STE WILLIAMS

Doron Voolf and Jesse Smith also contributed to this article.

Compared to the most recent version we examined in July (v24), TrickBot’s target URL list has grown significantly, surpassing the 1,000 mark for the first time with notable increases in US targets.

TrickBot authors also introduced a worm module in v29 that spreads locally through SMB, a port usage we questioned when it turned up on the command and control (CC) list in v24. Starting with v29, we began analyzing the infection targets separately by static injection (sinj) targets, which are redirection attacks, and dynamic injection (dinj) targets, which are webinjects. Whereas there are more dinj targets in total, there has been a sharp rise in sinj targets in the latest analyzed configurations.

URL Target Analysis
US financial institutions were the most targeted starting in v28 (185 URLs), followed by Australia, Spain, and Canada, which stayed consistent through v29 and v30. Rounding out the top 5 country targets was the “unknown” group. The top five company targets are led by “unknown” with 46 URLs, and followed by Chase, PayPal, American Express, and Bank of America. Little change in the URL targets occurred in v29 with the introduction of the worm module, but v30 saw the addition of 40+ US targets and a handful of new Canadian targets, moving Citibank into the third most targeted position. We also saw Amazon begin to be targeted for the first time, with 10 URLs present in the dinj target list.

Version 31 featured more Australian, New Zealand, Singapore, UK, and “unknown” targets. No URLs at all were dropped from v30, and we saw 159 added, while the company target list remained the same from v30. Version 32 saw almost twice as many URL targets as v31, even though 119 targets from v31 were dropped. There is a large focus on the US and UK, and the Nordic banks (previously observed in v24) are back.

In many instances, it appears that the targets for v32 were simply a combination of targets from previous versions. Almost all of the countries with eight or less targets appearing in v32 did not appear in v31, but did appear in v24. The Nordic countries behaved similarly: they did not appear in v31, but 78% of their URLs did appear in v24. Most of the increase in targets in this version are attributable to recycling older targets from previous versions that had been discarded over time. Notably, Amazon was discarded as a target in v32.

“Unknown” URL Target Analysis
URLs in this group often resemble “*/business/login/Login.jsp*”, about which it is impossible to make a target determination. Every “unknown” URL target is a dinj (webinject) target, which makes sense; static inject targets need to be sure of what page the user is attempting to access in order to serve up a convincing redirect, while webinject targets merely need to insert malicious code into legitimate pages.

These “unknown” URLs could be used to target groups of banks all relying on a single online platform with an identical subdomain architecture. For instance, Bank XQW could use “www.bankxqw.com/business/login/Login.jsp”, while Bank QRS could use “www.bankqrs.co.uk/business/login/Login.jsp”. Both banks would be affected by the example “unknown” dinj target URL, allowing TrickBot to target multiple banks with a single URL. Certain URLs within the TrickBot target list strongly suggest this intent.

There was also a large number of URLs in the form of “*/snapshoot/#”, “*/rcrd/#”, and */getq/#” targets; a few were wildcarded versions of URLs from Dyre, but most differed in the specific number used at the end of the URL from those seen in Dyre target lists. In the original Dyre configuration, these URLs took the form of “bankqrs.com/snapshoot/###”, with a different 1, 2 or 3-digit number assigned to different companies. When they appeared on both the TrickBot and Dyre target lists, comparing these numerical identifiers allowed us to determine which company was being targeted. It is also possible that these URLs were not targeting a specific firm at all, and so we hesitate to offer definitive analysis on these URLs at this time, other than to note that they are unusual and worth our further attention.

CC Locations and Owners
It’s well known that TrickBot hosts its CC servers on compromised wireless routers. Prior to IoT devices being used as attacker infrastructure (hosting malware and growing thingbots), it was unusual to see the US have such a large portion of the pie because it’s typically not hard to get nefarious activity hosted in the US shut down quickly. JSC Mediasoft had the most used networks for hosting TrickBot CC servers (10 of Russia’s 15), followed by OVH; the 9 US CC servers are spread out among 8 separate networks.

The unusual targets that stood out in our analysis were the rise in US-based firms—especially credit card companies. In addition to credit card companies, we have seen some development of net new URLs. This indicates some level of effort being placed on refining the target set, but there is still an overwhelming reliance on the target set found in the Dyre malware, circa late 2015.

This partly explains how TrickBot is able to go through so many iterations so quickly. It’s time-consuming to research all the appropriate URLs for all the financial services providers in a specific country, but almost all of that work has been done before. TrickBot’s authors can simply swap in the set of URLs they want from Dyre, make some tweaks based on updates to banks’ login sequences, and spend the rest of their time focusing on making the code itself more effective. We anticipate that TrickBot will continue to focus on the same firms targeted by Dyre through 2015, and will continue to make small modifications to the URLs to improve the effectiveness of their targeting.

Get the latest application threat intelligence from F5 Labs.

