- Details
- Category: Security News

Google Project Zero researcher Tavis Ormandy has once again found significant vulnerabilities in Symantec's security products, a little more than a month after his last review (see Researcher Hacks Symantec's AV Via Email). And this time, the findings are just as bad.
Symantec has issued updates, most of which will install automatically using Symantec's LiveUpdate feature, but some require manual updating. The company says it isn't aware of active attacks, but administrators should get patching.
Ormandy took a close look at how Symantec's products handle compressed executables when scanning them for malware. Malware authors frequently run their code through utilities called packers. Packers are legitimate tools that compress executables, which can allow for faster downloading, but packed code is harder for security applications to analyze.
The challenge for security applications is that the compressed code must be unpacked before it can be inspected. Ormandy writes that Symantec actually unpacks code right inside the kernel - the most sensitive part of the operating system, with full access to the entire machine - rather than using a much safer approach such as a sandboxed, low-privilege process.
He found a host of issues, including vulnerabilities that could be triggered simply by emailing a file to the victim or sending them a link to an exploit. Because the engine scans a file as soon as it arrives, the victim would not even have to open it, meaning the attack essentially has worm-like capabilities, he writes.
Critical Flaws, Serious Risks
Ormandy warned of "potentially devastating consequences to Norton and Symantec customers."
"These vulnerabilities are as bad as it gets," Ormandy writes. "They don't require any user interaction, they affect the default configuration and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."
Symantec uses the same core anti-virus engine that's in its Endpoint Protection product across other lines, including Norton. A June 28 security advisory issued by the company lists 17 enterprise products and eight consumer and small business products that are affected, including - but not limited to - the following:
- Advanced Threat Protection
- Critical System Protection
- CSAPI
- Data Center Server
- Embedded Systems Critical Security Protection
- Endpoint Protection for Linux and Mac
- Mail Security for Domino
- Mail Security for Microsoft Exchange
- Message Gateway and Message Gateway for Service Providers
- Protection Engine
- Protection for SharePoint Servers
- Web Security

Ormandy writes that one of the flaws, CVE-2016-2208, involves a buffer overflow when Symantec's anti-virus engine unpacks files that have been compressed with ASPack, a commercial packer.
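As an added illustration of the bug class Ormandy describes, and not Symantec's code or the actual CVE-2016-2208 defect, the following C program contrasts a toy run-length unpacker that bounds its output by the size claimed in the packed file's own header with one that bounds it by the buffer the scanning engine actually allocated. The packed format, the 16-byte engine buffer and the sample packed file are all constructed for the demonstration, and the "adjacent memory" is modelled inside one 64-byte backing array so the overwrite can be observed without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed packed-section format (for illustration only; this is not ASPack):
 *   bytes 0..3 : declared unpacked size, little-endian (attacker-controlled)
 *   bytes 4..  : run-length pairs (run length, byte value) until the input ends
 */
#define HDR_LEN 4

static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable decoder: output is bounded by the size the *file* claims, not by
 * the capacity of the buffer the engine allocated. A file whose header declares
 * more than out_cap makes the copy run past the end of the buffer. */
size_t unpack_trusting_header(const unsigned char *in, size_t in_len,
                              unsigned char *out, size_t out_cap) {
    (void)out_cap;                         /* real capacity ignored: the bug */
    if (in_len < HDR_LEN) return 0;
    uint32_t declared = read_le32(in);
    size_t written = 0;
    for (size_t i = HDR_LEN; i + 1 < in_len; i += 2) {
        unsigned run = in[i], val = in[i + 1];
        for (unsigned r = 0; r < run && written < declared; r++)
            out[written++] = (unsigned char)val;   /* overflows when declared > out_cap */
    }
    return written;
}

/* Hardened decoder: the header is only a hint. A header larger than the buffer
 * is rejected up front, and every write is checked against the declared size,
 * which is now known to fit. Returns 0 on success, negative on error. */
int unpack_checked(const unsigned char *in, size_t in_len,
                   unsigned char *out, size_t out_cap, size_t *out_len) {
    if (in_len < HDR_LEN) return -1;
    uint32_t declared = read_le32(in);
    if (declared > out_cap) return -2;     /* reject, do not silently truncate */
    size_t written = 0;
    for (size_t i = HDR_LEN; i + 1 < in_len; i += 2) {
        unsigned run = in[i], val = in[i + 1];
        for (unsigned r = 0; r < run; r++) {
            if (written >= declared) return -3;  /* stream longer than the header claims */
            out[written++] = (unsigned char)val;
        }
    }
    *out_len = written;
    return 0;
}

/* Constructed sample: header claims 32 bytes; two runs of 16 'A' and 16 'B'. */
static const unsigned char sample_packed[] = { 32, 0, 0, 0, 16, 'A', 16, 'B' };

/* The engine "allocated" the first 16 bytes of a 64-byte backing array; the
 * remaining 48 bytes stand in for whatever sits next to the buffer in memory.
 * Returns how many bytes the vulnerable decoder wrote past the 16-byte buffer. */
size_t demo_overflow_bytes(void) {
    unsigned char backing[64];
    memset(backing, 0, sizeof backing);
    size_t written = unpack_trusting_header(sample_packed, sizeof sample_packed, backing, 16);
    size_t spilled = 0;
    for (size_t i = 16; i < sizeof backing; i++)
        if (backing[i] != 0) spilled++;
    return written == 32 ? spilled : 0;    /* expected: 16 */
}

/* Same file, same 16-byte buffer, hardened decoder: header rejected (-2). */
int demo_checked_rejects(void) {
    unsigned char buf[16];
    size_t n = 0;
    return unpack_checked(sample_packed, sizeof sample_packed, buf, sizeof buf, &n);
}

/* Same file with a buffer that really is large enough: decodes cleanly. */
int demo_checked_accepts(void) {
    unsigned char buf[32];
    size_t n = 0;
    int rc = unpack_checked(sample_packed, sizeof sample_packed, buf, sizeof buf, &n);
    return (rc == 0 && n == 32 && buf[0] == 'A' && buf[31] == 'B') ? 1 : 0;
}

int main(void) {
    printf("vulnerable decoder wrote %zu bytes past the 16-byte buffer\n", demo_overflow_bytes());
    printf("hardened decoder on the same file returned %d\n", demo_checked_rejects());
    return 0;
}
```

The point of the contrast is where the bound comes from: the vulnerable version lets the untrusted file dictate how much gets written, while the hardened version trusts only the size the engine itself knows. In a user-mode sandbox the same overwrite would crash one low-privilege process; in a kernel-mode engine, as Ormandy notes above, it corrupts kernel memory.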
"An attacker could easily compromise an entire enterprise fleet using a vulnerability like this," Ormandy writes. "Network administrators should keep scenarios like this in mind when deciding to deploy anti-virus, it's a significant tradeoff in terms of increasing attack surface."
Ormandy has long warned that anti-virus and other security programs often contain devastating flaws, and he has found issues in a range of products from vendors such as Kaspersky Lab, ESET, FireEye, Avira and Sophos. His research over the past couple of years has echoed what security analysts have said for some time: that security products may in some cases actually be the Achilles' heels of systems (see Yes Virginia, Even Security Software Has Flaws).
- Details
- Category: Security News
Breach Preparedness , Data Breach
Special Agent Dan Wierzbicki on Cyber Threat Education

In recent months, the FBI has been more frequently issuing "flash alerts" about emerging cyber threats because it wants to "get information out as fast as possible," says Dan Wierzbicki, an FBI special agent in Chicago.
Wierzbicki acknowledges some of these alerts, such as one about ways to mitigate risks associated with CEO fraud, have been criticized by some security experts as lacking in appropriate detail, and he welcomes feedback. "Companies that are seeing this [cyber threat] activity ... might have different suggestions or better suggestions than what we provide," he says.
In a video interview at Information Security Media Group's recent Chicago Fraud and Breach Prevention Summit, Wierzbicki also discusses:
- Why CEO fraud and ransomware are top-of-mind for law enforcement;
- How organizations can submit feedback and suggestions about threat intel and cyber risk advice; and
- Why sharing threat information with law enforcement in a timely way is so important in the battle against cybercrime.

Wierzbicki is a supervisory special agent within the criminal and national security cyber investigations division at the FBI's Chicago office.
- Details
- Category: Security News
Anti-Malware , Fraud , Technology
Meanwhile, Ukrainian Bank Reports $10 Million Theft via SWIFT
Note: This story has been updated with comment from ISACA International.
The central bank of Bangladesh has opted to not extend a contract with the incident response team that it hired to investigate the theft of $81 million in February. Meanwhile, an unnamed bank in the Ukrainian capital of Kiev reportedly suffered a $10 million heist after attackers transferred funds via fraudulent SWIFT messages, as was the case in the Bangladesh heist.
The attack against Bangladesh Bank, which targeted its account at the Federal Reserve Bank of New York, involved sending fraudulent messages via the SWIFT interbank messaging system, backed by custom-built malware that infected the bank's systems and hid evidence of the attacks. SWIFT, formally known as the Society for Worldwide Interbank Financial Telecommunication, is a Brussels-based cooperative owned by 3,000 banks that maintains a messaging system used by 11,000 banks.
Last week, the Bangladesh Bank board met and ratified an earlier decision to not extend the contract it had signed with FireEye's Mandiant division, which had requested 570 hours of additional work to complete its investigation into the heist, Reuters reports.
"It was a unanimous decision," a director of Bangladesh Bank, Jamaluddin Ahmed, tells Reuters. The news service reports that Mandiant had been paid $280,000 for about 700 hours of work and that the high price tag associated with its services was a big factor in the bank opting to not renew the contract. Ahmed reportedly said that the bank is continuing to improve its information security program and defenses and may bring in outside cybersecurity experts again to help (see Bangladesh Eyes Insider Angle for SWIFT Bank Attack).
A Bangladesh Bank spokesman didn't immediately respond to a request for comment on that report. But spokesmen for both the bank as well as the Federal Reserve have previously said that they're continuing to probe the attack and attempt to identify the perpetrators (see Federal Reserve Watchdog Probes Banks' Cybersecurity).
A FireEye spokesman tells Information Security Media Group that the company has provided extensive information relating to the attack to Bangladesh Bank as well as other financial institutions. "We have uncovered and provided Bangladesh Bank and the global financial community extensive data about this unprecedented financial attack and how to prepare for the future and will continue to support law enforcement and the industry past the close of our engagement," he says. "It is important to note that the pricing and duration of our investigative work is unique to every incident."
Ukrainian Bank Heist Nets $10 Million
Meanwhile, investigators in Kiev say that a Ukrainian bank, which they have declined to name, lost $10 million after hackers infiltrated the bank's network and transferred the money via SWIFT, the Kiev Post reports.
The newspaper reports that the heist is being investigated by the Kiev chapter of the Information Systems Audit and Control Association, and that it's very likely that the attackers have employed similar tactics to steal money from other Ukrainian banks, according to Aleksey Yankovsky, head of ISACA's Kiev chapter.
"Banks now are not sharing such information at all and are afraid of publicity," Yankovsky tells the Kiev Post.
But ISACA International dismissed any suggestion that ISACA was involved in the investigation, saying that some ISACA members who are security consultants were hired, but "through their own organizations."
@BrianHonan @euroinfosec ISACA isn't involved. Consultants were hired through their own organizations. Some are members of the Kyiv Chapter.
A statement provided by incident responders to the Kiev Post notes that the heist may be part of a much larger series of attacks - although it has released no additional information to back up that assertion. And it says attackers likely conducted months' worth of reconnaissance before attempting to submit fraudulent SWIFT messages and route bank funds to attacker-controlled offshore accounts.
"At the current moment, dozens of banks (mostly in Ukraine and Russia) have been compromised, from which has been stolen hundreds of millions of dollars," the statement says.
Heist Follows Malware-Enabled SWIFT Fraud
A series of recent bank heists or attempted heists - affecting not just Bangladesh Bank, but also Vietnam's TPBank and Banco del Austro in Ecuador - used malware, disguised as a PDF reader, to help hide attackers' fraudulent SWIFT transfers (see 5 SWIFT Cyber Heist Investigations).
But it's not yet clear if the Ukrainian bank heist involved the same malware or was the work of the same hackers that attacked Bangladesh Bank.
Threat-intelligence firm iSight Partners, which is a FireEye division, notes that the Ukraine hack attacks may be the work of a different cybercrime gang that used malware to steal an estimated $25.5 million from Russian bank accounts. The gang was recently disrupted by Russia's Federal Security Service, although when it comes to the attacks ascribed to that gang, and the $10 million Ukrainian bank heist, "we have not yet definitely established the incidents are the same," iSight Partners says (see Russian Police Bust Alleged Bank Malware Gang).
In the Russian and Ukrainian bank hacks disrupted by Russia's FSB, which came to light earlier this month, the gang allegedly compromised not just Russian banks but also Ukrainian ones "via spear-phishing, used multiple tools to move laterally within their networks, and performed fraudulent SWIFT transactions," iSight Partners says. "We believe the attackers are distinct from those responsible for the bank compromise cases in Bangladesh and Vietnam."
SWIFT Launches Security Program
As more hack attacks and cases involving fraudulent SWIFT messages have come to light, SWIFT has responded by promising to offer more education to users and to facilitate better sharing of attack-related information (see SWIFT to Banks: Get Your Security Act Together).
The board of SWIFT met on June 9 and approved the new five-point customer security program and promised to begin funding it and "to actively oversee the program and assess incremental financial needs this year and next," according to a statement issued by SWIFT (see SWIFT Promises Security Overhaul, Fraud Detection).
"The industry's security is a top priority for the cooperative," said Yawar Shah, chairman of the SWIFT board as well as chief operating officer of customer intelligence for Citibank, in a statement. "We will work closely with regulators and customers to ensure this program's success and the industry's take up of the necessary security measures. A dedicated management team has been put in place under the CEO to manage the program and actively consult and engage with the community to further define and execute the five initiatives. The board has earmarked funds for the program and will ensure it receives the right focus and investment as it moves forward."
- Details
- Category: Security News
Breach Preparedness , Continuous Monitoring , Data Breach
Advice on Guarding Against Stolen Credentials Misuse and Related Risks
As many as 250,000 credentials for Remote Desktop Protocol servers around the world may have been offered for sale on the now-shuttered xDedic cybercrime marketplace. If an organization suspects credentials to servers may have been traded by cybercriminals, what can they do to mitigate related risks and avoid a major network intrusion?
Security experts advise information security professionals to take several important steps that go far beyond simply changing credentials. For example, they should urgently scan all publicly listed IPs for open RDP or SSH ports and close them, in addition to carefully monitoring their networks for unusual behavior.
Kaspersky Lab described the credential exposure in a June 15 blog. In a follow-up June 20 blog, the security firm explained why the number of credentials exposed could be higher than originally estimated (see: Compromised RDP Server Tally From xDedic May Be Higher).
Kaspersky is advising organizations to check with their local CERT for information on whether their credentials were exposed on xDedic.
Even though the xDedic marketplace has been shut down, many criminals could still have access to the credentials that were offered for sale for as little as $6 each, says Vitaly Kamluk, Kaspersky Lab's principal security researcher for APAC. And that means thousands of organizations could be vulnerable to hacker attacks.
Implications of Stolen Credentials
If attackers have access to an RDP server credential, they could try to use it to quickly establish a foothold in the network and compromise additional servers, establishing a "beachhead" before these credentials get revoked.
Even if credentials for just one server from an organization were listed on xDedic, it's likely that nearly every server in that organization's DMZ network could be compromised by hackers using those credentials, says K.K. Mookhey, founder and principal consultant at NII Consulting in India. That's because in typical setups, security controls exist between network segments and not within each segment.
Deeper penetration is also likely where the DMZ barrier can be crossed through the traffic allowed between the DMZ and the internal server segment, Mookhey says. "There is really no practical purpose to allow an RDP port to be accessible on a public IP address, and my first step would be to scan for and close public facing RDP & SSH ports," he says.
Sahir Hidayatullah, CEO of the Mumbai-based security firm Smokescreen, says such lateral movement is indeed a major concern. "The attackers will move laterally off the compromised system extremely quickly and try to establish multiple command-and-control channels as they know they will likely lose the initial access," he says.
Detecting this lateral movement is difficult if the attackers don't move between network segments because the IDS/IPS sensors that are located between segments won't get triggered, Hidayatullah explains.
Attackers also may make attempts to escalate privileges, which means any other accounts that logged into the system should also be considered at risk, he adds.
Even worse, just de-authorizing the compromised credentials or cutting off access could signal to the attackers that they've been discovered. Then they might attempt to operate in stealth mode, making them harder to detect. Or they might even avoid the environment for a time, returning after the security team believes the breach has been resolved, Hidayatullah says.
In the meantime, the attackers may try to sniff out other credentials that will enable them to return via a legitimate channel, VPN for instance, and ditch the RDP route altogether, at which point the organization has very little hope of pinpointing them, Hidayatullah says.
RDP & SSH brute force attacks have been prevalent for the last 18 months, largely due to poor passwords and failure to restrict RDP services, says Shomiron Das Gupta, founder at Indian security services firm Netmonastery. Such attacks can permit the intruders to install backdoors and complete code drops for APT-style attacks, he says.
Remediating RDP-driven Compromises
Experts say organizations can take several steps to remediate the risk stemming from stolen RDP credentials. In addition to closing RDP and SSH ports, organizations should:
- Monitor for unusual behavior. Attacker movement can be difficult to pinpoint, even with the right tools. Look for unusual behavior and strange access patterns - out-of-office-hours use, for instance, Hidayatullah advises. Also, look for newly created accounts on other systems on the same network segment and any other areas the attackers may have accessed (see: Role Based Behavior Analytics - Patterns and Anomalies in User Behavior as Indicators of Attack).
- Mandate two-factor authentication. Remote access should be via VPN and require two-factor authentication. For organizations complying with PCI DSS, this is mandatory in any case, Mookhey notes.
- Adopt strong password policies. Monitor for weak passwords and password reuse. This is one of the major causes of these kinds of attacks today, Das Gupta says.
- Implement privileged ID management. This can help prevent one server compromise from leading to other compromises through shared administrator/root account credentials.
- Use deception and decoys. Deception technology and commercial honeypot systems are effective in picking up intruders' activities, Hidayatullah says. "The attacker hits the decoy systems both during the brute force process and in the lateral movement phase. Deploying decoys in DMZ networks has shown so much value that it's pretty much the first thing we recommend now," he says. Decoy credentials, which can be left on systems around the network to be discovered by attackers, are also helpful. "This way, when an attacker compromises a system and then tries to escalate privileges, they encounter the decoy credentials that trigger when used," Hidayatullah explains.

Pinpointing attacker movement in the initial phases of such attacks is essential, and honeypots and other sensors are becoming an increasingly valuable source of intel, experts say.
Mookhey also recommends the use of open-source big data setups such as ELK (Elasticsearch, Logstash, Kibana) to visualize and analyze raw data and mine it for security intelligence. And he suggests that organizations run red team attacks on their environments at least annually to help determine if they can detect when a privileged ID is being misused.
- Details
- Category: Security News
What are the privacy, cybersecurity and data protection implications of Britain's vote to exit the European Union? This edition of the ISMG Security Report kicks off with an analysis of Britain's surprise referendum result to "Brexit" the EU and details the likely cybersecurity, cybercrime intelligence-sharing and privacy repercussions.
You'll also hear (click on player beneath image to listen):
- A report by Jeremy Kirk, ISMG managing editor for security and technology, on why digital certificate giant Comodo was in hot water over its move to trademark the phrase "let's encrypt."
- A discussion with Varun Haran, ISMG associate editor, about the implications of the now-shuttered xDedic cybercrime marketplace selling access credentials for as many as 250,000 Remote Desktop Protocol servers around the world.
- Why Facebook CEO Mark Zuckerberg tapes over his webcam when not in use, and why you should too.

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our June 21 and June 24 reports, which respectively analyze the new ransomware threat posed by JavaScript, and the steps the U.S. federal government took to nab 301 individuals - including physicians, pharmacists and nurses - for Medicare and Medicaid fraud. The next ISMG Security Report will be posted Friday, July 1.
Theme music for the ISMG Security Report by Ithaca Audio under Creative Commons license.