U.S. consumers now own about 870 million IoT devices, according to a new study from Javelin Strategy & Research. As these devices become more prolific and versatile, payment capabilities are being layered in. So how can the exploding IoT landscape be secured?
"There's such a diversity of devices, such a diversity of things they can do, that solving for security - whether that's preventing fraud or keeping the data safe, keeping the customer safe - is not an easy thing to do," says Al Pascual, Javelin's senior vice president of research. "It takes a lot of planning, a lot of forethought and some really deep consideration. The challenge, particularly for banks and payment companies, is that there's no real guidance out there."
The relatively shallow functionality of banking and payment capabilities in IoT devices is not pushing banks and payment networks to focus on security in today's apps, Pascual says in an interview with Information Security Media Group about Javelin's latest research.
"Within banking in particular, fraud and security issues are usually not addressed until something is ready to be launched or has been launched," Pascual says. "Because we're not at a point where banks are doing anything that is very risky, how do you incent them to go ahead and make these security changes?"
In this interview, Pascual also discusses:
The scale of the current IoT device landscape;
How fraud risks can be mitigated by focusing on entire device lifecycles;
Protecting an ever-expanding IoT attack surface.
Pascual is Javelin's senior vice president of research and head of fraud and security. Previously, he held risk management roles at HSBC, Goldman Sachs and FIS. He is a member of the Association of Certified Fraud Examiners, the International Association of Financial Crimes Investigators and the Federal Reserve Secure Payments Task Force.
A new campaign by the Russia-based Cobalt hacking group was observed on August 13, 2018. Cobalt is best-known for targeting financial institutions, and this campaign is no different. Two targets have been identified to date: NS Bank in Russia and Carpatica/Patria in Romania.
Cobalt has been operating since at least 2016. So far it is credited with the theft of $9.7 million from the Russian Metallinvestbank; ATM thefts of $2.18 million from Taiwan banks; a SWIFT attack on Russian banks; and more than 200 other attacks on banks in Europe, Thailand, Turkey and Taiwan. Last year it was reported that Cobalt had expanded its targeting to government, telecom/Internet, service provider, manufacturing, entertainment and healthcare organizations, often using government organizations and ministries as a stepping stone to other targets.
A common theme for Cobalt is to start with spear-phishing emails to gain the initial entry. In financial attacks, the emails usually masquerade as other financial institutions or a financial supplier/partner domain to gain the target's trust.
In an analysis of the new campaign, Netscout's ASERT researchers show numerous parallels with known Cobalt TTPs and tools -- but with one new divergence. One of the phishing emails they discovered contains two separate malicious URLs. The first points to a weaponized Word document, while the second points to a binary with a .jpg extension.
The researchers have uncovered two malware samples that connect the new campaign to Cobalt. The first is a JavaScript backdoor that shares functionality with other backdoors. The second is COOLPANTS, a reconnaissance backdoor linked to Cobalt and originally found by researcher Szabolcs Schmidt. The new report notes that COOLPANTS appears to be an evolution of CobInt -- 28 of its 57 functions match under the comparison tool Diaphora. Furthermore, COOLPANTS connects to hxxps://apstore[.]info, which Proofpoint describes as a Cobalt C2.
On 13 August 2018, ASERT found a new sample almost identical to COOLPANTS. It was compiled at the same time, on 1 August 2018. 48 of its functions match those in COOLPANTS under the 'Best Match' tab in Diaphora. This sample, however, has rietumu[.]me as its C2. Inspecting rietumu[.]me, ASERT found the email address solisariana[@]protonmail[.]com. Pivoting from this address, it found five more new domains, all created on 1 August 2018.
The domains are compass[.]plus; eucentalbank[.]com; europecentalbank[.]com; inter-kassa[.]com; and unibank[.]credit. Each one is clearly designed to masquerade as the domain of a financial services organization. The real Interkassa, for example -- and according to its genuine website -- is a payments processing firm based in Ukraine.
The researchers used the inter-kassa domain and searched for samples. They found a spear-phishing email that bears all the hallmarks of a Cobalt campaign, dated 2 August 2018. It is addressed to bulavina AT ns-bank DOT ru and sent by "Interkassa" <denis AT inter-kassa DOT com>. Interestingly, LinkedIn lists a Denys Kyrychenko as co-owner and CTO of Interkassa.
It is this email that provides two embedded malicious links. One calls a weaponized Word document with an embedded VBA script. If macros are allowed, the script generates a cmd.exe command that launches cmstp.exe with an INF file. The INF file beacons back to the C2 to download a payload that is executed by cmstp.exe.
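The macro-to-cmstp.exe chain described above is easy to spot in endpoint process-creation telemetry. The following detection logic is an added example, not code from the ASERT report; it runs over constructed Sysmon-style event records (pid, ppid, image, command line) and the sample command lines are invented for illustration.

```python
"""Flag cmstp.exe launches that load an INF file and descend from an Office app.

Added example, not from the ASERT report. Event records are constructed
Sysmon-like dicts (pid, ppid, image, command_line), not real telemetry.
"""
import re
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INF_ARG = re.compile(r"\S+\.inf\b", re.IGNORECASE)


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_cmstp_inf_chains(events: List[Dict]) -> List[Dict]:
    """Return cmstp.exe events that take an INF argument and have an Office ancestor.

    The parent chain is walked via ppid so an intermediate cmd.exe (as in the
    campaign: Word -> cmd.exe -> cmstp.exe) does not hide the relationship.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if image_name(e["image"]) != "cmstp.exe":
            continue
        m = INF_ARG.search(e["command_line"])
        if not m:
            continue
        ancestry = []
        cur = by_pid.get(e["ppid"])
        for _ in range(8):  # bounded walk: tolerate loops in malformed data
            if cur is None:
                break
            ancestry.append(image_name(cur["image"]))
            cur = by_pid.get(cur["ppid"])
        if any(a in OFFICE_APPS for a in ancestry):
            hits.append({"pid": e["pid"], "inf": m.group(0), "ancestry": ancestry})
    return hits


# Constructed sample telemetry: the macro-driven chain plus a benign
# administrative cmstp.exe run (a connection profile installed from Explorer).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "command_line": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\invoice.doc"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c cmstp.exe /s C:\Users\user\AppData\Local\Temp\update.inf"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmstp.exe",
     "command_line": r"cmstp.exe /s C:\Users\user\AppData\Local\Temp\update.inf"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmstp.exe",
     "command_line": r"cmstp.exe C:\profiles\corpvpn.inf"},
]

if __name__ == "__main__":
    for hit in find_cmstp_inf_chains(SAMPLE_EVENTS):
        chain = " <- ".join(hit["ancestry"])
        print(f"pid {hit['pid']}: cmstp.exe loaded {hit['inf']} via {chain}")
```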
The eventual JavaScript backdoor -- named 'more_eggs' -- is almost identical to the backdoor analyzed by Trend Micro this time last year and attributed to Cobalt. Both provide five commands that essentially allow attackers to take over an infected system.
These commands are d&exec (downloads and executes a PE file); more_eggs (downloads an update for itself); gtfo (deletes itself and related registry entries); more_onion (executes the 'new' copy of itself); and vai_x (executes a command via cmd). Only the last command differs between the two versions, with the earlier one having the name more_power for vai_x.
The second URL in the spear-phishing email, with a dot-jpg filename, downloads an executable rather than an image file. This also ultimately beacons to its C2 server, which was not -- at the time of analysis -- responding.
ASERT is confident that this, and another campaign discovered by Intel471 targeting Romanian carpatica[.]ro by masquerading as Single Euro Payments Area (SEPA), are both the work of the Cobalt group. Only the use of two separate infection points in one email with two separate C2s makes this campaign unusual. "One could speculate that this would increase the infection odds," comments the report -- for example, if Word macros are successfully disallowed by the target, he or she might still succumb to the disguised jpg.
"ASERT believes," says the report, "Cobalt Group will continue targeting financial organizations in Eastern Europe and Russia based on the observables in this campaign and their normal modus operandi." It is worth mentioning that Trend Micro has suggested that Cobalt starts by targeting Russia and the former USSR states to test out its methodology before moving on to European and other targets.
ASERT is the threat intelligence team of Arbor Networks, which is the security division of NETSCOUT.
Loki Bot’s operators have been targeting corporate mailboxes with their spam messages, Kaspersky Lab reports.
The emails employ various lures to trick potential victims into opening malicious attachments that would deploy the Loki Bot stealer onto the target machines. The messages masquerade as notifications from other companies, or as orders and offers.
As part of the campaign, cybercriminals have been targeting corporate mailboxes that can be obtained from public sources or which are listed on the targeted companies’ websites, Kaspersky discovered.
The spam messages attempt to deliver the malicious payload via an attached ISO file. The extension is associated with copies of optical discs that can be mounted to access their content. Modern operating systems can mount ISO files directly, but dedicated software that can handle the extension also exists.
ISO files represent complete images of optical discs, and cybercriminals are now abusing them as containers for delivering their malicious applications, it seems. Such occurrences, however, are rare, Kaspersky says.
As part of the recent campaign, the ISO files contained the Loki Bot malware, an information-stealing Trojan designed to harvest usernames and passwords from the victim machines, along with other user data.
“The malware’s key objective is to steal passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets. Loki Bot dispatches all its loot to the malware owners,” Kaspersky notes.
The new campaign proves yet again that the security measures organizations take should also include training for employees, in addition to technical protection. Employees’ actions can cause irreparable damage to a business, the security firm notes.
“Every year we observe an increase in spam attacks on the corporate sector. The perpetrators have used phishing and malicious spam, including forged business emails, in their pursuit of confidential corporate information: intellectual property, authentication data, databases, bank accounts, etc,” Kaspersky concludes.
Shanghai police said they were investigating a suspected data leak at NASDAQ-listed Chinese hotelier Huazhu Group, the local partner of France-based AccorHotels.
Huazhu, one of China’s biggest hoteliers, released a statement on Tuesday saying it had alerted police to reports that the company's internal data was being sold online, asking them to investigate.
Chinese media reports said the data included guest membership information, personal IDs, check-in records, guest names, mobile numbers, and emails.
Police in Shanghai said in a statement that they were looking into the case.
Huazhu's website said it operates more than 3,000 hotels in more than 370 cities in China, including the AccorHotels brands Ibis and Mercure.
Shanghai-based Huazhu formed a long-term alliance with Accor in 2014 to help the French hotel group develop the Chinese market.
Huazhu said the release of the data had caused a "vicious impact", without giving specifics, and that it was conducting an internal investigation.
The sale of personal information is common in China, which last year implemented a controversial cybersecurity law that requires services to store user data in China and receive approval from users before sharing their details.
Chinese e-commerce giant Alibaba came under fire earlier this year over its handling of user data in an episode that underscores growing concerns for privacy in the hyper-digitised country.
Alibaba's online-payments affiliate Ant Financial was forced to apologise after users said they felt misled into allowing its Alipay service to share data on their spending habits with Ant's credit-scoring arm and other third-party services.
Cybercriminals Have Been Experimenting With a Blockchain Domain Name System (DNS)
The takedowns of AlphaBay and Hansa in 2017 by law enforcement gave rise to much speculation about the future of dark web marketplaces. As I’ve discussed before, an environment of fear and mistrust is driving the cybercriminal community to incorporate alternative technologies to improve security and remain below the radar as they conduct illicit business online. One such technology is blockchain.
When most people hear the term “blockchain” they typically think of cryptocurrencies and other applications where transactions and interactions among a community of users must be executed with a high degree of trust, efficiency and transparency. However, if we consider the recent challenges that administrators of online criminal forums have encountered, it only makes sense that they would explore applications for blockchain. To that end, some have been experimenting with a blockchain domain name system (DNS) as a way of hiding their malicious activity and bullet-proofing their offerings.
A blockchain DNS is different from a traditional DNS. Typically, when we type a website into an Internet browser, the computer queries a DNS server for an IP address. Essentially, this is the Internet equivalent of a phone book. A name consists of the entity's label and then, after the “dot”, the extension known as the Top Level Domain (TLD), which could be .com, .gov, .edu, .uk, .de, etc. The TLD is controlled by a central authority such as the Internet Corporation for Assigned Names and Numbers (ICANN) with a global reach, or regional authorities like Nominet in the U.K. or DENIC in Germany. In contrast, blockchain DNS is a decentralized DNS. Blockchain TLDs – including .bit, .bazar and .coin – are not owned by a single central authority. DNS lookup tables are shared over a peer-to-peer network and use a different technology from traditional DNS requests.
Decentralized DNS offers many benefits such as countering censorship by authorities (for example, if a government orders all Internet Service Providers in a country to stop resolving certain domains to their IP addresses), or preventing DNS spoofing, where attackers insert corrupt DNS data so that the name server returns an incorrect IP address and redirects traffic to an attacker's computer. However, decentralized DNS can also be abused by attackers for malicious purposes. As blockchain domains do not have a central authority and registrations contain unique encrypted hashes rather than an individual’s name and address, it is harder for law enforcement to perform site takedowns. The following are just a few examples of bad actors using blockchain.
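Because blockchain TLDs are not delegated by ICANN, a normal corporate resolver cannot answer them, so queries for them in resolver logs are a useful signal that a host has a blockchain-DNS extension or proxy installed. The following scanner is an added example, not part of the original column; the log lines are constructed in a BIND-like query-log format, and the TLD list is the one the column names (.bit, .bazar, .coin).

```python
"""Flag resolver queries for blockchain TLDs in constructed BIND-style query logs.

Added example, not from the original column. The log format and client
addresses below are invented for illustration.
"""
import re
from typing import Dict, List, Optional

# Blockchain-based TLDs named in the column. They are not delegated by ICANN,
# so a normal recursive resolver can only answer NXDOMAIN for them.
BLOCKCHAIN_TLDS = {"bit", "bazar", "coin"}

# Assumed simplified BIND query-log shape:
#   <timestamp> client [@addr] <ip>#<port> (<name>): query: <name> IN <type> ...
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<client>[\d.:a-fA-F]+)#\d+ \((?P<name>[^)]+)\): "
    r"query: \S+ IN (?P<qtype>\S+)"
)


def parse_query(line: str) -> Optional[Dict[str, str]]:
    """Extract client IP, normalized queried name and query type from one line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    name = m.group("name").rstrip(".").lower()  # strip root dot, fold case
    return {"client": m.group("client"), "name": name, "qtype": m.group("qtype")}


def tld_of(name: str) -> str:
    """Return the last label of a domain name (the TLD)."""
    return name.rsplit(".", 1)[-1]


def find_blockchain_queries(lines: List[str]) -> List[Dict[str, str]]:
    """Return every parsed query whose TLD is a blockchain TLD."""
    hits = []
    for line in lines:
        q = parse_query(line)
        if q and tld_of(q["name"]) in BLOCKCHAIN_TLDS:
            hits.append(q)
    return hits


def count_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate hits per client IP so repeat offenders stand out."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


# Constructed sample log: ordinary traffic, three blockchain-TLD lookups
# (one with mixed case and a trailing root dot) and one unparseable line.
SAMPLE_LOG = [
    "26-Aug-2018 10:15:02.101 client 10.0.0.5#51234 (www.example.com): query: www.example.com IN A + (10.0.0.1)",
    "26-Aug-2018 10:15:03.220 client 10.0.0.7#49213 (shop.bazar): query: shop.bazar IN A + (10.0.0.1)",
    "26-Aug-2018 10:15:03.530 client 10.0.0.7#49214 (Market.Bit.): query: Market.Bit. IN AAAA + (10.0.0.1)",
    "26-Aug-2018 10:15:04.002 client 10.0.0.9#53001 (bitcoin.org): query: bitcoin.org IN A + (10.0.0.1)",
    "26-Aug-2018 10:15:05.777 client 10.0.0.5#51240 (wallet.coin): query: wallet.coin IN A + (10.0.0.1)",
    "26-Aug-2018 10:15:06.000 unrelated line that does not parse",
]

if __name__ == "__main__":
    found = find_blockchain_queries(SAMPLE_LOG)
    for q in found:
        print(f"{q['client']} asked for {q['name']} ({q['qtype']})")
    print(count_by_client(found))
```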
Back in January 2016, one of the first groups to employ blockchain DNS to create a .bazar domain in an attempt to better secure their operations was a group known as The Money Team. In July 2017, the Joker’s Stash, a popular Automated Vending Cart (AVC) site used to purchase stolen payment card details, began using blockchain DNS alongside its established Tor (.onion) domain. Users wanting to access the .bazar version of the site need to install a blockchain DNS browser extension or add-on. Other AVC sites and forums used to trade stolen account information have also been experimenting with peer-to-peer DNS technology.
Blockchain technology has also allowed users to realize alternative models for online marketplaces. The site known as Tralfamadore, for example, uses blockchain as its back-end to store the necessary databases and code to support front-end user interfaces. Transactions are made using cryptocurrency and recorded as smart contracts on the blockchain. The aim is to improve trust among users of the site as all transactions are permanently recorded and scam vendors can be more easily identified.
Another marketplace using blockchain technology is the site OpenBazaar. This project began in April 2016 and its userbase has increased steadily since then. In the first half of 2018, the number of new users on the site has risen by roughly 4,000, while the items for sale have gone up from 18,000 to over 27,000. Despite these gains, OpenBazaar has not been used for cybercriminal activity to any great extent, and the majority of items listed on the site would not be classed as illicit.
Despite these examples, it’s important to remember that as with most things in life, there are tradeoffs. The use of blockchain for cybercriminal activity is no exception. The primary issue preventing its wider adoption is that with blockchain-based platforms all interactions are publicly recorded. This goes against the strong desire by many users to engage in private messaging. Many cybercriminals are choosing to conduct their business away from dark web marketplaces and underground forums altogether. Instead, they are using their site to advertise their service and then directing users to dedicated channels on Jabber, Internet Relay Chat (IRC), Skype, Discord and Telegram to conduct their business. Buyers can contact sellers directly through peer-to-peer networks and private chat channels and execute transactions using cryptocurrencies or electronic payment services.
As cybersecurity professionals, we should continue to monitor for an uptick in the adoption of blockchain for the buying and selling of illicit goods. And while we’re at it, we should also continue to assess other emerging technologies that could be used for nefarious purposes. Because as long as there is a market for what cybercriminals have for sale – everything from compromised accounts and stolen payment cards to counterfeit goods – you can be sure they’ll find new and creative ways to profit.
A newly detailed Android spyware that has an incredibly wide-ranging protocol has been active since May 2016, Kaspersky Lab warns.
Dubbed BusyGasper, the malware includes device sensor listeners (such as motion detectors), can exfiltrate data from messaging applications (WhatsApp, Viber, Facebook), includes keylogging capabilities, and supports 100 commands.
Featuring a multicomponent architecture, the malware can download payloads and updates from the command and control (C&C) server, an FTP server belonging to the free Russian web hosting service Ucoz.
The spyware also includes support for the IRC protocol and “can log in to the attacker’s email inbox, parse emails in a special folder for commands and save any payloads to a device from email attachments,” Kaspersky’s security researchers reveal.
The malware is apparently being installed manually, likely through physical access to a compromised device. Thus, fewer than 10 victims have been identified to date, all of them located in Russia.
The attackers collected victims’ personal data, including messages from IM applications, and SMS banking messages, yet the actor doesn’t appear interested in stealing the victims’ money.
“We found no similarities to commercial spyware products or to other known spyware variants, which suggests BusyGasper is self-developed and used by a single threat actor. At the same time, the lack of encryption, use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware,” Kaspersky says.
An initial module installed on the targeted device can be controlled over the IRC protocol and allows operators to deploy additional components. The module apparently has root privileges, yet the researchers found no evidence of an exploit being used to obtain such rights.
The first module can start/stop IRC, manipulate IRC settings, exit, use root features, report when the screen is on, hide/unhide the implant icon, execute shell commands, send commands to the second module, download and copy a component to the system path, and write a specified message to the log.
The second module writes a log of the command execution history to a file named “lock,” which can be exfiltrated to the C&C server. Log messages can also be sent via SMS to the attacker’s number.
“The malware has its own command syntax that represents a combination of characters while the “#” symbol is a delimiter,” Kaspersky explains.
Featuring all of the capabilities found in modern spyware, the threat can spy on all available device sensors and can log registered events, can enable GPS/network tracking, and can execute multiple initial commands if an incoming SMS contains a specific string.
BusyGasper’s keylogging capabilities have been implemented in an original manner, Kaspersky says. The malware creates a textView element hidden from the user, then adds an onTouchListener to it to process every user tap. The listener only processes coordinates, which it matches against hardcoded ones.
A hidden menu that provides control of implant features appears to have been created for manual operator control. The menu is activated if the operator calls the hardcoded number “9909” from the infected device.
A full list of commands supported by the malware shows that it can capture photos, record audio and video, execute specified shell commands, monitor and exfiltrate messages, update itself, and perform various backdoor commands.
A new rootkit that has been distributed via the RIG exploit kit over the past few weeks can manipulate web browsers and also contains sophisticated defense mechanisms, Check Point says.
Dubbed CEIDPageLock, the malware was initially discovered a few months ago, when it was attempting to modify the homepage of a victim’s browser. The rootkit is currently attempting to turn the victim browser’s homepage into a site pretending to be a Chinese web directory.
On top of these features, the latest versions of the malware monitor user browsing and, when the user attempts to access several popular Chinese websites, dynamically replace the content of those sites with the fake home page.
“Browser hijacking employed by malware like CEIDPageLock, can be profitable due to revenue earned via redirecting victims to search engines that share ad revenue with the referrers,” Check Point explained.
The malware’s operators also use a series of hijacking tricks to gather data on the victims’ browsing habits, such as the monitoring of visited sites, which could be used for its own ad campaigns or sold to other companies.
A dropper is used during infection, to extract a digitally signed 32-bit kernel-mode driver. The certificate was issued by Thawte but has been already revoked. After registering and starting the driver, the dropper sends the infected machine’s MAC address and user-id.
The driver is launched during startup and remains fairly stealthy, being able to evade antivirus solutions. It was designed to connect to one of two command and control (C&C) domains hardcoded in it and to download a homepage configuration to tamper the browser with.
The newer version of the malware is also packed with VMProtect, thus making analysis and unpacking difficult, especially since it is also a kernel mode driver, Check Point notes.
The iteration also includes a “redirection” capability, to send victims to the fake homepage whenever they attempt to access targeted sites. The rootkit also checks every outgoing HTTP message for specific strings and adds the process to the redirected list when a string is encountered.
The malware also blocks browsers from accessing a series of antivirus files and includes the ability to create a registry key in a security product.
The vast majority of CEIDPageLock’s targets are located in China, with only a negligible number of infections outside the country, Check Point says.
“At first glance, writing a rootkit that functions as a browser hijacker and employing sophisticated protections such as VMProtect, might seem like overkill. However, it seems that this simple malicious technique can be very profitable and thus the attackers believe that it is worthwhile to invest in building a stealthy and persistent tool for it,” the security firm notes.
Furthermore, the malware has the ability to execute code on an infected device. Coupled with the fact that it operates from the kernel and its persistence mechanism, CEIDPageLock is “a potentially perfect backdoor,” Check Point concludes.