The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Wednesday, 16 September 2015
CISCO ROUTER BREAK-INS BYPASS CYBER DEFENSES
FROM THE MEDIA
FireEye security researchers have found sophisticated malware, dubbed SYNful Knock, infecting Cisco routers. Routers are attractive targets for actors because, when compromised, they can provide access to all data stored behind them. The attacks have struck many industries and government agencies. FireEye found 14 occurrences in Ukraine, India, Mexico and the Philippines.
Read the Story: Reuters
iSIGHT PARTNERS ANALYST COMMENT
The Cisco Product Security Incident Response Team has confirmed that SYNful Knock activity does not leverage any product vulnerabilities, and that this method requires valid administrative credentials or physical access to the victim device. While there are no known malicious actors tied to SYNful Knock activity, we expect this attack is associated with sophisticated, well-resourced actors who are attempting to obtain persistent network compromise against targeted entities, which is consistent with espionage intent. The need for physical access or valid administrative credentials suggests the intrusions are specifically targeted, and the operators carry out reconnaissance and/or credential collection prior to the deployment of SYNful Knock malware. We commented on the Cisco advisory released for this issue (available here) in the August 14, 2015 ThreatScape Media Highlights.
RELATED iSIGHT PARTNERS REPORTS
ThreatScape Media Highlights (CISCO Warns Customers About Attacks Installing Rogue Firmware on Networking Gear), 14 Aug. 2015
15-00001240 (Pre-Installed Malware on Counterfeit Xiaomi Phone Highlights Continuing Threat Posed by Chinese Android Devices), 11 March 2015
15-00003250 (Home Routers Located in Western Countries Continue to be Exploited En Masse), 28 April 2015
HACKERS HIT THE KREMLIN
FROM THE MEDIA
Russian officials announced that hackers attacked the Kremlin in a powerful cyber attack. The attack targeted the Russian election commission’s website and, according to officials, was very strong, though defense measures were successful. According to Russian officials, the attack made 50,000 requests per minute and was conducted by an unspecified company based in San Francisco.
Read the Story: The Hill
iSIGHT PARTNERS ANALYST COMMENT
Although we could not verify the Russian Government’s claims, previous Russian elections have seen DDoS attacks targeting Russian Government websites. We surmise the claims are true, but it is possible the Kremlin exaggerated the nature of the threat. Moreover, the attack’s alleged origin from a San Francisco-based company likely only indicates a compromised server, provides little information on the attacker’s origin, and serves to reinforce the Kremlin’s narrative of defending the nation from external threats at a time of strained US-Russian relations.
RELATED iSIGHT PARTNERS REPORTS
15-00004722 (Overview of Russian Threat Activity, including DDoS Attacks), 25 June 2015
15-00003104 (Hacktivist Group ‘Shaltai Boltai’ Targets the Russian Government), 20 April 2015
UK FIRMS HIT AS DRIDEX CRIMINALS TARGET 385 MILLION E-MAILS
FROM THE MEDIA
Fujitsu discovered a Russian server containing a “hitlist” of 385 million e-mail addresses used to distribute the Dridex banking Trojan. The company discovered the server while tracking the Trojan. GCHQ reportedly helped alert a large number of anticipated victims, ranging from government to financial institutions.
Read the Story: SC Magazine
iSIGHT PARTNERS ANALYST COMMENT
While it is certainly important to notify potential victims that Dridex malware operators are targeting them, it is highly likely a large number of other malicious actors are targeting them as well due to the opportunistic and highly active nature of the cyber crime market. Users, especially those working in financial and government institutions at any level, should assume they are being targeted and always conduct safe Internet and e-mail practices.
RELATED iSIGHT PARTNERS REPORTS
15-00009412 (Alleged Dridex Developer’s Arrest Followed by Pause in Dridex Activity, but Unlikely to Permanently Halt Malware’s Distribution), 10 Sept. 2015
15-00009030 (Bugat/Dridex Configuration Update: Incremental Target Expansions Prior to Likely Temporary Disruption), 14 Sept. 2015
15-00009104 (Indicator Report: Dridex Activity Report (Aug. 24 to Sept. 9, 2015)), 4 Sept. 2015
TRAVEL APPS RIDDLED WITH SECURITY FLAWS
FROM THE MEDIA
The top 10 iOS and Android travel apps have security flaws, according to a recent Bluebox security report. The major issues consist of a lack of encryption, susceptibility to man-in-the-middle attacks, and administrative or debugging code left in the apps. According to Bluebox, the biggest issue was a lack of encryption for data stored in the app. The names of the affected apps have not been disclosed.
Read the Story: CSO Online
iSIGHT PARTNERS ANALYST COMMENT
Shortcomings in app security may undermine user data security, and security provisions rarely influence the popularity of an app. Adversaries regularly attempt to place malicious apps into legitimate app stores, and will often try to convince users to download apps from third party app stores. Educating users about malicious activity targeting mobile devices is important, particularly within organizations that have corporate mobile devices or a bring-your-own-device policy.
RELATED iSIGHT PARTNERS REPORTS
15-00002136 (Google’s Play Store Implements Human Review of Apps Prior to Publication, Will Have Positive but Limited Impact on Android App Security), 30 March 2015
14-00000142 (Chinese-Language Actors Use ‘Shuabang’ Techniques to Promote Malware on Google Play), 17 Dec. 2014
MALWARE TARGETS CREDIT CARDS USED AT PENNSYLVANIA HOLIDAY INN
FROM THE MEDIA
Milestone Hospitality Management is advising an unknown number of guests who stayed at the Holiday Inn Harrisburg/Hershey in Pennsylvania that malware may have compromised their payment card information. The compromised information included credit card numbers, expiration dates, CVV numbers and names. The malware infected the hotel’s property management computer system from June 2 to July 10.
Read the Story: SC Magazine
iSIGHT PARTNERS ANALYST COMMENT
While it is not clear how the compromise occurred in this case, this incident demonstrates the attractiveness of personal and financial information to malicious actors and their willingness to target small businesses. Broad targeting campaigns mean that entities of all sizes are likely to be targeted. Businesses, including small and medium-sized businesses, should be aware of potential threats and require strict computer security practices of their employees.
RELATED iSIGHT PARTNERS REPORTS
15-00003374 (Update: Intrusion Campaign Targeting the Hospitality Industry Continues), 24 April 2015
15-00008572 (‘Joker Stash’ Offers Multiple Datasets Connected to Alleged Breach of Hotel Network), 1 Sept. 2015
15-00006858 (Cyber Criminal Theft and Exploitation of Databases: Targeted Data, Targeted Industries and Malicious Uses), 11 Aug. 2015
The post ThreatScape Media Highlights Update – Week Of September 16th appeared first on iSIGHT Partners.