Week in Review 17 October 2015
Detecting Spear Phishing Attacks that Slip Past Defenses (#PhishLabs)
While desirable, blocking all threats in the Prevent phase is not achievable. Inevitably, a portion of email-based attacks will exhibit characteristics too similar to legitimate business activity to block or quarantine them prior to delivery into user inboxes. The objective of the Detect phase is to see these attacks that reach user inboxes and recognize them as a potential threat.
Consumer Alert: Debit card fraud at Walmart discovered in 16 states (#CSO)
Consumers are being warned about an uptick in the number of fraudulent purchases being made at Walmart, which in some cases has resulted in their financial institution moving to deny debit card transactions unless a PIN is used.
FBI and UK cops smash Dridex high-stakes bank-raiding botnet (#ZDNet)
Joint efforts by law-enforcement agencies in the US and UK have crippled an eastern European gang behind the bank credential-stealing botnet known as Dridex.
New zero-day exploit hits fully patched Adobe Flash [Updated] (#ARS Technica)
Update on October 14 at 1:15pm PDT: #Adobe officials have confirmed this vulnerability affects Flash version 18.104.22.168, which was released on Tuesday. The vulnerability has been cataloged as CVE-2015-7645. The company expects to release a fix next week.
The Dark Web Uncovered: From Stolen Netflix Accounts to CNI Hacks (#Info Security)
A new report from Intel Security has shone a light on the shadowy world of Dark Web #cybercrime markets, where everything from £1 Netflix accounts to critical infrastructure access is available.
U.S. accuses hacker of stealing military members’ data and giving it to ISIS (#The Washington Post)
The Justice Department has charged a hacker in Malaysia with stealing the personal data of U.S. service members and passing it to the Islamic State terrorist group, which urged supporters online to attack them.
Why ATM Fraud Will Continue to Grow (#Bank Info Security)
ATMs and other self-service payment devices, such as pay-at-the-pump gas terminals, have always been prime targets for criminals. These unattended terminals are easy to compromise with card skimmers and well-placed cameras designed to capture PINs as they’re entered on PIN pads.
In other Security News…
Outlook Web App Attack, Angler #Exploit Kit Disrupted, #California Privacy Law
#Samsung’s mobile payment system, LoopPay, was hacked earlier this year, only a month before the tech giant acquired the company for more than $250 million. According to The New York Times, a notorious hacking group breached #LoopPay’s corporate network back in February; however, the start-up says there has been no indication that the hackers infiltrated Samsung’s systems or that consumer data had been exposed.
Researchers discovered an advanced attack leveraging the Microsoft Outlook Web App (#OWA), which could provide intruders with access to a large number of enterprise credentials, allowing them to gain persistent control over an organization’s environment. Security firm Cybereason warned the attack consisted of a malicious module loaded onto the internet-facing webmail server, giving attackers the ability to record authentication credentials, as well as handing over complete backdoor capabilities.
#Cisco’s Talos Security Intelligence and Research Group announced the disruption of a large ransomware campaign connected to the Angler exploit kit – one of the most sophisticated exploit kits on the market, estimated to have generated more than $30 million in revenue through ransomware attacks. After a deep analysis of the domain activity associated with the adversaries, researchers contacted affected hosting providers to shut down malicious servers, and Cisco updated its products to prevent redirects to Angler proxies.
“This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information (PII) are generating hundreds of millions of dollars annually,” said the researchers.
#Apple said it has removed several #apps from its App Store that could potentially be used to monitor information sent to and from iPhones and iPads. An Apple spokesperson stated: “We’ve removed a few apps from the App Store that install root certificates which enable the monitoring of customer network data that can in turn be used to compromise SSL/TLS security solutions.” The move comes shortly after numerous cybersecurity firms reported that dozens, if not thousands, of Chinese apps available on the App Store contained embedded malware.
California Gov. Jerry Brown signed a privacy bill into law this week mandating that the state’s law enforcement agencies obtain a warrant for online data, including text and email messages, geographical location, as well as files stored remotely on cloud services. Among the bill’s supporters were tech and social media giants Google, Facebook and Twitter.
“For too long, California’s digital privacy laws have been stuck in the Dark Ages, leaving our personal emails, text messages, photos and smartphones increasingly vulnerable to warrantless searches. That ends today with the Governor’s signature of CalECPA, a carefully crafted law that protects personal information of all Californians. The bill also ensures that law enforcement officials have the tools they need to continue to fight crime in the digital age,” said Sen. Mark Leno (D-San Francisco).
A vulnerability in #Netgear routers – which was previously disclosed by researchers – has been publicly exploited. According to Threatpost, an unidentified user notified Compass Security, a firm based in Switzerland, of experiencing router instability. The company found that all DNS queries had been redirected to the attacker’s server. Netgear has yet to release patched firmware but is reportedly working with Compass to address the issue.