Sara Boddy currently leads F5 Labs, F5 Networks’ threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all … View Full Bio

Article source: https://www.darkreading.com/partner-perspectives/f5/trickbot-rapidly-expands-its-targets-in-august/a/d-id/1329810?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Equifax recently confirmed that the vulnerability responsible for the massive breach of 143 million records was indeed for the ApacheStruts 2 Web framework, but not CVE-2017-9805 as was initially circulated. Rather, CVE-2017-5638, which could enable an attacker to perform a remote code execution using malicious content in the absence of suitable security measures, has been pinpointed as the flaw that permitted access to the yet-to-be identified actors. CVE-2017-9805 is certainly worthy of our attention: until last week, it was essentially a zero day with exploits available in the wild.

The bug was first found in March, and a patch has been available since its discovery. In essence, Equifax could have been working to address the shortcomings and protect the personal information of millions using publicly available information approximately two months before the breach occurred. For reasons yet unknown, it did not. As a result, millions of Americans are scrambling to find out if they have been breached and to protect their information from being used for identity theft.

On the other hand, Equifax is facing federal scrutiny and a massive hit to its reputation and consumer trust. The firm’s top information security executives — its CIO and chief security officer — have departed the company following what’s being called one of the worst breaches in US history.

What happened at Equifax, and how can organizations patch their systems and improve their security posture to prevent breaches of this magnitude in the future?

Let’s start with what happened: The data exfiltrated between May to July 2017 included names, Social Security numbers (SSNs), dates of birth, and “other information,” according to Equifax. That data may now be for sale. Security blogger Krypt3ia found a listing on the Dark Web (shown in the image below) ostensibly placed by the Equifax hackers offering records for sale in return for digital currency. The listing includes some samples of the data in the form of screenshots. How much are the records worth? Four Bitcoins would net you 1 million entries; at today’s rate, that’s approximately $13,840. It’s unclear if the purchaser could specify what type of entries they could acquire, as an SSN would certainly command more money than dates of birth on secondary markets.

The listing is very disconcerting. Until recently, we were aware of the breach’s grand scale and some rough order of magnitude in terms of the number of records: 143 million in comparison to the Yahoo hack, which included more, but arguably less-sensitive, records. Seeing records — and the personal identifiable information of individuals — is sobering. For those engaged in threat modeling, the price points provide a marker by which to assess the value of such records in underground markets, although both wallets appeared to be empty at the time of writing.

Vulnerabilities Matter but Do Not Stop Business
We can elicit a number of lessons from this event. In response to Equifax’s disclosure of the Struts2 bug, the Apache Software Foundation released some cogent guidance to those using any Web framework. As always, Brian Krebs has provided practical advice to those who may have been affected by the breach. Gartner’s Strategic Planning Assumptions are also worth repeating here:

• Through 2021, the single most impactful enterprise activity to improve security will be patching.
• Through 2021, the second most impactful enterprise activity to improve security will be removing Web server vulnerabilities.

This incident highlights the importance of a multilayer application security strategy. Firstly, it is absolutely critical to patch systems in a timely fashion. Had Equifax had an effective, multilayered application security strategy that includes the underlying infrastructure, middleware, application, and edge, the company likely would have prevented the intrusion or caught it much sooner. Appropriate data governance also could have diminished the scale of exposure of sensitive data: an understanding of what kind of records are in their possession, their classification, how long they can be kept for, and the security that must be applied to safeguard them accordingly appears to have been elusive.

A mature security regime requires organizations to implement a combination of technical vulnerability management processes and the ability to deploy effective security controls — including compensating controls when patches cannot be deployed in a timely manner.

Web applications and services (like APIs) represent critical business drivers as well as an exposed attack surface for a growing number of organizations. That attack surface can be reduced by properly hardening infrastructure and middleware, using up-to-date frameworks, and defeating attacks at the edge of the network: a Web application firewall, a security control that proxies all Internet traffic while applying a security posture to block traffic deemed malicious or unauthorized, is a highly effective control when properly configured. This year’s Verizon Data Breach Investigations Report confirms that Web application attacks lead the pack with respect to breaches, with botnet activity bolstering that number considerably.

Hackers tend to view the human user as a path of least resistance, but that calculus changes considerably when vulnerabilities are discovered in technologies. Today’s time-to-exploit has become relatively shorter as security expertise proliferates, even if the number of publicly available exploits is dropping.

Don’t give attackers a window of opportunity! Vulnerabilities don’t need to slow down or stop business operations. Deploying patches is absolutely imperative to maintain a strong security posture, but the process can be disruptive or complex, especially for legacy systems, making additional security measures — acting as compensating controls — necessary to provide suitable defenses to maintain exploitable systems while patches are deployed.

Related Content:

• 7 Takeaways From The Equifax Data Breach
• FTC Opens Probe into Equifax Data Breach
• Equifax Data Breach Prompts Calls For Tougher Security Requirements On Data Aggregators
• Equifax Exec Departures Raise Questions About Responsibility for Breach

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Nick Deshpande, CISSP, is the vice president of product development at Zenedge, where he combines his passions for user experience and security. He’s a graduate of the Royal Military College of Canada and American Military University. View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/equihax-identifying-and-wrangling-vulnerabilities/a/d-id/1329966?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Even after several years of escalation, ransomware continues its hockey-stick growth by just about every metric. This week, three new studies show how ransomware continues to escalate around the globe, proving to be one of the fastest-growing problems that cybersecurity practitioners face today.

