Threat Intelligence Posts

TARGET – British Airways Credit Card Data Breach

September 7, 2018

On September 7th, it was publicly disclosed that 380,000 customer transactions processed by the British Airways website between August 21st and September 5th were compromised by attackers. The information believed to have been obtained included the name, email address, and credit card information for each transaction, including the credit card CVV code.

Details of exactly how the British Airways site was hacked are not publicly available at this time. Because the CVV code was part of the stolen data, security researchers believe that the hackers may have copied customer data as it was entered into the British Airways website.

Users affected are currently being notified. British Airways disclosed the breach within 72 hours of it becoming known, in line with the new GDPR regulations. Under GDPR, if British Airways is found to have not done enough to protect consumer information, it could face a fine of up to 4 percent of annual revenue, which is by some estimates around 500,000 pounds.

Proficio Threat Intelligence Recommendations:

  • Validate that public-facing web services that process payment information are patched.

  • Make sure websites that process payment information have a continuous monitoring solution in place to detect intrusions.

TARGET – Democratic National Committee Phishing Mix-up

August 23, 2018

On August 22nd, the Democratic National Committee issued a press release stating that a cybersecurity service provider had alerted them to a phishing page that was stood up to target their Votebuilder website. The investigation was escalated to the FBI, and Russia was immediately suspected due to previous attack activity from 2016.

A day later, the Democratic National Committee came out and stated that the event had been a false alarm and was actually an authorized penetration test being performed against the Michigan Democratic Party.

While the matter drew some bad press, many cybersecurity professionals offered some praise to the DNC for gaining the capability to quickly detect and report the attack. Because of the miscommunication between the DNC and the Michigan Democratic Party, penetration tests and red team activity will likely be coordinated between the groups in the future.

Proficio Threat Intelligence Recommendations:

  • Validate that any red team or penetration test activity performed is coordinated in some way with subsidiaries and business partners that might be affected.

  • Employ two-factor authentication for public-facing web services that hackers might target in a phishing campaign.


VULNERABILITY – New critical vulnerability impacting Apache Struts

August 22, 2018

A new Apache Struts remote code execution vulnerability, tracked as CVE-2018-11776, was recently discovered by security researchers. The root cause of the flaw was identified as a lack of input validation on the URL passed to the Struts framework, and it affects all versions of Struts 2.

CVE-2018-11776 is critical because of how deep in the framework it sits. It affects Struts code not in a single functional area but across all libraries used by the web application framework. Following the discovery, the Apache Software Foundation released a patch and urged all users of Struts 2.3 and Struts 2.5 to upgrade to the latest versions. Shortly after the patch was released on August 22nd, a proof-of-concept was posted on GitHub with a Python script that eases exploitation.

Proficio Threat Intelligence Recommendations:

  • Users of Apache Struts are urged to update their Struts framework to its latest version. More technical details and guidelines can be found in the advisory released by the Apache Software Foundation.

ATTACKER – Dark Tequila banking campaign hits Mexico

August 21, 2018

Kaspersky Lab researchers recently analyzed an active malicious financial campaign dubbed “Dark Tequila” that has heavily targeted Mexico since at least 2013. According to reports, the malware primarily aims at stealing sensitive information, including but not limited to financial data and login credentials to popular websites, domain registers and file storage accounts.

Five operational modules have been identified by the researchers within the multistage payload, spread via spear-phishing or infected USB devices. The supporting infrastructure reportedly proved to be “unusually sophisticated” and the payload activates only if certain specific technical conditions are met. All the stolen data is then encrypted and uploaded to the C2 server.

The campaign is considered to be aimed at Mexican institutions because the malware has a mechanism that uninstalls it if the system is not in Mexico or if the infected host is a "casual" infection. The target list retrieved from the final payload of the malware also contained the names of several Mexican banking institutions, and some of the comments in the code were written in Spanish.

Proficio Threat Intelligence Recommendations:

  • Refrain from opening email from unknown senders and from inserting USB keys of unknown origin.

  • Deploy a spam filter that detects malicious attachments.

  • Always make sure antivirus, software and operating systems are up-to-date.

TARGET – Cosmos Global Bank Hack

August 17, 2018

Cosmos Bank, a co-operative bank based in India with a history of over 100 years, was hit with a globally coordinated attack between August 11th and August 13th. Attackers appeared to coordinate with what is suspected to be several individuals to siphon $13.4 million (Rs 94 crore).

Although many details of the incident are not confirmed, reporting so far indicates that over 14,000 ATM transactions in 28 countries, suspected of having been used to steal Rs 78 crore from the bank, are under investigation. The ATM transactions took place in various countries such as Canada, Hong Kong, and India. Additionally, around Rs 13.92 crore ($1.8 million) was transferred on August 13th to Hong Kong using fraudulent transactions targeting the SWIFT system the bank uses for financial transactions.

It is unconfirmed but suspected that the attackers may have compromised the firewall that protects the servers that authorize ATM transactions. There may have been some type of setup or redirection that allowed ATM withdrawals without actually checking whether the cards being used to make the withdrawals were genuine. The bank has alerted the authorities and a police investigation is taking place.

Please note the level of complexity and coordination for this attack is extremely advanced. The coordinated withdrawals from ATMs all over the world would likely indicate the presence of several individuals involved with this particular campaign.

Proficio Threat Intelligence Recommendations:

  • Monitor government agencies for intelligence around global hacking campaigns that may affect the organization.

  • Validate through organized penetration testing that infrastructure that processes SWIFT transactions and ATM withdrawals cannot be hacked.

METHOD – Business Email Compromise Statistics from FBI

August 15, 2018

Business email compromise (BEC) / email account compromise (EAC) is a scam where a combination of social engineering and computer intrusion techniques is used to obtain a transfer of funds from an organization. Lately, sophisticated, targeted social engineering and compromised email accounts have been used to conduct these attacks. According to the FBI, the scam has been reported in all 50 states in the US and 150 countries. Additionally, between December 2016 and May 2018, there was a 136% increase in identified global exposed losses.

In the report, the FBI mentions the targeting of the real-estate sector as the major increase. The report also mentions that small, medium, and large businesses are being targeted as well.

Since 2015, Proficio has worked with clients that have been targets of various BEC scams. Proficio has observed that impersonation of executives is common and that finance and human resources departments are often targets of the scam.

Although the scams were known, what was not known was the impact of these scams and how profitable they could be for the parties performing the attacks. According to the FBI report, between October 2013 and May 2018, over 78,000 reported incidents accounted for over $12,000,000,000 in losses.

Because these attacks are now in the billions in losses and attackers will likely have resources and motives in the future to perform these attacks, it is recommended to pay a great deal of attention to these types of attacks in the future.

Proficio Threat Intelligence Recommendations:

  • Place additional checks and balances with procedures for wire transfers performed on behalf of the organization.

  • Deploy additional targeted user training around phishing for key executives and individuals in the finance and human resources departments.

  • Report activity to the FBI if a successful BEC happens.

TARGET – GoDaddy Information Exposed on Amazon AWS Cloud

August 14, 2018

Researchers at UpGuard recently discovered a data breach affecting GoDaddy, considered the world’s largest domain name registrar and web host by market share to date. The leaked information was found in June on a publicly accessible AWS S3 bucket named “abbottgodaddy” and referenced the company’s infrastructure running in the Amazon AWS cloud. The majority of the exposed documents were multiple versions of the same Excel file containing data used for configuring thousands of systems, as well as pricing options for those systems, the researchers said. Fields included hostname, operating system, workload, AWS region, memory and CPU specs, among others.

GoDaddy was not to blame for the leak. According to Amazon's own statement, human error appeared to be the cause of the data breach, and an unnamed AWS salesperson was responsible for the misconfiguration. Amazon S3 buckets should be private by default, with access restricted to the account owner and root administrator. Nevertheless, occasional misconfigurations or misunderstandings by both customers and providers can compromise the privacy setting of the storage bucket, leading to unintentional exposure of data.

In this particular instance, Amazon gave assurances that no GoDaddy customer information was revealed. However, configuration information can prove extremely valuable not only to malicious actors performing reconnaissance to increase the effectiveness of future attacks, but also to business competitors leveraging this kind of data to their own advantage.

Proficio Threat Intelligence Recommendations:

  • Regularly check the security posture on your cloud storage, enforcing tools for data loss prevention and promoting security awareness among your employees.

  • Consider performing regular audits on your service providers to reduce the risks associated with the digital supply chain.


METHOD – The Ramnit Trojan Family Evolution Within the “Black” Botnet Campaign

August 8, 2018

Researchers at Check Point warned that a much larger attack could follow the so-called “Black” botnet campaign. This campaign was uncovered between May and July 2018 and used the Ramnit Trojan to create a network of malicious proxy servers operating as a highly centralized botnet or as independent botnets. To date, over 100,000 computers have been infected, researchers said.

Ramnit was first seen in 2011 as one of the most prominent pieces of banking malware, with extensive information exfiltration capabilities, and targeted industries and banks in North America and the UK throughout 2015 and 2016. Additional Ramnit features include modules such as FTPServer and WebInjects embedded in the malware package and the capability of backdooring infected machines. According to Check Point, Ramnit recently proved to be merely a first-stage compromise, likely distributed via spam campaigns and employed as a loader for a second infection – the Ngioweb malware.

Originally seen in the second half of 2017, Ngioweb is reported as a multifunctional proxy server using two layers of encryption and supporting back-connect mode, relay mode, the IPv4 and IPv6 protocols, and TCP and UDP transports. After analyzing the malware functionality, Check Point researchers identified two stages of C2 infrastructure. The STAGE-0 C2 server informs the malware that it is ready to go over an unencrypted HTTP connection, while the STAGE-1 C2 server later controls the malware via an encrypted channel. In addition, Ngioweb has a dual operational mode, working as both a regular back-connect proxy and a relay proxy. The first allows access to remote services on behalf of an infected host, or to internal resources in the local network of an infected host, whereas the latter, the more powerful of the two, allows the attackers to build chains of proxies, making their services barely traceable. The concern is that, between the two pieces of malicious code, the operators behind the campaign are attempting to build an extended, multi-purpose proxy botnet possibly used to launch further attacks.


Proficio Threat Intelligence Recommendations:

  • Consider educating users on best practices for email security, especially when the source looks suspicious. In addition, network administrators should consider implementing an effective anti-spam strategy within their organization.

  • Assess adding the IOCs provided in the Check Point analysis to preventative endpoint security controls.

  • Ensure endpoint security controls are maintained and up-to-date for higher detection rates.

VULNERABILITY – Symfony Component Vulnerability Impacting Drupal

In April of this year, attackers began exploiting two critical vulnerabilities in Drupal, a common open source website content-management system. The vulnerabilities were dubbed Drupalgeddon2 (CVE-2018-7600) and Drupalgeddon3 (CVE-2018-7602). This month, a new flaw was discovered in Drupal, this time residing in Symfony HttpFoundation, a component of a third-party library used in Drupal Core. CVE-2018-14773, the CVE assigned to this bug, was found to affect Drupal 8.x versions before 8.5.6.

Symfony released an advisory explaining that the flaw originates from the component’s support for legacy IIS headers. To trigger it, a remote attacker would only have to send a specially crafted “X-Original-URL” or “X-Rewrite-URL” HTTP request header. This would override the path in the request URL, so that a different URL is accessed, which leads to a bypass of restrictions.
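The path override described above, modelled as an added example (not Symfony or Drupal code, and not part of the original post): it shows why a front-end rule that only sees the URL path stops protecting a path once the application honours these headers, and how to flag such requests in logs. The `/admin` rule, the function names and the sample requests are assumptions constructed for illustration.

```python
# Added illustration, not Symfony or Drupal source: a simplified model of the
# path override behind CVE-2018-14773 plus a log-side detection.
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def override_value(headers):
    """Return the first legacy override header value present, else None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in OVERRIDE_HEADERS:
        if name in lowered:
            return lowered[name]
    return None


def routed_path(url_path, headers, honor_legacy_headers):
    """Path the application routes on; True models the pre-patch behaviour,
    False models the patched component, which ignores the headers."""
    override = override_value(headers) if honor_legacy_headers else None
    return override if override is not None else url_path


def front_end_allows(path, blocked_prefixes=("/admin",)):
    """Hypothetical front-end rule (proxy or cache) that sees only the URL path."""
    return not path.startswith(blocked_prefixes)


def restriction_bypassed(url_path, headers, honor_legacy_headers):
    """True when the front end allows the URL but the app serves a blocked path."""
    served = routed_path(url_path, headers, honor_legacy_headers)
    return front_end_allows(url_path) and not front_end_allows(served)


def strip_override_headers(headers):
    """Compensating control for unpatched sites: drop the headers at the edge."""
    return {k: v for k, v in headers.items() if k.lower() not in OVERRIDE_HEADERS}


def flag_requests(requests):
    """Detection: ids of requests whose override header disagrees with the URL."""
    return [r["id"] for r in requests
            if override_value(r["headers"]) not in (None, r["path"])]


# Constructed sample requests (not taken from any real log).
SAMPLE = [
    {"id": 1, "path": "/", "headers": {"Host": "example.test"}},
    {"id": 2, "path": "/", "headers": {"X-Original-URL": "/admin/config"}},
    {"id": 3, "path": "/news", "headers": {"x-rewrite-url": "/news"}},
]

if __name__ == "__main__":
    print("flagged request ids:", flag_requests(SAMPLE))
```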

According to the advisory, the vulnerability was patched in versions 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3 of the Symfony HttpFoundation component, while Drupal has also fixed the issue in version 8.5.6.

The Drupal team also warned of a similar vulnerability affecting the Zend Feed and Diactoros libraries included in Drupal Core, dubbed ‘URL Rewrite vulnerability’. Drupal confirmed that they do not use the vulnerable functionality, but they still recommend fixing it on sites and modules that directly use either library.

Proficio Threat Intelligence Recommendations:

  • Update your vulnerable site with the latest patch, available at symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers or drupal.org/SA-CORE-2018-005.

  • Administrators of websites using Zend Feed or Diactoros directly are advised to patch the ‘URL Rewrite vulnerability’ by following the Zend Framework security advisory available at framework.zend.com/security/advisory/ZF2018-01.

METHOD – Law Office Credentials on the Dark Web

August 5, 2018

CNBC has reported that access to various law firms' files and networks is being sold on the Dark Web. In one particular example, access to a New York City law firm was being sold for $3,500, and the individual or group offering access stated they could give screenshots as evidence of the break-in.

According to Cybersecurity Service Provider Q6, beyond the New York firm, access to law firms across the United States, including multiple firms in Beverly Hills, is being advertised for sale on the Dark Web. The information in the specific New York example was identified on a Russian-speaking forum.

The popular credentials that are advertised on this site were mainly IT admin credentials with high privileges. These accounts appeared to go for the most money. Some of the value provided by these credentials is the ability to access multiple users' email accounts to obtain sensitive information.

The sanitized screenshots provided by CNBC of the site where the information was being sold showed a robust web platform that included support, a balance for purchases, and website sections such as "FAQ", "Invoices" and "Settings."

Proficio Threat Intelligence Recommendations:

  • Employ additional controls around privileged users within the organization.

  • Assess working with partners to perform dark web sweeps or dark web monitoring.

  • Have a continuous monitoring program in place to detect suspicious access to public-facing remote authentication services.