Trump Hotel Collection recently announced confirmation of a credit card breach that occurred over a year-long period, potentially resulting in the theft of credit cards used at its string of luxury hotel properties. The company stated that the breach affects customers who used their credit or debit cards at locations between May 19, 2014, and June 2, 2015.
“Immediately upon learning of a possible incident, we notified the F.B.I. and financial institutions, and engaged an outside forensic expert to conduct an investigation of the incident,” said the company.
“In addition, as part of the investigation, we removed the #malware and are in the process of reconfiguring various components of our network and payment systems to further secure our payment card processing systems.”
Notable news stories and security related happenings:
Citizen Lab released a report identifying thirty-two countries whose governments are most likely using FinFisher, a commercial spyware suite used by law enforcement and intelligence agencies that is criticized by human rights advocates. By querying FinFisher “anonymizing proxies” to identify the location of master servers, the lab found more servers than ever previously detected. Based on the lab’s findings, the governments of Angola, Egypt, Gabon, Jordan, Kazakhstan, Kenya, Lebanon, Morocco, Oman, Paraguay, Saudi Arabia, Slovenia, Spain, Taiwan, Turkey, and Venezuela are all suspected of using FinFisher software. Many of the countries listed in the FinFisher report also appear in Citizen Lab’s 2014 report of countries likely to be using rival Hacking Team spyware.
As Congress signals that it may be ready to reform the 1986 Electronic Communications Privacy Act (ECPA), California Governor Jerry Brown has signed the state’s own electronic communications privacy law. The new legislation requires state law enforcement personnel to obtain a search warrant to access Californians’ electronic communications, including metadata and location data, which are generally not afforded the same protections as text messages and e-mails in other states or at the federal level. The law has widespread and bipartisan support in the state and could provide a basis for future privacy legislation. Meanwhile, the federal ECPA continues to enable law enforcement to retrieve electronic communications more than 180 days old without a warrant.
The White House announced that the Obama administration “is not seeking legislation at this time” to create backdoors for law enforcement to access encrypted data stored on smartphones and other digital devices. Although many have lauded President Obama’s decision as a victory for Apple, Google, and privacy advocates, the decision could easily be reversed by the next president in 2017.
According to Bloomberg, Russian cyberattacks are on the rise, and the Kremlin’s “newly bellicose behavior in cyberspace” mirrors its increasingly aggressive military campaigns in Ukraine and Syria. Over the last year, Russian-based hackers are believed to have breached targets as varied as the Polish stock market, the French TV network TV5 Monde, a German steel plant, the New York Times, and the U.S. House of Representatives, occasionally leaving false trails and once even wreaking physical destruction. While Chinese cyber activity traditionally gets the most attention in the press, Russian cyber activity is often seen as stealthier and harder to detect.
Researchers are puzzling over the Linux.Wifatch malware — sophisticated code which appears to help secure IoT devices, and yet also forces infected devices into a peer-to-peer network of infected systems. On Thursday, Symantec researchers revealed their research into the activity of Wifatch, a peculiar piece of code which does not replicate the usual activities of malware such as bricking systems, conducting surveillance or stealing data.
A Russian national was sentenced on Tuesday to 4-1/2 years in U.S. prison for using sophisticated malware known as “Citadel” to steal banking information from thousands of computers, authorities said. Dimitry Belorossov, 22, of St. Petersburg, had pleaded guilty in July 2014 to one count of conspiring to commit computer #fraud for his role in a $500 million global cybercrime scheme that infected more than 11 million computers worldwide. U.S. District Judge Thomas Thrash in Atlanta imposed the sentence, which also requires Belorossov to pay more than $320,000 in restitution.
It appears hackers have figured out how to launch crippling distributed denial-of-service (DDoS) attacks through ad networks. The DDoS mitigation team at CloudFlare recently observed a large-scale attack which they believe was the result of malicious ads being loaded inside apps and browsers on mobile devices. The attack, which targeted one of the company’s customers, peaked at 275,000 HTTP requests per second and was launched from over 650,000 unique IP (Internet Protocol) addresses, most of them from China.
Hilton Worldwide is looking into reports that credit card information may have been exposed in hacks at Hilton Hotel properties across the U.S. Cybersecurity journalist Brian Krebs, citing several banking sources, reported on his blog on Friday that a pattern of fraud has been detected involving credit cards that had been used at point-of-sale registers in gift shops and restaurants at “a large number of Hilton Hotel and franchise properties.”
A data security research organization, the Ponemon Institute, conducted a study of 350 companies from 11 different countries that had encountered a #data breach in the past year. Their findings are sobering. How much do data breaches cost? The Ponemon Institute found that the cost of data breaches is rising.