URL(s): https://thehackernews.com/2019/05/GozNym-banking-malware.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+TheHackersNews+(The+Hackers+News+-+Cyber+Security+Blog)&_m=3n.009a.1989.nk0ao093p4.18do

Flaw Affecting Millions of Cisco Devices Let Attackers Implant Persistent Backdoor

Thrangrycat, a new vulnerability has been unveiled for Cisco routers, switches, and firewalls that attackers can leverage to install a persistent backdoor.  Thrangrycat has been identified as CVE-2019-1649 and was discovered by researchers at Red Balloon.  The vulnerability exists on Cisco products that support the Trust Anchor module (TAm) that is implemented on Cisco enterprise devices.  The TAm is used to verify that the firmware operating on the hardware platforms is authentic and unmodified. "By chaining Thrangrycat and remote command injection vulnerabilities, an attacker can remotely and persistently bypass Cisco's secure boot mechanism and lock out all future software updates to the TAm," researchers said.  Further details regarding the vulnerability are expected to be released at Black Hat USA this August.

Relevant URL(s): https://thehackernews.com/2019/05/cisco-secure-boot-bypass.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+TheHackersNews+(The+Hackers+News+-+Cyber+Security+Blog)&_m=3n.009a.1986.nk0ao093p4.18av

New Class of CPU Flaws Affect Almost Every Intel Processor Since 2011

Earlier this month, researchers released information about a vulnerability in all modern Intel chips to include the chips used by Apple.  The new flaw is a speculative execution side-channel vulnerability that could allow an attacker the ability to steal system and user-level secrets from the CPU buffer.  If properly executed, disk encryption keys and user passwords could be at risk due to the vulnerability.  It is executed through the use of Microarchitectural Data Sampling(MDS), which is a combination of four different flaws.  Microcode Updates (MCU) have been released by Intel to fix the MDS vulnerabilities, and users are urged to implement the patches as soon as possible.

Relevant URL(s): https://thehackernews.com/2019/05/intel-processor-vulnerabilities.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+TheHackersNews+(The+Hackers+News+-+Cyber+Security+Blog)&_m=3n.009a.1989.nk0ao093p4.18e0

Open Banking Establishes New Access to Banks’ Networks, Creating Additional Security Issues

Financial organizations are having to find a balance between security and usability as they work to maintain and strengthen the trust of consumers.  Open banking has created a shift where organizations now have an ecosystem of partners that they also need to ensure are secure.  “Security is only as good as the weakest link in the network of ecosystem partners, and the global trend toward open banking is increasing the spiderweb of interconnectivity among banks and third parties — creating additional points of weakness and vulnerability in banks’ network security,” said Alan McIntyre, global head of Accenture’s Banking practice.  As open banking continues to grow and evolve, financial organizations are urged to always verify the security of a potential partner before allowing them access to organizational data. 

Relevant URL(s): https://www.helpnetsecurity.com/2019/05/08/open-banking-security-issues/

Researchers Flag New Oracle WebLogic Zero-Day RCE Flaw

All versions of Oracle Weblogic are vulnerable to a remote code execution flaw.  There is currently no CVE number attached to the flaw, but Oracle has been alerted, and it is being tracked by the following identifier: CNVD-C-2019-48814.  There are tens of thousands of Weblogic servers across the world with the majority being in the US and China.  These servers can be attractive to attackers because they allow them access to resources that they can use for covert crypto-mining.  Server administrators are urged to delete wls9_async_response.war, wls-wsat.war and restart the Weblogic service.  Another option is to prevent access to the /_async/* and /wls-wsat/* URL paths with access policy control. 

Relevant URL(s): https://www.helpnetsecurity.com/2019/04/25/oracle-weblogic-zero-day-rce/

New, Improved BEC Campaigns Target HR and Finance

Business email compromise (BEC) campaigns have been targeting HR and Finance representatives to alter direct-deposit routings and transfer funds to a throwaway criminal account.  BEC attacks are cheap for attackers to use and can yield rapid and lucrative results.  The latest trend in BEC attempts is for the attacker to spoof an email from a high-level employee and convince a lesser employee to transfer the funds.  The use of spoofing a senior account makes an attempt seem authentic and urgent as they are coming from an authoritative employee.  This type of attack can be considered a form of Social Engineering with a successful attack being dependent on the behavior of the victim.  Protection from these types of attacks involves the organization having proper policies and technology.  It can be summed up with, "If it's possible for someone to request a check to be cut for $5 Million to someone not in the system, you've got a problem." says Phil Reitinger, President and CEO of Global Cyber Alliance.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/new-improved-bec-campaigns-target-hr-and-finance/d/d-id/1334343

Patched Apache Flaw is a Serious Threat for Web Hosting Providers

A recent privilege escalation flaw (CVE-2019-0211) affecting Apache HTTP Server and Unix Systems can be fixed by implementing the latest security update.  The flaw allows root privileged code execution to an unprivileged web host user via scripting. Any user permitted to write a script for the Apache web host can gain root access.  The proof of concept exploit code has not been released to enable admins ample time to deploy the Apache 2.4.39 security update.  Any web hosting providers are urged to apply this fix immediately, and all other Apache admins are advised to apply as soon as possible. 

