The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
HACKERS STOLE NEWS RELEASES, MADE $100M FROM TRADES
FROM THE MEDIA
The US Securities and Exchange Commission and the US Department of Justice filed charges against 32 individuals for allegedly hacking newswire services and performing stock trades based on unreleased information from the services. The suspects allegedly made a total of $100 million from the scheme. Officials believe two of the individuals, Ukrainian men, hacked the newswire services while the rest made stock trades. The two Ukrainians are believed to have conducted the operation for over five years, hacking at least two newswire services.
Read the Story: Fox
iSIGHT PARTNERS ANALYST COMMENT
Multiple cyber criminals have manipulated, or at least attempted to manipulate, the stock market in the past. In this case, the actors used compromised access to newswire services to obtain an unfair trading advantage. Beyond this tactic, we have also observed direct targeting of stock exchanges and attempts to influence the market via DDoS attacks. This type of illicit profiteering undermines public trust in the stock market as a whole and creates unnatural price fluctuations and opportunity costs for current and would-be shareholders. However, because this scheme monetized knowledge obtained from the newswire services rather than compromised access to trading accounts, its effects would not have been easily detected by the victims, allowing the actors to avoid notice and persist for a relatively long period.
RELATED iSIGHT PARTNERS REPORTS
Intel-1021738 (Ukrainian Stock Exchange Targeted by DDoS Attacks; Market Possibly Affected), 21 Jan. 2014
Intel-902080 (Actor Attempts to Sell Insider Access to DASDEC Emergency Alert System), 31 July 2013
Intel-597522 (Russian-Speaking Actor Seeking Access to US News Sites, Including CNBC, CNN and FOX News), 26 June 2012
ANDROID VULNERABILITY LETS HACKERS REPLACE APPS ON YOUR DEVICE
FROM THE MEDIA
Researchers discovered a vulnerability in Android’s OpenSSLX509Certificate class that could allow an attacker to escalate an app’s access privileges. Hackers would only need a small amount of code to exploit the flaw and thus could hide it in a legitimate app to gain system-level privileges. Actors could download malicious APKs and use them to replace legitimate apps.
Read the Story: Softpedia
iSIGHT PARTNERS ANALYST COMMENT
CVE-2014-3153 is a local privilege escalation vulnerability in the futex subsystem of Linux kernel versions 3.14.5 and earlier. It was publicly disclosed over a year ago (and exploit code has been publicly available for nearly as long), but its ability to affect Android devices running versions 4.3 to 5.1 of the OS was not previously realized. This kernel flaw is separate from the OpenSSLX509Certificate issue described above, which lies in Android's Java framework layer rather than in the kernel. Either vulnerability could allow an attacker to conduct a number of malicious activities through a compromised device, so we recommend applying the already-released patches for these issues and limiting app installations to those from verified vendor stores on any device.
RELATED iSIGHT PARTNERS REPORTS
14-31221 (CVE-2014-3153), 25 Nov. 2014
15-00007664 (Android Stagefright Vulnerability, One of Seven), 5 Aug. 2015
UK COUNCILS SUFFER OVER 4,000 SENSITIVE DATA BREACHES IN THREE YEARS
FROM THE MEDIA
Privacy group Big Brother Watch recently released the “A Breach of Trust” report and found that 4,236 sensitive data breach incidents involving local government councils in the UK occurred between April 2011 and April 2014. Furthermore, there were 628 occurrences where data was incorrectly or inappropriately shared via e-mail, and 99 cases of unauthorized individuals accessing data. Big Brother Watch has called for tighter data breach regulations and suggested jail time for council workers in serious cases.
Read the Story: V3
iSIGHT PARTNERS ANALYST COMMENT
The report found that only one in ten incidents led to disciplinary action, suggesting a widespread failure to create or enforce policies that could have reduced the rate or severity of data breaches. Councils' failure to properly handle and report breaches may result in actors gaining access to citizens' or council members' personally identifiable information (PII).
RELATED iSIGHT PARTNERS REPORTS
15-00006858 (Cyber Criminal Theft and Exploitation of Databases: Targeted Data, Targeted Industries and Malicious Uses), 11 Aug. 2015
15-00004862 (Cyber Criminal in Russian Community Seeks Tax Credentials Stolen from US Tax Payers), 4 June 2015
ASPROX BOTNET, A LONG-RUNNING NUISANCE, DISAPPEARS
FROM THE MEDIA
Asprox botnet’s command and control servers have shut down, according to Palo Alto Networks. The botnet, which conducts malware-spamming activities, had been active for years. Researchers have commented that the botnet’s operators may be regrouping to evade detection. The botnet is known for sending spam e-mails purporting to be court notices or to come from delivery services such as FedEx.
Read the Story: Computer World
iSIGHT PARTNERS ANALYST COMMENT
In early 2015, iSIGHT Partners reported on Asprox’s inactivity; we have not observed any further activity since that time. However, in light of the availability of other underground malware distribution services, we do not think its disappearance as a major spam and malware distribution network has had a significant impact on the overall threat posed by malicious mass-mailing services and spam e-mail.
RELATED iSIGHT PARTNERS REPORTS
15-00001062 (Asprox Spam and Malware Distribution Network Inactive Since January 2015), 25 March 2015
15-00000546 (Zemot: Behavior, Capabilities and Communications), 19 Feb. 2015
14-33167 (Kuluoz: The Asprox Botnet’s Field Agent), 24 Oct. 2014
FIREFOX 42 WILL NOT ALLOW THE INSTALLATION OF UNSIGNED EXTENSIONS
FROM THE MEDIA
Mozilla announced that, due to security concerns, Firefox 42 will prohibit installation of unsigned extensions. Firefox 40 was the first release to warn users when they installed an unsigned extension, and Firefox 41 only permits such installations if a special preference is enabled. According to Mozilla, developers are increasingly abusing its add-on installation procedures; some even use them to redirect users to malware.
Read the Story: Softpedia
iSIGHT PARTNERS ANALYST COMMENT
Malicious extensions often carry out unwanted advertising and credential collection and may redirect users to pages without their knowledge, all of which represent a significant risk to browser security. Although we expect adversaries will attempt to bypass Mozilla's automated checking process, removing users' ability to install unsigned extensions should improve user security.
RELATED iSIGHT PARTNERS REPORTS
15-00003244 (Superfish, PrivDog, Demonstrate Continued Threat Third-Party Software Poses to SSL), 21 April 2015
Intel-1259793 (Advanced Browser Tracking Techniques Developed for Advertising Could Pose Security Risks), 17 Oct. 2014
The post ThreatScape Media Highlights Update – Week Of August 12th appeared first on iSIGHT Partners.