“Ransomware attacks have eclipsed most other global cybercrime threats, with the first half of 2017 witnessing ransomware attacks on a scale previously unseen following the emergence of self-propagating ‘ransomworms,’ as observed in the WannaCry and Petya/NotPetya cases,” write Europol experts in the agency’s Internet Organized Crime Threat Assessment (IOCTA) 2017 report published this week. “Moreover, while information-stealing malware such as banking Trojans remain a key threat, they often have a limited target profile.”

Interestingly, many experts proclaimed the highly proliferated worms to be failures because WannaCry and Petya/NotPetya didn’t reap financial benefits as effectively as other attacks. According to Europol, less than 1% of victims paid a ransom for WannaCry. But the ill effects remain disruptive and costly no matter which way these attacks are analyzed. For example, though most industry estimates peg total ransoms paid to attackers in the past two years to be only about $25 million, the FBI believes the total cost of ransomware broke the $1 billion mark in 2016.

According to a report out today by McAfee, this year the WannaCry attacks infected more than 300,000 systems worldwide in less than 24 hours. The total costs of the attacks are still being compiled, but given the disruption of major infrastructure such as hospitals and factory floors, the bill will be high.

“It has been claimed that these ransomware campaigns were unsuccessful due to the amount of money made,” said Raj Samani, chief scientist for McAfee.”However, it is just as likely that the motivation of WannaCry and NotPetya was not to make money but something else. If the motive was disruption, then both campaigns were incredibly effective. We now live in a world in which the motive behind ransomware includes more than simply making money. Welcome to the world of pseudo-ransomware.”

Whatever the motivation, new ransomware increased by 54% in the second quarter of this year, according to McAfee. The number of total new ransomware samples has increased by 47% in the past four quarters.

Tellingly, 80% of security pros view ransomware to be a moderate or extreme threat today. This is from a study of nearly 500 practitioners among the Information Security Community on LinkedIn, conducted by Cybersecurity Insiders and Crowd Research Partners. That survey showed that 75% of organizations affected by ransomware have experienced up to five attacks in the last year, and 25% have been hit by six or more attacks.

Disconcertingly, the study showed that 39% of organizations say it takes them anywhere between several days to a few weeks to recover from a ransomware attack. This lack of resiliency and the fallout from attacks this year highlight the lack of accountability for instituting the basics of IT security within organizations, says James Carder, CISO of LogRhythm.

“Core IT operational competencies, such as patch management, backups, disaster recovery, and incident response, are not well implemented or maintained,” he says. “These are absolutely essential in protecting your company from damaging cyberthreats, and without them, you are left in a perpetually vulnerable state, a sitting duck for these types of attacks, merely hoping that you aren’t compromised.”

Related Content:

• 10 Security Product Flaw Scares
• Equihax: Identifying Wrangling Vulnerabilities
• Why Your Business Must Care about Privacy

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/ransomware-numbers-continue-to-look-abysmal/d/d-id/1330005?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Central banks from major economies have suggested steps to advance security of inter-bank messaging and payment systems, Reuters reports. The Committee on Payments and Market Infrastructures (CPMI) has called for banks to improve security to protect the financial system.

Last year, attackers tried to steal almost $1 billion from the Bangladesh central bank’s account at the Federal Reserve Bank of New York. About $80 million was taken before the hackers were detected. Bangladesh blamed the incident on poor security around the Bangladesh Bank’s SWIFT terminal. SWIFT is used among banks to send payment instructions and until last year, was used to transfer trillions of dollars every day.

CPMI made suggestions to secure messaging services like SWIFT and Britain’s CHAPS system. These include ensuring quick reporting of fraud and attempted fraud, risk audits, user education, and monitoring system access points, where hackers often enter the system.

The security proposals will be published in early 2018.

Read more details here.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/risk/central-banks-propose-better-inter-bank-security/d/d-id/1330006?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A spate of bogus “secure message” emails from financial institutions are making the rounds, following the high-profile Equifax breach, according to a report released today by Barracuda.

Over the past month, variants of the “secure message” email attacks have included malicious Word document attachments that rewrite directory files in users’ computers once opened, according to Barracuda’s Threat Spotlight report.

In some of these cases, depending on the script, the malware will remain dormant to avoid anti-virus detection when downloaded or opened but will spring into action later – potentially as ransomware.

Techniques used in these fraudulent “secure message” emails include impersonation of financial institutions, spoofed email domains and phishing attacks to get users to open the attachments or click on the links, the report notes.

Read more about the bogus “secure messages” here.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/report-bank-email-fraud-increases-since-equifax-breach/d/d-id/1330007?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple