
Android Trojanized Adware 'Shedun' Infections Surge

Category: Security News

Anti-Malware, Bring Your Own Device (BYOD), Endpoint Security

Researchers Say Malware Generates $300,000 Monthly for Chinese Gang

Mathew J. Schwartz (euroinfosec) • July 8, 2016

Security firms are warning that they've seen a spike in infections tied to a virulent strain of trojanized Android adware. Known as Shedun, the malware can root smartphones, survive factory resets and install additional applications, and is a reminder of the need to install and run anti-malware software on any Android device.


"Shedun is trojanized adware that roots Android devices, masquerading as legitimate apps such as Facebook, Twitter, WhatsApp and Okta's enterprise single sign-on app," says Kristy Edwards, director of security product management at mobile security firm Lookout, in a blog post.

Shedun, which first appeared in August 2015, is also known as GhostPush, HummingBad, Hummer, AndroidOS_libskin, as well as by the name of the malicious Android .APK executable file itself, which is right_core.

Researchers at security vendor Check Point Software Technologies say that they've traced HummingBad - its preferred name for the malware - to a gang of Chinese cybercriminals associated with mobile ad server company Yingmob, based in Chongqing, which is a major city in southwestern China. In a recent report, the researchers say that after a five-month investigation, they found that the gang "runs alongside [the] legitimate Chinese advertising analytics company, sharing its resources and technology," and includes "25 employees that staff four separate groups responsible for developing HummingBad's malicious components."

Android Adware: Lucrative

Business appears to be booming for Yingmob and other cybercrime-associated groups that develop similar types of malware. In the past month, Lookout says it has seen a sixfold increase in the number of Shedun infections affecting devices. "We believe this is attributable to the authors building new functionality or distributing the malware in new ways," Edwards says.

Check Point says that Shedun earns Yingmob $300,000 per month, and that the gang currently has control of 10 million infected Android devices around the world. Researchers estimate that of the 200 applications that HummingBad ties into and manages, using a tracking and analytics service called Umeng, 25 percent are malicious.

Embedded tweet, July 8, 2016: "Shedun detections spiked over 300% in March, and further spiked over 600% in the past month." Source: @Lookout pic.twitter.com/DWAX8A24Fz

Meet Shuanet, ShiftyBug, BrainTest

Shedun isn't the only player in town. Lookout says the adware is very similar to three other malware families - Shuanet, ShiftyBug and BrainTest - each of which is tough to kill. "Shedun and the related families follow a particular pattern - they are adware that silently roots devices, allowing them to remain persistent even if the user performs a factory reset," Lookout's Edwards says. "Shedun also uses its root privileges to install additional apps onto the device, further increasing ad revenue for the authors and defeating uninstall attempts."

Security experts say that the impetus for installing trojanized adware onto Android smartphones is simple: money. In many cases, this income gets generated by pushing attacker-controlled advertising to trojanized apps, but that's not the only potential revenue stream for attackers. For example, the developers behind BrainTest, who also seem to be operating from China, appear to be selling guaranteed application installations to other developers, thus also generating income for those developers, Chris Dehghanpoor, a senior security analyst at Lookout, says in a blog post.

Industrialized Adware

In November 2015, Michael Bentley, head of research and response at Lookout, warned in a blog post that these trojanized adware families were being distributed on an industrial scale, with the greatest number of related infections being seen in the United States, followed by Germany, Iran, Russia and India.

The malware is often included in a "free" version of a popular, paid application that gets repackaged by attackers. Unlike many previous types of Android malware, which involved little more than giving malware the name and icon associated with a real app, these malware families often do provide the real application, but at a cost.

"Malicious actors behind these families repackage and inject malicious code into thousands of popular applications found in Google Play, and then later publish them to third-party app stores," Bentley said. "Indeed, we believe many of these apps are actually fully functional, providing their usual services, in addition to the malicious code that roots the device."

Enterprise Implications

Trojanized adware is a nuisance for consumers, of course, who may be driven to discard their device and start over. But it's an especial worry for businesses, since adware subverts device permissions and theoretically gives attackers access to anything on the mobile device.

"For enterprises, having rooted devices on the network is a concern, especially if those devices were rooted by a repackaged version of a legitimate and popular enterprise app," Lookout's Bentley says. "In this rooted state, an everyday victim won't have the proper interface to control what apps on the phone request root access. The problem here is that these apps may gain access to data they shouldn't have access to, given their escalated privileges."

Embedded tweet, July 8, 2016: Top 20 countries targeted by trojanized adware Shedun. Source: @CheckPointSW pic.twitter.com/TjnFWCpSBm

Life After Trojanized Adware

The problem with malware that can flash a device and survive factory resets is that unless it gets blocked outright by an anti-virus app running on the device - before the malware gets a chance to install itself - it's tough to eliminate.

But nuking trojanized adware such as Shedun isn't impossible. Lookout's Dehghanpoor recommends that users "backup anything on their device they would like to save, and then re-flash a ROM supplied by the device's manufacturer."


Cisco Eyes Ties Between Angler and Lurk Malware

Category: Security News

Anti-Malware, Fraud, Technology

Russia's Arrests of Lurk Gang Likely Took Bite Out of Crime

Jeremy Kirk (jeremy_kirk) • July 8, 2016

Cisco's Talos research unit says it has found evidence of ties between operators of the Angler exploit kit and a group of Russians that used the Lurk malware to loot banks in the country.


The finding may help explain why the Angler exploit kit effectively disappeared after Russia arrested 50 people for allegedly pilfering 1.7 billion rubles ($25.5 million) from several Russian financial services firms over a five-year period using Lurk (see Russian Police Bust Alleged Bank Malware Gang).

Computer security experts suspected that the sudden drop-off in attacks using Angler - which until early June was one of the most popular for-rent kits for hacking large numbers of computers - might have been linked with the arrests. But Russia hasn't revealed much about its investigation, leaving room for speculation (see Did Russia Put Angler Out of Business?).

Digging further, Cisco says it found that a single common email address was used to register around 85 percent of the 125 domains linked to Lurk's command-and-control infrastructure.

"This particular registrant account was of interest because of its role in the back-end communication of Angler," writes Nick Biasini, a threat researcher at Talos.

The email address was also linked to command-and-control infrastructure for Bedep, which was often the first payload dropped by Angler after a successful attack. Bedep was then used to download other types of malware.

One of the Most Significant Cybercrime Arrests?

After Angler disappeared following the arrests, observers also noticed that the Necurs botnet went offline. Necurs was "widely considered the largest botnet in the world" and was instrumental in distributing the Locky ransomware and the Dridex banking malware.

Talos also found two command-and-control domains linked to Necurs that used the same email account. Necurs only went down for about three weeks, however, and has resumed distributing Locky and Dridex.

When buying a domain name, purchasers must supply contact information, and cybercriminals invariably submit bogus data. Still, even false information can be useful for cybercrime analysts if the same information is reused.

The finding of a single, common email address can be an indicator that seemingly separate activities may be linked. Cybercriminals often get lazy and don't thoroughly scramble every digital trail left. Even if the information is totally false, it can still be useful.
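The registrant-reuse pivot described above is easy to make concrete. The following is an added example, not Talos's code or data: it takes a constructed list of WHOIS-style records (domain, registrant email) plus a constructed mapping of each domain to the malware family it has been attributed to, clusters the domains by normalized registrant email, reports which registrant dominates the set, and flags any registrant whose domains span more than one family, which is exactly the kind of overlap that links otherwise separate infrastructure. All domains, addresses and family labels here are placeholders.

```python
from collections import Counter, defaultdict

# Constructed WHOIS-style registration records (domain, registrant email).
# These are placeholders, not the domains or address from the Talos report.
SAMPLE_REGISTRATIONS = [
    ("c2-a.example", "Registrant-One@example.invalid"),
    ("c2-b.example", "registrant-one@example.invalid"),
    ("c2-c.example", "registrant-one@example.invalid "),
    ("c2-d.example", "other@example.invalid"),
    ("payload-1.example", "registrant-one@example.invalid"),
    ("botnet-x.example", "registrant-one@example.invalid"),
    ("botnet-y.example", "third@example.invalid"),
]

# Constructed attribution of each domain to a malware family.
SAMPLE_FAMILIES = {
    "c2-a.example": "Lurk",
    "c2-b.example": "Lurk",
    "c2-c.example": "Lurk",
    "c2-d.example": "Lurk",
    "payload-1.example": "Angler",
    "botnet-x.example": "Necurs",
    "botnet-y.example": "Necurs",
}


def normalize_email(addr):
    """Case and whitespace differences are common in WHOIS dumps; fold them
    so the same registrant is not counted as several."""
    return addr.strip().lower()


def cluster_by_registrant(records):
    """Map each normalized registrant email to the set of domains it registered."""
    clusters = defaultdict(set)
    for domain, email in records:
        clusters[normalize_email(email)].add(domain)
    return clusters


def dominant_registrant(records):
    """Return (email, share) for the registrant that appears most often,
    where share is the fraction of all records carrying that address."""
    counts = Counter(normalize_email(email) for _, email in records)
    email, n = counts.most_common(1)[0]
    return email, n / len(records)


def cross_family_registrants(records, families):
    """Registrants whose domains are attributed to more than one malware
    family. A single address spanning families is the pivot that suggests
    a shared operator, even when the registrant data itself is bogus."""
    result = {}
    for email, domains in cluster_by_registrant(records).items():
        fams = {families[d] for d in domains if d in families}
        if len(fams) > 1:
            result[email] = sorted(fams)
    return result


if __name__ == "__main__":
    email, share = dominant_registrant(SAMPLE_REGISTRATIONS)
    print(f"dominant registrant: {email} ({share:.0%} of records)")
    for email, fams in cross_family_registrants(SAMPLE_REGISTRATIONS, SAMPLE_FAMILIES).items():
        print(f"{email} spans families: {', '.join(fams)}")
```

The design point is the normalization step: a false registrant address is still a useful key only if every copy of it hashes to the same bucket, so case folding and whitespace stripping happen before counting.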

Biasini writes there's no way to be certain that all of the threats are connected. But if there is a connection, "this will likely go down as one of the most significant arrests in the history of cybercrime with a criminal organization that was easily earning hundreds of millions of dollars."

Angler 'Not Dead Yet'

Andrew Komarov, chief intelligence officer at InfoArmor, says Angler isn't dead just yet. The main actors are still around and have opted to withdraw the commercial version of Angler from the market given the arrests. A closely held version is still active.

"[The] Angler EK actors have changed their tactics, and concentrated on more private operations," he says.

Meanwhile, those behind the Neutrino exploit kit have stepped into the void. Komarov said that group has raised its price to $7,000 per month. A new "Waves" module for Neutrino can detect if it is attacking a computer running a virtual machine or certain kinds of security software or sandboxes, which causes an attack to stop, he says.

"It is pretty advanced technology, which shows that they are concerned about [researchers or police] tracking them and their infrastructure," Komarov says.


Wendy's Hackers Took a Bite Out of 1,000+ Restaurants

Category: Security News

Data Breach, Fraud

Investigators Identify Two POS Malware Attack Waves

Jeremy Kirk (jeremy_kirk) • July 8, 2016

Fast-food chain Wendy's says a cyberattack that stole payment card details affected 1,025 U.S. restaurants owned by franchisees, a far higher figure than first estimated.


In May, Wendy's said fewer than 300 restaurants had been affected by the breach, which saw malware installed on point-of-sale systems. But on June 9, it said additional variants of the malware had been discovered, indicating a deeper breach.

Wendy's has created an online tool where patrons can check if a restaurant they visited was affected by the attacks, with search fields for the state and city.

A search showed customer payment details in some locales were at risk as late as June 10. But the systems are now clean.

"Working with our cybersecurity investigators, the malware has been disabled where it was found," says Bob Bertini, Wendy's senior director of corporate communications, via email.

Two Waves of Attacks

The company appears to have fought a long battle against the hackers since late January, when card issuers began noticing fraud patterns linked to payment cards used at its restaurants (see 'Where's the Breach?').

"We had two waves of attacks, both starting in the fall," Bertini says.

The first wave of malware was disabled in March, and the second wave - discovered in May - was cleaned up last month, Bertini says.

The finding of a second wave of malware shows how hard it can be for breached entities to figure out the extent of a compromise, says Avivah Litan, a financial fraud expert and analyst at the consultancy Gartner.

"This comes as no surprise because Wendy's is not in business to audit its systems beyond what PCI requires, and stealthy criminals don't leave many traces of their activities," Litan says. "This lack of effective auditing and monitoring is also why the breach went on so long unnoticed."

The data exposed included Track 1 and Track 2 data, which contain an account holder's name, the primary account number, expiration date, and service and verification codes.

In May, Wendy's said the malware infected one type of POS system, which it did not identify. The attacks did not affect restaurants that use NCR Aloha POS, which is installed at locales directly owned by the company and in the majority of franchises. Wendy's has about 5,500 franchises in North America.

Compromise via Third-Party Credentials?

The cybercriminals are believed to have used access credentials from other service providers that had access to Wendy's systems in order to deploy malware on franchisees' POS systems, writes Wendy's CEO and President Tom Penegor in a statement.

That has been a common technique employed by cyberattackers. Rather than directly targeting an organization, hackers often find weaknesses in the networks of suppliers that have access to their clients' networks.

Target's attackers, for instance, gained access to the retailer through a contractor called Fazio Mechanical Services, which installs refrigeration systems for grocery stores (see Target Vendor Acknowledges Breach).

The contractor maintained a data link with Target for billing and project management purposes. Target suffered a loss of 40 million payment cards and 70 million other records, setting off a years-long chain of lawsuits and legal grief (see Target, Visa Reach Breach Settlement).

The type of malware typically installed on a POS system by an attacker is known as a RAM scraper. The malware collects unencrypted payment card details from a computer's memory immediately after a card is swiped. The unencrypted payment card information sits only briefly in memory, but for long enough to be collected by the malware.
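What a RAM scraper is looking for is the magnetic-stripe track data described earlier in the article, and the same structure is what a defender's monitoring or DLP rule looks for in memory dumps, outbound traffic or malware staging files. The following is an added example, not code from the article or from any of the vendors it quotes: it scans a constructed buffer for Track 1 and Track 2 records, discards candidates whose account number fails the Luhn check (which removes most false positives from random digit runs), and returns masked findings suitable for an alert. The sample buffer and the test card numbers in it are constructed for the example.

```python
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)

# Constructed memory snapshot: POS noise, one Track 1 record, two Track 2
# records with Luhn-valid test PANs, and one decoy whose PAN fails Luhn.
SAMPLE_MEMORY = (
    "garbage\x00\x00POS terminal v2 ready\x00"
    "%B4111111111111111^DOE/JANE^25121011000000000000?"
    "\x00\x00;4111111111111111=25121011000000000000?\x00"
    "decoy ;1234567890123456=2512101000000?"
    "\x00;5555555555554444=27031011234500000000?"
)


def luhn_valid(pan):
    """Luhn (mod 10) check digit validation, as used on payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six (issuer) and last four digits, as a receipt would,
    so an alert never carries a full card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf):
    """Return masked Track 1 / Track 2 findings whose PAN passes Luhn.
    Track 1 hits are listed first, then Track 2, each in buffer order."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        if luhn_valid(m.group("pan")):
            hits.append({"track": 1, "pan": mask_pan(m.group("pan")),
                         "name": m.group("name"), "exp": m.group("exp"),
                         "offset": m.start()})
    for m in TRACK2_RE.finditer(buf):
        if luhn_valid(m.group("pan")):
            hits.append({"track": 2, "pan": mask_pan(m.group("pan")),
                         "exp": m.group("exp"), "offset": m.start()})
    return hits


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

The Luhn filter is what makes such a rule usable in practice: a bare "13 to 19 digits" pattern fires on timestamps, serial numbers and terminal IDs, while a well-formed track record with a valid check digit almost never occurs in POS memory except as swiped card data.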

The seemingly nonstop spate of payment card breaches in recent years has prompted many U.S. retailers to speed their transition to accommodate EMV cards, which have a microchip that cryptographically signs transactions. But EMV doesn't provide a defense against RAM-scraping attacks, according to a white paper from Trend Micro.

Instead, EMV makes captured card data harder to use. If criminals try to clone a payment card by copying stolen payment data, the network should recognize that the card doesn't have the microchip and deny the transaction. But the stolen data could still be used for card-not-present transactions, and regions where payment cards have microchips have typically seen that type of fraud rise.

Nonetheless, due in part to a strong push by the card brands and a liability shift that took effect last October, many U.S. retailers are moving to EMV.

Wendy's Faces Lawsuits

Wendy's breach has already attracted lawsuits. In February, First Choice Federal Credit Union filed a class-action lawsuit in a Pennsylvania federal court alleging that the breach was the "inevitable result of Wendy's pervasive and inadequate approach to data security." The suit seeks compensation for breach-related expenses (see Suit Against Wendy's Cites Lack of EMV).

Ironically, Wendy's has been engaged in a four-year push to upgrade its POS systems, but some franchisees have resisted. In December 2014, Wendy's filed a lawsuit against DavCo., one of its largest franchisees, in part for not moving fast enough to install the NCR Aloha POS system.

DavCo. countered "that the new POS system has been fraught with serious technical and operational problems, and that Wendy's has acknowledged such problems," according to the First Choice Federal Credit Union complaint. DavCo. further alleged that at one point Wendy's indefinitely suspended most installations of Aloha.


Anti-Virus Ruckus; Real Impact Over Hillary's Email Server

Category: Security News

A bitter battle flares up in the fiercely competitive endpoint protection products market, and uncovering the real impact over Hillary Clinton's email server. These items highlight this edition of the ISMG Security Report.


The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our July 1 and July 5 reports, which respectively analyze the hacker who calls himself "The Dark Overlord," who has been stealing healthcare databases and then attempting to ransom them back to victim organizations in exchange for bitcoins, and the latest victim of hackers making fraudulent SWIFT transfers. The next ISMG Security Report will be posted Tuesday, July 12.

Theme music for the ISMG Security Report by Ithaca Audio under Creative Commons license.


Omni Hotels & Resorts Hit by Hacker

Category: Security News

POS Malware Reportedly Harvested More Than 50,000 Cards

Mathew J. Schwartz (euroinfosec) • July 11, 2016

Photo: Omni Rancho Las Palmas Resort & Spa in California

Omni Hotels & Resorts warns customers that hackers infiltrated its networks and for six months used point-of-sale malware to siphon off payment card data.


In a July 8 notice posted on its website, the Dallas-based luxury hotel chain said that it first learned of the data breach on May 30; it doesn't say how. Related malware infections began at some properties on Dec. 23, 2015, and lasted up to June 14, the hotel says.

Omni runs 46 properties in the United States, plus two each in Canada and Mexico. Its data breach notification does not detail how many of those properties were hacked or how many customers had their payment card details compromised by attackers.

"The malware was designed to collect certain payment card information, including cardholder name, credit/debit card number, security code and expiration date," Omni says in its breach notification. "Upon learning of the intrusion, we promptly engaged leading IT investigation and security firms approved by the major credit card companies to determine the facts and contain the intrusion. The issue has been resolved, and we have taken steps to further strengthen our systems. We have contacted law enforcement and are cooperating with its investigation."

Omni Hotels couldn't be immediately reached for comment on which cybersecurity firms it hired or how many customers may have been affected.

But Andrei Barysevich, director of Eastern European research and analysis for Flashpoint - a company that specializes in cybercrime intelligence - tells The Wall Street Journal that related fraud was first spotted in February after a hacker called JokerStash began selling more than 50,000 payment cards stolen from Omni Hotels on underground forums.

Barysevich said Flashpoint has been helping payment card issuers and payment processors investigate the Omni breach. JokerStash regularly works with other hackers, who continue to refine their POS malware, he added. "They have a very sophisticated operation going on," he told the newspaper.

Investigators: Only Payment Cards Compromised

Based on the investigation to date, Omni says the hack attack only appeared to lead to POS malware infections and apparently did not touch any other systems housing customers' personally identifiable information or payment card data. "Accordingly, if you did not physically present your payment card at a point-of-sale system at one of the affected Omni locations, we do not believe your payment card was affected," the notification reads. "Additionally, there is no evidence that other customer information, such as contact information, Social Security numbers or PINs, were affected by this issue."

The company's breach announcement arrives less than two weeks after Omni Hotels announced that it had hired Ken Barnes, an IT executive with extensive experience in the hospitality industry, to serve as its CIO.

Omni didn't immediately respond to a request for comment about whether it previously employed a CIO, and if so, if the departure of that individual was tied to the data breach.

Identity Theft Cleanup Service Offered

Omni Hotels says that potentially affected customers can receive prepaid identity theft cleanup assistance until July 8, 2017, from AllClear ID. That service says it helps identity theft victims clean up any mess that results from their personal details and payment card data having been stolen and used to commit fraud.

As with most data breaches, however, it's largely up to consumers to spot any related fraud and attempt to recover fraudulent charges. While U.S. consumer protection law stipulates that credit card holders have a maximum liability of $50 per card - though many issuers waive even that fee - no such protections exist for debit cards.

In addition, breached businesses such as Omni Hotels do not compensate customers for time spent attempting to clean up any related mess.

POS Malware Epidemic Continues

Security experts say that most POS malware infections could be prevented if hotels and retail chains segmented their networks, audited POS devices before deploying them, changed devices' default account names and passwords, and employed monitoring and anti-malware tools (see Why POS Malware Still Works).

Nevertheless, related infections continue. In the past 12 months, for example, a number of hotels have reported POS malware infections - often affecting their check-in systems, as well as restaurants and bars. Victims have included Hilton, Hyatt and Starwood Hotels and Resorts, as well as Trump Hotels, which potentially fell victim to two separate breaches.
