Archive for July 2019

FIN8 Reappears with BADHATCH Malware

The financially motivated threat group known as FIN8 has recently reemerged after being somewhat dormant, according to new research from Gigamon’s applied threat research (ATR) team. 

Researchers have published findings that show FIN8 continues to evolve and adapt its tools. As part of the threat research, ATR discovered a reverse shell from FIN8, dubbed BADHATCH, while observing variants of the ShellTea implant and PoSlurp memory scraper malware. In the report, ATR also compares BADHATCH to other popular malware variants, such as PowerSniff.

“The BADHATCH sample begins with a self-deleting PowerShell script containing a large byte array of 64-bit shellcode that it copies into the PowerShell process’s memory and executes with a call to CreateThread. This script differs slightly from publicly reported samples in that the commands following the byte array are base64 encoded, possibly to evade security products. While previous analyses saw PowerSniff downloaded from online sources and executed, Gigamon ATR incident response partners recorded the attackers launching the initial PowerShell script via WMIC,” researchers wrote.

In its initial stage, BADHATCH locates the embedded DLL in order to execute the injection, which creates a local event job. “On startup, and every 5 minutes thereafter, the sample beacons to a hardcoded command and control (C2) IP (149.28.203[.]102) using TLS encryption, and sends a host identification string derived from several system configuration details and formatted as %08X-%08X-%08X-%08X-%08X-SH. Only the one hardcoded IP address and no C2 domains were observed,” the report said.

BADHATCH reportedly contains no methods for sandbox detection, differentiating it from PowerSniff. Additionally, “it includes none of the environmental checks to evaluate if it is running on possible education or healthcare systems and has no observed built-in, long-term persistence mechanisms.”

One of the more important tools in the FIN8 toolkit is the component that retrieves credit card numbers as they pass through payment-card processing systems, the report said. Breaking down FIN8’s information collection process, the researchers explained that the malicious actors first deploy the non-persistent BADHATCH reverse shell to the server and then issue commands to each POS system in a target list before executing the PoSlurp.B PowerShell script.
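The indicators quoted above (a hardcoded C2 IP, a beacon on startup and every 5 minutes over TLS, and a host ID formatted as %08X-%08X-%08X-%08X-%08X-SH) are enough to build a simple network-side check. The script below is an added example, not code from Gigamon ATR or the report; the connection log lines and their CSV layout are constructed for illustration, and the 5% jitter tolerance and 4-hit minimum are assumed thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Indicators as quoted in the article from the Gigamon ATR report.
BADHATCH_C2 = "149.28.203.102"   # the hardcoded C2 IP, written defanged in the text
BEACON_SECONDS = 300             # beacon on startup and every 5 minutes thereafter
# Host identification string produced by the format %08X-%08X-%08X-%08X-%08X-SH
HOST_ID_RE = re.compile(r"^(?:[0-9A-F]{8}-){5}SH$")

# Constructed sample connection log (timestamp,src,dst,dport): one host
# beaconing to the reported C2 roughly every 5 minutes, plus unrelated traffic.
SAMPLE_LOG = """\
2019-07-01T10:00:00,10.0.0.5,149.28.203.102,443
2019-07-01T10:00:07,10.0.0.5,93.184.216.34,443
2019-07-01T10:05:01,10.0.0.5,149.28.203.102,443
2019-07-01T10:07:30,10.0.0.9,93.184.216.34,443
2019-07-01T10:09:59,10.0.0.5,149.28.203.102,443
2019-07-01T10:12:10,10.0.0.9,93.184.216.34,443
2019-07-01T10:15:00,10.0.0.5,149.28.203.102,443
2019-07-01T10:20:00,10.0.0.5,149.28.203.102,443
2019-07-01T10:31:45,10.0.0.9,93.184.216.34,443
"""


def is_badhatch_host_id(value):
    """True if `value` has the reported shape: five uppercase 8-hex groups then '-SH'."""
    return HOST_ID_RE.fullmatch(value) is not None


def parse_log(text):
    """Parse 'timestamp,src,dst,dport' lines into (epoch, src, dst, dport) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split(",")
        epoch = datetime.fromisoformat(ts + "+00:00").timestamp()  # treat as UTC
        records.append((epoch, src, dst, int(dport)))
    return records


def periodic_pairs(records, period=BEACON_SECONDS, tolerance=0.05, min_hits=4):
    """Map (src, dst) -> inter-connection gaps for TLS-port pairs whose gaps
    cluster tightly around `period` seconds, i.e. look like a fixed-interval beacon."""
    times = defaultdict(list)
    for epoch, src, dst, dport in records:
        if dport == 443:                      # BADHATCH beacons over TLS
            times[(src, dst)].append(epoch)
    found, slack = {}, tolerance * period
    for pair, ts in times.items():
        ts.sort()
        if len(ts) < min_hits:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if abs(mean(gaps) - period) <= slack and pstdev(gaps) <= slack:
            found[pair] = gaps
    return found


def detect(text):
    """Return {(src, dst): (confidence, [reasons])}. A match on the reported C2
    is high confidence; 5-minute periodicity to any destination alone is medium."""
    records = parse_log(text)
    c2_pairs = {(src, dst) for _, src, dst, _ in records if dst == BADHATCH_C2}
    reasons = defaultdict(list)
    for pair in sorted(c2_pairs):
        reasons[pair].append("connection to reported BADHATCH C2")
    for pair, gaps in periodic_pairs(records).items():
        reasons[pair].append(f"{len(gaps)} gaps within 5% of {BEACON_SECONDS}s")
    return {p: ("high" if p in c2_pairs else "medium", r) for p, r in reasons.items()}


if __name__ == "__main__":
    for (src, dst), (conf, why) in detect(SAMPLE_LOG).items():
        print(f"{conf:6} {src} -> {dst}: {'; '.join(why)}")
```

The host ID check only applies where the beacon payload is visible (TLS inspection, sandbox output or memory), since the string itself is sent inside the encrypted session.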

Source: Information Security Magazine

Lancaster University Confirms Data Breach, Applicants Targeted

Lancaster University has confirmed that it was “subject to a sophisticated and malicious phishing attack” which resulted in breaches of student and applicant data.

This has led to undergraduate student applicant data records for 2019 and 2020 being accessed, including names, addresses, telephone numbers and email addresses. Lancaster confirmed in its statement that it was “aware that fraudulent invoices” were being sent to some undergraduate applicants and has warned applicants to be aware of any suspicious approaches.

Also breached was Lancaster’s student records system. “At the present time we know of a very small number of students who have had their record and ID documents accessed,” it confirmed.

Its statement said that it “acted as soon as we became aware that Lancaster was the source of the breach on Friday” and immediately reported the issue to the Information Commissioner’s Office.

“Since Friday we have focused on safeguarding our IT systems and identifying and advising students and applicants who have been affected,” it said.

A spokesperson for the Information Commissioner’s Office said that the incident had been reported to them, and it was currently assessing the information provided.

The news follows the announcement that over 60 US colleges had been compromised after hackers exploited a vulnerability in popular ERP software.

Ed Macnair, CEO of Censornet, said that this proves how targeted cyber-criminals are becoming in their hacking methods, and how any and all sectors are now at constant risk. “The attack happened through the ever persisting phishing method,” he said. “This kind of data allows criminals to carry out attacks like credential stuffing, where hackers attempt to log in to a number of an individual's accounts with the intent to access card details that have been linked to certain accounts.

“This attack highlights how absolutely any organization is now vulnerable to being hacked, so more vigilance, education, and sophisticated protection is required.”  

Source: Information Security Magazine

Iranian Threat Group Targets LinkedIn Users

Iranian threat actors are believed to be behind a phishing campaign that is masquerading as a member of Cambridge University to target users of LinkedIn, according to FireEye.

"In June 2019, FireEye devices detected a large phishing campaign from APT34 targeting Middle East critical infrastructure, telecom, and oil and gas entities. This campaign is consistent with the overall Iranian targeting of the energy sector that we’ve seen dating back to at least 2012. Further, this activity is representative of Iran's overarching efforts to collect strategic information of relevance to its national interests. With increasing geopolitical tensions between the U.S. and Iran and the introduction of new sanctions, we expect Iran to continue to increase the volume and scope of its cyber-espionage campaigns," FireEye's principal analyst, cyber-espionage analysis, Cristiana Brafman Kittner wrote in an email.

In addition, the behavior aligns with elements of activity reported as OilRig and Greenbug by various security researchers who have attributed those attacks to APT34. "This threat group has conducted broad targeting across a variety of industries operating in the Middle East; however, we believe APT34's strongest interest is gaining access to financial, energy, and government entities,” researchers wrote.

Victims received a message from Rebecca Watts, who purported to be a member of the research staff at Cambridge University.

Credit: FireEye

These types of attacks have been seen across social media platforms, whereby criminals attempt to gain a foothold into the network or infrastructure by inducing users to click on malicious links or to download compromised files.

“Organizations and nation-states should be prepared for what is already to all intents and purposes a war. Cybercrime, much like any other form of criminal activity, is either motivated by monetary gains or by political interests, or – more often – by both,” said DomainTools’s senior security advisor Corin Imai.  

“Both private and public organizations should be investing in their employees’ cybersecurity training. As threats continue to evolve, having a solid foundational understanding of the best practices to stay safe online is the most effective way to create a first line of defense. In the current climate, organizations can no longer compromise on their security efforts, which should be holistic and account for both technical vulnerabilities and for human ones,” said Imai.

Source: Information Security Magazine

We “Cannot Stop Cyber-Attacks,” Say Over 40% of UK Orgs

More than 40% of UK organizations believe cyber-attackers can infiltrate their networks at every attempt, according to new research from CyberArk.

CyberArk surveyed 1000 global organizations and detailed its findings in the CyberArk Global Advanced Threat Landscape Report 2019. The firm discovered that while UK organizations view privileged access security as a core component of an effective cybersecurity program, understanding has not yet translated to action.

For example, only 45% of those polled have a privileged access security strategy in place for protecting business-critical applications, and the same proportion for cloud infrastructure, with even fewer having a strategy for DevOps (28%) or IoT (20%).

What’s more, only 17% of respondents understood that privileged accounts, credentials and secrets exist in containers.

UK organizations ranked hackers (74%), organized crime (57%), hacktivists (46%) and privileged insiders (42%) among the greatest threats to critical assets.

Rich Turner, SVP EMEA, CyberArk said: “These findings are sober reading for businesses and cybersecurity practitioners. Despite the vast sums being spent on cybersecurity, it’s clear that businesses have very little confidence in their ability to defend themselves from cyber-attacks, protect their most critical assets, or their value creation activities. UK businesses need to be on the front foot with security, know what is most valuable to them, how it may be attacked and how to protect it while ensuring their cyber-strategy supports collaboration and innovation.

“Proactive cybersecurity strategies have to be implemented wherever critical data and assets live, specifically to manage and secure the privileged credentials that are fundamental to their operation. This is the most valuable step security teams can take to support wider business initiatives in today’s digital economy.”

Source: Information Security Magazine

Pen Tests Show Passwords Still a Security Problem

Passwords continue to be a top security challenge for organizations, with penetration testers revealing that they can easily guess passwords in the majority of their engagements, according to the 2019 Under the Hoodie report published by Rapid7.

The new report, which documents the results of 180 pen tests carried out from September 2018 through May 2019, highlights the most common external and internal weaknesses present in companies. Sample findings showed that password management continues to be a problem. In 72% of engagements hackers were able to compromise one password. Of those, 60% were easily guessed passwords.

In its fifth year, the report shows year-over-year progress. The data suggests that basic network segmentation controls between internal and external networks are generally effective, particularly when looking at migration to the cloud for externally accessible resources. 

In only 21% of externally based engagements were hackers able to gain internal LAN access. The numbers decreased significantly for web-application-specific engagements, where hackers were rarely, if ever, successful (under 3%) at achieving a total site-wide compromise. Over 70% of web applications were hosted somewhere other than the client's data center, making an attacker’s path far more complex.

“The traditional 'external compromise' test, where the client wants to ferret out their weaknesses and exposures that are exposed to the general internet, is the most popular scoping choice, accounting for just about 40% of the engagements surveyed,” according to the report.

“This makes sense, since most clients are concerned about external bad actors – the criminal hackers that don't already have some reach into the internal network and are seeking some kind of leverage over the target to execute whatever criminal enterprise they're involved in.”

Once attackers gain a foothold, the next task is to leverage access to more and better systems across the internal network. Increasingly attackers are veering away from using PowerShell to gain a foothold because its restrictions are “becoming increasingly common in enterprise Windows networks, and while attackers got a lot of mileage in years past with PowerShell, those techniques seem to be falling by the wayside in 2019,” the report said.

Source: Information Security Magazine

New Laws in Asia Pacific Impact Threat Landscape

The Chinese government is enabling law enforcement and the military to monitor citizen behavior through advanced artificial intelligence and video surveillance, according to Charity Wright, a former NSA analyst and now cyber threat intelligence analyst at IntSights Cyber Intelligence, who presented at the Asia Pacific & Japan 2019 RSA Conference.

In her presentation, Dark Consequences: How New Laws Are Impacting the Cyberthreat Landscape, Wright said the Chinese government has developed and implemented technology that can recognize people by their facial features and movements, eye color, hair color and distinct marks in an effort to increase national security. “This technology is implemented through millions of cameras across the nation and in airports and is allegedly able to find an individual in real time and send location information to law enforcement,” Wright wrote in an email to Infosecurity Magazine.

Additionally impacting the cyber-threat landscape is Vietnam’s Cybersecurity Law of 2017, which, Wright explained, “allows the government to collect data, including encrypted data within its borders and internet infrastructure, and forces companies in Vietnam to allow the government access to all data.”

Slide from Wright's Talk on Dark Consequences

The law also limits the content allowed within Vietnam and enables the government to secure the nation against foreign and domestic threats to the people and the regime, with a focus on cyber-threats from criminals and advanced nation-state actors, Wright said.

As many of these laws enforce limitations on how citizens can use the internet, the information they can access and what business they are allowed to do, Wright said, “Some restrictions incite fear of being constantly monitored by technology and government forces and push users to the dark web for anonymity in their internet use. Many people are flocking to cryptocurrency forums and dark web tutorials for advice on how to stay anonymous, how to not be tracked by their government and how to use alternate currencies. As usership in dark web forums grows, business grows. The deep web is often a gateway to criminal forums and markets that clear-web users would not be exposed to.”

Source: Information Security Magazine

TrickBot Trojan Pushed as Browser Update

A fake Office 365 site created by malicious actors has been discovered distributing a password-stealing Trojan, according to MalwareHunterTeam.

Disguised as Chrome and Firefox browser updates, the site is actually sharing the TrickBot Trojan. 

Fake Office 365 Site

The above sample of one of the links appears to be legitimate, but the site quickly alerts the user that the browser needs to be updated, according to BleepingComputer. Clicking on the update button then launches an executable that installs the Trojan, the report said. 

"Chrome is the leading browser, with 63% of web users, which translates to billions of users. With Chrome removing the XSS Auditor, web applications are now at risk of delivering a poor user experience. More users are potentially vulnerable to client-side injections due to that lack of alternatives,” said Deepak Patel, security evangelist at PerimeterX.

“Also, most users are unaware of the security implications of XSS Auditor removal," he continued. "As a result of the change in Chrome, web application owners now have to take a hard look at client-side protection to preserve the user's intended path on their web properties. There is also an explosion in the use of third-party code/libraries in any modern application amplifying the client-side threats. The e-commerce, travel and hospitality, and retail verticals, in particular, need to protect their brand reputation. There is a good chance, with Chrome removing XSS Auditor, that bad actors will cash in and infect more users and web visitors. It is time to bolster application security with client-side protection and advanced bot management and mitigation. It is imperative for application owners to take control of the third-party code that runs on the users’ browser."

Users are being warned to avoid installing browser updates prompted from pop-up alerts. 

Source: Information Security Magazine

Equifax to Pay $575m in Data Breach Settlement

In a settlement between Equifax and the United States, the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB), Equifax will pay $575 million for damages related to the 2017 data breach, according to today’s press release.

The allegations against Equifax claimed that the company failed to take “reasonable steps to secure its network led to a data breach in 2017 that affected approximately 147 million people,” the release stated.

“In its complaint, the FTC alleges that Equifax failed to secure the massive amount of personal information stored on its network, leading to a breach that exposed millions of names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud.”

The settlement could potentially cost a total of $700 million given that the agreement mandates that Equifax implement a comprehensive information security program.

“I’m far from an Equifax apologist, but the truth is it could have been anyone. It’s not an excuse but rather the reality we live in. The best outcome isn’t Equifax making the situation right – although that is important for all of those affected – it’s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place,” said Adam Laub, CMO, STEALTHbits Technologies.

“And it’s got to be from the ground up too. There’s no silver bullet. There’s no one thing that mitigates the exposure. A multilayered, multifaceted approach is critical to making the juice not worth the squeeze for bad actors looking to score quickly and easily.”

One of the largest data breaches on record, the Equifax breach exposed the personal data of millions of people, much of which is likely still being used in account takeover (ATO) attacks, which is one reason Colin Bastable, CEO, Lucy Security, said, “We need a consumer compensation fund, into which all of these fines are paid, for disbursement to long-abused US consumers. And maybe we could rein in the credit reporting industry – if they did not collect and sell our personal financial data, we would not be in this mess.”

Source: Information Security Magazine

Ex-NSA Contractor Gets Nine Years for Stealing Secret Docs

A former government contractor has been sentenced to nine years behind bars after stealing as much as 50TB of sensitive information over two decades.

Harold Martin III, 54, of Glen Burnie, Maryland, pleaded guilty to all charges – having previously denied them – back in March.

From December 1993 to August 27, 2016, he was employed by at least seven different defense contractors including Edward Snowden’s former employer, Booz Allen Hamilton.

He worked at the NSA and a number of other government agencies, holding security clearances up to Top Secret and Sensitive Compartmented Information (SCI) at various times.

Martin has admitted that, over a period of more than 20 years, he stole and kept documents relating to national defense: both hard copies and digital files, including Top Secret and SCI information.

“As detailed in his plea agreement, Martin retained the stolen documents and other classified information at his residence and in his vehicle. Martin knew that the hard copy and digital documents stolen from his workplace contained classified information that related to the national defense and that he was never authorized to retain these documents at his residence or in his vehicle,” a DoJ statement noted.

“Martin admitted that he also knew that the unauthorized removal of these materials risked their disclosure, which would be damaging to the national security of the United States and highly useful to its adversaries.”

The big question is why Martin stole the documents. His defense team claimed it was only so that he could bone up on work at home to get better at his job. He was linked in some news reports to major leaks of sensitive government information by WikiLeaks and Shadow Brokers, although never charged.

Martin’s nine-year sentence will be followed by three years of supervised release.

Source: Information Security Magazine

Over 60 US Colleges Compromised by ERP Exploit

Scores of US colleges and universities have been compromised after hackers exploited a vulnerability in popular ERP software, according to the Department of Education.

The government revealed the campaign in an alert last week, explaining that the flaw in question exists in the Ellucian Banner Web Tailor versions 8.8.3, 8.8.4, and 8.9, and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4.

The former is a module of the Ellucian Banner ERP platform which allows organizations to customize their web apps. The latter is employed to manage user accounts.

The vulnerability in question, CVE-2019-8978, is an “improper authentication” flaw which has a CVSS 3.0 score of 8.1 (high) and could allow attackers to remotely access user accounts.

“This vulnerability allows remote attackers to steal a victim's session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in the case tested is the institutional ID,” noted a NIST advisory. “During a login attempt by a victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for this victim.”

The education department has now identified 62 colleges that have been affected by the flaw, after revealing that it spotted cyber-criminals actively scanning for organizations that had yet to patch.

“Victimized institutions have indicated that the attackers exploit the vulnerability and then leverage scripts in the admissions or enrolment section of the affected Banner system to create multiple student accounts,” the notice explained.

“It has been reported that at least 600 fake or fraudulent student accounts were created within a 24-hour period, with the activity continuing over multiple days resulting in the creation of thousands of fake student accounts. Some of these accounts appear to be leveraged almost immediately for criminal activity.”

It's unclear exactly what criminal activity was afoot, although the notice warned that because Banner “affects or influences all aspects of academic administration,” the vulnerability could put financial aid data at risk.

Source: Information Security Magazine