Relevant URL(s): https://www.helpnetsecurity.com/2019/04/03/apache-web-server-cve-2019-0211/

Major Mobile Financial Apps Harbor Built-In Vulnerabilities

Mobile applications are failing to protect user data because they are lacking necessary security features.  A recent research study conducted by Aite Group tested application security by decompiling the apps to their source code.  This was the first of many vulnerabilities given that application shielding should prevent unauthorized individuals the ability to decompile and perform their own vulnerability assessment.  There are noticeable differences in the applications produced by traditional financial institutions known for their security but lacking the knowledge needed for mobile development, and the newer online financial institutions that lack experience in regulatory requirements but know proper secure development tactics.  Nathan Wenzler, Senior Director of Cybersecurity  at Moss Adams, is "adamant that a failure to improve mobile financial app security could have huge consequences for banks and financial services companies."  Clients are urged to review their DevSecOps to ensure that security is at the forefront of all development practices. 

Relevant URL(s): https://www.darkreading.com/application-security/major-mobile-financial-apps-harbor-built-in-vulnerabilities/d/d-id/1334321

In the Race Toward Mobile Banking, Don't Forget Risk Management

Banks are in a race to develop their digital platforms to make it easier for consumers to adapt to new payment types as well as to compete with emerging financial technology companies.  The last couple of years has shown astounding growth and popularity in the use of mobile payment and banking applications.  While this digital convergence is helping to streamline consumer experiences, it must align with the goals and regulatory guidance of the financial institution.  Risk management needs to be at the forefront of the development and deployment of these mobile banking solutions to ensure company and customer data is secure.  The features and capabilities of the technology available today is advancing faster than the resources available to manage and complete the projects.  It is recommended that institutions look at mobile development from the same risk perspective that they would any other system deployment, and account for the influx in the data that will need to be monitored.

Relevant URL(s): https://www.darkreading.com/risk/in-the-race-toward-mobile-banking-dont-forget-risk-management-/a/d-id/1334254

Flaw in Popular PDF Creation Library Enabled Remote Code Execution

Polict, a cybersecurity researcher, found a new exploit in PHP that relies on deserialization to 'unpack' malicious code that can be remotely executed.  The original flaw was fixed in September of 2018, but Polict found another method using XSS to inject code and initiate the deserialization process.  He disclosed the flaw privately to the TCPDF developers in September 2018, and that flaw was fixed within a month.  Users of TCPDF are safe as long as they are using version 6.2.22 and above.

Relevant URL(s): https://nakedsecurity.sophos.com/2019/03/21/flaw-in-popular-pdf-creation-library-enabled-remote-code-execution/

PDF Signature Spoofing

PDF signatures are a way to check the authenticity and edits of a PDF document to ensure it is not a fraud attempt.  Recently, PDF-Insecurity.org found a way to edit a PDF after it had been signed and would not reflect that anything had been changed.  To determine how severe the issue was, they tested it against native desktop applications, as well as online validation software and found that 21 out of 22 desktop applications failed to report the changes along with 5 out of the 7 online validation clients.  PDF-Insecurity reached out to the companies that did not recognize the change and have been working with them to get the issue fixed.  It is always advised to check the signature of a PDF, and if something seems off, ask the sender for validation of the information. 


Relevant URL(s): https://www.pdf-insecurity.org/index.html

New WordPress Flaw Lets Unauthenticated Remote Attackers Hack Sites

A content management software (CMS) flaw exists that can lead to remote code execution attacks in WordPress versions that have not been updated to 5.1.1.  The exploit allows the attacker to take complete control over a compromised WordPress website remotely by injecting a payload via XSS that modifies the template to include a PHP backdoor.  Everything happens in one swift step and without alerting an administrator.  WordPress 5.1.1 fixes the issue, so any users that have not updated are highly encouraged to do so immediately.

