The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Wednesday, 14 October 2015
NEW ZERO-DAY EXPLOIT HITS FULLY PATCHED ADOBE FLASH; USED TO TARGET USG
FROM THE MEDIA
Cyber criminals are infecting Linux servers with malware capable of launching strong distributed denial-of-service (DDoS) attacks, according to Akamai Technologies. Two attacks have been launched against the entertainment and other industries. One of the executed campaigns peaked at 119 Gbps and 110 Mpps.
Read the Story: Security Week
iSIGHT PARTNERS ANALYST COMMENT
Cyber criminals are increasingly using malware designed to infect Linux webservers, including other types of malware such as “Storm.bot.” Linux servers are a logical choice for conducting strong DDoS attacks since Linux is usually run by web servers and hosting providers, which have large amounts of bandwidth available. We recommend enterprises routinely conduct vulnerability patching, because widely-used applications such as Apache Tomcat, Apache Strut and Elasticsearch are known to be vulnerable.
RELATED iSIGHT PARTNERS REPORTS
11-16375 (Apache Vulnerability Incorporated into DDoS Tool), 14 Aug. 2014
Intel-1076834 (Threats to Linux Operating Systems), 31 March 2014
Intel-1006884 (Server-Based DDoS Malware ‘Storm.bot’), 16 Jan. 2014
COPS KNOCK DOWN DRIDEX MALWARE THAT EARNED ‘EVIL CORP’ CYBERCRIMINALS AT LEAST $50 MILLION
FROM THE MEDIA
Goodwill Industries International has confirmed a data breach affecting payment cards used at approximately 330 stores. The affected stores make up approximately ten percent of Goodwill stores, all of which used the same payment processing system affected by the malware. Reportedly, the malware was intermittently active between February 2013 and August 2014.
Read the Story: Bank Info Security
iSIGHT PARTNERS ANALYST COMMENT
As earlier media reports speculated, it appears that Goodwill stores were compromised through a third-party payment service used by some of its stores. Similar to the recent breach at some UPS Store locations, the credential compromise at Goodwill is limited in scope and will likely affect relatively few victims. However, the incident does highlight the importance of properly auditing security practices used by third-party vendors that could be an infection vector.
RELATED iSIGHT PARTNERS REPORTS
ThreatScape Media Highlights, 21 Aug. 2014 “UPS Hit by Data Breach”
ThreatScape Media Highlights, 23 July 2014 “Goodwill Industries Investigates Possible Card Breach”
14-32028 (Analysis of “Backoff” POS Malware Implicated in Recent Breaches), 1 Aug. 2014
ANDROID RANSOMWARE GETS A BETTER UI TO SCARE PEOPLE MORE EFFECTIVELY
FROM THE MEDIA
North Korea is reportedly conducting cyber warfare outside its borders. According to HP’s August 2014 Security Briefing, countries such as China and South Korea are being targeted. The report details, among other things, a North Korean hacking unit located in Pyongyang that depends on a command post based in China.
Read the Story: CSO Online
iSIGHT PARTNERS ANALYST COMMENT
It is reasonable to assume North Korea conducts cyber operations from outside its borders as the country greatly relies on China and other countries for its internet access and limited global web presence. iSIGHT Partners has previously reported information relayed by a defector indicating North Korea’s Unit 121 conducts cyber operations from the Chilbosan Hotel in Shenyang. Additionally, in 2009 North Korean hackers were suspected of launching a DDoS attack against US and South Korean government and banking websites. South Korean officials pointed to an IP address traced back to North Korea’s Ministry of Post and Telecommunications, which leased the IP address in China.
RELATED iSIGHT PARTNERS REPORTS
Intel-809535 (Baseline: North Korean Cyber Capabilities), 25 April 2013
Intel-432762 (Defector Claims North Korean Government is Training Cyber Warriors), 20 July 2011
MAJORITY OF AUSTRALIAN ISPS NOT READY FOR METADATA LAWS THAT COME INTO FORCE TODAY
FROM THE MEDIA
Cyber criminals launching recent attacks with the Angler exploit kit have been making detection more difficult by injecting malware into systems’ memory. According to an independent malware researcher known as Kafeine, this practice is not new. It is, however, not commonly seen in larger-scale attacks as the malware cannot persist once the RAM is cleared.
