ThreatScape Media Highlights Update – Week Of October 7th


The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.


Wednesday, 7 October 2015

TARGETED ATTACK EXPOSES OWA WEAKNESS

FROM THE MEDIA

Cybereason researchers have discovered an attack method whereby actors were able to access a corporate network and steal usernames and passwords via Outlook Web Access (OWA). An attack against an organization with 19,000 endpoints was executed for months, resulting in the theft of 11,000 user accounts. The actors were able to load a malicious dynamic library onto the victim's OWA server and open a back door to collect credentials for the majority of the organization's accounts.
Read the Story: Threat Post

iSIGHT PARTNERS ANALYST COMMENT
Indicators of compromise that would inform attribution efforts related to this event have not been released. However, OWA servers are certainly a valuable target for espionage actors as these servers authenticate based on domain credentials and, if compromised, can provide adversaries with domain administrator-level access. Espionage actors have also leveraged OWA in previous efforts to carry out mass compromise. It is noteworthy that in 2013 iSIGHT Partners reported activity conducted by Hippo Team actors leveraging the OWA login page for Norseman Defense Technologies to profile page visitors and likely direct desired victims to malicious exploits.

RELATED iSIGHT PARTNERS REPORTS
Intel-965305 (Hippo Team Profiling Activity Using OWA), 9 Oct. 2013
Intel-1004906 (Hippo Team Profiling Activity Affects Additional Websites), 8 Dec. 2013


CISCO DISRUPTS MAJOR RANSOMWARE OPERATION POWERED BY ANGLER EK


FROM THE MEDIA
Cisco, with the help of L3 and OpenDNS, caused major operational damage to a group using the Angler exploit kit. Cisco found that many of the proxy servers the group used were hosted at a Dallas-based services provider. Cisco was then able to shut down the servers and obtain new insight into the group's operations. The investigation found that the actors used stolen credit card information to purchase 815 servers in one week and served exploits to about 9,000 unique IP addresses per day.
Read the Story: Security Week

iSIGHT PARTNERS ANALYST COMMENT
Angler is currently one of the most popular and technically sophisticated exploit kits. While Cisco obtained an unprecedented look into Angler's operations, we do not expect their actions to have a significant long-term impact on Angler or its associated malware operations. At worst, we believe Cisco's actions will force Angler's operators to temporarily suspend activity to reconfigure their operations in a way Cisco's new measures cannot affect. Even if Cisco could hinder Angler's long-term operations or shut them down completely, malware operators utilizing Angler could easily adopt other exploit kits with little to no disruption, as many alternatives currently exist in the market (some of which may actually be more effective than Angler).

RELATED iSIGHT PARTNERS REPORTS
15-00000226 (Angler Exploit Kit Overview), 23 April 2015
15-00003550 (TeslaCrypt Malware Overview), 13 Aug. 2015
Intel-1162876 (Cryptowall Malware Overview), 5 Nov. 2015


AVERAGE COST OF CYBER CRIME PER ORGANIZATION ESCALATES TO $15 MILLION USD

FROM THE MEDIA
A recent study conducted by the Ponemon Institute found that in the US the average annual cost of cyber crime was $15 million USD. The figure represents an almost 20 percent increase over one year. The study also found that a variety of security technologies, policies and other investments, including the use of security intelligence, provide a significant return on investment.
Read the Story: Security Magazine

iSIGHT PARTNERS ANALYST COMMENT
Organizations continue to incur significant expenses as the result of cyber crime campaigns. We expect that taking proactive defense measures will help limit both the probability of these attacks being successful and the impact of breaches should they occur, which will help limit the cost of incidents. Furthermore, we expect organizations will increasingly turn to cyber security insurance policies to help mitigate costs in the event of malicious activity.

RELATED iSIGHT PARTNERS REPORTS
Intel-1281518 (Insurers in the US Seek to Bar Cyber Coverage Under Commercial General Liability; Appear to be Largely Successful), 6 Nov. 2014
15-00008770 (Data Loss Prevention (DLP) Software Effectiveness and Best Practices), 30 Sept. 2015
15-00001636 (Wide-Ranging Predictions for 2015 Generally Expect Increase in Quantity and Variety of Adversary Activity), 20 March 2015


RESEARCHERS STEAL SECRET RSA ENCRYPTION KEYS IN AMAZON’S CLOUD

FROM THE MEDIA

A group of professors at the Worcester Polytechnic Institute found a way to recover secret cryptographic keys used in Amazon Web Services virtual machines. The flaw, not specific to Amazon Web Services, lay in the Libgcrypt encryption library. The professors used a side-channel attack that allowed them to obtain information from users sharing virtual machines on the same physical server. According to the proof-of-concept, the attack is complicated and requires several steps, such as first starting a virtual machine to check whether other users are on the same host and then determining whether they are running Libgcrypt for their RSA encryption.
Read the Story: CSO Online

iSIGHT PARTNERS ANALYST COMMENT
As this issue has been patched, we expect malicious adversaries will not be able to use it in the future. Given the complexity, we do not expect that anyone, except possibly state-supported actors, discovered and leveraged this particular flaw in the past. However, the flaw demonstrates the threat side-channel attacks may pose to cloud computing services in the event they are discovered and used by malicious actors.

RELATED iSIGHT PARTNERS REPORTS
15-00007290 (Threats to Cloud Providers), 31 July 2015
Intel-1229849 (Access Control, Input Validation and Cryptographic Vulnerabilities Commonly Affecting Cloud-Based Service Providers), 5 Sept. 2014



The post ThreatScape Media Highlights Update – Week Of October 7th appeared first on iSIGHT Partners.