Relevant URL(s): https://thehackernews.com/2019/03/hack-wordpress-websites.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29&_m=3n.009a.1946.nk0ao093p4.17bh

Word Bug Allows Attackers to Sneak Exploits Past Anti-Malware Defenses

Anti-malware controls and enterprise sandboxes are being circumvented due to a flaw discovered in the way Microsoft Word processes integer overflow errors for Object Linking and Embedding (OLE) file formats.  By leveraging this flaw, attackers can cloak any payload and trick Microsoft Word into not functioning correctly and delivering regardless of controls.  Microsoft has been alerted about the exploit and acknowledges the abnormal behavior, but has no immediate plan to fix the issue because there is no memory corruption or code execution directly linked to the flaw.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/word-bug-allows-attackers-to-sneak-exploits-past-anti-malware-defenses/d/d-id/1334070

Google Discloses Unpatched 'High-Severity' Flaw in Apple macOS Kernel

Project Zero, a cybersecurity research division at Google, recently disclosed a 'High Severity' flaw in macOS due to the way the XNU kernel allows filesystem image manipulations without informing the operating system.  Copy-On-Write (COW) is a resource management and optimization strategy that allows two processes to access data from the same source without making a copy.  If a change is made, COW makes a copy of the data in the memory so that both processes have the original data accessible.  Project Zero gave a 90 day period to fix the flaw after Apple silently acknowledged the issue.  Apple missed the deadline, causing the exploit to be publicly disclosed.

Relevant URL(s): https://thehackernews.com/2019/03/cybersecurity-macos-hacking.html

WARNING - New Phishing Attack That Even Most Vigilant Users Could Fall For

Antoine Vincent Jebara recently discovered a new phishing campaign to which even the most vigilant users could fall victim.  An increasing amount of websites are offering the ability to log in using Facebook which is a generally safe way to access a website.  An attacker has taken the time to produce a site that looks identical to a Facebook prompt with green HTTPS, shadows, status and navigation bars, and even a link to Facebook.  It is actually a phishing scam that steals the victim's credentials when entered.  The only way to tell it is a phishing scam is to drag the prompt to the edge of the screen to make it disappear.  If the prompt disappears, it is a fake.

Relevant URL(s): https://thehackernews.com/2019/02/advance-phishing-login-page.html


Snapd Flaw Lets Attackers Gain Root Access On Linux Systems

Security researcher Chris Moberly discovered a flaw called "Dirty_Sock" (CVE-2019-7304) that exploits a sever privilege escalation vulnerability and allows an attacker to gain root access on Linux systems.  The REST API for Snapd service is where the vulnerability resides with versions 2.28 through 2.37 being susceptible because of an incorrectly validated and parsed remote socket.  The vulnerability has been addressed in version 2.37.1, and it is highly recommended that Ubuntu users update immediately.

Relevant URL(s): https://thehackernews.com/2019/02/snapd-linux-privilege-escalation.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+TheHackersNews+(The+Hackers+News+-+Cyber+Security+Blog)&_m=3n.009a.1928.nk0ao093p4.16u0

Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions

Credit Unions along with other financial organizations became the target of a phishing campaign in February that has sparked a fear that a regulatory agency may have been compromised.  Bank Secrecy Act (BSA) contacts received emails that appeared to be from other BSA officers and claimed a member of their credit union had received a suspicious money transfer and the account was being locked.  The email included a PDF that was not malicious according to a scan by virustotal.com but contained a malicious link.  Only BSA officers were targeted which introduced the question of what agencies hold that data and might have been compromised.  The NCUA and CUNA have released statements that they were not breached and left the situation as a lingering mystery.  It is essential never to click embedded links or open files that are sent from an unknown / untrusted source.

Relevant URL(s): https://krebsonsecurity.com/2019/02/phishers-target-anti-money-laundering-officers-at-u-s-credit-unions/

Cybercriminal Exploit Gmail Feature to Scale Up Attacks

Security vendor Agari announced in February that attackers are taking advantage of a long-standing Gmail feature to create multiple accounts rapidly.  Google believes that "dots don't matter" and therefore treats certain variations of an email as the same.  For example, Johndoe@gmail.com is treated the same as john.doe@gmail.com and jo.hn.do.e@gmail.com, but johndoe@gmail.com will receive the correspondence sent to the variations.  Attackers have used this trick to submit 48 credit card applications and conduct $65,000 in fraudulent credit charges.  It has also been used to file tax returns; submit a change-of-address; apply for unemployment; and submit for FEMA disaster assistance.  Organizations are urged to watch for the rapid creation of accounts that contain dots(.) in the username to help mitigate this threat.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/cybercriminals-exploit-gmail-feature-to-scale-up-attacks-/d/d-id/1333800

SpeakUp Linux Backdoor Sets Up for Major Attack

A backdoor trojan dubbed "SpeakUp" is a new threat that has been targeting Linux servers.  CVE-2018-20062 was the initial infection vector that targeted a remote code execution vulnerability.  It has infected over 70,000 servers worldwide and is currently being used for crypto mining campaigns.  The trojan is capable of infecting on-premises and cloud-based servers.  While it is presently affecting Linux machines, it also has the capabilities to infect MacOS.  Given its broad spectrum of capabilities, researchers are wondering what it will ultimately be used for, fearing that it may have other threat factors.  One of the fears is that once the trojan has infected a host, the attacker will sell the capabilities to the highest bidder.  It is recommended to consistently scan for trojans and apply patches when they are released.

Relevant URL(s): https://threatpost.com/speakup-linux-backdoor/141431/