FBI Takes Control of APT28's VPNFilter Botnet

The FBI obtained a court order and now has full command and control over a server of a botnet, known as VPNFilter, made up of over 500,000 routers and NAS devices. The FBI attributed ownership and control of the botnet to a Russian cyber-espionage unit widely known as APT28. VPNFilter has been deemed extremely dangerous due to its nation-state origin as well as its ability to brick devices by wiping firmware, intercept network traffic and search for SCADA equipment. The FBI has recommended rebooting network devices so that infected devices reconnect to the command and control server, which lets the FBI see the botnet's real size and notify ISPs.

Relevant URL(s): https://www.bleepingcomputer.com/news/security/fbi-takes-control-of-apt28s-vpnfilter-botnet/

Detecting Cloned Cards at the ATM, Register

Recent research conducted at the University of Florida has found that many cloned bank and gift cards show a greater variance in digital bit placement on the card's magnetic strip. This is likely because cloned cards are created by hand with inexpensive encoding machines, unlike legitimate cards, which are created in automated, machine-driven processes. The University of Florida tested a new technology that can be incorporated into point-of-sale systems and can distinguish legitimate gift cards from cloned ones with 99.3 percent accuracy. This still leaves the possibility that the system flags a "false positive" result. However, with further testing the technology was able to detect a cloned bank card with "virtually zero false positives" due to the variation in the magnetic strip on counterfeit cards. Until chip readers are 100 percent adopted across all platforms, this type of fraud will be an issue for businesses. To mitigate this sort of fraud, businesses and consumers are urged by the FBI to use and look for sealed cards in stores and to store cards behind counters with limited access. Banks are encouraged to make the transition to chip-embedded cards due to their improved security. Businesses should also educate customers and ensure employees are trained on stop loss.

Relevant URL(s): https://krebsonsecurity.com/2018/05/detecting-cloned-cards-at-the-atm-register/

Phishing Attack Bypasses Two-Factor Authentication

Two-factor authentication (2FA) adoption has been pushed and encouraged around the world to help strengthen login security measures and protect customers' data. 2FA has helped businesses and consumers improve security, but attackers have found ways to circumvent this best practice by way of social engineering. The phishing tool described in the article essentially creates an email with a fake but similarly spelled URL (linkedin to linked). Once the link in the email is clicked, it takes the user to a page that resembles the actual web page, where they are prompted for their username and password. The attacker sees not only the username and password but also the session cookie. With the session cookie, the attacker does not need the username, password or 2FA code: they open the site in their browser, paste the session cookie into their developer tools and hit refresh, which puts them in the same session as the user. Businesses are urged to ensure their users have access to education and training, conduct simulated phishing attacks, and put employees through updated security awareness training.

Relevant URL(s): https://www.darkreading.com/endpoint/phishing-attack-bypasses-two-factor-authentication/d/d-id/1331776

Office 365 Defenses Vulnerable to baseStriker Malware

Avanan, a cloud-security firm, tested a flaw called baseStriker against Office 365, Office 365 with ATP and Safelinks, Office 365 with Proofpoint MTA, Office 365 with Mimecast MTA, and Gmail. They discovered that only Office 365 with Mimecast and Gmail are protected and that all other configurations are vulnerable. BaseStriker is being used for phishing attacks and is able to infiltrate Office 365 by splitting and hiding a malicious link using a <base> URL tag, so that link scanners see only the relative fragment rather than the full destination. There is currently no fix for this exploit. Users are encouraged to ensure 2FA is implemented and to practice safe computing habits by not opening links from senders they do not recognize.

Relevant URL(s): https://www.scmagazine.com/office-365-defenses-vulnerable-to-basestriker-malware/article/764475/
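The defensive counterpart to the split-link trick above is a scanner that resolves every href against the message's <base> before checking it. The following is an added example, not code from Avanan or the article; the sample email body and the blocklist are constructed, and `flag_split_links` is a hypothetical helper name.

```python
"""Resolve <base>-relative links in an HTML email so a link filter sees the
effective destination rather than the bare relative fragment."""
from html.parser import HTMLParser
from urllib.parse import urljoin


class BaseAwareLinkExtractor(HTMLParser):
    """Collects every <a href> and resolves it against the first <base href>."""

    def __init__(self):
        super().__init__()
        self.base = None          # first <base href> wins, as in browsers
        self.links = []           # list of (raw href, effective URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]
        elif tag == "a" and attrs.get("href"):
            raw = attrs["href"]
            # urljoin with an empty base leaves an absolute href unchanged
            self.links.append((raw, urljoin(self.base or "", raw)))


def effective_links(html):
    """Return [(raw href, effective URL)] for every anchor in the body."""
    parser = BaseAwareLinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def flag_split_links(html, blocklist):
    """Return links whose effective URL is blocklisted while the raw href is
    not: exactly the case a scanner that ignores <base> would miss."""
    def listed(url):
        return any(url.lower().startswith(b.lower()) for b in blocklist)
    return [(raw, eff) for raw, eff in effective_links(html)
            if listed(eff) and not listed(raw)]


# Constructed sample: a relative "login" link hidden behind a <base> tag.
SAMPLE_EMAIL = (
    '<html><head><base href="https://bad.example/"></head>'
    '<body><a href="login">Verify your account</a> '
    '<a href="https://mail.example/help">Help</a></body></html>'
)
BLOCKLIST = ["https://bad.example/"]  # constructed blocklist entry

if __name__ == "__main__":
    for raw, eff in flag_split_links(SAMPLE_EMAIL, BLOCKLIST):
        print(f"split link: href={raw!r} resolves to {eff}")
```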

Public Breaches Drive Increase in Account Takeover Attempts

Recently, Distil Networks published their 2018 Anatomy of Account Takeover Attacks Report, which highlighted that unethical hackers employ automated programs to launch account takeover attacks.  The report is compiled from data drawn from 600 domains that all include a login page.  These account takeover attacks have the ability to validate credentials, gain access to proprietary financial data and sell personally identifiable information on the dark web.  39 percent of account takeover attacks take place between Friday and Saturday, which shows that most bot operators schedule their attacks for when fewer cyber security personnel are working.  Because the attacks are bot-driven, the data about them makes the attacks more predictable.  It is recommended that organizations educate themselves to identify warning signs and be prepared for the times when most of these attacks occur.

Relevant URL(s): https://www.helpnetsecurity.com/2018/05/02/account-takeover-attempts/

SunTrust Says Ex-Worker May Have Stolen Data on 1.5M Clients

A former employee of SunTrust Bank may have stolen the data of 1.5 million clients.  Compromised information may include names, addresses, account balances, and phone numbers.  Banks can mitigate these types of breaches by implementing an effective data loss prevention solution and prohibiting employees from storing sensitive information on USB drives and personal devices.

Relevant URL(s): https://abcnews.go.com/Business/wireStory/suntrust-warns-15-million-clients-potential-data-breach-54607794

Banks Need to be Worried About Facebook's Data-Sharing Debacle

Banks are increasingly becoming digital businesses, which puts them at high risk of errors such as those faced by Facebook recently.  The need for financial organizations to understand and fulfill customer needs by offering differentiated and more compelling products is leading to more data sharing with partners through application programming interfaces and other tools.  Institutions will need to ensure that information shared with third parties does not violate an individual's privacy, is kept secure at all times, and that customers are aware when their data is shared and how it benefits them.

Relevant URL(s): https://www.americanbanker.com/opinion/banks-need-to-be-worried-about-facebooks-data-sharing-debacle

Large U.S. Banks Scramble to Meet EU Data Privacy Rules

Many large, internationally active U.S. banks are struggling with the General Data Protection Regulation (GDPR), which takes effect May 25.  The regulations do not make it clear which U.S. banks must comply, but those with European offices and those that market or sell products or services to European citizens do.  For smaller regional and community banks, it depends on their analysis of their exposure to European data subjects and what their customer base looks like.  The starting point for GDPR compliance is to conduct a privacy risk impact analysis.

Relevant URL(s): https://www.americanbanker.com/news/large-us-banks-scramble-to-meet-eu-data-privacy-rules

Cybercriminals Hijack Router DNS to Distribute Android Banking Trojan

Security researchers have identified a malware campaign designed to hijack DNS settings on poorly secured and vulnerable routers to inject rogue ads on web pages, redirect users to phishing pages, and distribute the Android banking malware Roaming Mantis.  The malware steals users' sensitive information, login credentials, bank account details, and two-factor authentication codes.  To protect against attacks such as this, routers should have trusted DNS servers hard-coded, run the latest version of firmware, be protected with strong passwords, and have remote administration disabled.

Relevant URL(s): https://thehackernews.com/2018/04/android-dns-hijack-malware.html

Mirai Variant Botnet Takes Aim at Financials

The Mirai botnet was recently used to target at least three European institutions in the financial sector.  These institutions were hit by a distributed denial-of-service (DDoS) attack, one of which hit 30 Gbps.  Researchers determined that the botnet in one attack was comprised of 80% MikroTik routers and 20% various IoT devices.  A layered security strategy focusing on DDoS mitigation services and policy adherence can help to limit the success of these types of attacks and limit downtime.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/mirai-variant-botnet-takes-aim-at-financials/d/d-id/1331472

Azure Guest Agent Design Enables Plaintext Password Theft

Researchers from Guardicore found that attackers can abuse the Microsoft Azure Guest Agent’s design to recover plaintext administrator passwords from target machines.  This flaw can be abused on any Azure machine, Windows or Linux, where the Azure reset password tool was used.  Microsoft recommends customers follow Azure security best practices to protect against this attack.  Azure users are also urged to check if they have reset password configuration files stored on their Azure machines and if so, delete them.

Relevant URL(s): https://www.darkreading.com/vulnerabilities---threats/azure-guest-agent-design-enables-plaintext-password-theft-/d/d-id/1331317

Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors

Analytic efforts between the Department of Homeland Security (DHS) and the FBI uncovered information on Russian government actions targeting U.S. Government entities and multiple other critical infrastructure sectors.  This campaign was carried out in two phases: staging and intended targets.  Initial victims were most often trusted third-party suppliers, which were used as pivot points to obtain access to their final intended victim networks.  The DHS and the FBI believe the ultimate objective is to compromise organizational networks.  Banks should update their defense systems with the indicators of compromise provided by the DHS and FBI to help identify and block this attack.

Relevant URL(s): https://www.us-cert.gov/ncas/alerts/TA18-074A

Malware Leveraging PowerShell Grew 432% in 2017

The total number of PowerShell malware samples observed in 2017 was 432% higher than that in 2016, with 267% of that increase in the fourth quarter, according to McAfee.  Attackers take advantage of PowerShell's legitimate functionality to carry out malicious activity, such as command and control communications, credential theft, privilege escalation, and concealing lateral movement on breached networks.  Banks can better protect their systems by ensuring network segmentation is properly implemented and by disabling PowerShell throughout the organization.

Relevant URL(s): https://www.darkreading.com/vulnerabilities---threats/malware-leveraging-powershell-grew-432--in-2017/d/d-id/1331255

North Korea Threat Group Targeting Turkish Financial Orgs

McAfee reported finding malware associated with North Korean group Hidden Cobra on Turkish systems belonging to three large financial institutions and at least two major government-controlled entities in March.  The malware, Bankshot, was distributed via sophisticated phishing emails in these latest attacks.  They believe the goal was to “surveil their operations, establish functions of their processes, and ultimately compromise funds”.  Regular social engineering and phishing testing coupled with end-user awareness training can help protect against threats such as this.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/north-korea-threat-group-targeting-turkish-financial-orgs/d/d-id/1331223

Threats from Mobile Ransomware & Banking Malware Are Growing

The number of unique mobile malware samples increased greatly in 2017.  Compared to the previous year, unique mobile ransomware samples increased 415%, while the number of distinct mobile banking malware samples increased by 94%.  Android is the predominant target for most malicious apps, but attackers are starting to target iOS more due to the number of potential victims.  As always, users should keep their mobile devices updated to the latest version, avoid installing apps from third-party app stores, and carefully review the permissions that apps request.  

Relevant URL(s): https://www.darkreading.com/mobile/threats-from-mobile-ransomware-and-banking-malware-are-growing-/d/d-id/1331140

SWIFT Network Used in $2 Million Heist at Indian Bank

Once again, the Society for Worldwide Interbank Financial Telecommunications (SWIFT) system was leveraged to transfer nearly $2 million through three unauthorized remittances in February.  India-based City Union Bank's SWIFT systems were hacked and leveraged to transfer the funds to accounts in Dubai, Turkey, and China.  City Union Bank is working with authorities to investigate and has found no evidence of internal staff involvement.  Multiple layers of security, such as continuous network monitoring, fraud detection solutions, and adaptive endpoint protection, can help protect against threats such as this.

Relevant URL(s): https://www.reuters.com/article/us-city-union-bank-swift/indias-city-union-bank-ceo-says-suffered-cyber-hack-via-swift-system-idUSKCN1G20AF

U.S. Announces Takedown of $530 Million Cyberfraud Network

The U.S. Department of Justice recently announced one of the largest cyberfraud prosecutions it has ever undertaken.  36 individuals that were part of an international cybercrime ring were charged.  The group, called Infraud, operated like a business and allegedly stole $530 million through purchases made with pilfered and counterfeit credit card information.  Consumers can better protect themselves by monitoring account balances and activity closely and reporting potential indicators of compromise immediately. 

Relevant URL(s): https://www.paymentssource.com/articles/us-announces-take-down-of-530-million-cyberfraud-network

Criminals Obtain Code-Signing Certificates Using Stolen Corporate IDs

New research indicates that code-signing certificates are being created using stolen corporate identities.  Malware authors then use these certificates when distributing their malicious software, because most systems assume signed code can be trusted.  This hard-to-spot malware has been used in a wide range of attacks, such as website spoofing, data exfiltration, and man-in-the-middle attacks.  Application whitelisting technologies and sophisticated endpoint protection can help mitigate this pervasive threat.

Relevant URL(s): https://www.darkreading.com/vulnerabilities---threats/criminals-obtain-code-signing-certificates-using-stolen-corporate-ids--/d/d-id/1331113

New Zero-Day Ransomware Evades Microsoft, Google Cloud Malware Detection

A new ransomware variant, dubbed Shurl0ckr, managed to evade the built-in malware protections on Google Drive and Microsoft Office 365.  In fact, only seven percent of 67 major antivirus platforms detected it.  Shurl0ckr has been observed being distributed via drive-by downloads and phishing emails.  Using restricted accounts for day-to-day work and leveraging adaptive endpoint security solutions can limit exposure to ransomware attacks.  

Relevant URL(s): https://www.darkreading.com/cloud/new-zero-day-ransomware-evades-microsoft-google-cloud-malware-detection/d/d-id/1330999

Over 12,000 Business Websites Leveraged for Cybercrime

Researchers found that over 12,000 websites in the business category were used to deliver malware or launch cyberattacks in 2017.  Much of this is attributed to the background sites, such as ad delivery networks, that sites in the business category contact behind the scenes.  They also found that economy and business sites ran more vulnerable software, hosted more phishing sites, and experienced more security incidents than other categories in 2017.  These threats can often be mitigated with up-to-date, adaptive web security filtering solutions.  

Relevant URL(s): https://www.darkreading.com/endpoint/over-12000-business-websites-leveraged-for-cybercrime/d/d-id/1330980