Read the Story: Computer World
iSIGHT PARTNERS ANALYST COMMENT
The media claim that memory-based malware is typically used by state-sponsored actors is inaccurate. This broad category of malware has been associated with both cyber espionage actors and financially motivated cyber criminals at various points. Additionally, the idea that cyber criminals prefer persistence over stealth is a false dichotomy. Once stealth infection is achieved, other measures can ensure malware persistence.
RELATED iSIGHT PARTNERS REPORTS
ThreatScape Media Highlights, 5 Aug. 2014 “Registry-Residing Malware Creates No File for Antivirus to Scan”
14-32083 (Analysis of Malware Running Entirely in Memory), 7 Aug. 2014
Intel-1022127 (Analysis of Flash Vulnerability to Angler Exploit Kit), 14 Jan. 2014
FAKE BANKING AND COMMERCE SITES WRONGLY ISSUED AUTHENTICATION CERTIFICATE
FROM THE MEDIA
Fraudulent websites appearing as Apple iTunes, Halifax and Natwest were incorrectly issued legitimate security certificates and have been capturing victim credentials. Malicious actors used typo squatting and other methods to create domains that would appear legitimate. Services such as CloudFlare, Symantec and GoDaddy issued hundreds of legitimate certificates to these malicious websites.
Read the Story: The Telegraph
iSIGHT PARTNERS ANALYST COMMENT
Adversaries are aware that certificates are used as a mechanism for establishing trust, and as such, regularly attempt to obtain them for phishing sites and for signing malware. By using certificates issued by legitimate services, actors can bypass some security checks and make their activities appear to be legitimate at first glance. We are certain malicious actors will continue activity intended to abuse the certificate system to support malicious activity, not only for cyber crime, but also espionage and targeted intrusion activity.
RELATED iSIGHT PARTNERS REPORTS
15-00010768 (Shifu: Malware Behavior, Capabilities and Communications), 8 Oct. 2015
15-00009218 (Update on ‘Sphinx’ Banking Trojan: Vendor Unreliability Tarnishing Product Credibility), 9 Sept. 2015
15-00005566 (Duqu 2.0 Leveraging Stolen Certificates; Possible ICS Module Identified), 21 July 2015
CHROME EXTENSION LETS YOU HIJACK YOUR FRIEND’S BROWSER
FROM THE MEDIA
Mozilla’s latest browser version, Firefox 32, now supports public key pinning, a mitigation that protects users from man-in-the-middle attacks, in addition to security updates. Public key pinning binds a set of public keys issued by a known good certificate authority. When a user visits a website protected by public key pinning and an unknown certificate is detected, the browser will reject the connection.
Read the Story: Threat Post
iSIGHT PARTNERS ANALYST COMMENT
We agree with the article’s assessment that the implementation of public key pinning will help protect Firefox users from man-in-the-middle attacks. However, in the short-term, this protection will be limited to certificates forged for a handful of Twitter domains and Mozilla add-on sites, with pinsets for other sites to follow at a later time. Additionally, we have yet to observe any exploit code or exploitation activity targeting any of the eight vulnerabilities addressed in the patch.
RELATED iSIGHT PARTNERS REPORTS
Intel-1225580 (Use of Man-In-The-Middle Attacks to Install Mobile Malware), 28 Aug. 2014
14-32389 (Use-After-Free Vulnerability (CVE-2014-1563) Patched by Mozilla), 3 Sept. 2014
14-32388 (Use-After-Free Vulnerability (CVE-2014-1567) Patched by Mozilla), 3 Sept. 2014
The post ThreatScape Media Highlights Update – Week Of October 14th appeared first on iSIGHT Partners.
