The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Thursday, 28 January 2016
Wendy’s Investigating Unusual Payment Activity
From The Media
Wendy’s has launched an investigation after payment card companies reported suspicious activity. The alert specifically advised Wendy’s that potentially fraudulent charges were being made on payment cards after they were legitimately used at some Wendy’s restaurants. The investigation is ongoing. It is not clear how many locations or payment cards were affected.
Read the Story: USA Today
iSIGHT Partners Analyst Comment
POS malware has grown in size and scope and now affects organizations from a wide range of industries. Although United States payment processors have begun to put pressure on retailers to install EMV card processors at checkout stations, the majority of processed payments in the US continue to use the magnetic stripe. Thus, malicious actors still continue to target POS systems and may, in fact, feel pressure to increase card data collection activity before US customers switch more fully to EMV transactions.
Related iSIGHT Partners Reports
14-00000075 (‘Goodshop’ Card Shop: Victims and Bank Identification Numbers in ‘HAPPY WINTER UPDATE’ Dataset Allegedly Related to Bebe Breach), 9 Dec. 2014
15-00010218 (Overview of Threats to EMV Payments), 16 Dec. 2015
South Korea Suspects North Korea Attempted Cyber Attacks Following Its Nuclear Test
From The Media
South Korea suspects that North Korea attempted cyber attacks on southern targets after the country conducted a nuclear test on Jan. 6, 2016. According to unconfirmed news sources, South Korean government agency computers had been infected with malware that may have come from North Korea following the tests. According to South Korean authorities, an investigation is underway and no details have been released.
Read the Story: Reuters
iSIGHT Partners Analyst Comment
We have reason to believe the events described in the media are plausible given some recent activity we have observed that is tied to the Volgmer malware family, which we believe is leveraged in North Korean operations. While we have not completed analyzing the associated samples, the observed activity fits the proposed timeframe of the reported intrusions.
Related iSIGHT Partners Reports
15-00000128 (North Korean Cyber Capabilities), 15 Jan. 2015
15-00011382 (Hangul Zero-Day Leveraged Against South Korea), 15 Oct. 2015
15-00012308 (TEMP.Hermit Targets South Korean Research Institute), 6 Nov. 2015
ISIS Affiliate Cyber Caliphate Announces Plans to Hack Google
From The Media
According to international terrorism watchdog Terror Monitor, the Cyber Caliphate has announced that they will hack Google. The Cyber Caliphate has plans to establish a team, dubbed Google Hacking Team, specifically for attacking Google. According to the hacking collective Anonymous, the majority of the Cyber Caliphate’s claims are fake.
Read the Story: Tech Worm
iSIGHT Partners Analyst Comment
We maintain our judgment that the actor currently using the name CyberCaliphate is a member of the pro-ISIS group Islamic Cyber Army (ICA, aka Caliphate Cyber Army) and is not connected to the Russian group that previously used that name. We surmise that media sources claiming that CyberCaliphate intends to target Google mistakenly interpreted a derisive comment from anti-ISIS hacktivists as a statement from the ICA, which has frequently falsified data leaks. The ICA recently announced its intention to avenge Abu Hussain Al-Britani, who was killed in a US drone strike in Aug. 2015. We do not expect any ensuing cyber threat activity to pose a threat to maintained and patched enterprise systems.
Related iSIGHT Partners Reports
16-00000358 (Islamic Cyber Army (ICA) Announces New Group Name), 12 Jan. 2016
15-00012688 (ICA Member ‘CyberCaliphate’ Not Connected to Russian Group ‘CyberCaliphate’), 12 Nov. 2015
15-00009824 (Pro-ISIS Hacktivism Overview), 22 Dec. 2015
Giant DDoS Attacks Are Now Hitting 500Gbps as Criminals Flex Their Muscles
From The Media
In a recent study, Arbor Networks found that cyber actors’ largest motivation for conducting distributed denial-of-service attacks in 2015 was to showcase their capabilities, followed closely by extortion. Arbor Networks’ study further found that the largest DDoS attacks reported in 2015 were 500Gbps, 450Gbps and 425Gbps.
Read the Story: ZDNet
iSIGHT Partners Analyst Comment
The methodology used in Arbor Networks’ survey is dependent on enterprise stakeholders’ perception of the motivations behind DDoS attacks they experienced. While most respondents selected “demonstrating attack capabilities,” we believe this option may have been used when respondents were either unsure or unaware of an attack’s true motivation. Further, media articles fail to mention that “gaming” was listed as the second most common answer, demonstrating that Arbor Networks’ findings are not being accurately portrayed.
Related iSIGHT Partners Reports
15-00007358 (DD4BC Attacks Increasingly Affect Small Business Enterprises with an Online Presence), 4 Aug. 2015
15-00012330 (Recent Extortion-Linked DDoS Attacks Target Multiple Organizations; Many Attackers Likely Inspired by DD4BC), 1 Dec. 2015
Intel-1039924 (Extortion DDoS Attacks Expected to Pose a Low Threat to Major Enterprises), 28 Feb. 2014
PayPal is the Latest Victim of Java Deserialization Bugs in Web Apps
From The Media
A serious vulnerability that is part of a group of bugs stemming from Java object deserialization has been patched in PayPal’s back-end management system. The vulnerability, which could have allowed a malicious actor to execute arbitrary commands, was discovered in the manager.paypal.com website. The security researcher who discovered the vulnerability was given credit via PayPal’s bug bounty program.
Read the Story: CSO Online
iSIGHT Partners Analyst Comment
Java deserialization issues pose a potentially significant threat to users and owners of vulnerable web applications, as they could allow malicious actors to execute code without being detected. Like any input, serialized data should be validated after deserialization to ensure the data does not contain any undesired code that could be executed. This type of data validation is already considered best practice for application development, but similar issues, such as those identified by FoxGlove Security in early November 2015, have been identified in recent months, with more likely to be found in the future.
Related iSIGHT Partners Reports
ThreatScape Media Highlight (Java Deserialization Vulnerability Found in More Java Libraries), 8 Dec. 2015
15-00012798 (Jenkins Deserialization of Untrusted Data Vulnerability CVE-2015-8103), 17 Dec. 2015
The post ThreatScape Media Highlights Update – Week Of January 28th appeared first on iSIGHT Partners.